[sambapati]

Hi, I use a windows 2000 to share some files and directory and I need to block user in your directory. My first problem is how to stop directory browsing in child directory and, main target, is how to stop browsing of root directory '\'. When i place deny for user grup in root directory all system stop browsing: deny is more important related allow... Can you help me to solve this problem?

Tks.

Luigi Franceschi

[yuval14]

You can use list permission to hide folder inside share etc.
You can hide share by using Windows 2003 SP1:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=9231

[rvalstar]

yuval14:

That ABE (Access-Based Enumeration) looks interesting. I'm going to have to give it a try.

sambapati:

Deny has always given me more problems than it ever could solve.

I believe you can do most everything you want with some of the advanced features available in W2K and beyond ACLs. You'll have to apply them through the GUI however as XCACLS doesn't handle these features.

http://www.microsoft.com/resources/d....mspx?mfr=true

I'm running this scenario on WXP but I'm confident they'll work on W2K as that's where I worked out this process.

This looks messy but give it a chance...

On \\Server, you have C:\Test containing:

readme.txt (containing hello)
x.xls (1 cell containing 1)
x.cmd (containing pause)

New Folder containing:

readme2.txt (containing there)
y.xls (1 cell containing 2)
y.cmd (containing pause)

On \\Server, navigate to C:\Test in Explorer and (what follows may be a little different in W2K)

Right-Click\Properties\Sharing\Share this folder (as Test)\ then Click Permissions\Everyone\Check Full Control\Click OK\Click OK

So now we have a share \\Server\Test controlled by ACL's and not share level permissions.

Back to C:\Test in Explorer:

Right-Click\Properties\Security\Advanced\Un-check Inherit from parent...\Click Copy\Click OK\ now Remove groups -- Everyone plus anything w/ Users\ next Click Advanced\Check Replace permissions on all child objects...\Click OK\Click Yes\Click OK

Now C:\Test and all files / children have only *Admin*, CREATOR OWNER, SYSTEM listed as having privs.

Let's say you want a Group, UsersA to be able to list and modify the files in C:\Test but not be able to look into "New Folder":

Back to C:\Test in Explorer:

Right-Click\Properties\Security\Click Add\UsersA\Check Modify\Click OK\Click Advanced\Select UsersA\Click Edit\Select Apply Onto = "This folder and files"\Click OK\Click OK\Click OK

"This folder and files" limits downward visibility.

Users in UsersA can see all the files / folders in C:\Test and can modify the files in the folder. They can see "New folder" but can't look into it nor rename it, etc.

That was relatively easy.

Your next request to stop browsing the root of a share is somewhat more complicated not by the ACL's but by the behavior of most software in Windows. I can show you how to lock down the ability to do a DIR but all you'll be able to do is run CMDs and EXEs. Most software must be able to see the file (List) before opening it.

If you'd like to experiment, try the above process for UsersA except:

Change

Apply Onto = "This folder and files"

to

Apply Onto = "Files only"; Also Check "Apply these permissions to objects and/or containers within this container only"

Next give a "user" that does not have permissions in this directory (we'll change to UsersA in a minute):

"List Folder Contents" permissions using the "Right-Click\Properties\Security\Click Add\" bit from before.

Click Advanced\select that "user"\Apply Onto = "This folder only"\ Uncheck "List Folder / Read Data" \ Change Name to from "user" to "UsersA"

Next, Click the Change button and change from "user" to "UsersA"

Hit enolugh OK's to close the dialog down.

The net effect is users in UsersA cannot take a DIR on the share nor open any of the files for viewing but can run X.CMD even though it appears one should be able to open the other files in their respective applications.

Hopefully, this give you enough ideas so you can solve your problem w/ ACL's.

If I've totally confused you, I'd be more than happy to post screen shots of the relevant steps. If the steps don't match W2K, try them in WXP then figure out the equivalent.