Preface
SoftXpand is multi-seat software that enables multiple users to share the same computer.
SoftXpand provides the full Windows environment and security model. It does not apply additional user policies, which means that Windows controls every aspect of the user environment: security, privileges, and policies.
When a SoftXpand cluster is built on a single computer, security and user separation are sometimes required so that the SoftXpand work environment resembles a multi-computer environment.
The security and user separation includes: different levels of accessibility to files and folders, access to system files, system rights and privileges, user permissions to change system definitions, access to applications and software installation privileges.
This document will deal with the issue of user access to files, folders and drives.
Drives refer to local HDD, CDROM or DVD, removable flash drives and network drives.
Background
Whenever a user is created on Windows, by default he becomes a member of the users group.
On Windows, all users with a regular profile (users which are a part only of the users group) have access only to their own profile drives, folders and files.
This behavior is designed to protect the system: the user cannot access resources or change definitions that are not required for his daily work and normal activities.
Restrict Access
NTFS
It is recommended to install Windows XP Professional with the NTFS file system because of its improved characteristics over the FAT32 file system.
Under NTFS, performance, reliability, and disk space utilization are improved.
NTFS also supports file- and directory-level security through access control lists (ACLs).
Because SoftXpand behaves as a multi-user system, it is highly recommended to use NTFS.
Under NTFS, a SoftXpand user has full access only to his own profile files and folders (such as Documents and Settings, Internet Explorer favorites, etc.) and read-only permissions to all other applications and resources that are essential for daily work and activities.
By default, SoftXpand under NTFS isolates the users' work environments from one another.
For additional information about NTFS see the following links:
User data and settings management:
http://technet.microsoft.com/en-us/library/bb490855.aspx.
NTFS Technical Reference:
Network drives
By mapping network drives to a file server and assigning the relevant user access to specific network drives, you can ensure that each user sees and has access only to his own assigned shared network folder on the file server.
The assignment of a network drive to each user individually may be performed manually or by a login script.
How to connect and disconnect a network drive in Windows XP:
http://support.microsoft.com/kb/308582/en-us
Group policy
Group Policy and the Active Directory services infrastructure enable IT administrators to automate one-to-many management of users and computers. Administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units.
You can use Group Policy to hide drive letters.
This is the path in the Group Policy console for hiding drive letters:
"User Configuration/Administrative Templates/Windows Components/Windows Explorer/Hide these specified drives in My Computer".
The following link explains in detail the procedure of hiding drive letters by group policy:
http://support.microsoft.com/kb/231289.
Hiding drive letters with Group Policy is restricted to drive letters A: to D:. When dealing with drive letters D: and higher, other tools are required in order to hide drive letters.
For additional information about Group policy see the following links:
Windows server group policy home:
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.
How to use the group policy editor to manage local computer policy in Windows XP:
http://support.microsoft.com/kb/307882/en-us.
Controlling access to USB mass storage devices
USB removable disks can be mapped to a Workstation. This is an internal feature available in SoftXpand 3.0.0 and higher.
This is done by assigning the USB port into which the removable disk is plugged to the Workstation.
Any removable disk plugged into the assigned USB port is automatically mapped to the Workstation, and only that Workstation can see the removable disk and access it.
When deploying a SoftXpand cluster, it is recommended to assign each Workstation a USB port (or a number of USB ports) to be used for connecting USB removable disks.
USB removable disks are assigned to a Workstation through the Workstation Properties-Device Map tab.
The easiest way to do so is:
- Log on to all SoftXpand Workstations.
- On each Workstation open the Workstation Properties-Device Map tab from the Workstation tray icon.
- Connect a USB removable disk to a designated USB port and assign it to the Workstation.
- Do so for each USB port per Workstation.
For more information refer to SoftXpand help: http://www.miniframe.com/kb/onlinehelp/index.html
See Mapping hardware devices section.
Registry edit
By direct editing of the registry you can hide drive letters. This is done by adding the correct value which defines which drives are to be hidden.
Hide drives in my computer:
http://www.pctools.com/guides/registry/detail/148/
You may create a batch file that defines which drives will be hidden for every user.
Place the batch file in the "All Users" startup folder, so that when the SoftXpand host starts, the drive letters will be hidden as wanted for each separate user.
Click here to see an example of a batch file that hides drive letters for different users.
The example refers to two users: David and Sara.
David will hide drive letters A and D.
Sara will hide drive letter D only.
The following utility enables a simple and easy way to get the correct value that should be added to the registry.
Click here to download the restrict drives helper.exe.
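The value calculation and the per-user batch file described above can be sketched as follows. This is an added example, not MiniFrame's batch file or helper utility. It assumes the standard Explorer policy values NoDrives (hide) and NoViewOnDrive (restrict) under the per-user Policies\Explorer key, where drive A is bit 0 and drive Z is bit 25; the function names are hypothetical, and the users are the David and Sara of the example above.

```python
import string

# Per-user Explorer policy key; each logged-on user writes to his own HKCU hive.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HIDE_VALUE = "NoDrives"            # hides the letters in My Computer / Explorer
RESTRICT_VALUE = "NoViewOnDrive"   # also blocks opening them from the shell


def drive_mask(letters):
    """Return the 26-bit mask for the drive letters (A = bit 0 ... Z = bit 25)."""
    mask = 0
    for letter in letters:
        letter = letter.upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def letters_in_mask(mask):
    """Decode an existing registry value back into drive letters (for auditing)."""
    if not 0 <= mask < (1 << 26):
        raise ValueError("mask must fit in 26 bits")
    return [c for i, c in enumerate(string.ascii_uppercase) if (mask >> i) & 1]


def startup_batch(hidden_by_user, restrict=False):
    """Build the text of a startup batch file that sets each user's mask."""
    names = [HIDE_VALUE] + ([RESTRICT_VALUE] if restrict else [])
    lines = ["@echo off"]
    for user, letters in hidden_by_user.items():
        # Refuse characters that would change the meaning of the batch line.
        if not user or any(c in user for c in '"%&|<>^'):
            raise ValueError(f"unsafe user name: {user!r}")
        mask = drive_mask(letters)
        for name in names:
            lines.append(
                f'if /i "%USERNAME%"=="{user}" reg add "{POLICY_KEY}" '
                f"/v {name} /t REG_DWORD /d {mask} /f"
            )
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample: David hides A and D (value 9), Sara hides D only (value 8).
    print(startup_batch({"David": "AD", "Sara": "D"}), end="")
```

Both values are Explorer shell policies: they change what the user sees and can open from the shell, while NTFS permissions remain the control that enforces access to the files themselves.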
Remarks about registry edit
- In order for the drive letters to be hidden, the explorer.exe process must be terminated and started again.
This can be done by the user logging off and logging on again, or by terminating the process from the Task Manager.
In the Task Manager, on the Processes tab, terminate explorer.exe.
This will "kill" all desktop icons.
Press CTRL+ALT+DEL to open the Task Manager. On the Applications tab, click "New Task" and type in explorer.
- In order for a user to be able to edit his registry he must have administrative privileges.
The following procedure can be used:
- Add all SoftXpand cluster users to the administrators group.
- Perform the registry edit (hide and restrict drives) as described above.
- Once the registry values are set and each user sees and has access to the drives as wanted, remove the batch file from the startup folder, and remove the users from the administrators group.
Third party applications
There are several third-party applications which perform the manual registry edit described above through a GUI.
Using third-party software is perhaps the simplest way to hide drive letters. These applications perform the registry modification in an automated way.
An advantage of third-party software is that explorer.exe does not have to be terminated manually, and drives are hidden and restricted on the fly.
The following link is to a third-party utility, TweakUI, which can hide and restrict drives per user:
TweakUI:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx.
In Conclusion
All of the above are legitimate ways to restrict user access to drives, folders and files on SoftXpand.
The right method to choose depends on the level of security you would like to create for the host computer's users.

How to isolate and secure user access to drive letters, folders and files on SoftXpand