Hiding Specific Files from Unauthorized Users

Sometimes, challenging what we think we know is important. Last week, I received an email message from a reader asking a seemingly simple question: "How do I hide the content of drives from my users who don't have permission to see the files on those drives?" I tossed off a simple reply: "There's a Group Policy Object (GPO) called Prevent Access to Drives from My Computer. Use that."

The next day, the reader responded, telling me that using Prevent Access to Drives from My Computer didn't solve his problem--his users could use Windows Explorer to expand the folder listings on a particular drive by clicking the plus signs. Even worse, the Dir command still worked at the command prompt, fully enumerating the contents of the specified directory. Users couldn't access the files, but they could see that the files existed. To solve this administrator's problem, the files' existence needed to be hidden from unauthorized users.

I searched through the available GPOs and found "Hide these specified drives in My Computer." When you enable this policy, users can't use Windows Explorer to see the target drives. However, the drives and their content are still visible when a user runs the Dir command at a command prompt.

I wanted to discover some way to make this information invisible from the command line but didn't find any way to do so by using the services and tools that the OS makes available. I'm willing to bet that third-party tools exist that will let an administrator accomplish this goal. However, the best I could do was to suggest that the administrator set NTFS permissions to deny browsing on the target folders, a solution that isn't terribly helpful because it means making explicit permission changes on every network root folder that needs additional control. For the short term, I suggested that the administrator use the "Disable the Command prompt" policy to prevent users in groups with limited network access from launching a command session.

My solution is rather inelegant and definitely falls into the "If the only tool you have is a hammer, every problem looks like a nail" category. If any Windows Client UPDATE reader has found a better solution than using three separate GPOs yet can let users access the command prompt if necessary, please drop me an email message, even if your solution requires a third-party software tool.