Is it standard practice to make a user's profile Documents and Settings and Local Setting Read Only and Hidden?

Is it common practice to make a user's profile Documents and Settings and Local Settings "Read Only" and "Hidden", e.g. from a Systems Admin perspective? In my experience, this is rare; however, I work with a very specific set of users / environments. Any insight appreciated.

I have seen this ONCE in my lifetime, and the user is not sure why the Sys Admin had done this (ironically, he/she is no longer the Sys Admin). What would be the point of making appdata completely read-only? That would mean any program that profiles per-user data in appdata (LOTS of software works like this) wouldn't be able to use it (potentially breaking it completely).

Would it be safe to say making user profile directories read-only is a complete mistake?

Answer 1

Not really, no. Hiding really wouldn't help you at all unless you also changed it to a non-standard path (which is a PITA to do the right way).

Even if you did change it to a non-standard path even the most locked down users would probably be able to find out the path by a little investigation.

If your filesystem ACLs are set up properly, then there isn't much a user can do with the knowledge about the existence and location of that directory.

Messing around with the read-only/hidden attributes is almost a complete waste of time from a security point of view. Filesystem ACLs are what should be used for security.

Answer 2

In Windows, the "read only" attribute on folders does NOT mean "read only" in any usual sense. I think all the Windows-defined shell folders have that attribute. Also, in Vista, the "AppData" folder in each user's profile has the "hidden" attribute by default. What the deal is in XP, I don't know, but I wouldn't think it would be any different.

Answer 3

What you are describing is normal behavior for Windows Vista and Windows 7.

What is actually happening is that most of the "legacy folders" (for lack of a better term) are SYMLINKed to their new locations, then set as Hidden and Read Only. For example, the old C:\Documents and Settings folder is a SYMLINK to C:\Users now. C:\D&S\Username\Local Settings now points to ~\AppData\Local. Below is a full list of the ones in the User folder specifically:

Application Data [C:\Users\User\AppData\Roaming]
Cookies          [C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies]
Local Settings   [C:\Users\User\AppData\Local]
My Documents     [C:\Users\User\Documents]
NetHood          [C:\Users\User\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
PrintHood        [C:\Users\User\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
Recent           [C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent]
SendTo           [C:\Users\User\AppData\Roaming\Microsoft\Windows\SendTo]
Start Menu       [C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu]
Templates        [C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates]

As well, this question describes how to find all the symbolic links using the command line (DIR /a:s /s).

Although these folders DO exist, if you try to browse to them, they will show Access Denied messages all the time. The proper way to navigate is to go to the folders they are actually linked to.
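As an added example (not code from any of the answers above), the PowerShell script below lists the reparse points in a profile with their attributes and targets, then makes Answer 2's point concrete by showing that a folder carrying the ReadOnly attribute still accepts new files. It assumes Windows Vista or later with Windows PowerShell 5.1 or PowerShell 7; $ProfilePath is an assumed parameter that defaults to the current user's profile.

```powershell
# Added example, not code from any of the answers above.
# Assumes Windows Vista or later and Windows PowerShell 5.1 / PowerShell 7.
# $ProfilePath is an assumed parameter; it defaults to the current user's profile.
param([string]$ProfilePath = $env:USERPROFILE)

# Walk the profile without descending into reparse points; browsing the
# legacy junctions themselves is what yields the Access Denied Answer 3 mentions.
# Depth 4 is enough to reach AppData\Roaming\Microsoft\Windows\*.
function Get-ProfileJunction {
    param([string]$Path, [int]$Depth = 4)
    $dirs = Get-ChildItem -LiteralPath $Path -Force -Directory -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{
                Link     = $d.FullName
                LinkType = $d.LinkType                       # Junction or SymbolicLink
                Target   = ($d.Target -join ';')             # where it actually points
                Hidden   = [bool]($d.Attributes -band [IO.FileAttributes]::Hidden)
                ReadOnly = [bool]($d.Attributes -band [IO.FileAttributes]::ReadOnly)
            }
        } elseif ($Depth -gt 0) {
            Get-ProfileJunction -Path $d.FullName -Depth ($Depth - 1)
        }
    }
}

# Answer 2's point: the ReadOnly attribute on a folder is not access control.
# A file is created inside the folder anyway; only the filesystem ACL decides
# who may write. The scratch folder is created under %TEMP% and removed again.
function Test-ReadOnlyFolderAttribute {
    $dir = Join-Path $env:TEMP ("ro-attr-demo-" + [guid]::NewGuid().ToString('N'))
    $null = New-Item -ItemType Directory -Path $dir
    try {
        [IO.File]::SetAttributes($dir, [IO.FileAttributes]'ReadOnly, Directory')
        $file = Join-Path $dir 'probe.txt'
        Set-Content -LiteralPath $file -Value 'written despite the ReadOnly attribute'
        return (Test-Path -LiteralPath $file)    # $true: the attribute blocked nothing
    } catch {
        return $false
    } finally {
        [IO.File]::SetAttributes($dir, [IO.FileAttributes]::Directory)
        Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-ProfileJunction -Path $ProfilePath | Format-Table -AutoSize
"Folder with ReadOnly attribute accepted a new file: $(Test-ReadOnlyFolderAttribute)"
```

To see the ACL that actually governs access to a listed link (Answer 1's point), run icacls on the Link path from the table.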