Australia | Securing FSLogix Profile and Office 365 Containers

Aaron Parker - 05.10.201620161005

Securing FSLogix Profile and Office 365 Containers

Australia | Securing FSLogix Profile and Office 365 Containers

So far I’ve shown you how FSLogix helps improve user experience for Office 365 customers and how simple it is to get up an running for an evaluation. In this article, I’ll describe how to secure access to FSLogix Profile Containers and Office 365 Containers.

FSLogix Storage Requirements

When designing for deployment of FSLogix Profile Containers and Office 365 Containers, the most challenging part of that design will be a solution for storage – you’ll need to ensure whichever solution you go with meets your high availability requirements. Underneath though, a simple SMB location is required for storing the virtual disks that contain the Profile and Office 365 containers.

When a user logs onto a desktop enabled with FSLogix, the virtual disk container stored in the target location, is mounted by desktop with a junction created into the user’s profile.

The screenshot here shows this in action:

Australia | Securing FSLogix Profile and Office 365 Containers

To secure the share that hosts the FSLogix containers, we can draw from existing permissions recommendations for user home directories and folder redirection. The following two articles are a great reference:
* How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
* Deploy Folder Redirection with Offline Files

Recommended Permissions

To secure the share, here are my recommendations for NTFS permissions. Share permissions are straight-forward – users will need to write access; however, also ensure that the target desktop computer accounts have read-only access.

Recommended NTFS permissions are below. This will ensure that the FSLogix agent can create a virtual disk for each user with secure permissions, preventing access to other user’s virtual disks.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • SYSTEM – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Administrators – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Users – Create Folder/Append Data (Apply to: This Folder Only)
  • Users – List Folder/Read Data (Apply to: This Folder Only)
  • Users – Read Attributes (Apply to: This Folder Only)
  • Users – Traverse Folder/Execute File (Apply to: This Folder Only)

If you are deploying Profile Containers and Office 365 Containers in a multi-tenant environment, you can change SYSTEM for a domain group that contains the target computer accounts. In this case, read-only access is the minimum permissions required.

Additionally, you can change Users for a domain group containing the target user accounts. This could be the same group, added to the local groups that enable inclusion (or exclusion) of Profile Containers or Office 365 Containers.

THANK YOU FOR YOUR SUBMISSION!

Australia | Securing FSLogix Profile and Office 365 Containers

The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

Australia | Securing FSLogix Profile and Office 365 Containers

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.