So far I’ve shown you how FSLogix helps improve the user experience for Office 365 customers and how simple it is to get up and running for an evaluation. In this article, I’ll describe how to secure access to FSLogix Profile Containers and Office 365 Containers.
FSLogix Storage Requirements
When designing a deployment of FSLogix Profile Containers and Office 365 Containers, the most challenging part of the design will be the storage solution – you’ll need to ensure that whichever solution you choose meets your high availability requirements. Underneath, though, all that is required is a simple SMB location for storing the virtual disks that contain the Profile and Office 365 containers.
When a user logs onto a desktop enabled with FSLogix, the virtual disk container stored in the target location is mounted by the desktop, with a junction created into the user’s profile.
The screenshot here shows this in action:
To secure the share that hosts the FSLogix containers, we can draw from existing permissions recommendations for user home directories and folder redirection. The following two articles are a great reference:
* How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
* Deploy Folder Redirection with Offline Files
Recommended Permissions
To secure the share, here are my recommendations for NTFS permissions. Share permissions are straightforward – users will need write access; however, also ensure that the target desktop computer accounts have read-only access.
Recommended NTFS permissions are below. These ensure that the FSLogix agent can create a virtual disk for each user with secure permissions, preventing access to other users’ virtual disks.
- CREATOR OWNER – Full Control (Apply to: Subfolders and Files Only)
- SYSTEM – Full Control (Apply to: This Folder, Subfolders and Files)
- Administrators – Full Control (Apply to: This Folder, Subfolders and Files)
- Users – Create Folder/Append Data (Apply to: This Folder Only)
- Users – List Folder/Read Data (Apply to: This Folder Only)
- Users – Read Attributes (Apply to: This Folder Only)
- Users – Traverse Folder/Execute File (Apply to: This Folder Only)
If you are deploying Profile Containers and Office 365 Containers in a multi-tenant environment, you can replace SYSTEM with a domain group that contains the target computer accounts. In this case, read-only access is the minimum permission required.
Additionally, you can change Users for a domain group containing the target user accounts. This could be the same group, added to the local groups that enable inclusion (or exclusion) of Profile Containers or Office 365 Containers.
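As an added example (not from the original article), the following PowerShell applies the share and NTFS permissions described above to a new share on the file server, using the domain-group substitutions for users and computer accounts. The share name, folder path and group names are assumptions; substitute your own.

```powershell
# Run on the file server as an administrator. All names below are assumed placeholders.
$ShareName   = 'FSLogix$'                   # assumed share name
$Path        = 'E:\FSLogix'                 # assumed local folder backing the share
$UsersGroup  = 'CONTOSO\FSLogix-Users'      # assumed domain group of FSLogix users
$DesktopsGrp = 'CONTOSO\FSLogix-Desktops'   # assumed domain group of desktop computer accounts

# Share permissions: users need Change (write); desktop computer accounts need only Read.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $UsersGroup -ReadAccess $DesktopsGrp | Out-Null
}

# NTFS permissions, matching the recommended list. Start from a clean, non-inherited DACL.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)          # block inheritance and drop inherited ACEs
foreach ($ace in $acl.Access) { $acl.RemoveAccessRule($ace) | Out-Null }

$rules = @(
    # CREATOR OWNER - Full Control - Subfolders and Files Only (inherit-only, not on the folder itself)
    [System.Security.AccessControl.FileSystemAccessRule]::new('CREATOR OWNER', 'FullControl',
        'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'),
    # SYSTEM - Full Control - This Folder, Subfolders and Files
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # Administrators - Full Control - This Folder, Subfolders and Files
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # Users group - Create Folder/Append Data, List Folder/Read Data, Read Attributes,
    # Traverse Folder/Execute File - This Folder Only (no inheritance flags)
    [System.Security.AccessControl.FileSystemAccessRule]::new($UsersGroup,
        'CreateDirectories, ListDirectory, ReadAttributes, Traverse', 'None', 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Verify: the folder should list exactly these four identities, none of them inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Because CREATOR OWNER is inherit-only, each per-user folder the FSLogix agent creates ends up owned, with Full Control, by that user alone, while other members of the users group keep only the folder-level rights needed to create their own.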