{"id":1120,"date":"2016-10-05T01:00:00","date_gmt":"2016-10-05T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/securing-fslogix-profile-and-office-365-containers\/"},"modified":"2016-10-05T01:00:00","modified_gmt":"2016-10-05T01:00:00","slug":"securing-fslogix-profile-and-office-365-containers","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/securing-fslogix-profile-and-office-365-containers\/","title":{"rendered":"Securing FSLogix Profile and Office 365 Containers"},"content":{"rendered":"<p style=\"text-align: justify;\">So far I\u2019ve shown you<span>\u00a0<\/span><a href=\"https:\/\/inswwdev.azurewebsites.net\/au\/delivering-great-user-experience-for-office-365-with-fslogix\/\" rel=\"nofollow noopener\" target=\"_blank\">how FSLogix helps improve user experience for Office 365 customers<\/a><span>\u00a0<\/span>and<span>\u00a0<\/span><a href=\"https:\/\/inswwdev.azurewebsites.net\/au\/deploying-fslogix-office-365-containers\/\" rel=\"nofollow noopener\" target=\"_blank\">how simple it is to get up an running for an evaluation<\/a>. In this article, I\u2019ll describe how to secure access to FSLogix Profile Containers and Office 365 Containers.<\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">FSLogix Storage Requirements<\/h3>\n<p style=\"text-align: justify;\">When designing for deployment of FSLogix Profile Containers and Office 365 Containers, the most challenging part of that design will be a solution for storage \u2013 you\u2019ll need to ensure whichever solution you go with meets your high availability requirements. Underneath though, a simple SMB location is required for storing the virtual disks that contain the Profile and Office 365 containers.<\/p>\n<p style=\"text-align: justify;\">When a user logs onto a desktop enabled with FSLogix, the virtual disk container stored in the target location, is mounted by desktop with a junction created into the user\u2019s profile.<\/p>\n<p style=\"text-align: justify;\">The screenshot here shows this in action:<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 876px; height: 494px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/21\/2021\/02\/fslogix-containers-vdisk-1.png\" alt=\"\" data-udi=\"umb:\/\/media\/955ce9ecf13047a486c7e588af5be431\" \/><\/p>\n<p style=\"text-align: justify;\">To secure the share that hosts the FSLogix containers, we can draw from existing permissions recommendations for user home directories and folder redirection. The following two articles are a great reference:<br \/>*<span>\u00a0<\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/274443\" rel=\"nofollow noopener\" target=\"_blank\">How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003<\/a><br \/>*<span>\u00a0<\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/jj649078.aspx#FolderRedirection_Step2Createafileshareforredirectedfolders\" rel=\"nofollow noopener\" target=\"_blank\">Deploy Folder Redirection with Offline Files<\/a><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">Recommended Permissions<\/h3>\n<p style=\"text-align: justify;\">To secure the share, here are my recommendations for NTFS permissions. Share permissions are straight-forward \u2013 users will need to write access; however, also ensure that the target desktop computer accounts have read-only access.<\/p>\n<p style=\"text-align: justify;\">Recommended NTFS permissions are below. This will ensure that the FSLogix agent can create a virtual disk for each user with secure permissions, preventing access to other user\u2019s virtual disks.<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>CREATOR OWNER<\/strong><span>\u00a0<\/span>\u2013 Full Control (Apply onto: Subfolders and Files Only)<\/li>\n<li style=\"text-align: justify;\"><strong>SYSTEM<\/strong><span>\u00a0<\/span>\u2013 Full Control (Apply onto: This Folder, Subfolders and Files)<\/li>\n<li style=\"text-align: justify;\"><strong>Administrators<\/strong><span>\u00a0<\/span>\u2013 Full Control (Apply onto: This Folder, Subfolders and Files)<\/li>\n<li style=\"text-align: justify;\"><strong>Users<\/strong><span>\u00a0<\/span>\u2013 Create Folder\/Append Data (Apply to: This Folder Only)<\/li>\n<li style=\"text-align: justify;\"><strong>Users<\/strong><span>\u00a0<\/span>\u2013 List Folder\/Read Data (Apply to: This Folder Only)<\/li>\n<li style=\"text-align: justify;\"><strong>Users<\/strong><span>\u00a0<\/span>\u2013 Read Attributes (Apply to: This Folder Only)<\/li>\n<li style=\"text-align: justify;\"><strong>Users<\/strong><span>\u00a0<\/span>\u2013 Traverse Folder\/Execute File (Apply to: This Folder Only)<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">If you are deploying Profile Containers and Office 365 Containers in a multi-tenant environment, you can change<span>\u00a0<\/span><strong>SYSTEM<\/strong><span>\u00a0<\/span>for a domain group that contains the target computer accounts. In this case, read-only access is the minimum permissions required.<\/p>\n<p style=\"text-align: justify;\">Additionally, you can change<span>\u00a0<\/span><strong>Users<\/strong><span>\u00a0<\/span>for a domain group containing the target user accounts. This could be the same group, added to the local groups that<span>\u00a0<\/span><a href=\"https:\/\/docs.fslogix.com\/display\/FA26\/Profile+Configuration+Tool\" rel=\"nofollow noopener\" target=\"_blank\">enable inclusion (or exclusion) of Profile Containers<\/a><span>\u00a0<\/span>or Office 365 Containers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So far I\u2019ve shown you\u00a0how FSLogix helps improve user experience for Office 365 customers\u00a0and\u00a0how simple it is to get up an running for an evaluation. In this article, I\u2019ll describe how to secure access to FSLogix Profile Containers and Office 365 Containers. FSLogix Storage Requirements When designing for deployment of FSLogix Profile Containers and Office&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/securing-fslogix-profile-and-office-365-containers\/\">Continue reading <span class=\"screen-reader-text\">Securing FSLogix Profile and Office 365 Containers<\/span><\/a><\/p>\n","protected":false},"author":65,"featured_media":1121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-1120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=1120"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1120\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/1121"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=1120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=1120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=1120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}