The problem described in this article may not be something that vexes many professionals out there, but I can honestly say that I’ve had my share of issues along these lines. With so many businesses now moving to cloud-based solutions and off-site hosting of their data and applications, it’s just a matter of time before you have a client that has a hosted server that they access via Terminal Services. The issue, of course, then becomes how they can assign permissions to various users and/or groups to certain drives or folders on the server. While this can be done via NTFS file/folder security, I think most people would agree that this can be a tedious and painstaking task. For example, with file-level permissions, to give a particular group access to only one specific folder, you’d have to first block ALL the other folders that the group should NOT have access to. With share-level security, you could simply share the one folder with the proper permissions and they’d immediately have the proper access to JUST that folder. Granted, you could set up the folders with share-level permissions and set up VPN access to the server so that the functionality would essentially be the same as if they had the server in-house, but what if they refused to give up using Remote Desktop to access the server?
Here’s where virtual machine software comes in. Fortunately, in the case of Windows 2008, no additional software such as VMware or Virtual PC is needed, because of the wonderful built-in feature called “Hyper-V”.
The trick is to create a virtual machine (preferably with VMware if working on an older server OS that does not support Hyper-V) and install a client OS on it such as Windows XP Professional. The virtual machine can be configured to have access to the same data as on the main server, so it’s in the Windows XP installation on the virtual machine that you would set up the shares with all the proper permissions. All you have to do at this point is ensure that the IP address of the XP virtual machine is on the same network as the virtual network adapter that’s automatically created in the server OS. The server OS would therefore have two networks: one real, for the users logging in via Remote Desktop, and one virtual, to access the shares set up on the virtual machine. There you have it. To any Remote Desktop user logging in, the share-level security on the virtual machine will apply as surely as if it were set up on the main OS itself.
Keep in mind, of course, that with Windows 2008 there are other ways to achieve network-level authentication by configuring certain policies and security options, but the method presented here would work for Windows 2000 and Windows 2003 in conjunction with a copy of Windows XP Professional and a virtual machine product such as VMware. It may not be an elegant solution or even the best solution, as I myself would prefer certain users be set up with a mapped drive that has access to the server data via a VPN. However, it is a solution for certain clients with rigid requirements that don’t like change. As such, it’s a way to keep certain clients happy, and that’s really what being an IT professional is all about.