NTFS: Deny all permissions for all files, except where explicitly added

security ntfs permissions deny

Solution 1:

A couple things to keep in mind:

Disable bypass traverse checking for that user.

Explicit allows take precedence over inherited denies.

I would not recommend altering the Authenticated Users or Users security groups.

Solution 2:

Give a deny to that user at the root of the drive for exerything except "Traverse Folder" and then grant an explicit allow where you want them to be able to read. Generally speaking, removing Authenticated Users from Users isn't a good idea.

Solution 3:

I don't think this is the right way to approach this.

What you should really do is set ACLs on confidential data you have (eg. if users have home folders on this computer, you should change its ACL so that only that user and administrators are granted any access at all on it).

Solution 4:

In the end I went with the "excessive" solution:

icacls c:\* /T /C /deny MyComputer\SandboxUser:(OI)(CI)F

This adds deny entries to all files and directories. Then I used Process Monitor to see what permissions I have to change manually to let the application run.

Related

Making alarm in disk space using cloudwatch
500 oops bad bool value in config file for anonymous_enable
I don't understand how these recursive calls could finish
ionic 4 - livereload does not work
I have a problem whith adding a Container in a JFrame
Regex match if a substring is NOT found
Concatenating strings in iterating loop: += does not work as expected
Can map function in JS do multiple transformations at once? [closed]
Is "I don't work here" literal or does it mean "I am not an employee of this establishment"? [closed]
Etymology of 'vape'
More general term than "slashdotting"
Can “as soon as” ever mean “immediately after”?