So far I’ve shown you how FSLogix helps improve the user experience for Office 365 customers and how simple it is to get up and running for an evaluation. In this article, I’ll describe how to secure access to FSLogix Profile Containers and Office 365 Containers.
FSLogix Storage Requirements
When designing for a deployment of FSLogix Profile Containers and Office 365 Containers, the most challenging part of that design will be a solution for storage – you’ll need to ensure whichever solution you go with meets your high availability requirements. Underneath though, a simple SMB location is required for storing the virtual disks that contain the Profile and Office 365 containers.
When a user logs onto a desktop enabled with FSLogix, the virtual disk container stored in the target location is mounted by the desktop, with a junction created into the user’s profile.
The screenshot here shows this in action:
Enabling Secure Permissions on the Containers Share
To secure the share that hosts the FSLogix containers, we can draw from existing permissions recommendations for user home directories and folder redirection. The following two articles are a great reference:
* How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
* Deploy Folder Redirection with Offline Files
To secure the share, here are my recommendations for NTFS permissions. Share permissions are straightforward – users will need write access; however, also ensure that the target desktop computer accounts have read-only access.
Recommended NTFS permissions are below. These ensure that the FSLogix agent can create a virtual disk for each user with secure permissions, preventing access to other users’ virtual disks.
- CREATOR OWNER – Full Control (Apply to: Subfolders and Files Only)
- SYSTEM – Full Control (Apply to: This Folder, Subfolders and Files)
- Administrators – Full Control (Apply to: This Folder, Subfolders and Files)
- Users – Create Folder/Append Data (Apply to: This Folder Only)
- Users – List Folder/Read Data (Apply to: This Folder Only)
- Users – Read Attributes (Apply to: This Folder Only)
- Users – Traverse Folder/Execute File (Apply to: This Folder Only)
If you are deploying Profile Containers and Office 365 Containers in a multi-tenant environment, you can replace SYSTEM with a domain group that contains the target computer accounts. In this case, read-only access is the minimum permission required.
Additionally, you can replace Users with a domain group containing the target user accounts. This could be the same group that is added to the local groups that enable inclusion (or exclusion) of Profile Containers or Office 365 Containers.
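The share and NTFS settings above can be applied in one pass from PowerShell on the file server. The script below is an added example, not code from this article or from FSLogix itself: the folder path, share name and the computer-account group are assumptions, and the two principal parameters are where you would substitute the domain groups described for a multi-tenant deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Applies the share and NTFS
# permissions recommended above to an FSLogix container share. The folder path,
# share name and group names in the parameters are assumptions; adjust them.
[CmdletBinding()]
param (
    [string]$Path      = 'D:\FSLogix\Containers',   # assumed local folder backing the share
    [string]$ShareName = 'FSLogixContainers$',      # assumed (hidden) share name

    # Principal that receives the "Users" rights. For a multi-tenant deployment,
    # pass a domain group containing the target user accounts instead.
    [string]$UserPrincipal = 'BUILTIN\Users',

    # Principal that receives Full Control in place of SYSTEM. For a multi-tenant
    # deployment, pass a domain group containing the target computer accounts.
    [string]$SystemPrincipal = 'NT AUTHORITY\SYSTEM',

    # Computer accounts only need read-only share access. Assumed group name.
    [string]$ComputerPrincipal = "$env:USERDOMAIN\Domain Computers"
)

# --- 1. Folder and share permissions -----------------------------------------
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Users need write access (Change); desktop computer accounts get Read only.
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess   'BUILTIN\Administrators' `
        -ChangeAccess $UserPrincipal `
        -ReadAccess   $ComputerPrincipal | Out-Null
}

# --- 2. NTFS permissions -------------------------------------------------------
# One entry per recommended ACE. Inherit = which children receive the ACE;
# Propagate = InheritOnly means "Subfolders and Files Only" (not this folder).
$recommendedAces = @(
    @{ Id = 'CREATOR OWNER';          Rights = 'FullControl'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
    @{ Id = $SystemPrincipal;         Rights = 'FullControl'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    # Create Folder/Append Data, List Folder/Read Data, Read Attributes and
    # Traverse Folder/Execute File, applied to "This Folder Only" (no inheritance).
    @{ Id = $UserPrincipal
       Rights = 'CreateDirectories, ListDirectory, ReadAttributes, Traverse'
       Inherit = 'None'; Propagate = 'None' }
)

$acl = Get-Acl -LiteralPath $Path
# Break inheritance from the parent and discard inherited ACEs, then clear any
# explicit ACEs so the folder ends up with exactly the entries listed above.
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

foreach ($ace in $recommendedAces) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $ace.Id, $ace.Rights, $ace.Inherit, $ace.Propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# --- 3. Verify -----------------------------------------------------------------
# Re-read the ACL; every entry should show IsInherited = False and match the list.
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                  PropagationFlags, IsInherited |
    Format-Table -AutoSize
```

Because the script rebuilds the DACL from scratch on every run, it is safe to re-run after a change of group membership or principal. The verification step at the end is the check worth keeping for audits: any ACE with IsInherited set to True, or any principal beyond the four listed, means the folder is not carrying the intended permissions and per-user containers created under it will not be isolated as described.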
As a solution architect at Insentra across the Cloud + Collaboration and Application Delivery + Mobility teams, Aaron Parker implements technical designs of leading class enterprise solutions. With over 20 years’ experience in the IT industry, Aaron brings a wide range of expertise to Insentra in enterprise level End-user computing solutions. These include Server-based computing, Virtual Desktop Infrastructure, Mobility and PC deployments. Aaron assists Insentra to implement Microsoft and Citrix based solutions across government, private sector and not-for-profit organizations. His interest lies in continuous improvements to IT to better enable business by taking advantage of existing solutions, new technologies and processes. Microsoft MVP, Citrix Technology Professional, VMware EUC Champion.