4.3 Securing Access to File Share on Windows Using the Logon Filter

Perform the following steps to secure access to file shares on Microsoft Windows with the Logon Filter:

  1. Open the properties of a shared folder.

  2. Click the Security tab.

  3. Click Edit.

  4. Click Add.

  5. Specify the group that the MFA logon tag points to.

  6. Click OK.

  7. Set the required permissions for the added group.

  8. Click OK.

  9. Click the Sharing tab.

  10. Click Advanced Sharing.

  11. Click Permissions.

  12. Click Add.

  13. Specify the group that the MFA logon tag points to.

  14. Click OK.

  15. Set the required permissions for the group.

  16. Click OK.
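
The same NTFS and share permissions can be set from an elevated PowerShell session on the file server. This is an added example, not part of the product documentation; the function name, the folder path, share name and group name in the sample call, and the default Modify/Change rights are assumptions to replace with your own values.

```powershell
# Added example (hypothetical helper): scripted equivalent of steps 1-16.
function Grant-MfaGroupShareAccess {
    param(
        [Parameter(Mandatory)] [string] $FolderPath,  # local path of the shared folder
        [Parameter(Mandatory)] [string] $ShareName,   # SMB share name
        [Parameter(Mandatory)] [string] $MfaGroup,    # DOMAIN\Group the MFA logon tag points to
        [System.Security.AccessControl.FileSystemRights] $NtfsRight = 'Modify',
        [ValidateSet('Read', 'Change', 'Full')] [string] $ShareRight = 'Change'
    )

    # Steps 1-8 (Security tab): add an NTFS allow entry for the group that
    # applies to the folder, its subfolders and its files.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $MfaGroup, $NtfsRight, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $FolderPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Steps 9-16 (Sharing > Advanced Sharing > Permissions): add the share permission.
    Grant-SmbShareAccess -Name $ShareName -AccountName $MfaGroup `
        -AccessRight $ShareRight -Force | Out-Null

    # Read both ACLs back and confirm the group appears in each of them.
    $ntfsAces  = (Get-Acl -Path $FolderPath).Access
    $shareAces = Get-SmbShareAccess -Name $ShareName
    $onNtfs  = $ntfsAces  | Where-Object {
        $_.IdentityReference.Value -eq $MfaGroup -and $_.AccessControlType -eq 'Allow' }
    $onShare = $shareAces | Where-Object {
        $_.AccountName -eq $MfaGroup -and $_.AccessControlType -eq 'Allow' }

    [pscustomobject]@{
        Share           = $ShareName
        GroupOnNtfsAcl  = [bool]$onNtfs
        GroupOnShareAcl = [bool]$onShare
        # Listed for review: each of these share entries grants access on its
        # own, whether or not the account is a member of the MFA group.
        OtherShareAllow = @($shareAces | Where-Object {
            $_.AccountName -ne $MfaGroup -and $_.AccessControlType -eq 'Allow'
        } | ForEach-Object AccountName)
    }
}

# Sample call with placeholder values:
# Grant-MfaGroupShareAccess -FolderPath 'D:\Shares\Finance' -ShareName 'Finance' `
#     -MfaGroup 'CONTOSO\MFA-Logon'
```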

If members of the Domain Admins or Enterprise Admins groups use the shared folder, add the Domain Admins or Enterprise Admins group to the members of the group that the MFA logon tag points to, so that the Logon Filter is skipped for users of those groups. This is required because, by default, Microsoft Windows uses NTLM authentication for Domain Admins and Enterprise Admins. With NTLM, authentication is required every time, whereas the Logon Filter requires Kerberos authentication, in which a single Kerberos ticket obtained during login to the operating system is used instead of communicating with the Domain Controller every time.

NOTE: When a file share is secured by the Logon Filter, the file share cannot be accessed. For a solution, see A File Share Cannot be Accessed When Secured by the Logon Filter.