This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
NTFS security - Folder Security
Posted on 2004-09-08
Hi!
I don't want the users in the network to be able to create, delete og remove folders at root level at our server.
We have 6 folders at root level which "domain users" are NOT supposed to create, move or delete files or folders at this level. (Wich they often do by mistake)
All users are members of "domain users".
I have tried to give the users restricted acces to the folders, but it has not succeded.
Eighter they gets denied, or they still get full access.
Sharing permissions tab shows "Domain Users" "Full Control" , "Change" , " Read".
Security tab shows "Authenticated Users" and "Domain Users" - Modify - Read & Execute - List Folder Contents - Read - Write.
Advanced Settings: Access Control Settings: Deny "Users" , Deny "Authenticated Users" - Change permissions , take ownership.
I have tried to deny "create folders / append data , create files / write data. I applied the settings by using " Apply these permissions to objects and/or containers within this container only". I am not getting the result I'm looking for.
Usually users don't get enough user rights, and I have to reset to "full access" so that everyone can start working again.
As mentioned above, I want to be able to deny users to do anything about the folders at root level. (6 folders which are shared). All users have mapped this folders by a loggon script. The users are not supposed to create files in theese 6 folders or above eighter.
My settings like they are right now is working in a way taht everyone gets access to the files. This is a temporary solution. Looking for a good solution. We have only 33 employees.
Anyone with long experience within this field?
TrondL
I don't want the users in the network to be able to create, delete og remove folders at root level at our server.
We have 6 folders at root level which "domain users" are NOT supposed to create, move or delete files or folders at this level. (Wich they often do by mistake)
All users are members of "domain users".
I have tried to give the users restricted acces to the folders, but it has not succeded.
Eighter they gets denied, or they still get full access.
Sharing permissions tab shows "Domain Users" "Full Control" , "Change" , " Read".
Security tab shows "Authenticated Users" and "Domain Users" - Modify - Read & Execute - List Folder Contents - Read - Write.
Advanced Settings: Access Control Settings: Deny "Users" , Deny "Authenticated Users" - Change permissions , take ownership.
I have tried to deny "create folders / append data , create files / write data. I applied the settings by using " Apply these permissions to objects and/or containers within this container only". I am not getting the result I'm looking for.
Usually users don't get enough user rights, and I have to reset to "full access" so that everyone can start working again.
As mentioned above, I want to be able to deny users to do anything about the folders at root level. (6 folders which are shared). All users have mapped this folders by a loggon script. The users are not supposed to create files in theese 6 folders or above eighter.
My settings like they are right now is working in a way taht everyone gets access to the files. This is a temporary solution. Looking for a good solution. We have only 33 employees.
Anyone with long experience within this field?
TrondL
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
2
11 Comments
just give read access to your "authenticated users" at root level (folder security). that will do the trick.
btw... you will need to break rights inheritance in subfolders, because permission will be propagated..
And if your users are members of other group, like domain users, and this group have access, they will get access to it anyways. I would give read access to "domain users", and full access to administrators. that'S it, nothing else.
Make the Root Folders "read only"
then inside the folders change the permissions of the folders/files to the security that you have.
make sure that the child folders dont inherit permissions from the parent..
example:
root1: <- read only
- child1: <-- full control
- child2: <-- full control
root2: <- read only
- child1: <-- full control
- child2: <-- full control
basically the design is make sure the door to the room is secure, but the information behind the door is wide open once the people are inside.
then inside the folders change the permissions of the folders/files to the security that you have.
make sure that the child folders dont inherit permissions from the parent..
example:
root1: <- read only
- child1: <-- full control
- child2: <-- full control
root2: <- read only
- child1: <-- full control
- child2: <-- full control
basically the design is make sure the door to the room is secure, but the information behind the door is wide open once the people are inside.
sorry bout that man.. i read the question, and just started typeing an answer in.. didn't even dawn on me to look at what had been written.
I am not sure about your config.
You say "I want to be able to deny users to do anything about the folders at root level. (6 folders which are shared). All users have mapped this folders by a loggon script."
Which folders are actually shared on your server?
Is there one shared folder that contains the 6 folders?
Or are there 6 different shared folders?
If all 6 folders are shared individually, then the only way they could get to the root (i.e. above those share points) is if there is another share defined for the root itself.
What are your client computers? This can make a difference.
How do you map the drives? Can you post the net use commands from the login scripts?
You say "I want to be able to deny users to do anything about the folders at root level. (6 folders which are shared). All users have mapped this folders by a loggon script."
Which folders are actually shared on your server?
Is there one shared folder that contains the 6 folders?
Or are there 6 different shared folders?
If all 6 folders are shared individually, then the only way they could get to the root (i.e. above those share points) is if there is another share defined for the root itself.
What are your client computers? This can make a difference.
How do you map the drives? Can you post the net use commands from the login scripts?
Featured Post
You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
If you're not part of the solution, you're part of the problem.
Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet. Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg).
If you're looking for how to monitor bandwidth using netflow or packet s…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month7 days, 10 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNP Security: SIMOS
$197.00$177.30
632 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.