Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I secure a folder with advanced NTFS permissions?

Posted on 2008-10-07
15
Medium Priority
?
472 Views
Last Modified: 2013-12-04
I need to better understand NTFS Folder and File permissions so that I can better protect a folder from deletion.

In the uploaded file: "Folder.gif", you can see the contents of the "ITOPS" folder.  I hope to use this folder for IT resources (documentation, tools, apps, etc).  It contains several "test" folders and files, along with an "SA" (SysAdmin) folder and a "DS" (Desktop Support) folder.  

I am using three security groups to control permissions:   ITOPS, ITOPS_SA, and ITOPS_DS.  Both the ITOPS_SA and ITOPS_DS groups are members of the ITOPS group.

I am also using "ABE" (Access-Based Enumeration) to control what's visible and accessible.  The ITOPS_SA group is applied to the SA folder, the ITOPS_DS group is applied to the DS folder, and the ITOPS group is applied to the ITOPS folder.  As a result of ABE, "DS" folks can see and access all but the "SA" folder, and "SA" folks can see and access all but the "DS" folder.

What I hope to accomplish is to protect the DS and SA folders from deletion by their respective group members while at the same time keeping the rest of the contents of the ITOPS folder under full control by either group.

Thanks...

I want to make the contents of this folder
Folder.gif
0
Comment
Question by:dwstovall
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
15 Comments
 
LVL 11

Expert Comment

by:loftyworm
ID: 22664201
I would use the deny feature.  allow the all the stuff you want, and deny the delete option.
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22664244
NO!  Only use the Deny as a last step effort.  You will see this in plenty of documents stating such.  The explicit deny over rides everything if set incorrectly.  It is also difficult to troubleshoot.  Best practice is to set permission levels by groups.  Let me read over your problem and I will probably have a solution for you.
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22664455
Offhand, here is the explanation on Delete and something you can take a look at on the folder.

Delete: Users can delete the file or folder. (If users don't have the Delete permission on a file or folder, they can still delete it if they have the Delete Subfolders And Files permission on the parent folder.)
The article discussing more on this is as follows:

http://articles.techrepublic.com.com/5100-10878_11-6084446.html?tag=rbxccnbtr1

Here are some articles on NTFS permissions:

http://articles.techrepublic.com.com/5100-10878_11-6059618.html?tag=rbxccnbtr1
http://articles.techrepublic.com.com/5100-10878_11-1055994.html?tag=rbxccnbtr1
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html  <- This article talks about the very limited use of Deny and warnings about using it.
0
ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

 

Author Comment

by:dwstovall
ID: 22669885
Patrick49er,

I have tried every possible combination I can think of to achieve what I want with this folder, but it still is not doing what I want.  It doesn't seem like it should be out of the question to want to protect a folder and its contents from being deleted.

I applied the settings to remove the "delete" from the advanced permission, while allowing "create subfolders and files" and "delete subfolders and files."  However, when I clicked on the principal folder and tried to delete it, the folder would not delete, but all of its subfolders and files did delete.

David
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22670049
When you did that, did you have it apply the settings to all child folders?  Are your child folders set to inherit from the parent folder?  The articles above are really good on getting an understanding of how NTFS permissions operate.

One problem with having the no delete option is that this includes not being able to edit the documents.  I have a folder that is set to only allow placing a file in the folder.  The "user" cannot then modify it because in order to modify, it is actually doing a delete on the original and placing a modified copy in the folder.  If this is the way you want to go, I can go look up the settings I have on that network folder for you.
0
 

Author Comment

by:dwstovall
ID: 22670758
Looking at the picture of the folder in the original question - this is a folder for the IT Operations group which consists of the DS - Desktop Support and the SA - SysAdmin folks.  The IT Ops folder is a place for SA's and DS's to store stuff that might apply to either group.  But notice that there is an SA folder and a DS folder each specifically for its respective group.  Only the SA's should get into the SA folder, and only DS's in the DS folder.  Either group should be able to freely add or delete folders and files in the IT Ops folder, but neither should be able to delete their respective DS or SA folder - but, they should be able to add or delete files and folders within their respective SA or DS folders.
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22671251
Ok...here is what you do.

For the ITOPS group, you create a share to ITOPS folder and give that group the following share permission (not the security tab but the permissions button on the share tab) and then make sure that group has the security (NTFS) settings:

Read & Execute
List Folder Contents
Read

For the DS folder, right click and choose Properties.  Add the group ITOPS_DS.  Click on the Advanced button and remove the check box for inherit and then allow the permissions to be copied.  Once that is completed, remove the ITOPS group and edit the ITOPS_DS group for the following:

Everything checked except Full Control and Delete.

Perform the same for the SA folder but follow the procedure for the ITOPS_SA group.  Meaning, only have them access.

I keep Domain Admins with full on all my folders.  Setting the folders up this way will give each respective group control over their folder without giving them delete ability on the specific folder.  They can also create and delete folders and files within the ITOPS folder.
0
 

Author Comment

by:dwstovall
ID: 22716909
Thanks for the ideas and input so far, but I really don't want to use shares or make this more complicated than it needs to be.

I am deploying this sort of scheme across our entire  "office" drive.

Simply put, I want to create a folder structure that can't be deleted or alterer; however, I want authorized users (those belonging to specific security groups) to be able to add, delete, and modify files and folders beneath this structure.

Specifically, in the original question, I cite a folder "SA" folder beneath the "ITOPS" folder (Note the previous image).  Members of the "SG_C_Off_O-F_Tech-Group_ITOPS_SA" Security Group (not holding DomainAdmin rights) should be able to add, delete, and modify files and folders within the "SA" folder; however,  I don't want some overzealous clicker to delete the "SA" folder (or its contents, accidentally).

I have tried all sorts of combinations of "Advanced Security Settings" (note the most recent snapshot), and I've learned that I can have multiple configurations for the same security group (e.g., "This Folder Only" and "Subfolders and Files Only") and I've tried applying the "Apply these permissions to objects and/or containers within this container only."

However, bottom-line, I can configure it so that I can add and delete files and folders to the "SA" folder (as a member of the group), and I can configure it so that I can't delete the "SA" folder - the big glitch is that if I right-click and delete on the "SA" folder, it doesn't delete the "SA" folder, but it does delete everything in the "SA" folder.

The only thing I haven't tried (which will probably be the ultimate right answer) is to try using the "Replace permission entries on all child object with entries shown here that apply to child objects."

Thanks...DavidS

satest2.gif
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22721432
THen skip the share permissions side and just perform the NTFS security side I listed.  I tested this and it works.
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22721789
"Members of the "SG_C_Off_O-F_Tech-Group_ITOPS_SA" Security Group (not holding DomainAdmin rights) should be able to add, delete, and modify files and folders within the "SA" folder; however,  I don't want some overzealous clicker to delete the "SA" folder (or its contents, accidentally)."

You will NOT be able to accomplish this.  Your scenario contradicts itself and therefore not able to be done in this realm.  What I mean is, you CANNOT have a person have the ability to add, delete, and modify files and folders within the "SA" folder and NOT allow them to delete the files and folders within "SA" from a right-click on the "SA" folder.  Basically this is what you are trying to do:

Be able to delete within the folder but not delete when performing a right-click delete on the folder.  Do you see how you are saying on one hand I want them to be able to delete the files but not delete the files?

Now, what I have given you directions for above will prohibit an "overzealous" clicker from deleting the "SA" folder, but as long as that user has delete options within the folder and all subfolders, that user can wipe all contents out of the "SA" folder by doing a right-click delete.
0
 

Author Comment

by:dwstovall
ID: 22741966
Patrick49er,

I agree with your logic if I am in the "SA" folder.  The permissions for that folder and its contents enable me to delete the files.  However, when I move to the parent folder, and I have broken inheritance between the parent folder and the "SA" folder, and the "SA" folder has been assigned permissions to prevent me from deleting the "SA" folder - there is an expectation (from me, my boss, and others) that if I am in the parent folder and try to delete the "SA" folder, that the system should rightly prevent me from deleting the "SA" folder as well as its contents.

Perhaps this is too much to ask of Microsoft to incorporate that level of logic.

Thanks...DavidS
0
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22742227
dwstovall:

That is NOT possible.  You stated that you want, say Bob, to be able to create a file in the SA folder and to be able to put files into the SA folder.  You also want Bob to be able to delete individual files and folders in the SA folder.  Then you say you do not want Bob to be able to right-click on the SA folder and NOT delete any of the files and folders in the SA folder "accidentally?"

Now, what you CAN do is like I supplied.  You can prevent Bob from deleting the SA folder and only have read ability in the DS folder.  You can prevent Bob from creating and deleting more folders and files in the ITOPs folder (the parent of SA and DS).  But you CANNOT....I repeat CANNOT give Bob permissions to create files and folders in the SA folder and then prohibit his "accidentally" deleting them.
0
 
LVL 4

Accepted Solution

by:
Patrick49er earned 2000 total points
ID: 22742265
Just so you realize, this has nothing to do with "Perhaps this is too much to ask of Microsoft to incorporate that level of logic."  This has to do with the impossibility of completely dumbing proofing any system.
0
 

Author Comment

by:dwstovall
ID: 22958154
I have not abandoned this request.  I appreciate the assistance from all who participate, but I am curious why the advance permission seem to offer so many different option - applying permissions to "this folder only" and "to the contents only" and it seems that we should be able to accomplish this.  It there any way of contacting Microsoft to get further assistance?
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question