Solved

How do I secure a folder with advanced NTFS permissions?

Posted on 2008-10-07
Last Modified: 2013-12-04
I need to better understand NTFS Folder and File permissions so that I can better protect a folder from deletion.

In the uploaded file: "Folder.gif", you can see the contents of the "ITOPS" folder.  I hope to use this folder for IT resources (documentation, tools, apps, etc).  It contains several "test" folders and files, along with an "SA" (SysAdmin) folder and a "DS" (Desktop Support) folder.  

I am using three security groups to control permissions:   ITOPS, ITOPS_SA, and ITOPS_DS.  Both the ITOPS_SA and ITOPS_DS groups are members of the ITOPS group.

I am also using "ABE" (Access-Based Enumeration) to control what's visible and accessible.  The ITOPS_SA group is applied to the SA folder, the ITOPS_DS group is applied to the DS folder, and the ITOPS group is applied to the ITOPS folder.  As a result of ABE, "DS" folks can see and access all but the "SA" folder, and "SA" folks can see and access all but the "DS" folder.

What I hope to accomplish is to protect the DS and SA folders from deletion by their respective group members while at the same time keeping the rest of the contents of the ITOPS folder under full control by either group.

Thanks...

I want to make the contents of this folder
Folder.gif
Question by:dwstovall
15 Comments
 
LVL 11

Expert Comment

by:loftyworm
I would use the deny feature.  Allow all the stuff you want, and deny the delete option.
0
 
LVL 4

Expert Comment

by:Patrick49er
NO!  Only use the Deny as a last step effort.  You will see this in plenty of documents stating such.  The explicit deny overrides everything if set incorrectly.  It is also difficult to troubleshoot.  Best practice is to set permission levels by groups.  Let me read over your problem and I will probably have a solution for you.
0
 
LVL 4

Expert Comment

by:Patrick49er
Offhand, here is the explanation on Delete and something you can take a look at on the folder.

Delete: Users can delete the file or folder. (If users don't have the Delete permission on a file or folder, they can still delete it if they have the Delete Subfolders And Files permission on the parent folder.)
The article discussing more on this is as follows:

http://articles.techrepublic.com.com/5100-10878_11-6084446.html?tag=rbxccnbtr1

Here are some articles on NTFS permissions:

http://articles.techrepublic.com.com/5100-10878_11-6059618.html?tag=rbxccnbtr1
http://articles.techrepublic.com.com/5100-10878_11-1055994.html?tag=rbxccnbtr1
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html  <- This article talks about the very limited use of Deny and warnings about using it.
0
 

Author Comment

by:dwstovall
Patrick49er,

I have tried every possible combination I can think of to achieve what I want with this folder, but it still is not doing what I want.  It doesn't seem like it should be out of the question to want to protect a folder and its contents from being deleted.

I applied the settings to remove the "delete" from the advanced permission, while allowing "create subfolders and files" and "delete subfolders and files."  However, when I clicked on the principal folder and tried to delete it, the folder would not delete, but all of its subfolders and files did delete.

David
0
 
LVL 4

Expert Comment

by:Patrick49er
When you did that, did you have it apply the settings to all child folders?  Are your child folders set to inherit from the parent folder?  The articles above are really good on getting an understanding of how NTFS permissions operate.

One problem with having the no delete option is that this includes not being able to edit the documents.  I have a folder that is set to only allow placing a file in the folder.  The "user" cannot then modify it because in order to modify, it is actually doing a delete on the original and placing a modified copy in the folder.  If this is the way you want to go, I can go look up the settings I have on that network folder for you.
0
 

Author Comment

by:dwstovall
Looking at the picture of the folder in the original question - this is a folder for the IT Operations group which consists of the DS - Desktop Support and the SA - SysAdmin folks.  The IT Ops folder is a place for SA's and DS's to store stuff that might apply to either group.  But notice that there is an SA folder and a DS folder each specifically for its respective group.  Only the SA's should get into the SA folder, and only DS's in the DS folder.  Either group should be able to freely add or delete folders and files in the IT Ops folder, but neither should be able to delete their respective DS or SA folder - but, they should be able to add or delete files and folders within their respective SA or DS folders.
0
 
LVL 4

Expert Comment

by:Patrick49er
Ok...here is what you do.

For the ITOPS group, you create a share to ITOPS folder and give that group the following share permission (not the security tab but the permissions button on the share tab) and then make sure that group has the security (NTFS) settings:

Read & Execute
List Folder Contents
Read

For the DS folder, right click and choose Properties.  Add the group ITOPS_DS.  Click on the Advanced button and remove the check box for inherit and then allow the permissions to be copied.  Once that is completed, remove the ITOPS group and edit the ITOPS_DS group for the following:

Everything checked except Full Control and Delete.

Perform the same for the SA folder but follow the procedure for the ITOPS_SA group.  Meaning, only have them access.

I keep Domain Admins with full on all my folders.  Setting the folders up this way will give each respective group control over their folder without giving them delete ability on the specific folder.  They can also create and delete folders and files within the ITOPS folder.
0
 

Author Comment

by:dwstovall
Thanks for the ideas and input so far, but I really don't want to use shares or make this more complicated than it needs to be.

I am deploying this sort of scheme across our entire "office" drive.

Simply put, I want to create a folder structure that can't be deleted or altered; however, I want authorized users (those belonging to specific security groups) to be able to add, delete, and modify files and folders beneath this structure.

Specifically, in the original question, I cite an "SA" folder beneath the "ITOPS" folder (Note the previous image).  Members of the "SG_C_Off_O-F_Tech-Group_ITOPS_SA" Security Group (not holding DomainAdmin rights) should be able to add, delete, and modify files and folders within the "SA" folder; however,  I don't want some overzealous clicker to delete the "SA" folder (or its contents, accidentally).

I have tried all sorts of combinations of "Advanced Security Settings" (note the most recent snapshot), and I've learned that I can have multiple configurations for the same security group (e.g., "This Folder Only" and "Subfolders and Files Only") and I've tried applying the "Apply these permissions to objects and/or containers within this container only."

However, bottom-line, I can configure it so that I can add and delete files and folders to the "SA" folder (as a member of the group), and I can configure it so that I can't delete the "SA" folder - the big glitch is that if I right-click and delete on the "SA" folder, it doesn't delete the "SA" folder, but it does delete everything in the "SA" folder.

The only thing I haven't tried (which will probably be the ultimate right answer) is to try using the "Replace permission entries on all child objects with entries shown here that apply to child objects."

Thanks...DavidS

satest2.gif
0
 
LVL 4

Expert Comment

by:Patrick49er
Then skip the share permissions side and just perform the NTFS security side I listed.  I tested this and it works.
0
 
LVL 4

Expert Comment

by:Patrick49er
"Members of the "SG_C_Off_O-F_Tech-Group_ITOPS_SA" Security Group (not holding DomainAdmin rights) should be able to add, delete, and modify files and folders within the "SA" folder; however,  I don't want some overzealous clicker to delete the "SA" folder (or its contents, accidentally)."

You will NOT be able to accomplish this.  Your scenario contradicts itself and is therefore not able to be done in this realm.  What I mean is, you CANNOT have a person have the ability to add, delete, and modify files and folders within the "SA" folder and NOT allow them to delete the files and folders within "SA" from a right-click on the "SA" folder.  Basically this is what you are trying to do:

Be able to delete within the folder but not delete when performing a right-click delete on the folder.  Do you see how you are saying on one hand I want them to be able to delete the files but not delete the files?

Now, what I have given you directions for above will prohibit an "overzealous" clicker from deleting the "SA" folder, but as long as that user has delete options within the folder and all subfolders, that user can wipe all contents out of the "SA" folder by doing a right-click delete.
0
 

Author Comment

by:dwstovall
Patrick49er,

I agree with your logic if I am in the "SA" folder.  The permissions for that folder and its contents enable me to delete the files.  However, when I move to the parent folder, and I have broken inheritance between the parent folder and the "SA" folder, and the "SA" folder has been assigned permissions to prevent me from deleting the "SA" folder - there is an expectation (from me, my boss, and others) that if I am in the parent folder and try to delete the "SA" folder, that the system should rightly prevent me from deleting the "SA" folder as well as its contents.

Perhaps this is too much to ask of Microsoft to incorporate that level of logic.

Thanks...DavidS
0
 
LVL 4

Expert Comment

by:Patrick49er
dwstovall:

That is NOT possible.  You stated that you want, say Bob, to be able to create a file in the SA folder and to be able to put files into the SA folder.  You also want Bob to be able to delete individual files and folders in the SA folder.  Then you say you do not want Bob to be able to right-click on the SA folder and NOT delete any of the files and folders in the SA folder "accidentally?"

Now, what you CAN do is like I supplied.  You can prevent Bob from deleting the SA folder and only have read ability in the DS folder.  You can prevent Bob from creating and deleting more folders and files in the ITOPs folder (the parent of SA and DS).  But you CANNOT....I repeat CANNOT give Bob permissions to create files and folders in the SA folder and then prohibit his "accidentally" deleting them.
0
 
LVL 4

Accepted Solution

by:
Patrick49er earned 500 total points
Just so you realize, this has nothing to do with "Perhaps this is too much to ask of Microsoft to incorporate that level of logic."  This has to do with the impossibility of completely dumb-proofing any system.
0
 

Author Comment

by:dwstovall
I have not abandoned this request.  I appreciate the assistance from all who participate, but I am curious why the advanced permissions seem to offer so many different options - applying permissions to "this folder only" and "to the contents only" and it seems that we should be able to accomplish this.  Is there any way of contacting Microsoft to get further assistance?
0
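
The NTFS-only layout discussed in this thread ("this folder only" versus "subfolders and files only" entries on the SA folder, plus the parent-folder rule about Delete Subfolders And Files), written out in PowerShell as an added example; it is not code from any poster. The path, the CONTOSO domain prefix, and the helper names New-AllowAce and Get-DeleteChildGrant are assumptions.

```powershell
# Added example. $Root, the CONTOSO prefix and both helper functions are assumptions.
$Root  = 'D:\Office\ITOPS'      # hypothetical location of the ITOPS folder
$Child = Join-Path $Root 'SA'
$Owner = 'CONTOSO\ITOPS_SA'     # group that works inside SA
$Outer = 'CONTOSO\ITOPS'        # parent group, removed from SA as in the thread

function New-AllowAce {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# 1. Stop inheriting from ITOPS, keeping a copy of the inherited entries.
$acl = Get-Acl -LiteralPath $Child
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Child -AclObject $acl

# 2. Drop every entry for both groups, then add the two scoped entries.
$acl = Get-Acl -LiteralPath $Child
foreach ($name in $Owner, $Outer) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}
# "This folder only": Modify without Delete, so SA itself cannot be removed.
$acl.AddAccessRule((New-AllowAce $Owner 'ReadAndExecute, Write' 'None' 'None'))
# "Subfolders and files only": full Modify, so everything below SA stays deletable.
$acl.AddAccessRule((New-AllowAce $Owner 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -LiteralPath $Child -AclObject $acl

# 3. Audit the parent: an Allow entry carrying Delete Subfolders And Files that
#    applies to ITOPS itself lets its holders delete SA despite step 2.
function Get-DeleteChildGrant {
    param([string]$Path)
    $bit  = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $only = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $bit) -and
        -not ($_.PropagationFlags -band $only)
    }
}
Get-DeleteChildGrant -Path $Root |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```

Any identity listed by step 3 that ITOPS_SA members belong to (Full Control includes the bit) needs its parent entry narrowed before the SA folder is actually protected. With these entries a delete started on SA still removes its contents, as the thread describes, because each child grants Delete to the group; only the SA folder itself survives.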
