Solved

Sharing Issue - Subfolders are accessible under prohibited ones...

Posted on 2009-03-29 | 247 Views | Last Modified: 2013-12-02
Hi:

We are facing an issue regarding sharing and file permissions. We have made a folder (let's suppose X) on our File Server (Windows 2003 Server R2 Ent. Ed.) and enabled sharing permissions for all Users (including A and B groups). Now we made separate folders under X for A and B groups called Y and Z. Now we have given full control to A and B groups to Y and Z respectively. We want that they can't access each other's folders. Now one of the members of A group made a folder under its Y folder and gave access and a direct UNC path to one of the members of B group. That member of B group can access the folder under the prohibited one. How could it be possible, is it a bug?
Question by: A1opus

16 Comments

Expert Comment by: igor-1965 (LVL 14), ID: 24012177

Set share permissions to change, NTFS rights to "modify" to respective folders/groups. This way the users won't be able to amend security on subfolders.
 
Author Comment by: A1opus (LVL 2), ID: 24012207

No, this is not the issue. The question is this: how could anyone access the subfolder who has no access to its parent folder?
 
Expert Comment by: igor-1965 (LVL 14), ID: 24012268

I think you have NOT set the subfolders to inherit NTFS rights set on "root" folders.
 
Author Comment by: A1opus (LVL 2), ID: 24012368

It is inheriting, but I am saying that if someone adds another user in permissions then it works like that. I think it is a sharing bug. If I deny that user in Sharing permissions then she couldn't access that subfolder, though she has file permission on that folder.
 
Accepted Solution by: Quetzal (LVL 11), earned 500 total points, ID: 24012396

This issue is due to the fact that a user rights assignment, Bypass Traverse Checking, is disabled by default for all users.  See http://technet.microsoft.com/en-us/library/cc739389.aspx.  This means that a UNC to a permitted folder is allowed, even though access to a parent folder is not.  Enabling traverse checking will require appropriate permissions through all parent folders, even with a direct UNC path.

When you first enable this feature, you may be surprised at how many instances you have that made use of the disabled feature.  You will have to add appropriate security to parent folders to fix these issues.
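The effect Quetzal describes can be checked folder by folder before the policy is changed. The PowerShell script below is an added example, not code from this thread or from Microsoft: it walks from a subfolder up to the share root and reports, at each level, which of the principals you list hold an Allow entry carrying the NTFS Traverse right and which are Denied it. Every level with no Allow for the user or any of the user's groups is a level a direct UNC path skips only while the user still holds the "Bypass traverse checking" user right (SeChangeNotifyPrivilege); once that right is withdrawn, access stops at the first such level. All paths and account names are placeholders, and the principal list is assumed to be supplied by the administrator (the script does not expand group membership itself).

```powershell
# Added example for this thread (not the thread's own code). Walks from a subfolder up to
# the share root and shows, per level, the Traverse Allow/Deny entries for a set of principals.
# All paths and principal names below are placeholders; replace them with your own.

$SubFolder  = 'D:\Shares\X\Y\SharedWithB'   # assumed: the folder a group-B member reached by UNC
$ShareRoot  = 'D:\Shares\X'                 # assumed: the local folder behind the share
# assumed: the user being checked plus every group the account belongs to (not expanded here)
$Principals = @('CONTOSO\bmember', 'CONTOSO\GroupB', 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# The Traverse right (same bit as ExecuteFile) is what passing through a folder requires.
$TraverseBit = [int][System.Security.AccessControl.FileSystemRights]::Traverse

function Get-LevelReport {
    param([string]$Folder)
    $acl     = Get-Acl -Path $Folder
    $matches = @($acl.Access | Where-Object { $Principals -contains $_.IdentityReference.Value })
    $allowT  = @($matches | Where-Object { $_.AccessControlType -eq 'Allow' -and ((([int]$_.FileSystemRights) -band $TraverseBit) -ne 0) })
    $denyT   = @($matches | Where-Object { $_.AccessControlType -eq 'Deny'  -and ((([int]$_.FileSystemRights) -band $TraverseBit) -ne 0) })
    New-Object PSObject -Property @{
        Folder        = $Folder
        AllowTraverse = ($allowT | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        DenyTraverse  = ($denyT  | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        # Deny is evaluated before Allow in NTFS, so any matching Deny closes the level.
        CanTraverse   = ($allowT.Count -gt 0 -and $denyT.Count -eq 0)
    }
}

$level  = (Resolve-Path $SubFolder).Path.TrimEnd('\')
$root   = (Resolve-Path $ShareRoot).Path.TrimEnd('\')
$report = @()
while ($true) {
    $report += Get-LevelReport -Folder $level
    if ($level -ieq $root) { break }
    $parent = Split-Path -Parent $level
    # Stop if we reach a drive root without meeting the share root (wrong $ShareRoot given).
    if (-not $parent -or ($parent.TrimEnd('\') -ieq $level)) { break }
    $level = $parent.TrimEnd('\')
}

# Deepest folder is printed first; the first level showing CanTraverse = False is where
# access stops once "Bypass traverse checking" no longer applies to this user.
$report | Select-Object Folder, CanTraverse, AllowTraverse, DenyTraverse | Format-Table -AutoSize -Wrap
```

Run it on the file server against the local path behind the share, as an account that can read the ACLs. It only inspects the NTFS layer; share permissions (the Everyone entry the asker mentions) are a separate check, and the result is only as complete as the group list you pass in.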
 
Author Comment by: A1opus (LVL 2), ID: 24012449

Great! It means it is too risky to remove Everyone from there? What can I do?
 
Expert Comment by: Quetzal (LVL 11), ID: 24012481

I'm not trying to discourage you from doing that.  I've done this for some of the servers I manage because business requirements demanded that security.  You just need to inform your users that you are making some changes that could have an impact so that they will let you know immediately if an issue arises.  When I've converted mine, such issues did arise, but with some thoughtful analysis, it was generally straightforward as to how to fix the problem(s).  There is no other way around this issue.
 
Author Comment by: A1opus (LVL 2), ID: 24012693

So what should I do? Check "Define these policy settings" and then add the user? Will it stop that user from going into the subfolder, or should I do something different? I have tried it like that but still the user is accessing that subfolder.
 
Assisted Solution by: Quetzal (LVL 11), earned 500 total points, ID: 24012716

You can deploy this setting by GPO if there are a number of servers that you would like to configure in this way.  Or, you can use Local Security Policy for a single server.

When you add users to this policy, it enables bypass, that is, it enables the behavior you do not want.  Because this policy typically includes Everyone or Users by default, you're going to need to remove these all-inclusive groups.  Doing this disables bypass for everyone, giving the behavior you do want.  If you want to test it or just implement for some users, create a group that includes everyone *except* for the users for whom you want to disable bypass and add this group to the policy.
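Whether Everyone and Users have really been removed, and who is left holding the right, can be read back from the machine rather than from the policy editor. The script below is an added example, not code from this thread or from Microsoft: it exports the user-rights section of the security policy with secedit.exe (present on Windows XP, Server 2003 and later) and lists the accounts assigned SeChangeNotifyPrivilege, the privilege that Local Security Policy and GPO display as "Bypass traverse checking". It assumes an administrator session; if the setting is deployed by GPO, run it after the policy has refreshed on the server (gpupdate /force). Flagging S-1-1-0 (Everyone) and S-1-5-32-545 (Users) as the broad groups is this example's own check, based on Quetzal's advice above.

```powershell
# Added example for this thread (not the thread's own code). Exports the [Privilege Rights]
# section of the local security policy and lists who holds SeChangeNotifyPrivilege
# ("Bypass traverse checking"). Run before and after the change to confirm the result.

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
if (Test-Path $inf) { Remove-Item $inf }

# /areas USER_RIGHTS limits the export to the user-rights assignments.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an administrator session" }

function Get-BypassTraverseHolders {
    param([string]$ExportFile)
    # The exported line looks like:
    #   SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
    $line = Get-Content $ExportFile | Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }     # assigned to nobody: bypass is off for everyone
    $values = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($v in $values) {
        $v = $v.Trim()
        if ($v -eq '') { continue }
        if ($v.StartsWith('*')) {
            # A leading '*' marks a SID; translate it to an account name where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(could not resolve)' }
            New-Object PSObject -Property @{ Sid = $sid.Value; Account = $name }
        } else {
            # Entries may also be stored as plain account names.
            New-Object PSObject -Property @{ Sid = ''; Account = $v }
        }
    }
}

$holders = @(Get-BypassTraverseHolders -ExportFile $inf)
Remove-Item $inf

if ($holders.Count -eq 0) {
    "No account holds 'Bypass traverse checking' on this machine."
} else {
    $holders | Select-Object Account, Sid | Format-Table -AutoSize
    # S-1-1-0 is Everyone and S-1-5-32-545 is BUILTIN\Users: the all-inclusive groups to remove.
    $broad = @($holders | Where-Object { $_.Sid -eq 'S-1-1-0' -or $_.Sid -eq 'S-1-5-32-545' })
    if ($broad.Count -gt 0) {
        "Broad groups still hold the right: " + (($broad | ForEach-Object { $_.Account }) -join ', ')
    }
}
```

The export shows the policy as assigned to accounts and groups. For the view from a particular signed-in user's token, "whoami /priv" (where whoami.exe is available) lists SeChangeNotifyPrivilege only when that user actually holds it, which is the quickest way to confirm the controlled rollout by group that Quetzal describes.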
 
Author Comment by: A1opus (LVL 2), ID: 24013466

Okay, it means it can be tested on servers only. I was testing on Windows XP :)
 
Expert Comment by: Quetzal (LVL 11), ID: 24013513

No, this is a function of NTFS.  XP has the same feature.
 
Expert Comment by: igor-1965 (LVL 14), ID: 24016475

I don't think Traverse is the root of your problems. As I wrote, you have to revoke Full permissions from share / NTFS so your users won't be able to amend security.
Besides that, you might want to redesign your "layout" - if you have 2 groups that need access to 2 different folders it is much easier to create 2 network shares, one for each folder / group. Set share permissions to Change for each group and you won't need to bother about NTFS.
Hope it helps.
 
Author Comment by: A1opus (LVL 2), ID: 24016653

No, you are dealing with the right problem, we are facing the same one. In fact, we have many groups and their relevant folders as well. In fact, those users have full rights on their folders because they are the owners of their data and folders. I am dealing with this scenario because this is against our claim that no one can access your subfolders.
 
Expert Comment by: Quetzal (LVL 11), ID: 24018038

The original problem states that "member of B group can access the folder under the prohibited one".  This IS due to Bypass Traverse Checking.  It is not a bug.  If your intent is that access to subfolders requires appropriate permissions above it, then the solution I have outlined is your only recourse.

In one of my situations, the client wanted to allow access to certain subfolders but did not want those users with access to those folders to know of the existence or names of the parent folders.  By disabling Bypass Traverse Checking, users of those folders could not traverse the folder hierarchy to their permitted folders (they were not allowed permission to see any of the parent folders).  The subfolders were shared out and it was only by that share that these users could access those folders.
 
Author Comment by: A1opus (LVL 2), ID: 24026617

Hi Again:

Can we set this option for a specific folder or drive? Because we don't want it to affect the whole server.
 
Expert Comment by: Quetzal (LVL 11), ID: 24029371

Unfortunately no.  However, as I pointed out earlier, you can set it by groups or individual users so that you could test and do a controlled rollout.
