Sharing Issue - Subfolders are accessible under prohibited ones...

Hi:

We are facing an issue regarding sharing and file permissions. We have made a folder (let's suppose X) on our File Server (Windows 2003 Server R2 Ent. Ed.) and enabled sharing permissions for all Users (including A and B groups). Now we made separate folders under X for A and B groups called Y and Z. Now we have given full control to A and B groups to Y and Z respectively. We want that they can't access each other's folders. Now one of the members of A group made a folder under its Y folder and gave access and the direct UNC path to one of the members of B group. That member of B group can access the folder under the prohibited one. How could it be possible? Is it a bug?
A1opus Asked:
 
Quetzal Commented:
This issue is due to the fact that a user rights assignment, Bypass Traverse Checking, is disabled by default for all users.  See http://technet.microsoft.com/en-us/library/cc739389.aspx.  This means that a UNC to a permitted folder is allowed, even though access to a parent folder is not.  Enabling traverse checking will require appropriate permissions through all parent folders, even with a direct UNC path.

When you first enable this feature, you may be surprised at how many instances you have that made use of the disabled feature.  You will have to add appropriate security to parent folders to fix these issues.
0
 
igor-1965 Commented:
Set share permissions to change, NTFS rights to "modify" to respective folders/groups. This way the users won't be able to amend security on subfolders.
0
 
A1opus (Author) Commented:
No, this is not the issue. The question is: how could anyone who has no access to the parent folder access the subfolder?
0
 
igor-1965 Commented:
I think you have NOT set the subfolders to inherit NTFS rights set on "root" folders.
0
 
A1opus (Author) Commented:
It is inheriting, but I am saying that if someone adds another user in permissions then it works like that. I think it is a sharing bug. If I deny that user in Sharing permissions then she couldn't access that subfolder though she has file permission on that folder.
0
 
A1opus (Author) Commented:
Great! It means it is too risky to remove Everyone from there? What can I do?
0
 
Quetzal Commented:
I'm not trying to discourage you from doing that.  I've done this for some of the servers I manage because business requirements demanded that security.  You just need to inform your users that you are making some changes that could have an impact so that they will let you know immediately if an issue arises.  When I've converted mine, such issues did arise, but with some thoughtful analysis, it was generally straightforward as to how to fix the problem(s).  There is no other way around this issue.
0
 
A1opus (Author) Commented:
So what should I do? Check "Define these policy settings" and then add the user? Will it stop that user from going into the subfolder, or should I do something different? I have tried like that but still the user is accessing that subfolder.
0
 
Quetzal Commented:
You can deploy this setting by GPO if there are a number of servers that you would like to configure in this way.  Or, you can use Local Security Policy for a single server.

When you add users to this policy, it enables bypass, that is, it enables the behavior you do not want.  Because this policy typically includes Everyone or Users by default, you're going to need to remove these all-inclusive groups.  Doing this disables bypass for everyone, giving the behavior you do want.  If you want to test it or just implement for some users, create a group that includes everyone *except* for the users for whom you want to disable bypass and add this group to the policy.
0
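The policy semantics described in the answer above, as a small model of the thread's X / Y / Z layout. This is an added example, not part of the thread and not Windows code: the user names `alice` and `bob`, the subfolder name `shared`, and the pilot group `KeepBypass` are constructed, and "being on a folder's ACL" stands in for having permission to open or traverse it.

```python
from pathlib import PureWindowsPath

# Constructed data modelling the thread's layout (not real Windows objects).
GROUPS = {
    "alice": {"A", "Everyone", "KeepBypass"},  # member of group A
    "bob": {"B", "Everyone"},                  # member of group B
}
# Folder -> principals whose NTFS permissions let them open/traverse it.
ACLS = {
    "X": {"Everyone"},
    "X\\Y": {"A"},
    "X\\Z": {"B"},
    "X\\Y\\shared": {"A", "bob"},  # alice added bob on her own subfolder
}


def principals(user):
    """The user name plus every group the user belongs to."""
    return {user} | GROUPS[user]


def can_open(user, path, bypass_holders):
    """Return True if `user` can open `path` when it is given as a full path.

    bypass_holders: principals listed in the Bypass Traverse Checking policy.
    A holder is checked against the target folder's ACL only; anyone else
    must also be allowed on every parent folder along the path.
    """
    parts = PureWindowsPath(path).parts
    chain = ["\\".join(parts[:i]) for i in range(1, len(parts) + 1)]
    if principals(user) & set(bypass_holders):
        chain = chain[-1:]  # parent folders are not checked
    return all(principals(user) & ACLS[folder] for folder in chain)


if __name__ == "__main__":
    target = "X\\Y\\shared"
    # Policy holds Everyone, nobody, then only the pilot group without bob.
    for holders in ({"Everyone"}, set(), {"KeepBypass"}):
        print(sorted(holders), {u: can_open(u, target, holders) for u in GROUPS})
```

With `Everyone` in the policy, `bob` reaches `X\Y\shared` even though `X\Y` excludes him; with the policy emptied, or holding only a group he is not in, the check on `X\Y` stops him.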
 
A1opus (Author) Commented:
Okay, it means it could be tested on servers only. I was testing on Windows XP :)
0
 
Quetzal Commented:
No, this is a function of NTFS.  XP has the same feature.
0
 
igor-1965 Commented:
I don't think Traverse is the root of your problems. As I wrote, you have to revoke Full permissions from share / NTFS so your users won't be able to amend security.
Besides that, you might want to redesign your "layout" - if you have 2 groups that need access to 2 different folders it is much easier to create 2 network shares per each folder / group. Set share permissions to Change to each group and you won't need to bother about NTFS.
Hope it helps.
0
 
A1opus (Author) Commented:
No, you are dealing with the right problem; we are facing the same one. In fact, we have many groups and their relevant folders as well. In fact, those users have full rights to their folders because they are owners of their data and folders. I am dealing with this scenario because this is against our claim that no one can access your subfolders.
0
 
Quetzal Commented:
The original problem states that "member of B group can access the folder under the prohibited one".  This IS due to Bypass Traverse Checking.  It is not a bug.  If your intent is that access to subfolders requires appropriate permissions above it, then the solution I have outlined is your only recourse.

In one of my situations, the client wanted to allow access to certain subfolders but did not want those users with access to those folders to know of the existence or names of the parent folders.  By disabling Bypass Traverse Checking, users of those folders could not traverse the folder hierarchy to their permitted folders (they were not allowed permission to see any of the parent folders).  The subfolders were shared out and it was only by that share that these users could access those folders.
0
 
A1opus (Author) Commented:
Hi Again:

Can we set this option for a specific folder or drive? Because we don't want it to affect the whole server.
0
 
Quetzal Commented:
Unfortunately no.  However, as I pointed out earlier, you can set it by groups or individual users so that you could test and do a controlled rollout.  
0
Question has a verified solution.
