Naj Saqi asked:

Sharing Issue - Subfolders are accessible under prohibited ones...

Hi:

We are facing an issue regarding sharing and file permissions. We have made a folder (let's suppose X) on our File Server (Windows 2003 Server R2 Ent. Ed.) and enabled sharing permissions for all Users (including A and B groups). Now we made separate folders under X for A and B groups called Y and Z. Now we have given full control to A and B groups to Y and Z respectively. We want that they can't access each other's folders. Now one of the members of A group made a folder under its Y folder and gave access and direct UNC path to one of the members of B group. That member of B group can access the folder under the prohibited one. How could it be possible? Is it a bug?
igor-1965

Set share permissions to change, NTFS rights to "modify" to respective folders/groups. This way the users won't be able to amend security on subfolders.
Naj Saqi (ASKER)

No, this is not the issue. The question is: how could anyone access the subfolder who has no access to its parent folder?
I think you have NOT set the subfolders to inherit NTFS rights set on "root" folders.
It is inheriting, but I am saying that if someone adds another user in permissions then it works like that. I think it is a sharing bug. If I deny that user in Sharing permissions then she couldn't access that subfolder though she has file permission on that folder.
ASKER CERTIFIED SOLUTION
Quetzal

This solution is only available to members.
Great! That means it is too risky to remove Everyone from there? What can I do?
Quetzal

I'm not trying to discourage you from doing that. I've done this for some of the servers I manage because business requirements demanded that security. You just need to inform your users that you are making some changes that could have an impact so that they will let you know immediately if an issue arises. When I've converted mine, such issues did arise, but with some thoughtful analysis, it was generally straightforward as to how to fix the problem(s). There is no other way around this issue.
So what should I do? Check "Define these policy settings" and then add the user? Will it stop that user from going into the subfolder, or should I do something different? I have tried it like that but the user is still accessing that subfolder.
SOLUTION
This solution is only available to members.
Okay, it means it could be tested on servers only. I was testing on Windows XP :)
No, this is a function of NTFS.  XP has the same feature.
I don't think Traverse is the root of your problems. As I wrote, you have to revoke Full permissions from share / NTFS so your users won't be able to amend security.
Besides that, you might want to redesign your "layout" - if you have 2 groups that need access to 2 different folders it is much easier to create 2 network shares per each folder / group. Set share permissions to Change to each group and you won't need to bother about NTFS.
Hope it helps.
No, you are dealing with the right problem; we are facing the same one. In fact, we have many groups and their relevant folders as well. In fact, those users have full rights to their folders because they are the owners of their data and folders. I am dealing with this scenario because this is against our claim that no one can access your subfolders.
The original problem states that "member of B group can access the folder under the prohibited one".  This IS due to Bypass Traverse Checking.  It is not a bug.  If your intent is that access to subfolders requires appropriate permissions above it, then the solution I have outlined is your only recourse.

In one of my situations, the client wanted to allow access to certain subfolders but did not want those users with access to those folders to know of the existence or names of the parent folders. By disabling Bypass Traverse Checking, users of those folders could not traverse the folder hierarchy to their permitted folders (they were not allowed permission to see any of the parent folders). The subfolders were shared out and it was only by that share that these users could access those folders.
Hi Again:

Can we set this option for a specific folder or drive? Because we don't want it to affect the whole server.
Unfortunately no.  However, as I pointed out earlier, you can set it by groups or individual users so that you could test and do a controlled rollout.
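
An audit script for the situation discussed in this thread, added here as an example and not part of any participant's post: it reports which accounts hold the "Bypass traverse checking" user right (SeChangeNotifyPrivilege) and flags subfolders that carry explicit Allow entries for identities with no Allow entry on the parent folder. The root path `D:\Shares\X` is a hypothetical placeholder, the script must run elevated for `secedit`, and identities are compared by name only (group membership is not resolved), so hits are candidates for review.

```powershell
# Added example. $Root is a hypothetical path standing in for folder X from the question.
param([string]$Root = 'D:\Shares\X')

# 1. Export local user rights and report who holds "Bypass traverse checking".
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
Remove-Item $cfg
if ($line) {
    # Value is a comma-separated list of SIDs (prefixed with *) or account names.
    $holders = ($line -split '=', 2)[1].Trim()
    Write-Output "SeChangeNotifyPrivilege holders: $holders"
} else {
    Write-Output 'SeChangeNotifyPrivilege is not assigned to anyone in the export.'
}

# Identities with any Allow entry (inherited or explicit) on a folder.
function Get-AllowedIdentity([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

# 2. Flag explicit (non-inherited) Allow entries on subfolders whose identity
#    has no Allow entry on the parent. With bypass traverse checking in effect,
#    such a grant is reachable by direct path even though the parent is closed.
Get-ChildItem -Path $Root -Recurse |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_
        $parentAllowed = @(Get-AllowedIdentity $folder.Parent.FullName)
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $parentAllowed -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Folder   = $folder.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
```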