Solved

NTFS File permissions

Posted on 2010-08-24
17
245 Views
Last Modified: 2012-05-10
Hi

I was wondering about default permissions given to new folders created on servers.

Let's say I have a Windows 2003 SP2 server part of company.com domain. I (Company\Bruce) am a member of the local administrators group of this server.

1. If I create a folder in D:\Test and create file within this - I see that only the local Administrators group has access to thie folder (along with SYSTEM). Should this be correct? Does this mean that anyone else logging onto the server or trying to connect via UNC doesn't have access?

2. If I wanted to give some Juniors access to the server but not local admin, I guess I could add them to the Remote Desktop group. But does this mean they can create folders, and if so - who has permissions to these? On my test server, users in the Remote Desktop group dont even have access to the D: drive, should this be the case?

3. Let's say I had a highly confidential folder on the server and I wanted only a few people to be able to have access to it (read only). Would I be correct in thinking that I needed to remove the Administrators group from that folder's NTFS permissions and manually add these users?
0
Comment
Question by:bruce_77
  • 10
  • 4
  • 2
  • +1
17 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 100 total points
ID: 33509882
1) the no one than local administrators and system can access that folder and files. It is unavailable over network because you didn't share it. Those permissions work only locally.

2) If you add them to local group called Remote Desktop Users they will have only possibility to connect remotely with server and log on there. But they still will be regular users and if nowhere is set everyone group or users with some access they will be unable to use them. But normally they will be able to create new folders on local drives (you can prevent them if you want - let me know ;))

3) Yes, you have to set only few people on security tab that should have read-only access and of course you to manage it (but if they agree).

If you want to more details just let me know
0
 
LVL 20

Accepted Solution

by:
woolnoir earned 300 total points
ID: 33509887
1) By default you and the permissions inherited from the parent folder will have access to the file, you can configure the parent permissions as needed and they will trickle down to the file, with the owner/creator having access.

2) Adding them to the remote desktop group will provide them with access but it wont allow anything extra over and above interactive login to the server.  Access to the D drive isnt depending on the group per se, more on the permissions assigned to the drive/folder stricture.

3) On the folder you could configure permissions and remove inheritance from the permissions properties, and then add the specific access rights you need. Be careful to ensure that any backup software etc has access... if this is a consideration.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33509894
And i see i'm maintaining my ability to post almost at the same time as other experts....
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 100 total points
ID: 33509898

1. Yes, it does mean that someone else accessing the path would not have access.

2. They can only create folders if they have permission to create defined in the ACL on the parent folder. Should it be the case? Impossible to answer, "should" is subjective, it's entirely up to you what people do and don't have access to.

3. You would be fooling yourself in thinking that prevents Administrators getting in. Nothing will stop an administrator adding permissions back in (or taking ownership). Basically, System Administrators must be trusted otherwise they should not hold that position.

Chris
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33509918
If files & folders are THAT important then secondary security should be added EFS or file level encryption. Dont rely on anything (as Chris) suggests being protected from Admins as they can always take ownership of files and alter the permissions.
0
 
LVL 2

Author Comment

by:bruce_77
ID: 33512160
Thanks all...couple of follow up questions if that's ok...

1. If I remove the local Administrators from the NTFS permissions of the Test folder and explicity add the three users who should have read permission, then would I be correct in thinking that Admins won't be able to access even if they try and access remotely via "\\servername\d$\test" [unless they log onto the server to take ownership but see next question for that :) ]

2. Again, if I remove the local Admins from the NTFS permissions, is the only way they can then go back and access the file to take ownership, and then change the permissions? Or can then still change permissions anyway?

3. We looked into EFS - but the problem was that, from my understanding, you couldn't allow multiple users to access encrypted files easily - the only way to allow multiple users access to encrypted files was to

i) Give them access on the file itself rather than the folder (doesn't work for us since the file is created daily automatically by the app)

ii) The users who need access apparently need to encrypt a file themselves on the server (maybe to generate a certificate) before they can be access the logs

Could someone confirm?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512233
1. If I remove the local Administrators from the NTFS permissions of the Test folder and explicity add the three users who should have read permission, then would I be correct in thinking that Admins won't be able to access even if they try and access remotely via "\\servername\d$\test" [unless they log onto the server to take ownership but see next question for that :)

Correct

2. Again, if I remove the local Admins from the NTFS permissions, is the only way they can then go back and access the file to take ownership, and then change the permissions? Or can then still change permissions anyway?

Also correct, but they may know access to other users, i.e backup accounts which can access. Or they could get access to the file by exploiting their physical access (load the disk in another machine, but in practicality correct).

-------------

3. We looked into EFS - but the problem was that, from my understanding, you couldn't allow multiple users to access encrypted files easily - the only way to allow multiple users access to encrypted files was to

i) Give them access on the file itself rather than the folder (doesn't work for us since the file is created daily automatically by the app)

ii) The users who need access apparently need to encrypt a file themselves on the server (maybe to generate a certificate) before they can be access the logs

------------

A user needs to encrypt a file to create the keys they need to encrypt or be given access to a file, your right with the file only access, i dont believe EFS folder access is possible. But giving multiple people access is also fine since the file is encrypted with one key, which is then encrypted with the users key, meaning internally multiple people can be given access to a file... that being said, its stopped by your 'dynamic creation' issue... new files are insecure until they are encrypted.





0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33512238

1. Yes.

2. Should be. Yes.

3. We use GPG to sign files with multiple public keys, never tried using EFS for this (it would upset the Unix bods :))

Chris
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 2

Author Comment

by:bruce_77
ID: 33512515
Thanks

Regarding:

"A user needs to encrypt a file to create the keys they need to encrypt or be given access to a file, your right with the file only access, i dont believe EFS folder access is possible. But giving multiple people access is also fine since the file is encrypted with one key, which is then encrypted with the users key, meaning internally multiple people can be given access to a file... "

Sorry, I'm not sure I understand. Are you saying there's a way to give multiple users access to a file/folder without them having to encrypt another file first in order to generate a certificate for their username?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512562
multiple people can be given access to a single file, that's standard. The issue is that someone needs to encrypt a file FIRST to start the EFS process, when you encrypt your first file you get a key generated and then you can be given access to files, or encrypt files.

Once you have YOUR key... then multiple people can be given access to a single file easily. What you cant do to my knowledge is encrypt a folder.
0
 
LVL 2

Author Comment

by:bruce_77
ID: 33512718
Ah ok -

So, ignoring the application creating daily file, let's say I have a static file named D:\Temp\log.txt

If I wanted to encrypt this AND give multiple people access, is this possible without them having to encrypt another file first in other to create a certficate for themselves?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512786
Every person who uses EFS needs to encrypt a file once.... once this is done their keys are created and they can be added to, or encrypt files themselves.

Once the initial step is done by each user... as many people can be added to log.txt as you wish.. as long as each user has already encrypted a file at some point in the past.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512793
As an example

log.txt

User 1 encrypts : randomfile.txt
User 2 encrypts : randomfile2.txt
User 3 has never encrypted a file

User 1 can be added to log.txt, as can User2, user 3 cannot.... thats how i understand EFS.
0
 
LVL 2

Author Comment

by:bruce_77
ID: 33512830
Got it!

And is that they need to encrypt a file per server that an encrypted file is held on? Or per domain?

So let's say there are two servers, Server1 and Server2.

User 1 encrypts : randomfile.txt on Server1
User 2 encrypts : randomfile2.txt on Server1
User 3 has never encrypted a file on Server1

Does this mean that User2 and User1 can also access encrypted files on Server2?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512890

Taken from ( http://www.windowsecurity.com/articles/Implementing-EFS-Windows-Server-2003-Domain.html )

One change in EFS for Windows XP/2003, as compared to Windows 2000, is that encrypted files can be shared among multiple users. All users who share the encrypted file must have an EFS certificate on the computer on which it’s stored.

I'd imagine that if you have a domain based PKI (enterprise certification authority) as the keys are requested from the CA then it will be per domain... i personally havent done EFS with a domain based CA do i cant comment 100% though the article above goes into great details.

TO be sure ... count on the fact that every user on each server needs a file encryption to gain the keys needed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33512943
Actually scratch that, it seems in a domain envrironment the EFS user certificates are stored in AD allowing multi server use... so in your example users having files on server 1 should be able to access on server 2...

http://www.windowsecurity.com/articles/Understanding-EFS-Windows-2003.html
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33539830
Any update on this one ?
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now