bruce_77

NTFS File permissions

Hi

I was wondering about default permissions given to new folders created on servers.

Let's say I have a Windows 2003 SP2 server part of company.com domain. I (Company\Bruce) am a member of the local administrators group of this server.

1. If I create a folder in D:\Test and create a file within this - I see that only the local Administrators group has access to this folder (along with SYSTEM). Should this be correct? Does this mean that anyone else logging onto the server or trying to connect via UNC doesn't have access?

2. If I wanted to give some Juniors access to the server but not local admin, I guess I could add them to the Remote Desktop group. But does this mean they can create folders, and if so - who has permissions to these? On my test server, users in the Remote Desktop group don't even have access to the D: drive, should this be the case?

3. Let's say I had a highly confidential folder on the server and I wanted only a few people to be able to have access to it (read only). Would I be correct in thinking that I needed to remove the Administrators group from that folder's NTFS permissions and manually add these users?
SOLUTION
Krzysztof Pytko
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
And I see I'm maintaining my ability to post almost at the same time as other experts....
If files & folders are THAT important then secondary security should be added: EFS or file-level encryption. Don't rely on anything (as Chris suggests) being protected from Admins, as they can always take ownership of files and alter the permissions.
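
An added example, not part of the original thread: because administrators can take ownership and rewrite permissions, as the comment above notes, this read-only PowerShell check reports when the owner or ACL of the restricted folder drifts from what was intended. The path, the account names and the expected owner are assumptions chosen for illustration.

```powershell
# Added example: read-only drift check for a restricted folder.
# All names below are hypothetical; substitute your own.
$Path          = 'D:\Test'
$ExpectedOwner = 'COMPANY\Bruce'
$Readers       = @('COMPANY\Reader1', 'COMPANY\Reader2', 'COMPANY\Reader3')
$AlsoAllowed   = @('NT AUTHORITY\SYSTEM')   # assumed: the app writing the file runs as SYSTEM

# Rights a read-only user may hold; anything outside this mask is reported.
$readMask = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

$acl      = Get-Acl -Path $Path
$findings = @()

# The owner can always rewrite the DACL, so ownership is checked first.
if ($acl.Owner -ne $ExpectedOwner) {
    $findings += "Owner is '$($acl.Owner)', expected '$ExpectedOwner'"
}

# With inheritance on, ACEs from the parent still flow into the folder.
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance is enabled on this folder'
}

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($AlsoAllowed -contains $who) { continue }
    if ($Readers -notcontains $who) {
        $findings += "Unexpected Allow ACE: $who ($($ace.FileSystemRights))"
        continue
    }
    # Known reader: flag any right beyond read/execute.
    # ACEs expressed as generic rights are flagged too (conservative).
    $extra = [int]$ace.FileSystemRights -band (-bnot $readMask)
    if ($extra -ne 0) {
        $findings += "$who has more than read access: $($ace.FileSystemRights)"
    }
}

if ($findings.Count -eq 0) {
    "OK: $Path matches the intended owner and ACL"
} else {
    $findings
}
```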
bruce_77

ASKER

Thanks all...couple of follow up questions if that's ok...

1. If I remove the local Administrators from the NTFS permissions of the Test folder and explicitly add the three users who should have read permission, then would I be correct in thinking that Admins won't be able to access even if they try and access remotely via "\\servername\d$\test" [unless they log onto the server to take ownership but see next question for that :) ]

2. Again, if I remove the local Admins from the NTFS permissions, is the only way they can then go back and access the file to take ownership, and then change the permissions? Or can then still change permissions anyway?

3. We looked into EFS - but the problem was that, from my understanding, you couldn't allow multiple users to access encrypted files easily - the only way to allow multiple users access to encrypted files was to

i) Give them access on the file itself rather than the folder (doesn't work for us since the file is created daily automatically by the app)

ii) The users who need access apparently need to encrypt a file themselves on the server (maybe to generate a certificate) before they can access the logs

Could someone confirm?
1. If I remove the local Administrators from the NTFS permissions of the Test folder and explicitly add the three users who should have read permission, then would I be correct in thinking that Admins won't be able to access even if they try and access remotely via "\\servername\d$\test" [unless they log onto the server to take ownership but see next question for that :) ]

Correct

2. Again, if I remove the local Admins from the NTFS permissions, is the only way they can then go back and access the file to take ownership, and then change the permissions? Or can then still change permissions anyway?

Also correct, but they may know access to other users, i.e. backup accounts which can access. Or they could get access to the file by exploiting their physical access (load the disk in another machine, but in practicality correct).

-------------

3. We looked into EFS - but the problem was that, from my understanding, you couldn't allow multiple users to access encrypted files easily - the only way to allow multiple users access to encrypted files was to

i) Give them access on the file itself rather than the folder (doesn't work for us since the file is created daily automatically by the app)

ii) The users who need access apparently need to encrypt a file themselves on the server (maybe to generate a certificate) before they can access the logs

------------

A user needs to encrypt a file to create the keys they need to encrypt or be given access to a file, you're right with the file only access, I don't believe EFS folder access is possible. But giving multiple people access is also fine since the file is encrypted with one key, which is then encrypted with the user's key, meaning internally multiple people can be given access to a file... that being said, it's stopped by your 'dynamic creation' issue... new files are insecure until they are encrypted.






1. Yes.

2. Should be. Yes.

3. We use GPG to sign files with multiple public keys, never tried using EFS for this (it would upset the Unix bods :))

Chris
Thanks

Regarding:

"A user needs to encrypt a file to create the keys they need to encrypt or be given access to a file, you're right with the file only access, I don't believe EFS folder access is possible. But giving multiple people access is also fine since the file is encrypted with one key, which is then encrypted with the user's key, meaning internally multiple people can be given access to a file... "

Sorry, I'm not sure I understand. Are you saying there's a way to give multiple users access to a file/folder without them having to encrypt another file first in order to generate a certificate for their username?
Multiple people can be given access to a single file, that's standard. The issue is that someone needs to encrypt a file FIRST to start the EFS process, when you encrypt your first file you get a key generated and then you can be given access to files, or encrypt files.

Once you have YOUR key... then multiple people can be given access to a single file easily. What you can't do to my knowledge is encrypt a folder.
Ah ok -

So, ignoring the application creating daily file, let's say I have a static file named D:\Temp\log.txt

If I wanted to encrypt this AND give multiple people access, is this possible without them having to encrypt another file first in order to create a certificate for themselves?
Every person who uses EFS needs to encrypt a file once.... once this is done their keys are created and they can be added to, or encrypt files themselves.

Once the initial step is done by each user... as many people can be added to log.txt as you wish.. as long as each user has already encrypted a file at some point in the past.
As an example

log.txt

User 1 encrypts : randomfile.txt
User 2 encrypts : randomfile2.txt
User 3 has never encrypted a file

User 1 can be added to log.txt, as can User 2, User 3 cannot.... that's how I understand EFS.
Got it!

And is that they need to encrypt a file per server that an encrypted file is held on? Or per domain?

So let's say there are two servers, Server1 and Server2.

User 1 encrypts : randomfile.txt on Server1
User 2 encrypts : randomfile2.txt on Server1
User 3 has never encrypted a file on Server1

Does this mean that User2 and User1 can also access encrypted files on Server2?

Taken from ( http://www.windowsecurity.com/articles/Implementing-EFS-Windows-Server-2003-Domain.html )

One change in EFS for Windows XP/2003, as compared to Windows 2000, is that encrypted files can be shared among multiple users. All users who share the encrypted file must have an EFS certificate on the computer on which it’s stored.

I'd imagine that if you have a domain based PKI (enterprise certification authority) as the keys are requested from the CA then it will be per domain... I personally haven't done EFS with a domain based CA so I can't comment 100% though the article above goes into great detail.

To be sure ... count on the fact that every user on each server needs a file encryption to gain the keys needed.
Actually scratch that, it seems in a domain environment the EFS user certificates are stored in AD allowing multi server use... so in your example users having files on server 1 should be able to access on server 2...

http://www.windowsecurity.com/articles/Understanding-EFS-Windows-2003.html
Any update on this one?