Share Permissions

Posted on 2010-11-29
Last Modified: 2012-05-10
Can anyone explain to me why, when you run Sysinternals AccessEnum against a specific share/directory, it always tends to find hits when you select

select files with permissions less restrictive than the parent

I don't really understand why it does or should; surely if you set permissions at root level they should inherit all the way down. Otherwise there is a real risk of someone brute forcing a directory,

i.e. \\localhost\e$\backup\, and if backup has less restrictive permissions than the root of e$ then people may well get access.
Question by:pma111
13 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 800 total points
ID: 34229543

> they should inherit all the way down

This is entirely optional for two reasons:

1. You can disable inheritance for specific objects (files or folders)
2. You can add explicit entries to an access control list, explicit entries are preferred over inherited entries

Chris
 
LVL 3

Author Comment

by:pma111
ID: 34229634
With regard to point 2, can you give me some links to research that further, as I am not aware of that issue? Or perhaps elaborate a bit further on how it works, say for a \backup directory containing a .bkf file?
 
LVL 5

Assisted Solution

by:danubian
danubian earned 100 total points
ID: 34229671
On an NTFS partition the share permissions are combined with the NTFS permissions. So, if you also assign permissions correctly at the share level, NTFS inheritance doesn't break security.
And your example with e$ is on an administrative share...

Files/folders moved on the same partition preserve their permissions. To inherit the parent folder permissions, they need to be copied, not moved.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34229675

You might have this, for instance:
c:\backup         - (Explicit) Administrators: Full Control
                  - (Explicit) Users: Read
                  - Inheritance Disabled

c:\backup\1.bkf   - (Implicit) Administrators: Full Control
                  - (Implicit) Users: Read
                  - (Explicit) John Doe: Full Control
                  - Inheritance Enabled


Each of the Explicit rights is directly assigned to that file or folder, and each of the Implicit rights is inherited. We can see that 1.bkf inherits two rights from the parent (c:\backup), and that it also has two other rights assigned.

The last two are normally what AccessEnum refers to. John Doe has more rights than a group like "Users" would ordinarily give.

Does that help?

Chris
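The comparison AccessEnum makes can be reproduced with Get-Acl. The script below is an added example, not code from the thread or from Sysinternals: it walks a tree and reports every Allow entry on a file or folder that grants an identity rights its parent does not grant, together with whether that entry is explicit and whether inheritance is disabled on the object. The root path is an assumption, and AccessEnum's exact rules are not published, so treat this as an approximation of its "less restrictive than the parent" report.

```powershell
# Added example: approximate AccessEnum's "less restrictive than parent" report.
# $Root is an assumption; run as a user who can read ACLs on the whole tree.
param([string]$Root = 'E:\backup')

# Union of Allow rights per identity on one object. Deny entries are ignored,
# so a parent Deny that does not propagate is not detected by this script.
function Get-AllowMap {
    param([string]$Path)
    $map = @{}
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $map[$id] = ([int]$map[$id]) -bor ([int]$ace.FileSystemRights)
    }
    return $map
}

function Find-LessRestrictive {
    param([string]$Root)
    $parentCache = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $path   = $_.FullName
        $parent = [System.IO.Path]::GetDirectoryName($path)
        if (-not $parentCache.ContainsKey($parent)) {
            $parentCache[$parent] = Get-AllowMap -Path $parent
        }
        $parentMap = $parentCache[$parent]
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            # Bits the child grants this identity that the parent does not.
            $extra = ([int]$ace.FileSystemRights) -band (-bnot ([int]$parentMap[$id]))
            if ($extra -ne 0) {
                [pscustomobject]@{
                    Path                = $path
                    Identity            = $id
                    ExtraRights         = [System.Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $extra)
                    Explicit            = -not $ace.IsInherited
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                }
            }
        }
    }
}

Find-LessRestrictive -Root $Root | Format-Table -AutoSize
```

In Chris's c:\backup example this prints one line for 1.bkf: John Doe with Full Control as the extra rights, Explicit = True. An object whose inheritance is disabled (InheritanceDisabled = True) is worth reviewing even when it grants nothing extra today, because future changes at the root will no longer reach it.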
 
LVL 3

Author Comment

by:pma111
ID: 34229685
I don't think that's true about the dollar sign automatically being an admin share. I know admin shares do have a $, but I've seen many non-admin shares where the share has a $ to hide it from casual browsing in Explorer.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34229715

Just a quick addendum: I've deliberately avoided "Share" permissions at this stage. The inheritance model doesn't really apply to rights granted at Share level, only NTFS.

When combining Share rights there are two things you should note:

  - Share permissions apply to everything in the share, at every level
  - The most restrictive permission applies between NTFS and Share (if Share says Read-Only you cannot make one file writable using NTFS)

Chris
 
LVL 3

Author Comment

by:pma111
ID: 34229722
Chris, yes, makes sense. Out of interest, what is your advice if, say, you have a directory

\\localhost\team1 and all people who are in team1 need access. This is a reserved area of a file server set aside for a specific team, and storage at company x is sparse, so you can't ask for this share for this and this directory for something else.

However, in \\localhost\team1\staffappraisals

are users' individual team appraisals, so not every member of team1 requires access to each other's appraisal. Is this where explicit ACLs are set to not inherit the root permissions and set to, i.e., manager plus relevant staff member, or are there more secure ways of structuring your directories in that case? Hope that makes sense.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34229725

> I dont think thats true about the dollar sign automatically being an admin shaer.

You're correct. It denotes a Hidden share. E$ is a hidden share that is likely to be an automatically created administrative share.

Chris
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34229758

It's up to you, but I tend to use one of the two options below.

I prefer to keep inheritance enabled where possible, and I never grant anyone but administrative users Full Control on the NTFS level. I don't like people messing with permissions, they tend to remove things they shouldn't and stop backup jobs working.

SHARE:

\\localhost\team1 
  - Everyone (or just team1) Full Control

NTFS:

\\localhost\team1 
  - (Implicit) Administrators: Full Control
  - (Implicit) SYSTEM: Full Control
  - (Explicit) Team1: Modify
  - Inheritance Enabled

NTFS Sub-Directory OPTION 1:

\\localhost\team1\staffappraisals   
  - (Implicit) Administrators: Full Control
  - (Implicit) SYSTEM: Full Control
  - (Explicit) Users: Read (DENY)
  - (Explicit) HR Person: Modify
  - Inheritance Enabled

NTFS Sub-Directory OPTION 2:

\\localhost\team1\staffappraisals   
  - (Explicit) Administrators: Full Control
  - (Explicit) SYSTEM: Full Control
  - (Explicit) HR Person: Modify
  - Inheritance Disabled

Chris
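Both layouts can be applied from PowerShell with Get-Acl and Set-Acl. The script below is an added example, not part of Chris's answer: by default it implements Option 2 (inheritance disabled, only explicit Administrators, SYSTEM and HR entries), and with -UseDeny it implements Option 1 with the team group in place of "Users", as Chris corrects later in the thread. The folder path, domain name, HR account and group name are assumptions.

```powershell
# Added example: apply Option 2 (default) or Option 1 (-UseDeny) to the
# appraisals folder. Path and principals are assumptions for illustration.
param(
    [string]$Path      = 'D:\Shares\team1\staffappraisals',
    [string]$HrAccount = 'CORP\hr.person',
    [string]$TeamGroup = 'CORP\Team1',
    [switch]$UseDeny
)

# Entries apply to the folder itself and to everything created beneath it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Type)
    $ctorArgs = @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $inherit,
        $propagate,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

$acl = Get-Acl -LiteralPath $Path

if ($UseDeny) {
    # Option 1: keep inheriting Administrators/SYSTEM/Team1 from \team1, add an
    # explicit Deny for the team and an explicit Allow for HR. Windows evaluates
    # explicit Deny entries before any Allow, so the HR account must not itself
    # be a member of $TeamGroup or it will be denied as well.
    $acl.SetAccessRuleProtection($false, $false)
    $acl.AddAccessRule((New-Ace $TeamGroup 'ReadAndExecute' 'Deny'))
    $acl.AddAccessRule((New-Ace $HrAccount 'Modify' 'Allow'))
} else {
    # Option 2: stop inheriting. The second $false discards the inherited
    # entries rather than copying them as explicit ones; then remove whatever
    # explicit entries were already there so the list is exactly what we set.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))
    $acl.AddAccessRule((New-Ace $HrAccount 'Modify' 'Allow'))
}

Set-Acl -LiteralPath $Path -AclObject $acl

# Show the result, one line per entry, with whether it is explicit or inherited.
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

One caveat on Option 1 as written: a Deny of Read only removes the read bits. The Modify entry inherited from \team1 still carries Write, so team members could still create files they cannot see. Denying Modify (or Full Control) instead closes that, and it is one reason Option 2 is easier to reason about: everything the folder grants is listed on the folder.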
 
LVL 6

Assisted Solution

by:ipajones
ipajones earned 100 total points
ID: 34229769
You're correct in that the '$' sign simply refers to a 'hidden' share, and any share created can be hidden by using the '$' suffix.  However, c$, e$ and admin$ etc are default admin shares created when the OS was installed.

Best practice with NTFS file systems is to simply leave the share permissions on created shares with everyone having full control.  You then manage security using the assigned NTFS permissions.  As chris-dent has already stated these can be either inherited or explicitly defined.  Any explicitly defined permissions always take precedence over inherited ones.

--IJ
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34229780

Edit: Please replace "Users" in option 1 with Team1, it was supposed to represent a deny for the thing we allowed on the parent.

Chris
 
LVL 3

Author Comment

by:pma111
ID: 34229914
Interesting comment about:

>Files/folders moved on the same partition preserve their permissions. To inherit the parent folder permissions, they need to be copied, not moved.

I didn't know that!
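The move-versus-copy behaviour is easy to check for yourself. The script below is an added experiment, not from the thread: it creates a file with an explicit entry for the current user (a stand-in for the "John Doe" entry in Chris's example), copies and moves it into a sibling folder on the same volume, and prints each result's entries with their IsInherited flag. It works under %TEMP% so it needs no special rights, and it removes its test folder afterwards.

```powershell
# Added experiment: explicit ACEs survive a same-volume move but not a copy.
$base = Join-Path $env:TEMP ('acl-move-test-' + [guid]::NewGuid().ToString('N'))
$src  = New-Item -ItemType Directory -Path (Join-Path $base 'src') -Force
$dst  = New-Item -ItemType Directory -Path (Join-Path $base 'dst') -Force
$file = New-Item -ItemType File -Path (Join-Path $src.FullName 'report.bkf') -Force

# Put an explicit Full Control entry for the current user on the file.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -LiteralPath $file.FullName
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -LiteralPath $file.FullName -AclObject $acl

function Show-Entries {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object @{ n = 'File'; e = { Split-Path -Leaf $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

$copied = Join-Path $dst.FullName 'copied.bkf'
$moved  = Join-Path $dst.FullName 'moved.bkf'
Copy-Item -LiteralPath $file.FullName -Destination $copied
Move-Item -LiteralPath $file.FullName -Destination $moved

# copied.bkf is a new file and carries only entries inherited from dst;
# moved.bkf keeps the explicit entry for $me (IsInherited = False).
@(Show-Entries $copied) + @(Show-Entries $moved) | Format-Table -AutoSize

Remove-Item -LiteralPath $base -Recurse -Force
```

Look at the IsInherited column rather than assuming: the explicit entry is what survives the move, while what happens to the inherited entries depends on how the move was performed, since Explorer re-applies the destination's inherited entries on a move and a raw MoveFile (which is what Move-Item uses) does not. That is exactly the sort of entry AccessEnum's "less restrictive than the parent" report is there to catch.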
 
LVL 5

Expert Comment

by:danubian
ID: 34230031
ipajones:
Best practice with NTFS file systems is to simply leave the share permissions on created shares with everyone having full control.  


I strongly disagree with this being a "best practice"...
