Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Is there any way to exploit a windows share when NTFS permission restrict it?

Posted on 2011-09-30
4
Medium Priority
?
827 Views
Last Modified: 2012-05-12
Simple question:
If a Windows Share is set up with the permission Everyone - Full Access, and only the Domain Admins group is configured as having access to the folder through NTFS permissions, is there any way that share then becomes a security vulnerablity?

Windows server management 101 has always dictated that share vs NTFS = the most restrictive permission always applies.  that being the case, I wouldn't think it would matter from a security perspective what the share permission is set to as long as the folder's access is restricted by NTFS.

Historically, you always hear about how Windows shares open up security holes, however, I've never understood why it matters as long as NTFS is restricting access.  i want to make sure I'm not missing something...
0
Comment
Question by:patriots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
jrwarren earned 400 total points
ID: 36892632
There is a continual debate on share and share permissions.
   The old Set a share to Everyone - Full and lockdown via NTFS works, still.

However if only people internal to the domain are going to access the shares, I would suggest setting Domain Users to Full, this removes the Guest access from the equation.  Then use standard operating procedure for setting restrictive permissions on groups for the folder permissions.
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 600 total points
ID: 36892659
Hello

Windows Share have simple meaning = applying on shared object  
NTFS permission = is allowing you to restrict user to access object @ file system level

so if something is blocked on file system level (NTFS permission)  their is no possibility to access via share (even you have everyone full control )

Example : System Folder C:\Windows folder  share as Admin$ and only administrators have access to it  
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 600 total points
ID: 36892739
as system administrator its not a problem to share a folder to everyone , wear only administrator have NTFS access ,

but if you think security point of view , shared resources are less secured then non shared resource, its making more possibility to be affected by a virus  and expanding virus  to other system in your network

because of that some company even  do not allow  File and print sharing service on TCP level
0
 

Author Comment

by:patriots
ID: 36893501
I know that security standards organizations frown upon an open share on any server.  Fine, I get it.  However, knowing the mechanics of how share and NTFS permissions have worked together going all the way back to NT4, I fail to see why "Everyone - Full" is ever a danger from any malicious activity or software so long as NTFS is locked down.  About all that can happen is that the share is visible across the network, but if you can't right to the folder then what good is it for anyone with malicious intent.

The only way you could say that the open Share is a danger with NTFS locked down is if somehow NTFS security is compromised, and if that happens, then all bets are off and you could then access any part of the system regardless of share permission status.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question