Link to home
Start Free TrialLog in
Avatar of patriots
patriots

asked on

Is there any way to exploit a windows share when NTFS permission restrict it?

Simple question:
If a Windows Share is set up with the permission Everyone - Full Access, and only the Domain Admins group is configured as having access to the folder through NTFS permissions, is there any way that share then becomes a security vulnerablity?

Windows server management 101 has always dictated that share vs NTFS = the most restrictive permission always applies.  that being the case, I wouldn't think it would matter from a security perspective what the share permission is set to as long as the folder's access is restricted by NTFS.

Historically, you always hear about how Windows shares open up security holes, however, I've never understood why it matters as long as NTFS is restricting access.  i want to make sure I'm not missing something...
ASKER CERTIFIED SOLUTION
Avatar of jrwarren
jrwarren
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of patriots
patriots

ASKER

I know that security standards organizations frown upon an open share on any server.  Fine, I get it.  However, knowing the mechanics of how share and NTFS permissions have worked together going all the way back to NT4, I fail to see why "Everyone - Full" is ever a danger from any malicious activity or software so long as NTFS is locked down.  About all that can happen is that the share is visible across the network, but if you can't right to the folder then what good is it for anyone with malicious intent.

The only way you could say that the open Share is a danger with NTFS locked down is if somehow NTFS security is compromised, and if that happens, then all bets are off and you could then access any part of the system regardless of share permission status.