Solved

Share, subdirectory permissions and pass-through

Posted on 2013-11-07
4
393 Views
Last Modified: 2013-11-08
Hello everyone.  I've come across something a little strange.  This came up accidentally, but it opened my eyes to some possible problems.

Due to the strange nature of our data, folder structure and employee permissions, I use file-based access permissions (using groups, of course) to allow or deny people access to certain shares, areas within those shares, and specific subfolders sometimes up to three or four levels down.   So far I have never used the DENY permission anywhere.

I generally give all our employees a SHARE-level access of full control.  I use a special group for this, and not the "everyone" group.  Since I control all file-level permissions and allow or deny there, I never thought this would be a big problem.

I recently discovered the following.

Share permission:  All Employees - Full Control
Base directory:  No explicitly defined access for a specific user.  Just Server\Administrators, and Information Technology.
First subdirectory:  Again, no explicit permission
First\Second subdirectory:  Same Thing
First\Second\Third subdirectory:  This one user has read access.

By specifying a path of \\Server\Share\First\Second\Third, they are able to see the contents of this directory.

I initially thought this was because I was using a NAS or got the permissions wrong, but after double-checking and testing this on a Server 2008 R2 and Server 2012 machine, I get the same results.

I tried setting the permissions on the SECOND directory to explicitly DENY this individual user access to the SECOND directory (no further inheritance).  Looked at the advanced permissions, they are Denied everything.  They can still get through to the ...\three subdirectory.

Am I missing something here?  If someone doesn't have any permission to a directory or subdirectory, and has a specific DENY permission on a third, how can they pass through all of them to get to a directory where they DO have permission?

I'm aware this is strange and not something that should normally happen.  How would they even know the directory names to get to this subdirectory?  However due to some odd lunar alignments and my good luck, this has come to light.

If anyone could explain this to me, and also let me know a good way to prevent this from happening in the future, I'd really appreciate it.   Are there any other hidden fun things like this I should know about?

I'm already thinking about changing share permissions and directory structure.
Unfortunately, IT control of the share/directory structure is somewhat limited.
We recently used DFS (not replication) to merge many shares into a company-wide standard directory structure without actually running amok and changing the share contents.   To be honest, some of the shares are somewhat ... non-intuitive?
Creating a new permission/directory/share structure isn't a challenge I'm looking forward to.

Thanks!

Dave
0
Question by:GASAI
4 Comments
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 39633139
0
 

Author Comment

by:GASAI
ID: 39633560
That was denied.  For the account I'm testing, everything is denied.

Deny:
Full Control
Traverse folder/execute file
List folder/read data
Read attributes
Read extended attributes
Create files/write data
Create folders/append data
Write attributes
Write extended attributes
Delete subfolders and files
Delete
Read permissions
Change permissions
Take ownership

All denied for a specific account in the "Second" folder.
Applied to:  "This folder only"

Dave
0
 

Author Comment

by:GASAI
ID: 39633643
Ahh, "Bypass Traverse Checking".  The linked article says "Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)"

I can see this seems to be set for "everyone" on every PC and Server I can touch.
It's also part of the default Domain Controllers Policy.

I have some reading to do.  If I either disable this, or try to "target" disable it on certain systems, what will the effects be?

Thanks for the answer.  I have the clue I was looking for.  Now it's time to do more reading and testing.

Dave
0
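One way to audit the situation described in this thread on the file server, as an added PowerShell example that is not part of the original thread: it lists the explicit ACEs for one account at every level of a path, then checks whether Everyone holds the "Bypass traverse checking" right (SeChangeNotifyPrivilege) in the machine's current policy. The path and account are placeholders, and share-level permissions are not inspected.

```powershell
# Added example, not from the thread: audit why an account can reach a deep
# folder when the intermediate folders grant it nothing. It checks (1) the
# explicit ACEs for the account on every directory along the path and (2)
# whether "Bypass traverse checking" (SeChangeNotifyPrivilege) is held by
# Everyone, which makes the Traverse folder ACE on intermediate folders moot.
# $Path and $Account are placeholders; run on the file server as an administrator.
param(
    [string]$Path    = 'D:\Share\First\Second\Third',
    [string]$Account = 'DOMAIN\someuser'
)

# (1) Walk the path from the drive root down and print the ACEs for $Account.
$parts = $Path -split '\\' | Where-Object { $_ }
for ($i = 1; $i -le $parts.Count; $i++) {
    $dir  = ($parts[0..($i - 1)] -join '\') + '\'
    $aces = (Get-Acl -LiteralPath $dir).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account }
    Write-Host "`n$dir"
    if (-not $aces) { Write-Host '  no explicit ACE for this account'; continue }
    foreach ($a in $aces) {
        # Traverse folder shares its bit (0x20) with ExecuteFile, so test with -band.
        $traverse = ([int]$a.FileSystemRights -band 0x20) -ne 0
        $fmt = '  {0,-5} traverse={1} applies-to={2} rights={3}'
        Write-Host ($fmt -f $a.AccessControlType, $traverse, $a.InheritanceFlags, $a.FileSystemRights)
    }
}

# (2) Export the machine's current user-rights assignments and read the
#     SeChangeNotifyPrivilege line. S-1-1-0 is the well-known SID of Everyone,
#     which Windows grants this right by default.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeChangeNotifyPrivilege' |
        Select-Object -First 1
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
if ($line -and $line.Line -match '\*S-1-1-0') {
    Write-Host "`nBypass traverse checking is granted to Everyone;"
    Write-Host 'Traverse ACEs on intermediate folders are not enforced for this account.'
} elseif ($line) {
    Write-Host "`nBypass traverse checking holders: $($line.Line)"
} else {
    Write-Host "`nSeChangeNotifyPrivilege not found in the exported policy."
}
```

Removing Everyone from this right changes behaviour for every application that opens files by full path, so test the change on one server before applying it through Group Policy.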
 
LVL 53

Expert Comment

by:McKnife
ID: 39634264
And by the way: never set the share permissions to full for anybody but administrators. That will have side effects you certainly would not want, read my old thread here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22108365.html
0
