  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373

directory ACL concerns

We have some sensitive documents on a Windows 2008 R2 file server. They aren't held within a "shared" folder, and can only be accessed via the server itself, i.e. local console access or remote desktop.

However, the directory ACL does allow access to the builtin\users group, which from what I can gather on member servers includes the domain users group. As it isn't a shared folder, and those with OS level access will be trusted admins only - is there any risk? I wasn't sure of any other techniques users may try to get access to the data if it isn't a share or they don't have OS access, as they can't just map the directory. I am pretty sure unless it's a share you can't just map access to this folder from your PC.

Any views on this are most welcome.
0
Asked by: pma111
3 Solutions
 
Davis McCarn (Owner) Commented:
Anyone in the Remote Desktop Users group will have access to that folder. If that's a problem, create a new group (Execs?) and add them to its ACL, then remove the User group.
0
 
Coralon Commented:
Your risk is minimal, but does exist.  Because it is not shared out, there is not easy access to it.
But that does not mean it is completely inaccessible either.

Here's a list of the issues you could have:
1. If a parent directory were shared out, it would become available.
2. If another directory on the server that is shared out had a file system link (junction, mklink /d, etc.), it could become visible.

It's still accessible if they have admin privileges, but then no amount of NTFS security is really going to keep them out.

I'd recommend you go ahead and remove the users group, and just leave it at admins, or create a group to manage that directory.  It's easy to do, and it's just more secure.

Coralon
0
 
pma111 (Author) Commented:
Thanks

Pretty new to:

"2. If another directory on the server that is shared out had a file system link (junction, mklink /d, etc.), it could become visible."


Can you elaborate a little? Are you saying if you have access to an open share you can create some sort of open link to the rest of the drive?
0
 
pma111 (Author) Commented:
I guess it's a similar concept really to SQL Server folders; they are typically on an admin share yet the folders are far more restrictive than BUILTIN.users, so they must perceive a level of threat.
0
 
pma111 (Author) Commented:
And the next question is "how can you check if there's a file system link?"
0
 
Davis McCarn (Owner) Commented:
They're called symbolic links or junctions and here is a utility which will list them: http://www.nirsoft.net/utils/ntfs_links_view.html
0
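
Added example, not part of any post in this thread: a PowerShell script, run on the file server itself, that performs the checks discussed above. It lists the folder's ACL entries, any share rooted at the folder or at one of its parent directories, and any junction or symbolic link inside an ordinary share. `D:\Sensitive` is a placeholder path, and the script assumes it is run from an elevated session.

```powershell
# Added example; D:\Sensitive is a placeholder for the folder being reviewed.
param([string]$SensitivePath = 'D:\Sensitive')

$target = (Get-Item -LiteralPath $SensitivePath -Force).FullName.TrimEnd('\')

# 1. Who does the NTFS ACL grant access to, and is each entry inherited
#    from a parent? Look for BUILTIN\Users here.
(Get-Acl -Path $target).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Disk shares whose root is the folder itself or one of its parents.
#    Win32_Share is available on Server 2008 R2. Type 0 is an ordinary
#    disk share; 2147483648 is an administrative disk share (C$, ADMIN$).
$diskShares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Path -and ($_.Type -eq 0 -or $_.Type -eq 2147483648) }

foreach ($s in $diskShares) {
    $root = $s.Path.TrimEnd('\')
    $isParent = $target.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)
    if ($target -eq $root -or $isParent) {
        "Reachable through share {0} ({1}); administrative share: {2}" -f `
            $s.Name, $s.Path, ($s.Type -ne 0)
    }
}

# 3. Junctions and symbolic links inside ordinary shares. Each hit is a
#    reparse point; 'fsutil reparsepoint query <path>' shows where it points.
#    Older PowerShell versions follow links while recursing, so a link to a
#    large tree makes this step slow.
foreach ($s in ($diskShares | Where-Object { $_.Type -eq 0 })) {
    Get-ChildItem -LiteralPath $s.Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object { "Link under share {0}: {1}" -f $s.Name, $_.FullName }
}
```

A hit in step 2 for an ordinary share, or a link in step 3 that resolves to the sensitive folder, means the NTFS ACL is the only thing standing between share users and the data.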
 
pma111 (Author) Commented:
by: DavisMcCarn

Thanks. Can I ask how you "run it", i.e. do you install it on the server itself, and does it list every link on every drive, or do you have to specify a drive as a parameter?
0
 
Davis McCarn (Owner) Commented:
You type the drive letter or folder (i.e. C:\Data), choose the subfolder depth you want (Infinite), and click Go.
0
 
pma111 (Author) Commented:
Thanks. Can I ask, are these symbolic links / junctions something an admin will have set up? I.e. what kinds of scenarios are there where an admin will want to create a symbolic link / junction? What permissions do you need on the OS to create a symbolic link / junction? And why would you need to / want to?
0
 
Davis McCarn (Owner) Commented:
The only links you should be concerned about are any to the folder with the sensitive data.
0
 
pma111 (Author) Commented:
The question was though, why would you create these links in the first place? What scenarios require an admin to set up a "Symbolic link". What purpose do they serve?
0
 
Davis McCarn (Owner) Commented:
Windows creates numerous symbolic links for backwards compatibility with older programs.  Documents and Settings and My Documents are but two of them.

Their purpose is to redirect the older program to the correct folder.
0
 
Leon Fester Commented:
From a security perspective; if it's "sensitive documents" then lock it down.
You should explicitly assign permission only to accounts that need access to this location.
Any account that does not need access should be removed from the ACL.
0
 
pma111 (Author) Commented:
I get the lock it down thing, but I am struggling to justify to them why, as the only people with access to the server OS are admins anyway, and it isn't on a share, and there's no symbolic link. So with that in mind, what's the risk?
0
 
Davis McCarn (Owner) Commented:
Because anyone with Remote Desktop permissions can get to it in a remote session.
0
 
pma111 (Author) Commented:
That group is fine too, no members at all (and by default doesn't seem to include basic user groups anyway), so I assume it's a no risk issue here.
0
 
Davis McCarn (Owner) Commented:
Yup, you're OK; but, watch out for somebody being added to the Remote Desktop Users group!
0
