Solved

directory ACL concerns

Posted on 2013-12-19
17
366 Views
Last Modified: 2014-01-03
We have some sensitive documents on a windows 2008 r2 file server. They arent held within a "shared" folder, and can only be accessed via the server itself, i.e. local console access or remote desktop.

However the directory ACL does allow access to builtin\users group, which from what I can gather on member servers includes domain users group. As it isnt a shared folder, and those with OS level access with be trusted admins only - is there any risk? I wasnt sure of any other techniques users may try to get access to the data if it isnt a share or they dont have OS access, as they cant just map the directory. I am pretty sure unless its a share you cant just map access to this folder from your PC

any views on this most welcome
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
17 Comments
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 39730961
Anyone in the Remote Desktop Users group will have access to that folder  If that's a problem, create a new group (Execs?) and add them to its ACL then remove the User group.
0
 
LVL 25

Accepted Solution

by:
Coralon earned 167 total points
ID: 39730963
You're risk is minimal, but does exist.  Because it is not shared out, there is not easy access to it.
But, that does not mean it is completely inaccessible either..

Here's a list of the issues you could have:
1. If a parent directory were shared out, it would become available.
2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.) that it could become visible.

It's still accessible if they have admin privileges, but then no amount of ntfs security is really going to keep them out.

I'd recommend you go ahead and remove the users group, and just leave it at admins, or create a group to manage that directory.  It's easy to do, and it's just more secure.

Coralon
0
 
LVL 3

Author Comment

by:pma111
ID: 39731253
Thanks

Pretty new to:

2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.) that it could become visible.


Can you elaborate a little? Are you saying if you have access to an open share you can create some sort of open link to the rest of the drive?
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 3

Author Comment

by:pma111
ID: 39731261
I guess its a similar concept really to SQL Server folders, they are typically on an admin share yet the folders are far more restrictive than BUILTIN.users, so they must perceive a level of threat.
0
 
LVL 3

Author Comment

by:pma111
ID: 39731275
And the next question is "how can you check if theres a file system link"
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39731739
They're called symbolic links or junctions and here is a utility which will list them: http://www.nirsoft.net/utils/ntfs_links_view.html
0
 
LVL 3

Author Comment

by:pma111
ID: 39735618
by: DavisMcCarn

Thanks. Can I ask how you "run it", i.e. do you install it on the server itself, and does it list every link on every drive, or do you have to specify a drive as a parameter?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39735874
You type the drive letter or folder (i.e. C:\Data), choose the subfolder depth you want (Infinite), and Click Go.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735878
Thanks. Can I ask are these symbolic links / junctions something an admin will have setup? I.e. what kinds of scenarios are there where an admin will want to create a symbolic link/ junction? What permissions do you need on the OS to create a symbolic link/junction? And why would you need to/want to?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39735957
The only links you should be concerned about are any to the folder with the sensitive data.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735981
The question was though, why would you create these links in the first place? What scenarios require an admin to set up a "Symbolic link". What purpose do they serve?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39736322
Windows creates numerous symbolic links for backwards compatibility with older programs.  Documents and Settings and My Documents are but two of them.

Their purpose is to redirect the older program to the correct folder.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 166 total points
ID: 39741624
From a security perspective; if it's "sensitive documents" then lock it down.
You should explicitly assign permission only to accounts that need access to this location.
Any account that does not need access should be removed from the ACL.
0
 
LVL 3

Author Comment

by:pma111
ID: 39751193
I get the lock it down thing, but I am struggling to justify to them why, as the only people with access to the server OS are admins anyway, and it isnt on a share, and theres no symbolic link. so with that in mind, whats the risk?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39751228
Because anyone with Remote Desktop permissions can get to it in a remote session,
0
 
LVL 3

Author Comment

by:pma111
ID: 39751408
that group is fine too, no members at all (and by default doesnt seem to include basic user groups anyway), so I assume its a no risk issue here.
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39752585
Yup, you're OK; but, watch out for somebody being added to the Remote Desktop Users group!
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question