Solved

directory ACL concerns

Posted on 2013-12-19
Last Modified: 2014-01-03
We have some sensitive documents on a Windows 2008 R2 file server. They aren't held within a "shared" folder, and can only be accessed via the server itself, i.e. local console access or remote desktop.

However, the directory ACL does allow access to the builtin\users group, which from what I can gather on member servers includes the domain users group. As it isn't a shared folder, and those with OS level access will be trusted admins only - is there any risk? I wasn't sure of any other techniques users may try to get access to the data if it isn't a share or they don't have OS access, as they can't just map the directory. I am pretty sure unless it's a share you can't just map access to this folder from your PC.

Any views on this are most welcome.
0
Comment
Question by:pma111
17 Comments
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 39730961
Anyone in the Remote Desktop Users group will have access to that folder. If that's a problem, create a new group (Execs?) and add them to its ACL, then remove the User group.
0
 
LVL 23

Accepted Solution

by:
Coralon earned 167 total points
ID: 39730963
Your risk is minimal, but does exist. Because it is not shared out, there is no easy access to it.
But that does not mean it is completely inaccessible either.

Here's a list of the issues you could have:
1. If a parent directory were shared out, it would become available.
2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.), it could become visible.

It's still accessible if they have admin privileges, but then no amount of ntfs security is really going to keep them out.

I'd recommend you go ahead and remove the users group, and just leave it at admins, or create a group to manage that directory.  It's easy to do, and it's just more secure.

Coralon
0
 
LVL 3

Author Comment

by:pma111
ID: 39731253
Thanks

Pretty new to:

2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.), it could become visible.


Can you elaborate a little? Are you saying if you have access to an open share you can create some sort of open link to the rest of the drive?
0
 
LVL 3

Author Comment

by:pma111
ID: 39731261
I guess it's a similar concept really to SQL Server folders, they are typically on an admin share yet the folders are far more restrictive than BUILTIN.users, so they must perceive a level of threat.
0
 
LVL 3

Author Comment

by:pma111
ID: 39731275
And the next question is "how can you check if there's a file system link?"
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39731739
They're called symbolic links or junctions and here is a utility which will list them: http://www.nirsoft.net/utils/ntfs_links_view.html
0
 
LVL 3

Author Comment

by:pma111
ID: 39735618
by: DavisMcCarn

Thanks. Can I ask how you "run it", i.e. do you install it on the server itself, and does it list every link on every drive, or do you have to specify a drive as a parameter?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39735874
You type the drive letter or folder (i.e. C:\Data), choose the subfolder depth you want (Infinite), and Click Go.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735878
Thanks. Can I ask, are these symbolic links / junctions something an admin will have set up? I.e. what kinds of scenarios are there where an admin will want to create a symbolic link / junction? What permissions do you need on the OS to create a symbolic link / junction? And why would you need to / want to?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39735957
The only links you should be concerned about are any to the folder with the sensitive data.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735981
The question was though, why would you create these links in the first place? What scenarios require an admin to set up a "Symbolic link". What purpose do they serve?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39736322
Windows creates numerous symbolic links for backwards compatibility with older programs.  Documents and Settings and My Documents are but two of them.

Their purpose is to redirect the older program to the correct folder.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 166 total points
ID: 39741624
From a security perspective; if it's "sensitive documents" then lock it down.
You should explicitly assign permission only to accounts that need access to this location.
Any account that does not need access should be removed from the ACL.
0
 
LVL 3

Author Comment

by:pma111
ID: 39751193
I get the lock it down thing, but I am struggling to justify to them why, as the only people with access to the server OS are admins anyway, and it isn't on a share, and there's no symbolic link. So with that in mind, what's the risk?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39751228
Because anyone with Remote Desktop permissions can get to it in a remote session.
0
 
LVL 3

Author Comment

by:pma111
ID: 39751408
That group is fine too, no members at all (and by default doesn't seem to include basic user groups anyway), so I assume it's a no risk issue here.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39752585
Yup, you're OK; but, watch out for somebody being added to the Remote Desktop Users group!
0
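The checks discussed across this thread (broad ACL entries, a share covering the folder, links under shared paths, Remote Desktop Users membership), gathered into one PowerShell audit as an added example that is not part of any post above. `D:\Sensitive` is a placeholder path; the script assumes an elevated session on the file server and that reparse-point output from `fsutil` contains the target path as text.

```powershell
# Added example: audit one folder for the exposure paths raised in the thread.
$Sensitive = 'D:\Sensitive'   # placeholder: replace with the real folder
$target = (Get-Item -LiteralPath $Sensitive).FullName.TrimEnd('\')

# 1. Allow entries on the folder for broad principals (e.g. BUILTIN\Users)
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
(Get-Acl -LiteralPath $target).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# 2. Shares whose path is the folder itself or one of its parents
$shares = Get-WmiObject Win32_Share | Where-Object { $_.Path }   # skips IPC$
foreach ($s in $shares) {
    $root = $s.Path.TrimEnd('\')
    $covers = ($target -eq $root) -or
        $target.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)
    if ($covers) {
        New-Object PSObject -Property @{
            Share      = $s.Name
            Path       = $s.Path
            AdminShare = ($s.Type -eq 2147483648)   # C$, D$ and similar
        }
    }
}

# 3. Junctions / symbolic links under ordinary disk shares (Type 0);
#    PointsAtTarget is true when the link data mentions the folder's path.
#    Links to a parent of the folder show as False and need manual review.
foreach ($s in ($shares | Where-Object { $_.Type -eq 0 })) {
    Get-ChildItem -LiteralPath $s.Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $info = fsutil reparsepoint query $_.FullName
            New-Object PSObject -Property @{
                Share          = $s.Name
                Link           = $_.FullName
                PointsAtTarget = [bool]($info | Select-String -SimpleMatch -Pattern $target)
            }
        }
}

# 4. Who can log on through Remote Desktop besides administrators
net localgroup "Remote Desktop Users"
```

Empty output from steps 1 to 3 and an empty member list in step 4 match the situation the asker describes; rerunning it on a schedule catches a later share, link or group change.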
