directory ACL concerns

We have some sensitive documents on a Windows 2008 R2 file server. They aren't held within a "shared" folder, and can only be accessed via the server itself, i.e. local console access or remote desktop.

However, the directory ACL does allow access to the BUILTIN\Users group, which from what I can gather on member servers includes the Domain Users group. As it isn't a shared folder, and those with OS-level access will be trusted admins only, is there any risk? I wasn't sure of any other techniques users may try to get access to the data if it isn't a share or they don't have OS access, as they can't just map the directory. I am pretty sure that unless it's a share you can't just map access to this folder from your PC.

Any views on this most welcome.

pma111Asked:
CoralonCommented:
Your risk is minimal, but it does exist. Because it is not shared out, there is no easy access to it.
But that does not mean it is completely inaccessible either.

Here's a list of the issues you could have:
1. If a parent directory were shared out, it would become available.
2. If another directory on the server that is shared out had a file system link (junction, mklink /d, etc.) to it, it could become visible.

It's still accessible if they have admin privileges, but then no amount of NTFS security is really going to keep them out.

I'd recommend you go ahead and remove the users group, and just leave it at admins, or create a group to manage that directory.  It's easy to do, and it's just more secure.

Coralon
0
 
Davis McCarnOwnerCommented:
Anyone in the Remote Desktop Users group will have access to that folder. If that's a problem, create a new group (Execs?) and add them to its ACL, then remove the Users group.
0
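The three exposure paths raised above (a broad group on the NTFS ACL, a share sitting at or above the folder, and interactive logon rights via Remote Desktop Users) can be checked in one pass. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the sensitive folder is `D:\SensitiveDocs` (change `$Folder`) and is written against PowerShell 2.0 so it runs unmodified on Windows Server 2008 R2; run it on the file server itself as an administrator.

```powershell
# Added audit script (not from the thread). Assumes the sensitive folder path
# is D:\SensitiveDocs; change $Folder to suit. Written for PowerShell 2.0 so it
# runs on Windows Server 2008 R2 as-is; run it on the file server itself.
param([string]$Folder = 'D:\SensitiveDocs')

$Folder = (Resolve-Path $Folder).ProviderPath.TrimEnd('\')

# 1. Which broad groups have Allow entries on the folder, and are they inherited?
#    An inherited entry means the fix belongs on the parent, or the folder needs
#    inheritance disabled before BUILTIN\Users can be removed.
$broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'Domain Users')
Write-Host "== Allow entries on $Folder for broad groups =="
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $entry = $_
        $id = $entry.IdentityReference.Value
        foreach ($b in $broad) {
            if ($id -like "*$b*") {
                New-Object PSObject -Property @{
                    Identity  = $id
                    Rights    = $entry.FileSystemRights
                    Inherited = $entry.IsInherited
                }
            }
        }
    } | Format-Table Identity, Rights, Inherited -AutoSize

# 2. Does any SMB share (admin shares included) sit at or above the folder?
#    A share on a parent directory exposes every subfolder that the share ACL
#    and the NTFS ACL together allow, so BUILTIN\Users on NTFS becomes reachable
#    over the network through any non-admin share listed here.
Write-Host "== Shares whose path is $Folder or a parent of it =="
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Path } |
    ForEach-Object {
        $sharePath = $_.Path.TrimEnd('\')
        if ($Folder -eq $sharePath -or
            $Folder.StartsWith($sharePath + '\', [StringComparison]::OrdinalIgnoreCase)) {
            New-Object PSObject -Property @{ Share = $_.Name; Path = $_.Path }
        }
    } | Format-Table Share, Path -AutoSize

# 3. Who can log on interactively over RDP? Anyone listed here (plus local
#    admins) reaches the folder through its NTFS ACL, share or no share.
Write-Host "== Members of Remote Desktop Users =="
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
@($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

Expect the default administrative shares (`C$`, `D$`, `ADMIN$`) to appear in section 2 whenever the folder lives on that drive; their share-level ACL restricts them to Administrators, so the hits that matter are ordinary shares on a parent path. Section 1 matches on the identity string, so a domain group such as `CORP\Domain Users` nested into `BUILTIN\Users` only shows up as the `BUILTIN\Users` entry; the nesting is what makes that entry equivalent to "all domain users" on a member server.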
 
pma111Author Commented:
Thanks

Pretty new to:

2. If another directory on the server that is shared out had a file system link (junction, mklink /d, etc.) to it, it could become visible.


Can you elaborate a little? Are you saying that if you have access to an open share you can create some sort of open link to the rest of the drive?
0
 
pma111Author Commented:
I guess it's a similar concept really to SQL Server folders: they are typically on an admin share, yet the folders are far more restrictive than BUILTIN\Users, so they must perceive a level of threat.
0
 
pma111Author Commented:
And the next question is "how can you check if there's a file system link?"
0
 
Davis McCarnOwnerCommented:
They're called symbolic links or junctions and here is a utility which will list them: http://www.nirsoft.net/utils/ntfs_links_view.html
0
 
pma111Author Commented:
by: DavisMcCarn

Thanks. Can I ask how you "run it", i.e. do you install it on the server itself, and does it list every link on every drive, or do you have to specify a drive as a parameter?
0
 
Davis McCarnOwnerCommented:
You type the drive letter or folder (e.g. C:\Data), choose the subfolder depth you want (Infinite), and click Go.
0
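If you would rather not run a third-party GUI tool on the file server, the same enumeration can be scripted. The script below is an added example for this page, not code from the thread or from NirSoft. It assumes the sensitive folder is `D:\SensitiveDocs` and that the volumes to scan are `C:` and `D:`; it shells out to cmd's `dir /AL /S` because PowerShell 2.0 on Server 2008 R2 does not expose a reparse point's target as a property, whereas `dir /AL` prints the target in square brackets next to each junction or symbolic link.

```powershell
# Added example (not from the thread): list every junction or symbolic link on
# the given volumes whose target is the sensitive folder or something inside it.
# Assumes the folder is D:\SensitiveDocs and the volumes to scan are C: and D:.
param(
    [string]$Folder  = 'D:\SensitiveDocs',
    [string[]]$Roots = @('C:\', 'D:\')
)
$Folder = $Folder.TrimEnd('\')

# "dir /AL /S" prints one "Directory of <path>" header per folder and then
# lines such as (constructed samples of the cmd output format):
#   03/15/2012  10:22 AM    <JUNCTION>     Docs [D:\SensitiveDocs]
#   03/15/2012  10:22 AM    <SYMLINKD>     OldDocs [D:\SensitiveDocs\Archive]
#   03/15/2012  10:22 AM    <SYMLINK>      index.txt [D:\SensitiveDocs\index.txt]
$linkPattern = '<(JUNCTION|SYMLINKD?)>\s+(.+?)\s+\[(.+)\]\s*$'
$results = @()

foreach ($root in $Roots) {
    $currentDir = $root
    # 2>nul drops "access denied" noise from folders the scanning account cannot read;
    # run as an administrator or those folders are silently skipped.
    $output = cmd /c "dir /AL /S `"$root`" 2>nul"
    foreach ($line in $output) {
        if ($line -match '^\s*Directory of (.+)$') { $currentDir = $matches[1]; continue }
        if ($line -match $linkPattern) {
            $kind   = $matches[1]
            $name   = $matches[2]
            $target = $matches[3].TrimEnd('\')
            if ($target -eq $Folder -or
                $target.StartsWith($Folder + '\', [StringComparison]::OrdinalIgnoreCase)) {
                $results += New-Object PSObject -Property @{
                    Link   = Join-Path $currentDir $name
                    Type   = $kind
                    Target = $target
                }
            }
        }
    }
}

if ($results.Count -eq 0) {
    Write-Host "No junctions or symbolic links found pointing into $Folder"
} else {
    $results | Format-Table Link, Type, Target -AutoSize
}
```

Two caveats a practitioner should keep in mind. The `Directory of` header is localized on non-English Windows, so adjust that regex if the server's display language is not English. Symbolic links may also carry a relative target (`[..\SensitiveDocs]`), which the prefix comparison above will not recognise; if the scan is for a server where users can create links, drop the target filter and review every hit inside a shared path by hand. Junctions and directory symbolic links created with `mklink` require administrative rights by default, which is why a link inside an existing share normally reflects an admin's action rather than a user's.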
 
pma111Author Commented:
Thanks. Can I ask, are these symbolic links / junctions something an admin will have set up? I.e. what kinds of scenarios are there where an admin will want to create a symbolic link / junction? What permissions do you need on the OS to create a symbolic link / junction? And why would you need to or want to?
0
 
Davis McCarnOwnerCommented:
The only links you should be concerned about are any to the folder with the sensitive data.
0
 
pma111Author Commented:
The question was, though, why would you create these links in the first place? What scenarios require an admin to set up a "symbolic link"? What purpose do they serve?
0
 
Davis McCarnOwnerCommented:
Windows creates numerous symbolic links for backwards compatibility with older programs. "Documents and Settings" and "My Documents" are but two of them.

Their purpose is to redirect the older program to the correct folder.
0
 
Leon FesterSenior Solutions ArchitectCommented:
From a security perspective: if it's "sensitive documents", then lock it down.
You should explicitly assign permission only to accounts that need access to this location.
Any account that does not need access should be removed from the ACL.
0
 
pma111Author Commented:
I get the "lock it down" thing, but I am struggling to justify to them why, as the only people with access to the server OS are admins anyway, it isn't on a share, and there's no symbolic link. So with that in mind, what's the risk?
0
 
Davis McCarnOwnerCommented:
Because anyone with Remote Desktop permissions can get to it in a remote session.
0
 
pma111Author Commented:
That group is fine too: no members at all (and by default it doesn't seem to include basic user groups anyway), so I assume it's a no-risk issue here.
0
 
Davis McCarnOwnerCommented:
Yup, you're OK; but watch out for somebody being added to the Remote Desktop Users group!
0