Solved

directory ACL concerns

Posted on 2013-12-19
Last Modified: 2014-01-03
We have some sensitive documents on a Windows 2008 R2 file server. They aren't held within a "shared" folder, and can only be accessed via the server itself, i.e. local console access or remote desktop.

However, the directory ACL does allow access to builtin\users group, which from what I can gather on member servers includes domain users group. As it isn't a shared folder, and those with OS level access will be trusted admins only - is there any risk? I wasn't sure of any other techniques users may try to get access to the data if it isn't a share or they don't have OS access, as they can't just map the directory. I am pretty sure unless it's a share you can't just map access to this folder from your PC.

Any views on this most welcome.
Question by:pma111
17 Comments
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 39730961
Anyone in the Remote Desktop Users group will have access to that folder. If that's a problem, create a new group (Execs?) and add them to its ACL, then remove the User group.
0
 
LVL 25

Accepted Solution

by:Coralon
Coralon earned 167 total points
ID: 39730963
Your risk is minimal, but does exist.  Because it is not shared out, there is not easy access to it.
But that does not mean it is completely inaccessible either.

Here's a list of the issues you could have:
1. If a parent directory were shared out, it would become available.
2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.), it could become visible.

It's still accessible if they have admin privileges, but then no amount of NTFS security is really going to keep them out.

I'd recommend you go ahead and remove the users group, and just leave it at admins, or create a group to manage that directory.  It's easy to do, and it's just more secure.

Coralon
0
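
An added example, not part of the original thread: one way to check, on the server itself, the exposures named in the answers above (broad ACL entries, a shared parent directory, links inside shares, Remote Desktop Users membership). It assumes Windows PowerShell 5.1 for the LinkType and Target properties, and D:\Sensitive is a placeholder path.

```powershell
# Added example: exposure audit for a folder that is not itself shared.
# Assumes Windows PowerShell 5.1; D:\Sensitive is a placeholder path.
$Sensitive = 'D:\Sensitive'

# True when $Path is $Root itself or lies beneath it (case-insensitive).
function Test-Covers([string]$Root, [string]$Path) {
    $r = $Root.TrimEnd('\') + '\'
    ($Path.TrimEnd('\') + '\').StartsWith($r, [StringComparison]::OrdinalIgnoreCase)
}

# 1. Allow entries for broad groups on the folder's ACL.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
(Get-Acl -LiteralPath $Sensitive).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Ordinary disk shares (Type 0; admin shares such as C$ are skipped)
#    whose path is the folder or one of its parents.
$shares = @(Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })
foreach ($s in $shares) {
    if (Test-Covers $s.Path $Sensitive) {
        "EXPOSED by share '$($s.Name)' ($($s.Path))"
    }
}

# 3. Junctions and symbolic links inside each share that lead to the folder,
#    to a parent of it, or to something inside it.
foreach ($s in $shares) {
    Get-ChildItem -LiteralPath $s.Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType } |
        ForEach-Object {
            foreach ($t in $_.Target) {
                if (-not [IO.Path]::IsPathRooted($t)) {   # relative symlink target
                    $t = [IO.Path]::GetFullPath((Join-Path (Split-Path $_.FullName -Parent) $t))
                }
                if ((Test-Covers $t $Sensitive) -or (Test-Covers $Sensitive $t)) {
                    "EXPOSED by link $($_.FullName) -> $t (share '$($s.Name)')"
                }
            }
        }
}

# 4. Accounts that can log on through Remote Desktop without being admins.
net localgroup "Remote Desktop Users"
```

Run it from an elevated prompt so that Get-ChildItem can read every subfolder of each share; folders it cannot read are skipped silently.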
 
LVL 3

Author Comment

by:pma111
ID: 39731253
Thanks

Pretty new to:

2. If another directory on the server that is shared out had a file system link (junction, mklinkd, etc.), it could become visible.


Can you elaborate a little? Are you saying if you have access to an open share you can create some sort of open link to the rest of the drive?
0

 
LVL 3

Author Comment

by:pma111
ID: 39731261
I guess it's a similar concept really to SQL Server folders, they are typically on an admin share yet the folders are far more restrictive than BUILTIN.users, so they must perceive a level of threat.
0
 
LVL 3

Author Comment

by:pma111
ID: 39731275
And the next question is "how can you check if there's a file system link?"
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39731739
They're called symbolic links or junctions and here is a utility which will list them: http://www.nirsoft.net/utils/ntfs_links_view.html
0
 
LVL 3

Author Comment

by:pma111
ID: 39735618
by: DavisMcCarn

Thanks. Can I ask how you "run it", i.e. do you install it on the server itself, and does it list every link on every drive, or do you have to specify a drive as a parameter?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39735874
You type the drive letter or folder (i.e. C:\Data), choose the subfolder depth you want (Infinite), and click Go.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735878
Thanks. Can I ask are these symbolic links / junctions something an admin will have set up? I.e. what kinds of scenarios are there where an admin will want to create a symbolic link/junction? What permissions do you need on the OS to create a symbolic link/junction? And why would you need to/want to?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39735957
The only links you should be concerned about are any to the folder with the sensitive data.
0
 
LVL 3

Author Comment

by:pma111
ID: 39735981
The question was though, why would you create these links in the first place? What scenarios require an admin to set up a "Symbolic link". What purpose do they serve?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39736322
Windows creates numerous symbolic links for backwards compatibility with older programs.  Documents and Settings and My Documents are but two of them.

Their purpose is to redirect the older program to the correct folder.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 166 total points
ID: 39741624
From a security perspective; if it's "sensitive documents" then lock it down.
You should explicitly assign permission only to accounts that need access to this location.
Any account that does not need access should be removed from the ACL.
0
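
An added example, not part of the original thread: the lock-down recommended in the answers above, done with Get-Acl and Set-Acl. D:\Sensitive and the group CONTOSO\SensitiveDocs are hypothetical placeholders, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example; the path and group name are placeholders, not from the thread.
$Sensitive = 'D:\Sensitive'
$Group     = 'CONTOSO\SensitiveDocs'   # hypothetical group created for this data

$acl = Get-Acl -LiteralPath $Sensitive

# BUILTIN\Users normally arrives by inheritance from the drive root, and an
# inherited entry cannot be removed on its own. Stop inheriting, keeping the
# current entries as explicit copies ($true, $true), then re-read the ACL.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Sensitive -AclObject $acl
$acl = Get-Acl -LiteralPath $Sensitive

# Drop every entry for BUILTIN\Users.
$acl.PurgeAccessRules([Security.Principal.NTAccount]'BUILTIN\Users')

# Grant Modify to the dedicated group, inherited by subfolders and files.
$rule = New-Object Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Sensitive -AclObject $acl

# Review the result; Administrators and SYSTEM should still be listed.
(Get-Acl -LiteralPath $Sensitive).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Subfolders that already carry their own explicit entries for BUILTIN\Users are not changed by this and need the same treatment.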
 
LVL 3

Author Comment

by:pma111
ID: 39751193
I get the lock it down thing, but I am struggling to justify to them why, as the only people with access to the server OS are admins anyway, and it isn't on a share, and there's no symbolic link. So with that in mind, what's the risk?
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39751228
Because anyone with Remote Desktop permissions can get to it in a remote session.
0
 
LVL 3

Author Comment

by:pma111
ID: 39751408
That group is fine too, no members at all (and by default doesn't seem to include basic user groups anyway), so I assume it's a no risk issue here.
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 39752585
Yup, you're OK; but, watch out for somebody being added to the Remote Desktop Users group!
0
