Solved

NTFS and Access Based Enumeration Issue

Posted on 2015-02-12 | Last Modified: 2015-02-13 | 261 Views
We are migrating from a Novell file server to Windows Server 2012 R2.  We are having issues with folder and subfolder permissions.
We have a top level folder that is shared, D:\FileShare.  Under FileShare we have a domain folder (Data), a user home folder (Users), a shared folder (Shared) and a private folder (Private).
\\Server\FileShare - Main shared folder with ABE
Mappings:
net use L: \\Server\FileShare
Folders under FileShare:
Data - Domain Users - Modify
Private - Administrators only, specific users. Private\SubFolder - specific user
Users - Administrators only.   Users\UserName - UserName - Modify
Shared - Domain Users - Modify
For Users, the main folder's permissions are only Administrators have rights.  The subfolders for each user, the UserName has Modify rights to that folder.  By doing this, when a user goes to \\Server\FileShare, they only see Data, Shared, and Private.  We do a drive mapping for users to access their home folder (net use H: \\Server\FileShare\Users\%UserName%).  
Where we have a problem is with the Private folder.  Only certain users will have access to this folder and subfolders.
Right now Private has only administrator rights.  Under Private are folders Group1, Group2 and Group3 for testing purposes.  I gave my test user rights to Private\Group1, so they can use Windows Explorer to go to the path \\Server\FileShare\Private\Group1 and that user can see all the subfolders and files in it.  I then gave Group2 administrator-only rights, created a subfolder (DivA) and gave the test user full rights to that folder.  However, when the user goes to \\Server\FileShare\Private\Group2\DivA I get a "Windows cannot access folder" error.
Test User:
\\Server\FileShare\Private - denied
\\Server\FileShare\Private\Group1 - access
\\Server\FileShare\Private\Group2\DivA - no access even though user has full rights to DivA
This poses a huge problem for us because a user may need access to DivA only and should not see all the other files and subfolders of Group2.  
Example:
Group1 folder has three subfolders: G1DivA, G1DivB, and G1DivC
Group2 folder has three subfolders: G2DivA, G2DivB, and G2DivC
Group3 folder has three subfolders: G3DivA, G3DivB, and G3DivC
I have two users, John and Bob.  John needs access to Group1 and Group2 and all subfolders but not Group3.  Bob only has rights to Group2\G2DivB and no other folder.  
John has no issue accessing \\Server\FileShare\Private\Group1 and \\Server\FileShare\Private\Group2.  If John tries to go to \\Server\FileShare\Private he gets a network error.  If I add Domain Users with List Folder Contents to Private, John can see all three folders, even though he only has rights to Group1 and Group2.  John cannot access Group3, however we do not like the fact that he is aware that the folder exists.
Bob, on the other hand, cannot access G2DivB even if he goes to the UNC path \\Server\FileShare\Private\Group2\G2DivB.  I could add Domain Users with List Folder Contents so that they can traverse through the folders to get to the one they do have access to; however, we believe it is a security issue for users to see folders they do not have access to.
If I give Domain Users just Traverse Folder rights, they don't see any folders.  If I give just List Folder in advanced permissions, they don't see any folders.  The only way I can get them to see folders is the List Folder Contents permission.
What permissions do I set so that when Bob wants to go to the G2DivB folder, when he goes to Private he only sees Group2 and not Group1 and Group3, and when he goes to Group2 he only sees G2DivB and not G2DivA and G2DivC?
Question by: DamonVan
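The gap described in the question (Bob holds rights on G2DivB but nothing on Group2, so the folder is both hidden by ABE and unreachable through the parent path) can be audited from the server before users hit it. The following PowerShell script is an added example, not code from the post or from any of the participants; it walks a tree and reports every subfolder that grants a principal list/read rights while some ancestor between it and the root does not. `$Root` and `$Principal` are hypothetical placeholders, and the rights check is a deliberate simplification (explicit identity only, no group expansion, Deny ACEs ignored), so a "visible" verdict means "probably visible", not a full effective-access calculation.

```powershell
# Added example, not code from the original post. Given a share root and a
# principal, list every subfolder that grants the principal list/read rights
# while some folder between it and the root does not. Those are the folders
# ABE will never show while browsing and that the question reports as
# unreachable through the parent path (Bob and Group2\G2DivB).
# $Root and $Principal are hypothetical placeholders.
param(
    [string]$Root      = 'D:\FileShare\Private',
    [string]$Principal = 'CONTOSO\Bob'
)

# Assumption: ABE hides entries the caller cannot read; FileSystemRights.ReadData
# (the same bit as ListDirectory) is used here as the "can list this" test.
[int]$ListBit = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-ListGrant {
    param([string]$Path, [string]$Identity)
    # Simplification: only Allow ACEs (explicit or inherited) that name $Identity
    # directly are counted. Group membership is not expanded, Deny ACEs are
    # ignored, and ACEs carrying generic rights (e.g. GENERIC_ALL on inherit-only
    # entries) are not decoded.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$ace.FileSystemRights -band $ListBit) -eq $ListBit) { return $true }
    }
    return $false
}

function Find-HiddenGrants {
    param([string]$Root, [string]$Principal)
    $rootFull = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Directory -Recurse | ForEach-Object {
        $dir = $_.FullName
        if (-not (Test-ListGrant -Path $dir -Identity $Principal)) { return }
        # Every ancestor up to and including $Root must also be listable;
        # otherwise the grant is an island the user cannot browse to.
        $parent = Split-Path -Path $dir -Parent
        while ($parent.Length -ge $rootFull.Length) {
            if (-not (Test-ListGrant -Path $parent -Identity $Principal)) {
                [pscustomobject]@{ Folder = $dir; BlockedAt = $parent }
                break
            }
            if ($parent -eq $rootFull) { break }
            $parent = Split-Path -Path $parent -Parent
        }
    }
}

Find-HiddenGrants -Root $Root -Principal $Principal | Format-Table -AutoSize
```

Run it against `D:\FileShare` rather than `D:\FileShare\Private` and it will also flag every `Users\<UserName>` home folder, which in the layout above is intended: those are reached through the direct H: mapping, not by browsing. Anything else it reports is a folder that needs either a listable path down to it or its own mapping.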
4 Comments
 
Expert Comment by: Mahesh (ID: 40607503)
Go to Server Manager, navigate to File and Storage Services\Shares, open the share folder properties and tick "Enable access-based enumeration".

This will ensure that the user sees only those folders to which he has access.

Author Comment by: DamonVan (ID: 40607840)
I should have posted this along with the original post but I didn't.

I'm coming from a Netware environment migrating to a Windows 2012 R2 server.  What we are trying to accomplish is very easy on Netware and we are having a difficult time replicating this on the new Windows server.

Basically, on Netware if a user has access to a folder nested deep inside several other folders, Netware automatically gives the user the necessary rights to browse through just the folders necessary to get to that folder while not allowing them to see any other folders or files that exist in folders along the way.  We are trying to accomplish this and it looks like ABE is the way, but it doesn't seem to be doing what we want.  It's highly likely we are doing something wrong.

In the picture posted I'd like to give someone access to the Recovery Keys folder, allow them to browse to that folder, and not see any other folders that exist under the Admin folder nor see the TPM folder.  We are planning on mapping a drive letter directly to the fileshare share.  Is this possible and if so please assist us in figuring this out.

Thanks,
Damon
(attachment: folders.JPG)

Accepted Solution by: Philip Elder (earned 500 total points, ID: 40608059)
We migrated a client from Novell to Windows 2012 Standard about a year ago.

That turned out to be a bit of a rat's nest since Novell allowed for folder traversal with contents hidden while ABE does not do the same.

We ended up having to re-architect the folder structure:
Root share: Company with ABE
 + HR (HR and Admin Groups - Disinherit & remove Users)
 + Finance (Finance and Admin A/A)
 + Marketing (Marketing & Admin A/A)

And so on. It was about the best solution we had available to us. PowerShell helped a bit with the permission sets as there were a LOT of folders under the root.

EDIT: BTW, ForensiT's Profile Migration Wizard was _AWESOME_ for automating the migration of the users' local profiles into the newly established domain setup. It was 165 desktops.
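As an added example (not Philip Elder's script, and not part of the original thread), here is how the flattened layout he describes can be built with PowerShell on Server 2012 R2: one ABE-enabled root share, one top-level folder per group, each folder disinherited so nothing from the root (including Domain Users) flows down, and only Administrators, SYSTEM and the owning groups granted access. It also covers the share-level step in Mahesh's comment (`FolderEnumerationMode AccessBased`). The share path, share name, domain and group names are hypothetical placeholders.

```powershell
# Added example, not code from the original thread. Builds the flattened layout
# from the accepted answer: an ABE-enabled root share with one disinherited
# top-level folder per group. Share path/name, domain and group names are
# hypothetical; change $Layout to match the real groups.
$SharePath = 'D:\Company'
$ShareName = 'Company'
$Domain    = 'CONTOSO'

# Top-level folder => groups that get Modify on it (and everything below it).
$Layout = @{
    'HR'        = @("$Domain\HR",        "$Domain\Admin")
    'Finance'   = @("$Domain\Finance",   "$Domain\Admin")
    'Marketing' = @("$Domain\Marketing", "$Domain\Admin")
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noInherit = [System.Security.AccessControl.InheritanceFlags]::None
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param([string]$Identity, [string]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Flags)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Flags, $prop, 'Allow')
}

# Root folder: Domain Users may open and list it ("this folder only", so nothing
# is inherited below); ABE then filters the children they cannot read.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$rootAcl = Get-Acl -LiteralPath $SharePath
$rootAcl.SetAccessRuleProtection($true, $false)   # disinherit, discard inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rootAcl.AddAccessRule((New-Ace -Identity $id -Rights 'FullControl' -Flags $inherit))
}
$rootAcl.AddAccessRule((New-Ace -Identity "$Domain\Domain Users" -Rights 'ReadAndExecute' -Flags $noInherit))
Set-Acl -LiteralPath $SharePath -AclObject $rootAcl

# One folder per group: disinherit so Domain Users does not flow down, then grant
# only Administrators/SYSTEM (Full Control) and the owning groups (Modify).
foreach ($folder in $Layout.Keys) {
    $path = Join-Path -Path $SharePath -ChildPath $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Ace -Identity $id -Rights 'FullControl' -Flags $inherit))
    }
    foreach ($group in $Layout[$folder]) {
        $acl.AddAccessRule((New-Ace -Identity $group -Rights 'Modify' -Flags $inherit))
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Share the root with access-based enumeration on (SmbShare module, Server 2012+).
# Share permissions stay broad; NTFS is what actually restricts and hides.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess "$Domain\Domain Users" `
        -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}
```

Because every top-level folder is disinherited and carries its own explicit group grants, a member of HR browsing `\\Server\Company` sees only HR, which is the behaviour the thread was after; the trade-off, as the answer notes, is that deep per-subfolder grants (Bob on G2DivB under a Group2 he cannot list) have to become their own top-level folders or their own mapped drive, since ABE will not synthesise the traversal path the way Netware did.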
 

Author Comment by: DamonVan (ID: 40608812)
That's what I was afraid of.  I just needed someone to confirm my suspicion.

Thanks for the answer.