Connecting to a shared folder w/ a different user account

epichero22
There are a few questions I have about a connection I want to make to a shared folder that's on an NTFS volume.  What I wanted to achieve was to have a single, non-admin user account on that target machine to which I only know the password.  The shared folder would give that user account full control while denying full control to all other accounts including administrators.  In other words, if you forget the password, you cannot access the data unless you remove the hard drive itself from the machine.  I would think that this would make it difficult for the likes of Ransomware to encrypt the contents and my backups would be relatively safe.

Next would be to program a backup software to perform nightly backups to this folder.  In this example, I'm using Veeam Endpoint Protection.  The software is programmed with said user account and performs backups nightly.  I'm assuming that while Veeam uses the username and password to open a connection, other programs and users on that originating computer cannot.  In other words, Veeam has a private connection using said credentials.

Is this correct?  Please let me know what you think.
Top Expert 2016
Commented:
Can't be done with permissions as an administrator can always take ownership. All you can do is encrypt the file/files. In some cases one can use the SYSTEM account which has global god permissions.
Distinguished Expert 2017

Commented:
On the security tab of the shared folder properties, remove administrators after you add the user that needs full rights. The user you want to give full rights cannot be a member of the domain users group as that might restrict their access.
I.e. Security
Server\users of which domain users is a member set to read only
On the share tab, you can
Have server\users read only
Your user full rights.

As was pointed out, administrators on a folder one level up can reassert their rights on subfolders.


Any admin will need to login onto the server where the share is to reassert.



Often backups use volume shadow copy (snapshot), such that the backup would not interfere with user access to files. An open file by a user, however, will prevent the file backup.
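
The share and NTFS layout described in the answer above, written out in PowerShell as an added example that is not part of the original thread. The folder path, share name and account name are assumed placeholders; it expects an elevated session on the server hosting the share and an account that already exists. The closing check reports the owner and any other account holding write-type rights, because an administrator who takes ownership can re-grant access.

```powershell
# Added example. All names below are assumptions, not values from the thread.
$Path       = 'D:\VeeamBackups'                  # hypothetical backup folder
$ShareName  = 'VeeamBackups$'                    # hypothetical share name
$BackupUser = "$env:COMPUTERNAME\svc-backup"     # hypothetical local non-admin account
$Users      = 'BUILTIN\Users'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share tab: backup account full rights, Users read only.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $BackupUser -ReadAccess $Users | Out-Null

# Security tab: stop inheriting from the parent and drop every existing explicit ACE,
# which removes Administrators from the folder's DACL.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

$acl.AddAccessRule((New-Object $ruleType($BackupUser, 'FullControl',    $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object $ruleType($Users,      'ReadAndExecute', $inherit, $prop, $allow)))
Set-Acl -Path $Path -AclObject $acl

# Audit: anyone other than the backup account holding write-type rights is unexpected.
# Run this on a schedule to notice when rights have been reasserted.
$writeMask = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

$current = Get-Acl -Path $Path
$unexpected = $current.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ne $BackupUser -and
    ($_.FileSystemRights -band $writeMask)
}

"Owner: $($current.Owner)"
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "Only $BackupUser has write-type rights on $Path"
}
```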
Distinguished Expert 2018

Commented:
Protecting backups against ransomware by using a dedicated backup account and only entitling that account to access the data is a good idea - there's nothing more to say.
Exec Consultant
Distinguished Expert 2018
Commented:
Access granted based on least privileges. Whatever you do, please don’t use DOMAIN\Administrator for everything.
Good practice to use different credentials for backup storage. Consider authentication in the design and implement as much separation as possible from production workloads.
Also reduce the use of network shares as ransomware spreads from it. Common shares should be per individual granted with restricted access rights e.g. Read only etc. Nonetheless the Veeam endpoint agent detects if there are excessive writes that increase the CPU resource.

Some good practices from Veeam on backup. https://www.veeam.com/blog/tips-to-prevent-ransomware-protect-backup-storage.html
