query about share and directory permissions which contain delete

pma111
pma111 used Ask the Experts™
on
I am doing a review of permissions on a file server. There is a file share crated for a specific department for arguments sake we can say this is \\fileserver\department  - when analysing permissions, at share ACL the admin has granted the NT AUTHORITY\Authenticated Users 'Full' permissions, and on the directory ACL they have given NT AUTHORITY\Authenticated Users Read, Write, Execute and the concerning one being "Delete". These are taken from an MBSA scan of the server.

Within \\fileserver\department\ there are numerous sub-directories, e.g. \\fileserver\department\team1 \\fileserver\department\team2 - a quick scan of permissions set at this child levels show they don't inherit the permissions set at \\fileserver\department - which is good from a data security perspective, as they are configured in such a way that they restrict access to only specific groups.

Where my concern is, that I am trying to determine if I am correct or not to be alarmed, is if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g.  \\fileserver\department  level – could they just delete the sub-directories, e.g \\fileserver\department\team1 \\fileserver\department\team2 - or not? Does the fact the permissions on folders such as \\fileserver\department\team1 are more restrictive make my concerns that the NT AUTHORITY\Authenticated Users group has delete permissions at the root level less of an issue.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
NVITEnd-user support

Commented:
Try renaming one of the Team folders. If it works, they can delete it
Principal Support Engineer
Commented:
if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g.  \\fileserver\department  level – could they just delete the sub-directories, e.g \\fileserver\department\team1 \\fileserver\department\team2 - or not?

Permissions can be configured to apply in a number of different ways:

Settings for applying permissions
So, applying permissions to a folder doesn't necessarily grant that permission to subfolders (although "This folder, subfolders, and files" is the default setting). If you look at the permissions of one of those subfolders, does Authenticated Users have Delete permission?

Author

Commented:
In a sample subfolder that group didnt seem to have delete which is why it seemed odd to grant it at the root folder.
DrDave242Principal Support Engineer

Commented:
It seems a little odd, but someone may have configured it that way for a reason. Or maybe those permissions were initially assigned on all of the subfolders as well until someone decided that wasn't a good idea and disabled inheritance on them. Can't really say at this point.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial