Pau Lo

file share permissions query/concern

Is there much of a risk with the following scenario?
We have a file server \\fileserver and a departmental file share \finance
Share permissions on \finance have everyone Full, directory level permissions at the root of the share have an enormous list of entries, most are ‘modify’, some user groups have ‘full’.
Each team then has their own directory, e.g.
\\fileserver\finance\team 1
From what I can tell, the team1 type directories do not inherit permissions from the \finance root directory ACL, and an explicit set of permissions is set on each team directory to limit access.
I noticed though on the directory permissions on the root of \finance – a user group with full control. They do not have local administrator rights on the \\fileserver itself though, they are basically standard users.
If they had the knowledge, how easy would it be for a group NOT listed in the ACL for \\fileserver\finance\team 1 to force themselves access to the team1 folder, given they have full control at the directory share ACL (the level above)?
It sounds a poor design but I would be interested how they would go about forcefully adding themselves onto a sub-directory ACL, in this case \\fileserver\finance\team 1 - on which they are not currently listed on the ACL whatsoever.
They don’t have permission to RDP/local administrator onto the \\fileserver itself to amend any settings from there, in case that lowers the risk, likelihood and opportunity.
On their desktops they do have access to the security tab on folder properties, PowerShell, command prompt etc, in case that influences your feedback. I seem to recall at the top level, you used to be able to essentially "replace" any more restrictive sub directory ACLs with those set at the top level if you have full control (maybe)?
Bembi

Not quite sure if I can follow, but every user can change folder permissions only, if he has full permission to that folder.
So if you see a group, which should not be there, then the question is, who has put the permission there.
Be aware that the owner of a folder always has the right to change permissions, even if he doesn't have user permissions. The owner permissions are usually assigned to the user who has created the folder.

I never ever give users full control over any directory except for their personal files, and even that is only so folder redirection works.

Even if the subfolders are protected, defense in depth concepts would say that you should remove the full control, and I would also remove "Everyone". Everyone includes guest accounts. It's a terrible idea to use Everyone...especially in a sensitive location like Finance.
Pau Lo

ASKER

Everyone Full was on the share permissions acl, the directory acl was limited to user security group(s) with modify level permissions. This is common practice, set share permissions to everyone and use the ntfs/directory acl's and restricted user security groups to govern proper data protection controls. Everyone is not on the directory ACL (NTFS), we are not that relaxed with permissions.
> Share permissions on \finance have everyone Full... Everyone was only on the share permissions

I've given users Full permissions before with not so obvious, bad results. With Share=Full and NTFS=Modify, users can modify the security permissions. See https://www.experts-exchange.com//questions/28955946/customize-Windows-explorer-such-that-Everyone-can't-get-selected-when-users-do-folder-sharing.html

Everything will be fine, till one finer day... Save yourself the stress & headaches - give users Share=Change & NTFS=Modify by default.
Share Permissions doesn't really care (from the permission perspective) as long as directory permissions are set properly.
And as long a user doesn't have permission with an account it even doesn't play a role, if he tries to change something via the shared folder, directly on the machine or which way he ever takes.
If you are in doubt whether a user has directory permissions or not, you can use the effective permissions tab in the enhanced security tab to check it.
There are possibilities, that a user can inherit permissions by some special group membership constructions.
Don't forget the owner permissions (on the owner tab of the directory). 
> Share Permissions doesn't really care (from the permission perspective) as long as directory permissions are set properly.

I disagree. Use Share=Full and NTFS=Modify at your peril
I haven't said this is a good idea, because it also makes sense to expose shares only to users which also have directory permissions.

But just tested it with two folders...
One Read and one Write (Modify) folder...
Directory permissions set to me as well (read or modify) as to the administrators group (full)
Share Permission Full on both folders.

And it is as I expect, I can write on the write folder and read on the read folder and permissions I can see, but not change on both of them.

Maybe there is sometimes confusion, as on the write folder I can add additional folders, and as I'm the creator, I have full permissions on that folder (as owner). But if I set the folder back to the admins group as owner, I can not change permissions anymore.

So, if something different happens, it has definitely to do with wrong directory permissions or memberships of the user, which possibly works around the permission limitation. I agree that it sometimes can easily happen.
But the effective permissions of shares is the least permission of both (share permissions and directory permissions).


 

Pau Lo

ASKER

> I disagree. Use Share=Full and NTFS=Modify at your peril

I had a share mapped with exactly those permissions in place to test, share permissions - everyone full - directory permissions, whereby I am a member of a group with modify level permissions. I just tried to add a member onto the root level directory ACL via the security > permissions tab in explorer, and it produces an access denied error when I clicked apply.

That said, I am not the 'owner' of the root directory which sits within \\server\share - the 'owner' for the root directory, \\server\share\ is the server's administrators group. But, if I create a sub-folder, e.g. \\server\share\directory\MyNewFolderCreatedByMyAccount - and then try and amend security permissions on the MyNewFolderCreatedByMyAccount of which I am the owner, it does allow me to add new users/groups, remove existing etc! So it only seems to be a risk to those folders where the user with modify permissions is the folder's owner, but they cannot amend permissions on anything if they are not the folder owner, e.g. the root level, or folders created by colleagues.

I don't believe (unless that is another vulnerability as well in such a design whereby Everyone = F at the share) with modify permissions I can change the owner at the root level, or a folder created by a colleague, and then I could share access to anything. So it's the folders where the user is the owner which they can amend permissions on in the full/modify combination, which I agree is not ideal, but not quite as bad as first feared from reading the replies. If the full/modify combination also lets you do 'full' things like change ownership of folders then it really does start to become a big issue.
Pau Lo

ASKER

> Maybe there is sometimes confusion, as on the write folder I can add additional folders, and as I'm the creator, I have full permissions on that folder (as owner). But if I set the folder back to the admins group as owner, I can not change permissions anymore.

That was exactly my findings, for any other folder created and owned by other users, such as the local admins group, the full/modify share/directory combination stands, and you cannot change permissions, but any folder the user created within the share, and is therefore the owner, the full/modify share/directory combination does allow them to grant or revoke permissions, presumably due to the overly generous permissions set to the Everyone group on the share permissions.

Even though as 'owner' of a folder, the ACL still lists me as only having modify level permissions in the security tab. I can't downgrade the share permissions for everyone from full to modify, to see if I create a folder, and try to amend permissions, if the newly amended share permissions prevent this, or if you can still amend the permissions as a folder owner? Did you include that in your test?
You have to separate a few things.
Be aware that even share permissions came from a time, where FAT was more usual than NTFS.
But the fact is, a share permission is more a point of visibility than of real access permissions.
They can not give more rights a user has on the NTFS file system.

Owner permissions also have some special behaviours. You can be the owner without having permissions.
The difference is just that an owner can change everything, and even if he does not have permissions, he can grant the permission back to himself or any other person.

If you limit the share permission down to modify, even then the owner is the creator, the difference is just that the modify share permission is more restrictive than the NTFS permission. In that case the owner can not change permissions anymore using the share. But he would be able to change them if he directly accesses the file system.

 
Pau Lo

ASKER

> If you limit the share permission down to modify, even then the owner is the creator, the difference is just that the modify share permission is more restrictive than the NTFS permission. In that case the owner can not change permissions anymore using the share. But he would be able to change them if he directly accesses the file system.

That is a much better situation though. By directly accessing the file system, I presume you mean by logging into the server directly (which they cannot do, they can only access the files via mapping to the share on their own device).
So the share/directory combination of modify/modify seems less risky than the combination of full/modify permissions, if you don't want users sharing access to folders they are the owner of.

By modify, on share permissions, I mean 'change' (there is only full/change/read, no modify). So change/modify seems less risky if you don't want end users sharing/amending permissions on folders they are the owner of, whilst full/modify would allow that even via the share/mapped drive.
Yes, exactly..
Direct access, yes, on the local machine...
The kings way is to replace the owner permissions and inherit them down. But it depends from the already happened fragmentation of the current permission, because you may overwrite what the users have set.

On the other hand, at least in larger companies it is usual that the "owner" of a root element (i.e. a department) takes the responsibility for their own folder structure. So only the root folder is limited, inside the folder they can do whatever they want. The other option is to restrict access, then nobody is able anymore to change permissions.
At the end you have only these two options.
Pau Lo

ASKER

In the full/modify situation, can a user who does not own a folder ‘change’ the owner of the folder to themselves or another (via the file share, not locally on the machine)?
I am now questioning just how risky Everyone full at the share level is in some situations. Or is the risk totally contained to folders they create and therefore own, and they cannot change ownership on folders they don’t currently own? If they can take ownership due to an oversight in the full/modify granting of permissions, then it becomes a significant problem.
With full share permissions:
If the user has full access permissions on the folder, he can also change the owner.

With modify change permissions:
No, he can not change any permission. 
Pau Lo

ASKER

All of this has been very interesting to me, and I have learnt a few things I didn’t know. For a sensitive file share, we have proper request & authorization policies before granting access to shares/folders, the end users should not be messing with permissions directly. Changes should be made to group memberships by qualified administrators ONLY.

I still don’t quite have an answer to my original question though...
Assuming everyone group has full permissions set on the share permissions for \\server\share
If user A ALSO has full control over \\server\share\directory on the NTFS side of things, but there is a more restrictive set of permissions on \\server\share\directory\subdirectory, meaning user A does not even have read permissions to \\server\share\directory\subdirectory at this stage - with their full permissions on the tier above (\\server\share\directory), via the file share, is there any way user A can force their way to get access into the more restrictive \\server\share\directory\subdirectory via a single or multiple steps? They obviously aren't 'owner' of \\server\share\directory\subdirectory either. But as they have full control over \\server\share\directory - they could change 'ownership' to themselves at the highest level, in case that affects anything.

There is a checkbox on 'advanced security settings' which reads "replace all child object permissions entries with inheritable permission entries from this object", for example.
ASKER CERTIFIED SOLUTION
Bembi
This solution is only available to members.

> If they can take ownership due to an oversight in the full/modify granting of permissions, then it becomes a significant problem.

If Share = Change is sufficient, why take the chance?
Pau Lo

ASKER

Yes that will be the suggestion in future, share=change not share=full.
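
The share/NTFS interaction tested across this thread, written out as an added example that is not part of any post: access through a share is the intersection of the share mask and the NTFS mask, and a folder's owner implicitly holds the right to rewrite its ACL. The function names are hypothetical and the model is simplified (no deny ACEs, group nesting, OWNER RIGHTS SID or privileges); it generalizes the two tested cases to all share/NTFS level combinations.

```python
# Added example: simplified model of access through an SMB share.
# Not modelled: deny ACEs, group nesting, the OWNER RIGHTS SID, and
# privileges such as SeTakeOwnershipPrivilege held by administrators.

READ_CONTROL = 0x00020000   # read the security descriptor
WRITE_DAC = 0x00040000      # change the ACL ("change permissions")
WRITE_OWNER = 0x00080000    # change the owner ("take ownership")

# Windows access masks behind the named levels in the two dialogs.
SHARE = {"Read": 0x001200A9, "Change": 0x001301BF, "Full": 0x001F01FF}
NTFS = {None: 0, "Read": 0x001200A9, "Modify": 0x001301BF, "Full": 0x001F01FF}


def effective_mask(share_level, ntfs_level, is_owner=False):
    """Rights a user ends up with when reaching a folder via the share."""
    ntfs_mask = NTFS[ntfs_level]
    if is_owner:
        # The owner is implicitly allowed to read and rewrite the ACL,
        # even with no ACE of their own on the folder.
        ntfs_mask |= READ_CONTROL | WRITE_DAC
    # The share mask caps whatever NTFS grants: most restrictive wins.
    return SHARE[share_level] & ntfs_mask


def can_change_permissions(share_level, ntfs_level, is_owner=False):
    return bool(effective_mask(share_level, ntfs_level, is_owner) & WRITE_DAC)


def can_take_ownership(share_level, ntfs_level, is_owner=False):
    return bool(effective_mask(share_level, ntfs_level, is_owner) & WRITE_OWNER)


def scenario_table():
    """Scenarios raised in the thread -> (change ACL?, take ownership?)."""
    cases = [
        ("Full", "Modify", False),    # colleague's folder, share=Full
        ("Full", "Modify", True),     # folder the user created, share=Full
        ("Change", "Modify", True),   # same folder, share=Change
        ("Full", "Full", False),      # NTFS Full Control through share=Full
        ("Change", "Full", False),    # NTFS Full Control through share=Change
    ]
    return {c: (can_change_permissions(*c), can_take_ownership(*c)) for c in cases}


if __name__ == "__main__":
    for (share, ntfs, owner), (dacl, own) in scenario_table().items():
        print(f"share={share:<6} ntfs={ntfs:<6} owner={owner!s:<5} "
              f"change_acl={dacl} take_ownership={own}")
```

With Share=Change, neither WRITE_DAC nor WRITE_OWNER survives the intersection in any row, which is the reason for the Share=Change recommendation above.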