troubleshooting Question

file share permissions query/concern

Avatar of Pau Lo
Pau Lo asked on
Windows Server 2019Windows OSOS Security
18 Comments1 Solution48 ViewsLast Modified:
Is there much of a risk with the following scenario.
We have a file server \\fileserver and a departmental file share \finance
Share permissions on \finance have everyone Full, directory level permissions at the root of the share have an enormous list of entries, most are ‘modify’, some user groups have ‘full’.
Each team then has their own directory, e.g.
\\fileserver\finance\team 1
From what I can tell, the team1 type directories do not inherit permissions from the \finance root directory ACL, and an explicit set of permissions are set on each team directory to limit access.
I noticed though on the directory permissions on the root of \finance – a user group with full control. They do not have local administrator rights on the \\fileserver itself though, they are basically standard users.
If they had the knowledge, how easy would it be for a group NOT listed in the ACL for \\fileserer\finance\team 1 to force themselves access to the team1 folder, given they have full control at the directory share ACL (the level above).
It sounds a poor design but I would be interested how they would go about forcefully adding themselves onto a sub-directory ACL, in this case \\fileserer\finance\team 1 - on which they are not currently listed on the ACL whatsoever.
They don’t have permission to RDP/local administrator onto the \\fileserver itself to amend any settings from there, in case that lowers the risk, likelehood and opportunity.
On their desktops they do have access to the security tab on folder properties, powershell, command prompt etc, in case that influences your feedback. I seem to recall at the top level, you used to be able to essentially "replace" any more restrictive sub directory ACL's with those set at the top level if you have full control (maybe)?
ASKER CERTIFIED SOLUTION
Bembi
CEO

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 18 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 18 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros