Is there much of a risk with the following scenario.
We have a file server \\fileserver
and a departmental file share \finance
Share permissions on \finance have everyone Full, directory level permissions at the root of the share have an enormous list of entries, most are ‘modify’, some user groups have ‘full’.
Each team then has their own directory, e.g.\\fileserver\finance\team 1
From what I can tell, the team1 type directories do not inherit permissions from the \finance root directory ACL, and an explicit set of permissions are set on each team directory to limit access.
I noticed though on the directory permissions on the root of \finance – a user group with full control. They do not have local administrator rights on the \\file
server itself though, they are basically standard users.
If they had the knowledge, how easy would it be for a group NOT listed in the ACL for \\fileserer\finance\team
1 to force themselves access to the team1 folder, given they have full control at the directory share ACL (the level above).
It sounds a poor design but I would be interested how they would go about forcefully adding themselves onto a sub-directory ACL, in this case \\fileserer\finance\team
1 - on which they are not currently listed on the ACL whatsoever.
They don’t have permission to RDP/local administrator onto the \\fileserver itself to amend any settings from there, in case that lowers the risk, likelehood and opportunity.
On their desktops they do have access to the security tab on folder properties, powershell, command prompt etc, in case that influences your feedback. I seem to recall at the top level, you used to be able to essentially "replace" any more restrictive sub directory ACL's with those set at the top level if you have full control (maybe)?