I utilize Windows Server 2008 R2. My storage is connected via iSCSI. Recently I noticed a problem where any user can access any shared folder regardless of NTFS security. The two servers with this issue happen to be physical servers still.

I typically create a share with Everyone on the share with change permissions. I then apply security so the administrators groups, IT groups (in most cases), and a department group have access via NTFS. The inherited permissions include OWNER and SYSTEM.

I have checked and double checked my NTFS permissions, inheritance, ownership, and share permissions. The server does not appear to honor my NTFS security when the share is set to Everyone with read permissions.

If I change the share permission so the correct groups are listed there is no issue.

Did the security model change so setting everyone with change access is no longer a best practice? Could I be missing a permission somewhere?

I forgot to mention that picture 1 and 2 are from the server. Pictures 3 and 4 are from my client PC.

It’s my understanding if you give everyone read access anyone will be able to access. I’m guessing they can only access and not write to the share. It sounds to me like it’s working as intended. But I’m still fairly new to administration, only a couple years in the field. Maybe someone else here will have a better answer for you.

I have been using this setup for a long time - at least since Windows NT 4. Typically Windows will apply the most restrictive access. This allowed me to administer shares on NTFS without having to double work the share permissions when changes were needed.

Example: If I give Everyone change access on the share and read only on NTFS, users should have read-only access (most restrictive). In this case everyone is getting read/write access regardless of the NTFS permissions.

I have narrowed down the issue to a specific set of users. I will need to spend a bit of time tracing down the membership of the users and see if there is a group connected to these users. For example, they could have something like “Backup Operators” allowing Windows to bypass file security.

I found the issue. Someone modified the local security policy of the file server. There were some group changes in the “User Rights Assignment” section under “Backup Files and Directories”. I have this set back to the three default groups and security is working as expected.

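One way to check for the condition found in the last post, as an added example that is not from the thread: export the server's User Rights Assignment with `secedit` and list every holder of `SeBackupPrivilege` ("Back up files and directories"). The three baseline SIDs in `$expected` are an assumption, since the thread does not name its three default groups; replace them with your own approved list.

```powershell
# Added example: list who holds SeBackupPrivilege on this server.
# Run from an elevated prompt on the file server; it only reads policy.
$ErrorActionPreference = 'Stop'

# ASSUMPTION: baseline of expected holders; replace with your approved list.
$expected = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-551'   # BUILTIN\Backup Operators
    'S-1-5-32-549'   # BUILTIN\Server Operators
)

$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    # The line looks like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeBackupPrivilege\s*=' } | Select-Object -First 1
} finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$report = @(foreach ($h in $holders) {
    $sid = $null
    if ($h.StartsWith('*')) {
        $sid = $h.TrimStart('*')          # secedit prefixes SIDs with '*'
    } else {
        try {                             # entry written as an account name
            $acct = New-Object System.Security.Principal.NTAccount($h)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { }                       # unresolvable name: reported as unexpected
    }
    $name = $h
    if ($sid) {
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }                       # orphaned SID: keep the raw entry
    }
    New-Object PSObject -Property @{ Account = $name; Sid = $sid; Expected = ($expected -contains $sid) }
})

$report | Select-Object Account, Sid, Expected | Format-Table -AutoSize
$extra = @($report | Where-Object { -not $_.Expected })
if ($extra.Count -gt 0) { Write-Warning "$($extra.Count) unexpected holder(s) of SeBackupPrivilege" }
```

Any row with `Expected` set to `False` is an account or group that can read files regardless of their NTFS ACLs when it uses backup semantics, so also review the membership of each listed group.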