Access rights Shared and NTFS

  • Question

  • Dear forum,

    I have a root folder with read permissions... subfolders read permissions. NTFS are full.

    I have one subfolder for management which should only be accessible by management.

    I disabled the inheritance, removed all the groups except management and admins with full NTFS.

    But still some users can access the management folder fully and some not!!!

    If I click on Effective Access the users have all red crosses, but the reality looks different!

    Can anyone help me with some troubleshooting? Or is this an Essentials problem?

    Many thanks Karen

    Monday, May 12, 2014 4:40 AM

All replies

  • Which operating system are you talking about on the server side?

    On Windows Home Server, direct regulation of share and NTFS access at subfolder level is an unsupported scenario.

    On other Windows Server systems you would need to check the following two scenarios first:

    1. Are the users members of any group which gives them access?
    2. Do the users connect with a different account (stored credentials on the client) to the share/server?

    Best greetings from Germany
    Olaf

    • Edited by Olaf Engelke Monday, May 12, 2014 7:59 AM
    • Marked as answer by Justin Gu Tuesday, May 20, 2014 3:14 PM
    Monday, May 12, 2014 7:59 AM
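    One way to check both points from the server side, as an added example that is not part of the thread: PowerShell on the Essentials server lists who is actually connected and under which account (which is where a credential stored on the client shows up), then builds the full token group list of one user and matches it against the ACEs on the folder. The folder path is taken from the icacls output further down; the UPN alice@company.local is an assumed placeholder.

```powershell
# Added example, not code from the thread. Run on the Essentials server in an
# elevated PowerShell. Folder path taken from Karen's icacls output; the UPN is a
# placeholder (assumption).
$Folder = 'H:\LifeData\Admin\Management'

# 1. Which account does each client actually present to the server?
#    A credential stored in the workstation's Credential Manager shows up here as
#    a ClientUserName that differs from the person sitting at that machine.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize

# Files under the folder that are open right now, and by whom.
Get-SmbOpenFile |
    Where-Object { $_.Path -like "$Folder\*" } |
    Select-Object ClientComputerName, ClientUserName, Path |
    Format-Table -AutoSize

# 2. Full group list of one user as the server's security subsystem sees it.
#    Building a WindowsIdentity from a UPN performs an S4U logon, so the
#    resulting token includes nested groups and well-known groups such as
#    Authenticated Users (which never appear in the user's AD "memberOf").
function Get-TokenGroups {
    param([Parameter(Mandatory)][string]$Upn)
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    $names = foreach ($sid in $id.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }        # keep the raw SID if it cannot be resolved
    }
    @($names) + $id.Name            # $id.Name is DOMAIN\user, the form ACEs use
}

# 3. Every ACE on the folder whose principal is the user or one of the groups.
#    If the user has access that Effective Access denies, the answer is in this list.
function Find-GrantingAces {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Upn)
    $principals = Get-TokenGroups -Upn $Upn
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($principals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-GrantingAces -Path $Folder -Upn 'alice@company.local' | Format-Table -AutoSize
```

    On the workstation itself, `cmdkey /list` shows any credential stored for the server and `net use` shows the connections currently mapped with it; if the ClientUserName reported by the server differs from the logged-on user, that stored credential is the account the folder is really being opened with.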
  • Many thanks for your reply, Olaf. I just discovered that this is the Home Server forum.

    My Server edition is actually Server Essentials.

    Back to your questions. I broke the inheritance for that folder called management and created access rights only for the Management group and Admin group. The users I mentioned ARE NOT members of Management and not members of Admins.

    The effective rights tool shows RED crosses, so theoretically they should not have access rights to that folder.

    I checked how the users log in. They do not log in with other accounts, just themselves.

    I wonder if this is a Server Essentials bug.

    Many thanks Karen

    Monday, May 12, 2014 8:28 PM
  • Hi Karen,

    The "other accounts" can be fully transparent once stored in Control Panel/Credential Manager.

    Broken inheritance means you are given the choice to copy over the previous rights. If you did this, you need to remove the appropriate user group/user account in the NTFS security settings.

    I usually recommend leaving share access in most situations at Everyone/Full Control and only meddling with the NTFS permissions. That way you avoid other shares bleeding in, which circumvent the limits set on one of the shares.

    What is the output of

    icacls Path

    issued on the server in a command prompt, Path pointing to the folder in question?

    Has the management folder been originally created from the Essentials console or manually in Windows Explorer?

    Best greetings from Germany
    Olaf

    Tuesday, May 13, 2014 6:57 AM
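    The same tool can set the folder to exactly the intended state rather than only read it. The following is an added example, not code from the thread: it breaks inheritance without copying the inherited ACEs (the case described above), replaces the explicit ACEs, re-inherits the whole subtree, and then prints any ACE naming an unexpected principal. The folder path comes from the thread; the group name company\Management and the share name LifeData are assumptions.

```powershell
# Added example, not code from the thread. Run on the server in an elevated
# PowerShell. Folder path from the thread; the group, account and share names
# are assumptions. icacls is the tool Olaf asks for, used here to set instead of read.
$Folder = 'H:\LifeData\Admin\Management'

# 1. Break inheritance WITHOUT copying the inherited ACEs (/inheritance:r) and
#    replace every explicit ACE (/grant:r) with exactly the intended set.
#    Without the :r suffix icacls would add to whatever is already there.
icacls $Folder /inheritance:r /grant:r `
    'company\Management:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 2. Make every file and subfolder drop its own explicit ACEs and inherit from
#    the folder again. The wildcard keeps /reset off the folder itself, which
#    would otherwise re-inherit from H:\LifeData\Admin and undo step 1.
icacls "$Folder\*" /reset /T /C

# 3. Verify: every ACE line in the subtree that names a principal outside the
#    intended set is printed. No output means the subtree is clean.
$allowed = 'company\\Management|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM'
icacls $Folder /T |
    Select-String -Pattern ':\(' |
    Where-Object { $_.Line -notmatch $allowed }

# 4. Olaf's share recommendation: let the share grant Everyone full control and
#    leave all restriction to NTFS, so no second share can widen access later.
Grant-SmbShareAccess -Name 'LifeData' -AccountName 'Everyone' -AccessRight Full -Force
```

    The order matters: if step 2 ran before step 1, the children would inherit the old, wider ACL. Step 3 deliberately uses the raw icacls listing so the check can be repeated with the same command Olaf asked for, just with /T added.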
  • Thanks for your answer.

    Yes, I did remove the appropriate users.

    Interesting that you recommend Everyone/Full shared access. Security-wise that 'freaks' me out a little bit.

    Here is the output of icacls on Server 2012 Essentials

    H:\LifeData\Admin\Management company\George:(OI)(CI)(F)
                                 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                 BUILTIN\Administrators:(OI)(CI)(F)
                                 company\administrator:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Note: Only user George should have access to the Management folder.

    Thanks a lot !

    Tuesday, May 13, 2014 10:52 PM
  • Hi Karen,

    Looks fine to me. Did you ensure that subfolders and files have the same permissions set and that there are no shares pointing to deeper levels, so that the management folder is eventually circumvented?

    And all users who are logging on as members of the Domain Admins group, or with the account Administrator on their workstation if using the local Admin account with a password identical to the domain account.

    What happens if you change the Administrator password? Who would cry loudly?

    Also validate which users are eventually members of the Administrators group and the Domain Admins group.

    For share security: this one usually only causes trouble and confusion. Assuming you set read-only access to that share, then another share from maybe a higher-level folder grants full access, and the security as intended is no longer given. So assuming shares are always insecure and only controlling behavior via NTFS is the way to go. At best you can create hidden shares (name with $ at the end), which will not be seen by curious people.

    Best greetings from Germany
    Olaf


    • Edited by Olaf Engelke Thursday, May 15, 2014 7:11 AM
    • Marked as answer by Justin Gu Tuesday, May 20, 2014 3:14 PM
    Thursday, May 15, 2014 7:07 AM
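    The three checks in this answer, as an added example that is not part of the thread, run from the Essentials server: (a) every subfolder and file is compared against the ACL of the management folder, (b) every SMB share is classified by whether it sits above or inside the folder, with its share-level permissions, and (c) the nested membership of Administrators and Domain Admins is listed. The folder path is the one from the icacls output above; everything else is standard cmdlets of the SmbShare and ActiveDirectory modules present on a Server 2012 Essentials domain controller.

```powershell
# Added example, not code from the thread. Run on the Essentials server (a DC,
# so the ActiveDirectory module is present). Folder path is an assumption taken
# from the icacls output in the thread.
Import-Module ActiveDirectory
$Folder = 'H:\LifeData\Admin\Management'

# Canonical, sorted string form of an ACL so two ACLs can be compared as sets.
function Get-AceSet {
    param([Parameter(Mandatory)][string]$Path)
    @((Get-Acl -Path $Path).Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $_.AccessControlType
    } | Sort-Object -Unique)
}

# a) Subfolders and files whose ACL differs from the management folder's ACL
#    (ACEs copied when inheritance was broken, or later per-file edits).
$reference = Get-AceSet -Path $Folder
Get-ChildItem -Path $Folder -Recurse -Force | ForEach-Object {
    $diff = Compare-Object -ReferenceObject $reference -DifferenceObject (Get-AceSet -Path $_.FullName)
    if ($diff) {
        [pscustomobject]@{
            Item    = $_.FullName
            Extra   = (($diff | Where-Object SideIndicator -eq '=>').InputObject) -join '; '
            Missing = (($diff | Where-Object SideIndicator -eq '<=').InputObject) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap

# b) Shares that reach the folder. Users rarely connect to the folder's own
#    share, so list every share whose path contains the folder or lives inside
#    it, together with its share-level permissions.
$f = $Folder.TrimEnd('\') + '\'
Get-SmbShare | Where-Object { $_.Path } | ForEach-Object {
    $s = $_.Path.TrimEnd('\') + '\'
    $relation = if ($s -eq $f)                                                    { 'is the folder' }
                elseif ($f.StartsWith($s, [StringComparison]::OrdinalIgnoreCase)) { 'parent share covers folder' }
                elseif ($s.StartsWith($f, [StringComparison]::OrdinalIgnoreCase)) { 'share inside folder' }
    if ($relation) {
        [pscustomobject]@{
            Share       = $_.Name
            Path        = $_.Path
            Relation    = $relation
            ShareAccess = (Get-SmbShareAccess -Name $_.Name |
                           ForEach-Object { '{0}:{1} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }) -join ', '
        }
    }
} | Format-Table -AutoSize -Wrap

# c) Who really holds administrative rights, nested membership included. On a
#    DC, BUILTIN\Administrators is a domain group, so Get-ADGroupMember sees it.
foreach ($group in 'Administrators', 'Domain Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass
}
```

    Check (b) is the one that explains most "Effective Access says no, but the user gets in" cases: Effective Access is evaluated on the folder you clicked, while a share rooted higher up is reached through its own path and, with a copied or explicit ACE somewhere in between, may never hit that folder's ACL at all. Administrative shares such as H$ will show up as "parent share covers folder"; that is expected, since they are limited to administrators anyway.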
  • Thanks Olaf..

    Sorry about the late response.

    "And all users who are logging on as members of the Domain Admins group, or with the account Administrator on their workstation if using the local Admin account with a password identical to the domain account."

    Good point!

    I know that our engineer set everyone up as local Administrator on their own computers and they log in with the same account and password to the domain.

    Could this interfere with the permissions as I have set the folder up?

    "What happens if you change the Administrator password? Who would cry loudly?"

    Everyone. :)

    "Also validate which users are eventually members of the Administrators group and the Domain Admins group."

    None. No local Administrators on Server and no Domain Admins, except me.

    "So assuming shares are always insecure"

    Thanks. Full access to users, and NTFS for full security.

    Many thanks!

    thanks for your help. Much appreciated.

    So there is some confusion for me about the local admin on a computer and how much it affects the security on the server.

    Regards Karen

    Sunday, May 18, 2014 8:48 PM
  • "So there is some confusion for me about the local admin on a computer and how much it affects the security on the server."

    There should not be any confusion if done right.

    You would have to check the members of the group BUILTIN\Administrators. If those are only domain accounts, remove all people who do not need to be in it.

    Since you say "None. No local Administrators on Server and no Domain Admins, except me." there should be no problem changing the password for the account Administrator/Admin at domain level (which will not affect the LOCAL workstation accounts with the same name, if nobody unintentionally works with the domain admin account) and also your own password.

    Best greetings from Germany
    Olaf

    • Edited by Olaf Engelke Monday, May 19, 2014 7:04 AM
    • Marked as answer by Justin Gu Tuesday, May 20, 2014 3:14 PM
    Monday, May 19, 2014 7:03 AM