Server 2012 file permission issue

cubby1223

Lifer
May 24, 2004
13,518
42
86
I'll be the first to say I'm not well knowledged on the ins & outs of Windows Server. I just noticed today at one office I work for that from a Windows 8 computer with a mapped drive to a Server 2012 shared folder, even with a non-administrator account on the server, from the workstation you can view and modify the user permissions of the server's shared folder for everyone.

So the questions that come to mind... Why can I view the permissions from a workstation? Why can I alter the permissions from a workstation?


The terms seem to be too generic, I'm not finding much via Google. Thanks!
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
1) Are you on a domain?
2) Is your account a member of the Domain Administrators group?
3) Does "Everyone" have Full Control set in the NTFS permissions for the folder?

By default folders in a file share are not locked down, they inherit permissions from the parent folder, whatever they may be. Which means anybody who's a member of the domain can make changes to that folder.
 

cubby1223

That server had been set up not as a domain controller. The users are local user accounts, but none are administrators. It's a very small organization and they do not have much in-house knowledge of computers. The simpler the setup, the better. Yes, it's a tradeoff between simplicity and security. There are two shares, one is a full-access shared folder for everyone who has a valid login, then a second that contains the Quickbooks data file, which only select people have permissions to.

I guess I was just stunned to notice the file & folder permissions can be altered straight from explorer on a client workstation! The Quickbooks folder does not have "Everyone" as a part of the security settings but I was able to successfully add it in from the workstation.

Now that I'm thinking back, and I wish I had a copy of Server 2012 here to test, I think it may have just altered the file & folder permissions from the workstation, but did not alter the network share permissions.
 

Mushkins

There's nothing wrong with not having a domain, but you lose a lot of the security and manageability of file permissions without one.

The way NTFS permissions work is that if you are an authenticated user with access to the share, you can alter the permissions on that share. So if you're at John Smith's computer, and John Smith has the proper access rights to //Server1/Quickbooks, he can right click that folder and edit the permissions from his workstation, but Jill Doe logged into the same workstation cannot access or alter that share.

You actually *DON'T* want Everyone to have Full Control permissions; by adding that to the share you effectively granted anyone on any computer on the network full rights to access, alter, and reconfigure that share, precisely what you're trying to undo. The Everyone group is the first thing you remove when locking down a folder.

From what you're saying, it sounds like the folder permissions are misconfigured and that Quickbooks folder is wide open to anyone.

Also note that Windows Sharing settings and NTFS permissions are two entirely different sets of permissions, and NTFS permissions always win out over whatever the sharing settings are. If Sharing says no access and NTFS says yes access, the answer is yes. In a domain environment I never use sharing permissions unless I absolutely have to; it's just an added level of confusion.
 

cubby1223

Thank you for the info. The two shares are completely separate from each other, that's okay, like the Quickbooks folder is not located underneath the general share. Permissions are set as they should be, Everyone is on for the general share, and only the specified people are on for the Quickbooks share & Quickbooks folder. Inherited permissions are turned off.

I'll have to test if NTFS permissions grant access, if that overrides the shared permissions. I could have sworn access to the share was first, then access to the files second.

This is a small not-for-profit organization, things need to side more on the cheap & ease of self-use for the long run side of the equation.
 

Mushkins

No problem. From my experience, NTFS permissions override *everything*.
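
An added example, not part of any post in this thread: a PowerShell audit, run on the file server, that lists both permission layers for each share. Network access is checked against the share permissions and the NTFS ACL, and editing an ACL from Explorer requires the NTFS Change Permissions right (part of Full Control) or ownership of the folder. `Get-ShareAclReport` and the `$Trusted` allow-list are names assumed for this example.

```powershell
# Added example: report who can rewrite permissions on each shared folder.
# Run in an elevated PowerShell session on the file server (Server 2012 or later).

# Assumed allow-list of principals expected to manage ACLs; adjust as needed.
$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# NTFS rights that let the holder edit the ACL or seize the folder.
# Full Control includes both of these bits.
$AclRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

function Get-ShareAclReport {
    # Skip special shares (ADMIN$, C$, IPC$) and shares without a folder path.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Path } | ForEach-Object {
        $share = $_

        # Layer 1: share permissions. Only "Full" passes ACL editing through.
        $shareFull = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' } |
            ForEach-Object { $_.AccountName }

        # Layer 2: NTFS ACL on the shared folder itself (top level only).
        $acl = Get-Acl -LiteralPath $share.Path
        $editors = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $AclRights) -and
                ($Trusted -notcontains $_.IdentityReference.Value)
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Share          = $share.Name
            Path           = $share.Path
            Owner          = $acl.Owner           # the owner can always edit the ACL
            ShareFull      = $shareFull -join '; '
            NtfsAclEditors = $editors -join '; '
            # Coarse flag: both layers hand out ACL-editing rights.
            Review         = [bool]($shareFull -and $editors)
        }
    }
}

Get-ShareAclReport | Format-List
```

A share with `Review : True` is one where a non-administrative account listed under `NtfsAclEditors` may be able to change permissions from a workstation; granting Modify instead of Full Control on the folder removes that right.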