How to Prevent Users from Changing Permissions on File Servers
On file servers in corporate environments one typically does not want users to change permissions, even on their own files. It might seem that it would be sufficient to simply grant change permissions instead of full control, but unfortunately that is not the case. The problem is that whenever a new file gets created, the user creating the file will be its owner. And owners can always change permissions, regardless of the contents of the DACL.
The Solution
In order to prevent “orderly” users from “tidying” the permissions on their files and directories and thus messing things up, often removing administrators from the DACL, too, the following needs to be done:
- Only grant change (aka modify) permissions in the NTFS file system. “Change” does not include the specific right “change permissions”.
- Do not grant full share permissions. Use change + read instead. This masks out the right “change permissions” which owners are implicitly granted. This obviously applies to network access only.
The clever part is not granting “full control” in the share permissions to users. Since administrators still want to be able to modify permissions, I suggest adding a second ACE to each share’s DACL. The resulting DACL now contains the following two entries:
- Authenticated users: change + read
- Administrators: full control
Automation
Manually setting, changing and modifying permissions is a tedious job, that can very well be offloaded to scripts. My powerful free tool SetACL manages permissions on shares, in the file system and in the registry. It works on all Windows operating systems from Windows XP onwards. And it does not contain the nasty bugs that essentially make Cacls.exe and XCacls.exe unusable.
1 Comment
I want to do near the same as tittle, but with a small difference.
I want to avoid an application that runs with full adminitrator rigths (sometimes also is run as system user) to be able to read a specific folder.
I can do such just by only letting rigths for user MyUser and not having SYSTEM or Administrators, etc on security.
But how on the hell can i avoid such application changes the ACL for that folder when it is run in an admin account or also when it is run as SYSTEM account?
In short words: How can i make only one user account can change permisions of a folder?
I mean a full lock, specially mention to not letting other admin user neither system special user to take owner on that folder.
Let me explain the problem:
All things i had try do not lock doing this from inside the app i need to run (under admin account and/or under SYSTEM special account):
The application is alloerd to take owner of the folder, then it is allowed to change permissions, etc.
How to reproduce it is easy, just program a small script that does this:
1. Take owner of the folder
2. Change permissions
3. Access that folder and do whatever is wanted
4. If want revert back permissions and owner
I want to avoid such thing to happen even when the script is run on SYSTEM special account.
Why? Easy: i need to run an application and it allways runs with full admin rights (need elevation, or even run under SYSTEM on start up, etc), but i want it not be able to access a ‘private’ folder that needs to be accessed at the same time by other (authorized) applications.
Partition encryption does not help, it must be mounted while app is running.
In other words: i need to run an application i do not trust on it, and it only runs with highest rights (admin / SYSTEM) else it refuses to be run, while i need to ensure ‘privacy’ of one folder that need to be accessed by other apps at the same time.
Why Windows has a lot of security rights for Groups, Users, etc… if just taking owner overides all of them? And any, i say any app that runs on SYSTEM account can take owner of anthything it wants.
Seems to be a BIG security breach! Or there is just something i do not get !
So resuming, howto avoid folder access for one application whatever such application does whatever account that application runs on?