How to Modify Default Share Permissions and Other Tweaks

NTFS permissions are stored in the file system, that is well known. But where are share permissions stored?

As so often with Windows: in the registry. Network shares are defined by only a handful of relatively simple registry entries stored in the server service’s key which is, for historical reasons that go back way beyond OS/2, named “LanmanServer” (the workstation service is similarly named “LanmanWorkstation”).

The share definitions can be found here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares

There is one value per share of type REG_MULTI_SZ. The value name corresponds to the share name.

Permissions are stored in the subkey “Security”:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security

Again, there is one value per share, this time of type REG_BINARY.

Now, what can you do with this information?

Migrate

For one, you could implement a low-level method of migrating shares from one server to another. Although crude, this method seems to have been popular enough to warrant an official description in Microsoft’s Knowledge Base.

Tweak

Or you could recreate share permissions in the style en vogue till Windows XP. Before Server 2003, network shares had no security descriptor whatsoever on them. Being naked, they allowed full access to everyone. That changed with Server 2003 and XP SP1, where nakedness was not deemed secure enough any more and network shares got restrictive default permissions that only allowed read access, which then had to be changed by the administrator to full access again. Sigh.

In my case I needed to create a share with a NULL security descriptor to test my permission manipulation tool SetACL. Creating such a beast is not so easy. When deleting all access control entries (ACEs) from the DACL, you do not get a NULL security descriptor granting full access to everyone, but instead an empty DACL that blocks every kind of access! Here is what SetACL reports after all non-inherited ACEs have been cleared from the share’s DACL:

D:\>setacl -on test -ot shr -actn list
"test",5,"DACL(not_protected):[empty]"

So I had to resort to the low-level registry method to create my NULL-SD share:

  1. Stop the server service
  2. Rename the registry value that stores the security descriptor for my share “test”: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security\test -> testX
  3. Start the server service

Voilà! Now SetACL prints out the following when listing permissions of the share “test”:

D:\>setacl -on test -ot shr -actn list
INFO: The object <test> has a NULL security descriptor (granting full control to everyone) and is being ignored.
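The registry locations described above also make it possible to check, without stopping the server service, which shares on a machine carry a NULL security descriptor, an empty DACL, or an ACE for Everyone. The following PowerShell script is an added example, not code from the original post or from SetACL. It assumes an elevated session, decodes each share’s REG_BINARY value with .NET’s RawSecurityDescriptor class, and maps the standard share access masks (0x1F01FF Full Control, 0x1301BF Change, 0x1200A9 Read) back to the names the GUI shows.

```powershell
# Added example (not part of the original post): audit the share security
# descriptors that the server service stores under LanmanServer.
# Needs an elevated session; reading the registry does not require a restart.

$SharesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$SecurityKey = "$SharesKey\Security"

function ConvertTo-SharePermissionName {
    # Map the standard share access masks to the names the GUI shows.
    param([int]$AccessMask)
    switch ($AccessMask) {
        0x1F01FF { 'Full Control' }
        0x1301BF { 'Change' }
        0x1200A9 { 'Read' }
        default  { '0x{0:X}' -f $AccessMask }
    }
}

function Get-LanmanShareSecurity {
    foreach ($name in (Get-Item $SharesKey).GetValueNames()) {
        # One REG_BINARY value per share; a missing value means a NULL SD.
        $bytes = (Get-Item $SecurityKey).GetValue($name)
        if ($null -eq $bytes) {
            [pscustomobject]@{ Share = $name; Trustee = 'Everyone'; Access = 'Full Control'
                               Note = 'NULL security descriptor (no Security value)' }
            continue
        }

        # The blob is a self-relative security descriptor; .NET parses it directly.
        $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
        $dacl = $sd.DiscretionaryAcl
        if ($null -eq $dacl) {
            [pscustomobject]@{ Share = $name; Trustee = 'Everyone'; Access = 'Full Control'
                               Note = 'security descriptor without DACL' }
            continue
        }
        if ($dacl.Count -eq 0) {
            # Empty DACL: every access request is denied (the state SetACL printed above).
            [pscustomobject]@{ Share = $name; Trustee = '-'; Access = 'None'; Note = 'empty DACL' }
            continue
        }
        foreach ($ace in $dacl) {
            $sid = $ace.SecurityIdentifier
            # Resolve the SID to a name where possible; fall back to the SID string.
            $trustee = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{
                Share   = $name
                Trustee = $trustee
                Access  = ConvertTo-SharePermissionName $ace.AccessMask
                Note    = $ace.AceType   # AccessAllowed or AccessDenied
            }
        }
    }
}

# Shares listed as 'Everyone' / 'Full Control' deserve a second look.
Get-LanmanShareSecurity | Format-Table -AutoSize
```

Running the script on the server from the example above lists the share “test” with the note “NULL security descriptor”, while a share whose DACL was cleared with SetACL shows up with “empty DACL” and no access at all.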

Change Default Share Permissions

The LanmanServer registry key not only stores the permissions for existing shares, but also a default security descriptor assigned to new shares upon creation. With the following information it is easy to modify the permissions newly created shares get by default, and recreate the comfortable situation we had before Windows Server 2003, for example.

Default share permissions are stored in the binary value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo

That value is not present by default. In order to create it and populate it with useful content, follow these steps:

  1. Create a template share named, for example, test.
  2. Assign appropriate permissions to your template share “test” using the GUI.
  3. Double-click the value storing the security descriptor of your “test” share: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security\test. Select everything (!) by pressing CTRL+SHIFT+END. Copy the selection with CTRL+C.
  4. Create a new empty binary value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo.
  5. Double-click SrvsvcDefaultShareInfo and press CTRL+V to paste the binary representation of the security descriptor you copied earlier.
  6. Restart the “server” service (aka LanmanServer).
  7. Create a new share. You will notice that it immediately has the same permissions you assigned to the “test” share.
  8. You may now delete the “test” share.
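Steps 3 to 6 of this procedure can also be carried out from an elevated PowerShell session instead of copying bytes around in Regedit. The function below is an added example, not code from the original post. It assumes the template share already carries the permissions you want, reads that share’s Security value and writes it to SrvsvcDefaultShareInfo. Before doing so it checks that the blob parses as a security descriptor with a non-empty DACL, so that neither a NULL descriptor (Everyone: Full Control) nor an empty DACL (no access) can become the default for new shares by accident.

```powershell
# Added example (not part of the original post): make the permissions of a
# template share the default for all shares created afterwards.
# Run in an elevated session. Export the LanmanServer key first as a backup.
function Set-DefaultSharePermissionsFromTemplate {
    param(
        # Name of the share whose permissions become the default ('test' in the post).
        [Parameter(Mandatory)][string]$TemplateShare
    )

    $securityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security'
    $defaultKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

    # The REG_BINARY value holding the template share's security descriptor.
    $bytes = (Get-Item $securityKey).GetValue($TemplateShare)
    if ($null -eq $bytes) {
        throw "Share '$TemplateShare' has no Security value (NULL SD); refusing to make Everyone: Full Control the default."
    }

    # Sanity check: the blob must parse, and its DACL must exist and contain ACEs.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        throw 'Template security descriptor has no DACL; new shares would allow everything.'
    }
    if ($sd.DiscretionaryAcl.Count -eq 0) {
        throw 'Template DACL is empty; new shares would deny all access.'
    }
    Write-Verbose ('Template SDDL: ' + $sd.GetSddlForm('All'))

    # Create the DefaultSecurity key if needed and (over)write the binary value.
    if (-not (Test-Path $defaultKey)) { New-Item -Path $defaultKey | Out-Null }
    New-ItemProperty -Path $defaultKey -Name 'SrvsvcDefaultShareInfo' `
        -PropertyType Binary -Value $bytes -Force | Out-Null

    # The server service reads DefaultSecurity only at start-up.
    Restart-Service -Name LanmanServer -Force
}

Set-DefaultSharePermissionsFromTemplate -TemplateShare 'test' -Verbose
```

Restarting the server service disconnects every client currently using a share on the machine, so schedule the call accordingly; afterwards a freshly created share shows the template’s permissions, exactly as in step 7.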

More Tweaks

In addition to SrvsvcDefaultShareInfo the key LanmanServer\DefaultSecurity has some other very interesting values that all store security descriptors and that might warrant playing around with:

  • SrvsvcConfigInfo: Manage file and printer sharing
  • SrvsvcConnection: Manage file/print server connections
  • SrvsvcFile: Manage file server open files
  • SrvsvcServerDiskEnum: Enumerate file servers disks
  • SrvsvcSessionInfo: Manage file/print server sessions
  • SrvsvcShareAdminConnect: Connect to administrative shares
  • SrvsvcShareAdminInfo: Manage administrative shares
  • SrvsvcShareChange: ?
  • SrvsvcShareConnect: Connect to file and printer shares
  • SrvsvcShareFileInfo: Manage file shares
  • SrvsvcSharePrintInfo: Manage printer shares
  • SrvsvcStatisticsInfo: Read file/print server statistics
  • SrvsvcTransportEnum: Enumerate server transport protocols

The TweakUI tool seems to have an option to manipulate these security descriptors, although I admit I have not tried that out.
