none
don't allow user to change permissions RRS feed

  • Question

  • Hi,

    I just wander if somebody could help me. I've created folder with restricted access to particular group (this group has full access) inside folder which everybody can open. So basically UNC path looks like that \\SERVER\FOLDER\RESTRICTED_FOLDER.

    Now if user create folder inside RESTRICTED_FOLDER he can change permission on it, I mean add somebody and this person even if has no rights to RESTRICTED_FOLDER at all can access this folder using \\SERVER\FOLDER\RESTRICTED_FOLDER\NEW_FOLDER path. I was surprised when I discovered this as I've expected, when you have no permission to RESTRICTED_FOLDER you can't get access to NEW_FOLDER at all, but you can. 

    Can anybody suggest me something to make sure user is not able to give permission to sub folder or another way to resolve this issue?

    Tuesday, March 12, 2019 9:15 AM

Answers

  • In the Windows security model, the owner of an object is always allowed to change its permissions, so revoking the right to change permissions would only go as far as you would be able to control ownership of the objects in question. As users also would be creating files and directories, they would become owners of the newly created objects, so in your case this route is likely not going to help you.

    But fret not, there is a remedy. With file services, you have not just one but two objects' permissions checked for an access decision:

    1. the file or directory a user is trying to access
    2. the file share the user is accessing the file or directory through

    Only if ACLs of both allow access, it will be granted. To prevent users from changing ACLs of file system objects exposed through a share, simply do grant "Modify" or "Change" permissions to the users on the share instead of "Full Control", as you likely have done. In this case, even if a user is an owner of a file or directory, she will not be able to change file system ACLs through the share, as share ACLs would prevent this.

    Further reading: 

    https://docs.microsoft.com/en-us/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions


    • Edited by syneticon-dj Tuesday, March 12, 2019 10:43 AM
    • Marked as answer by piotrkow Tuesday, March 12, 2019 11:47 AM
    Tuesday, March 12, 2019 10:43 AM

All replies

  • Hello!

    A general rule is to never give a user group "Full Control" of a folder, "Modify" permissions is enough.

    If you give a group "Full Control", they will be able to change permissions, if you only add "Modify" which is basically read & write permissions, they will not be able to change permissions.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, March 12, 2019 9:27 AM
  • Hi Leon,

    Thanks for your reply.

    Modify is very often not enough so "Full Control" works, much better for me. Only thing which I would change is to prevent them to allow change permissions.

    Tuesday, March 12, 2019 9:59 AM
  • In this case, you can have special permissions, you can simply remove the "Change permissions" right from the group, like this:


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, March 12, 2019 10:02 AM
  • Well, this is my issue as I've tried it before. I've tried it and even if I remove the "Change permission" (on both, user and owner) user still can change permissions.
    Tuesday, March 12, 2019 10:20 AM
  • The owner can always change the permissions, when you are testing you are probably not logging out or waiting for the changes to become active, this is why it still works for you.

    You can test this as follows:

    Set permission for a user with Full Control on the folder, then remove the "Change permissions" right from the user.

    Have the user logout from his computer, then login back and try changing permissions to see if it works.


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, March 12, 2019 10:31 AM
  • In the Windows security model, the owner of an object is always allowed to change its permissions, so revoking the right to change permissions would only go as far as you would be able to control ownership of the objects in question. As users also would be creating files and directories, they would become owners of the newly created objects, so in your case this route is likely not going to help you.

    But fret not, there is a remedy. With file services, you have not just one but two objects' permissions checked for an access decision:

    1. the file or directory a user is trying to access
    2. the file share the user is accessing the file or directory through

    Only if ACLs of both allow access, it will be granted. To prevent users from changing ACLs of file system objects exposed through a share, simply do grant "Modify" or "Change" permissions to the users on the share instead of "Full Control", as you likely have done. In this case, even if a user is an owner of a file or directory, she will not be able to change file system ACLs through the share, as share ACLs would prevent this.

    Further reading: 

    https://docs.microsoft.com/en-us/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions


    • Edited by syneticon-dj Tuesday, March 12, 2019 10:43 AM
    • Marked as answer by piotrkow Tuesday, March 12, 2019 11:47 AM
    Tuesday, March 12, 2019 10:43 AM
  • Many thanks for your answer. This was exactly what I was looking for - simple and elegant solution!
    Tuesday, March 12, 2019 11:48 AM
  • Hi,

    I am glad to hear that your issue was successfully resolved.


    Best Regards,

    Frank


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 13, 2019 6:01 AM
    Moderator