Remove "Everyone" permissions from folders

  • Question

  • Hello Scripting Guys,

    I'm in need of assistance. I'm currently working on fixing the mistake of another team: they were tasked with the creation of several shares, but made a mistake on the creation and left "Everyone" with read only in most folders and full control in a few. We need to have the default group "Everyone" removed from over one thousand shares, since this is a security problem for my company. Working this manually will mean a lot of time; I have been searching for a script that I could use to change the permissions in bulk. If you could lend me a hand I'll appreciate it.

    Wednesday, March 26, 2014 3:54 PM

All replies

  • Everyone is added to all shares by default. The underlying NTFS system has final say on control. I recommend concentrating on the NTFS permissions, as Everyone:read is not the source of your issues. If NTFS does not include Everyone then the share contents are invisible to all but those granted explicit permission.


    ¯\_(ツ)_/¯

    Wednesday, March 26, 2014 4:16 PM
  • Thanks for the info, I'll check it out. The reason I was asked to have Everyone removed completely from each of the shares is because those are personal shares (home shares), and company security standard states that none besides the share owner and the server admins should have access to the share, even if it is read only.
    Wednesday, March 26, 2014 4:23 PM
  • The usual recommendation is to have "Everyone:Full Control" on all shares, and control access via NTFS permissions instead. Share permissions are unnecessary unless the underlying file system does not have access control.

    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Arcano30 Wednesday, March 26, 2014 4:42 PM
    Wednesday, March 26, 2014 4:30 PM
    Moderator
  • Thanks for the info, I'll check it out. The reason I was asked to have Everyone removed completely from each of the shares is because those are personal shares (home shares), and company security standard states that none besides the share owner and the server admins should have access to the share, even if it is read only.

    That is the way Windows sets this up by default. Try accessing the user's share from an admin account. You should see nothing. The NTFS permissions are set to only the user. In the default case the admins do not have access, but this can be changed by Group Policy.

    You do NOT want to start messing with these permissions without a complete understanding of what you are doing.

    You can use the Effective Permissions Wizard to test shares for compliance. Mistakes in permissions can only come from untrained admins trying to make things look neat by changing the defaults.


    ¯\_(ツ)_/¯

    • Marked as answer by Arcano30 Wednesday, March 26, 2014 4:42 PM
    Wednesday, March 26, 2014 4:35 PM
  • To add to Bill's point.  Share permissions are retained for use in Workgroups.  We usually modify the share default in a domain to set the shares to "Full" and then take elaborate care to control NTFS permissions.

    I recommend purchasing a tool that will report on shares compliance.  After the first scan is vetted the report is used to monitor for changes and compliance.

    Share permissions can be enforced by Group Policy


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, March 26, 2014 4:40 PM
    Wednesday, March 26, 2014 4:39 PM
  • Thanks jrv and Bill, I'll pass this information to the compliance team. I doubt the company will buy any reporting tool, but at least it will get them off my back. Since I usually handle AD, DNS, etc. on our company domain controllers, they thought it was a good idea to ask me to make changes to folder permissions, even though I don't manage any of the storage servers where the shares are hosted.
    Wednesday, March 26, 2014 4:48 PM
  • You need to have them hire a certified consultant that will help them understand how Windows works and how we enforce these things in Windows and with Group Policy.

    Compliance teams, too often, are just non-technical managers. They should write rules and not dictate technical solutions. The rules untrained managers write can be destructive.


    ¯\_(ツ)_/¯

    Wednesday, March 26, 2014 4:55 PM
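
The replies above put the decision in the NTFS ACL rather than the share ACL and suggest reporting on compliance. The following read-only audit is an added example, not code posted by anyone in the thread; the `D:\Home` path, the `CONTOSO` domain name, the folder-named-after-owner layout and the `Get-HomeFolderFinding` function name are assumptions.

```powershell
# Added example: read-only audit; it changes no permissions.
# Assumptions (not from the thread): home folders sit directly under $HomeRoot,
# each folder is named after its owner's logon name, and the domain is CONTOSO.
param(
    [string]$HomeRoot = 'D:\Home',   # hypothetical path
    [string]$Domain   = 'CONTOSO'    # hypothetical NetBIOS domain name
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

function Get-HomeFolderFinding {
    param([System.IO.DirectoryInfo]$Folder)

    # Principals the standard quoted in the thread allows: the owner and the
    # server admins. SYSTEM is included as an assumption.
    $allowed = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
    try {
        $owner = New-Object System.Security.Principal.NTAccount -ArgumentList $Domain, $Folder.Name
        $allowed += $owner.Translate($sidType).Value
    } catch {
        Write-Warning "No account matches folder '$($Folder.Name)'"
    }

    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on display names or locale.
    $acl = Get-Acl -LiteralPath $Folder.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path       = $Folder.FullName
                Sid        = $ace.IdentityReference.Value
                IsEveryone = ($ace.IdentityReference.Value -eq $everyone.Value)
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# NTFS findings decide compliance: any Allow ACE outside the allowed set is reported.
Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object { Get-HomeFolderFinding $_ } |
    Export-Csv -Path .\ntfs-findings.csv -NoTypeInformation

# Share-level ACEs for Everyone, listed for the record only.
$everyoneName = $everyone.Translate([System.Security.Principal.NTAccount]).Value
Get-SmbShare -Special $false | ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccountName -eq $everyoneName } |
    Select-Object Name, AccountName, AccessControlType, AccessRight
```

`Get-SmbShare` and `Get-SmbShareAccess` require Windows Server 2012 or later and must run on the file server itself; an empty `ntfs-findings.csv` means no home folder grants access beyond the allowed set.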