NTFS and File Shares

I recently tried demonstrating NTFS vs file share permissions to the new folks on the team.

I had a Windows 2016 server set up and I created a folder. Now, when we log into a server in my company, we don’t use the same account we use for daily work (i.e. email, etc.); we use admin accounts that only have access to the servers. This helps mitigate the spread of malware, etc. So, I created a folder and I shared it. I gave my daily (non-admin) account full control at the share level and change at the NTFS level. In theory, that allows me to create and modify files on the share from my productivity computer, and it worked as expected.

My next step in the lesson was to demonstrate the concept of most restrictive. In Windows, when dealing with file shares, the universal law is that any user is confined to the most restrictive of the two sets of permissions. In short, if I have full control at the share level but read only at the NTFS level, I have read-only permissions, period. There are some caveats around this: for instance, the creator owner (the account that created the file or folder) will have full control at the NTFS level regardless.

That aside, I set the NTFS permission on my productivity account to read only and applied my changes. I then tried creating a text document from my laptop and I’ll be damned if it didn’t allow me to create the file. I checked NTFS on the server and yes, I had read only, but I was able to modify my newly created text document, create folders and delete everything created. Now some people may say, “But you were the creator owner, of course you can modify and delete things, you said so in the last paragraph!” True, but with read only, I never should have been able to create them in the first place.

There are two laws at work here. Law number one – Murphy’s Law – Whatsoever can go wrong will go wrong. This is what bit me initially: Ron said it, Ron tried to prove it, new kids on the team now think Ron is an idiot.

Law number two – when things go wrong, reboot. I tried this experiment again this morning and it was still behaving in opposition to the laws of least privilege. I rebooted the server and everything started working as expected. I was relegated to least privilege by way of NTFS permissions being set to read only.

Windows has some issues. When in doubt, when things simply don’t work as they should, and before you hit Google to find a solution, reboot the box.
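
To check the "most restrictive" rule on the server rather than by trial and error from a client, this PowerShell function reads the share ACL with Get-SmbShareAccess and the folder's NTFS ACL with Get-Acl and reports their intersection. It is an added example, not part of the original post. It assumes it runs on the server hosting the share and that you supply the account and its groups yourself; the function name, share name and account names are placeholders.

```powershell
# Added example (not from the original post). The share and account names in
# the usage line at the bottom are constructed placeholders.
function Get-MostRestrictiveAccess {
    param(
        [Parameter(Mandatory)] [string]   $ShareName,
        # Assumption: caller passes the account plus every group it belongs to;
        # group membership is not resolved here.
        [Parameter(Mandatory)] [string[]] $Identity
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    $all = [int]$FSR::FullControl

    # Share permission levels expressed as the equivalent file-system rights.
    $shareMap = @{ Full = $FSR::FullControl; Change = $FSR::Modify; Read = $FSR::ReadAndExecute }

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $shareAllow = 0; $shareDeny = 0
    foreach ($ace in (Get-SmbShareAccess -Name $ShareName)) {
        if ($Identity -notcontains $ace.AccountName) { continue }
        $mask = [int]$shareMap["$($ace.AccessRight)"]      # 'Custom' maps to 0
        if ("$($ace.AccessControlType)" -eq 'Deny') { $shareDeny = $shareDeny -bor $mask }
        else { $shareAllow = $shareAllow -bor $mask }
    }

    $ntfsAllow = 0; $ntfsDeny = 0
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        if ($Identity -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs (such as CREATOR OWNER) apply to children, not this folder.
        if ("$($ace.PropagationFlags)" -match 'InheritOnly') { continue }
        $mask = [int]$ace.FileSystemRights -band $all      # drop generic bits
        if ("$($ace.AccessControlType)" -eq 'Deny') { $ntfsDeny = $ntfsDeny -bor $mask }
        else { $ntfsAllow = $ntfsAllow -bor $mask }
    }

    # Simplification: any matching Deny wins, regardless of ACE order.
    $shareEff = $shareAllow -band (-bnot $shareDeny)
    $ntfsEff  = $ntfsAllow  -band (-bnot $ntfsDeny)
    [pscustomobject]@{
        Path      = $share.Path
        ShareOnly = $shareEff -as $FSR
        NtfsOnly  = $ntfsEff  -as $FSR
        Effective = ($shareEff -band $ntfsEff) -as $FSR    # what applies over the network
    }
}

# Get-MostRestrictiveAccess -ShareName 'Demo' -Identity 'CONTOSO\ron', 'BUILTIN\Users'
```

If `Effective` shows more than read rights after the account's own NTFS entry was set to read only, the extra rights come from another matching identity in the list, such as a group ACE.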


