Getting/Setting Share and File Permissions
Last Updated: 02 May 2006 / Prior Update: 08 Aug 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When determining access to remote resources, you can use
a simple four-step process to determine the level of
access for any given user:
(a) Is this user granted "NO ACCESS"? If so, permission
is denied -- no further processing required...
(b) Otherwise, calculate the highest level of access to
the share (SHARE permissions) based on all group
memberships
(c) Next, calculate the highest level of access to the
file/folder (FILE permissions) based on all group
memberships
(d) Then, choose the LOWER of the access levels
calculated in (b) and (c)
(e) See Q152763 to learn about File Delete Child (FDC)
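The evaluation in steps (a) through (d), modeled as an added example (not part of the original article). It assumes access levels can be ranked NONE < READ < CHANGE < FULL, checks both the share and the file ACL for NO ACCESS, and does not model FDC; all account, group and ACL names are constructed.

```python
from enum import IntEnum

class Access(IntEnum):
    # Simplified ordered levels (assumption); real ACLs are bitmasks of rights.
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3

NO_ACCESS = "NO ACCESS"  # explicit deny marker from step (a)

def resolve(acl, principals):
    """Return (denied, level) for one ACL: denied if any matching entry is
    NO ACCESS, otherwise the highest level granted across all memberships."""
    level = Access.NONE
    for principal, grant in acl:
        if principal not in principals:
            continue
        if grant == NO_ACCESS:
            return True, Access.NONE
        level = max(level, grant)
    return False, level

def effective_access(user, groups, share_acl, file_acl):
    principals = {user, *groups}
    share_denied, share_level = resolve(share_acl, principals)  # step (b)
    file_denied, file_level = resolve(file_acl, principals)     # step (c)
    if share_denied or file_denied:                             # step (a)
        return Access.NONE
    return min(share_level, file_level)                         # step (d)

# Constructed sample data: accounts, groups and ACLs are hypothetical.
GROUPS = {
    "alice": ["Everyone", "Sales"],
    "bob": ["Everyone", "Sales", "Contractors"],
    "carol": ["Everyone"],
}
DEFAULT_SHARE = [("Everyone", Access.FULL)]   # the EVERYONE:F default
TIGHT_SHARE = [("Sales", Access.CHANGE)]      # share limited to one group
FILE_ACL = [("Sales", Access.CHANGE), ("Everyone", Access.READ),
            ("Contractors", NO_ACCESS)]

def report(share_acl):
    """Effective level per sample user for the given share ACL."""
    return {u: effective_access(u, g, share_acl, FILE_ACL).name
            for u, g in GROUPS.items()}

if __name__ == "__main__":
    print("EVERYONE:F share:", report(DEFAULT_SHARE))
    print("Restricted share:", report(TIGHT_SHARE))
```

With the restricted share ACL, the sample user who is only in Everyone is stopped at the share connection instead of falling through to the file-level check.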
While some folks advocate leaving SHARE permissions at
the default (EVERYONE:F) and relying only on FILE level
permissions, I secure every entry point. I'd rather
have a user denied from making the SHARE connection,
than let them connect to the resource and then receive
an "Access Denied" message (thus needlessly tying up
server resources).
Windows 2000 adds more Special Permissions, so that it is
now much easier to provide someone with write permissions
in a folder, without them being able to create new sub-
folders.
Unlike some other operating systems, Windows does not
provide a mechanism for hiding folders which you don't
have permissions to access. Other than using a hidden
share (name ending in $), a user can see all shares
enumerated on a server, even if they do not have any
access to use those shares.
The following tools can be used to VIEW and/or MANIPULATE
share and file level permissions:
CONSOLE
• CACLS .................. Native Command (File)
• XCACLS.VBS ............. http://support.microsoft.com/?KBID=825751
• SHOWACCS ............... Support Tools (File/Share/Reg/Print/View)
• PERMS .................. Resource Kit (File/View)
• SHOWACLS ............... Resource Kit (File/View)
• XCACLS ................. Resource Kit (File/Change)
• SUBINACL ............... Resource Kit (File/Change/Ownership)
• TAKEOWN ................ Resource Kit (File/Change/Ownership) -- Win2K
• TAKEOWN ................ Native Command (File/Change/Ownership) -- Win2003
• FIXACLS ................ Resource Kit (Restore File ACLs to Default)
• FILEACL ................ http://www.gbordier.com/gbtools/fileacl.htm
................ http://www.microsoft.com/downloads/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en
• NTSEC .................. http://www.pedestalsoftware.com/
• DUMPSEC ................ http://www.somarsoft.com/
• DUMPTOKENINFO .......... http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=15989
• SUPERCACLS ............. http://www.trustedsystems.com/scacls.htm
• CHOWN .................. http://wwwthep.physik.uni-mainz.de/~frink/chown/readme.html
• AINTX Utilities ........ http://www.dwam.net/docs/aintx/
• SCACLS ................. http://www.netexec.de/fs_lstools.html
• SRVCHECK ............... Resource Kit (Share/View)
• RMTSHARE ............... Resource Kit (Share/Change)
• PERMCOPY ............... Resource Kit (Share/Change)
GUI
• EXPLORER ............... Native Utility (Share)
• SRVMGR ................. Native Utility (Share)
• WINFILE ................ Native Utility (File/Share)
• MMC (Shared Folders) ... Native Utility (Share/Win2K)
• ShareUI ................ Resource Kit (Share)
• AccessEnum ............. http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx
• Domain Assistant ....... http://www.softwareshelf.com/products/domain.asp
• FolderGuard ............ http://www.winability.com/folderguard/
• Setup Explorer ......... http://www.admwin.com/umanu_ae.htm
• Setup Batcher .......... http://www.admwin.com/umanu_ab.htm
• Security Explorer ...... http://www.smallwonders.com/
• ShareEnum .............. http://www.sysinternals.com/ntw2k/source/shareenum.shtml
TAKING OWNERSHIP OF FILES
• http://support.microsoft.com/?KBID=308421
SIMPLE FILE SHARING IN WINDOWS XP
A clean install of Windows XP Pro, and every installation
of XP Home, will enable: "Use Simple File Sharing". With
this setting enabled, your ability to control exactly
what remote users can access on your machine is limited,
and it is advisable that power users and those familiar
with the file sharing options under NT/2000 disable this
setting.
• http://support.microsoft.com/?KBID=304040
• http://www.jsiinc.com/subi/tip4400/rh4487.htm
• http://www.practicallynetworked.com/sharing/xp/filesharing.htm
• http://www.practicallynetworked.com/sharing/xp_filesharing/
• http://www.udel.edu/timmins/FileSharingXP/
• http://www.microsoft.com/windowsxp/expertzone/columns/honeycutt/august13.asp
• http://www.wown.com/j_helmig/wxpwin9x.htm
• http://www.microsoft.com/windowsxp/home/using/howto/
WHITEPAPERS & TECH DOCUMENTS
• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.htm
• http://support.microsoft.com/?KBID=152763
• http://support.microsoft.com/?KBID=268546
• http://support.microsoft.com/?KBID=296865
• http://support.microsoft.com/?KBID=123647
• http://support.microsoft.com/?KBID=244600
• http://support.microsoft.com/?KBID=148437
• http://support.microsoft.com/?KBID=304040
• http://support.microsoft.com/?KBID=818362
• http://msdn.microsoft.com/library/periodic/period99/ntsf.htm
• http://www.winnetmag.com/Articles/Index.cfm?ArticleID=27098
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/13753/windowsnt20002003faq_13753.html
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/13758/windowsnt20002003faq_13758.html
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/13741/windowsnt20002003faq_13741.html
• http://is-it-true.org/nt/atips/atips309.shtml
• http://windows2000.about.com/compute/windows2000/library/weekly/aa010506a.htm
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://www.windowsitlibrary.com/Content/592/toc.html
• http://www.gbordier.com/gbtools/index.htm
• http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
PERSONAL NOTES
• FILEACL is one of the best 3rd party tools for viewing
and manipulating file permissions and ownership, and
has now been endorsed by Microsoft (via a link from
their website)
• The only difference between granting FULL CONTROL and
all the other permissions is that FULL CONTROL also
provides File Delete Child (FDC). See Q152763
• You can also obtain SHOWACCS on the Win2K installation
CD as part of the Windows 2000 Support Tools (SUPPORT
folder)
• SUBINACL is probably the most versatile of the
Microsoft provided Permissions tools, in that it
can set and view file level permissions along with
registry permissions, and it can be used to backup
the permissions.
• To access remote Shared Folders in Windows 2000
(assuming appropriate permissions):
- Right Click on "My Computer"
- Select "Manage"
- Right Click on "Computer Management"
- Select "Connect to Another Computer"
- Select "System Tools"
- Select "Shared Folders"
• One of the coolest features of Windows XP is the
ability to determine the "Effective Permissions"
of any group or account. This is available under
the Advanced Permissions dialog box.
• If "Simple File Sharing" is enabled, which it is
by default in XP Pro, you will not be able to set
specific permissions to prevent users from accessing
your shared folders (it's either Everyone or No-one).
To change this back to the Win2K Pro style, do the
following:
- Open an Explorer window
- Select "Tools"
- Select "Folder Options"
- Select "View"
- Go to "Advanced Settings"
- Scroll all the way to the bottom of the list
- Uncheck "Use Simple File Sharing"
• See: Q304040