Group with read-only access to administrative shares?

Discussion in 'Server Security' started by Frank B Denman, Mar 24, 2009.

  1. Hi Folks,

    Apologies for what may be a dumb question: Can I give a group read-only permission to adminstrative
    shares, e.g., \\wrkstn10\c$?


    Frank Denman
    Denman Systems

    [Please delete the "x" from my email address]
    Frank B Denman, Mar 24, 2009
    1. Advertisements

  2. I don't think so. You would have to create a new share.

    Do you really want to give a group who are not administrators permission to
    read an entire drive? If you do, make sure it is hidden with the $ sign.

    Paul Baker [MVP, Windows Desktop Experience], Mar 24, 2009
    1. Advertisements

  3. Frank B Denman

    Al Dunbar Guest

    "Paul Baker [MVP, Windows Desktop Experience]"
    That would appear to be microsoft-speak for: this isn't a good idea.
    Must be a data drive to which some group needs read access for the purpose
    of, for example, auditing work done.
    But also realize that, since some individuals will be accessing that share,
    they will need to know its name. And any secret shared by more than one
    person is no longer a secret.

    Al Dunbar, Mar 24, 2009
  4. Here's a high level view of the problem I need to solve. Customer had a totally disorganized 15
    computer workgroup network with files scattered hither and yon across the workstation drives. I've
    now got them in an SBS2k3 domain and need to have management identify files to move to the server.

    I've run NetworkSearcher to build a 29,000 row spreadsheet with hyperlinks to all *.doc files on the
    network. The hyperlinks are mostly in the form "\\wrkstn10\c$\dir1\dir2\something.doc". Managers
    need to sit at a workstation marking up the spreadsheet and confirming identity of likely files by
    clicking the hyperlinks in the spreadsheet.

    I don't want non-IT folks browsing the network with domain admin privileges, and I don't want
    anybody at all opening those mystery *.doc files with domain admin privileges because who knows what
    macro evil lurks therein.

    These network drives do not have inheritance running smoothly from top to bottom, so I need a way to
    give my "Network Auditors" group read-only permissions all the way down the tree without changing
    any other existing permissions.

    I suspect all this is pointing me to subinacl, which I've never used.

    Additional thoughts, advice, or even a sample subinacl command line would be most welcome.


    Frank Denman
    Denman Systems

    [Please delete the "x" from my email address]
    Frank B Denman, Mar 25, 2009
  5. Yes, that's exactly what I meant to imply, though it's Paul-speak not
    Microsoft-speak :)
    If there is a legitimate business reason for it, then okay. I would just be
    uncomfortable with it.
    Agreed. But the reason for hiding the share in this manner is not to keep a
    secret. It is is to prevent naive malware that is trying to spread itself
    from being able to find it. Some methods for enumerating shares will find
    the hidden ones, whereas some will not.

    Paul Baker [MVP, Windows Desktop Experience], Mar 25, 2009
  6. The permissions of an administrative share cannot be changed, unless there
    is a policy or registry hack to work around it that I don't know about (and
    that will likely be removed in a future version of Windows!).

    If you added your own share, you could set the permissions to whatever you
    want, but your hyperlinks would have to be adjusted.


    Paul Baker [MVP, Windows Desktop Experience], Mar 25, 2009
  7. Frank B Denman

    Al Dunbar Guest

    Has there been an actual agreement that the managers will do this? In a
    similar scenario in my organization, I expect the managers would agree to
    browse through a folder structure for a while to determine from the file and
    folder names what might be important and how it should be classified or
    handled. Once they had done a few spot checks they would quickly decide they
    had better things to do and would either make educated guesses, ask me to
    make their decisions, or just ask to have it all burned to DVD for review
    later in case they feel it might contain info they are looking for. That DVD
    would then likely stay where it was stored forever.
    Makes sense.
    cacls should be able to handle the job - assuming that you, as admin, do not
    have your permission blocked anywhere in the folder structure. But why do
    you need to preserve any existing permissions - is it that these files are
    still in operational use? If so, by the time they make their decisions, the
    users might have created, modified, and/or deleted them.


    Al Dunbar, Mar 25, 2009
  8. I expect that you are correct regarding how managers will basically spot-check files and ultimately
    hand implementation back to me.

    Nonetheless, I need to make the spot-checking as painless for them as I possibly can.

    I want to preserve existing permissions because I don't want to muck up OS security when I add
    Read-Only for Network Auditors thru the entire directory tree of each drive.

    Not sure which is the most likely tool: subinacl or cacl.


    Frank Denman
    Denman Systems

    [Please delete the "x" from my email address]
    Frank B Denman, Mar 26, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.