Lock down a folder, including from administrators
Hi,
I have this scenario (Windows Server 2008 R2 Enterprise):
1) Staff are in the local group "bca power admin". This local group is in the local Administrators group; these staff need full admin access on the server.
2) The Administrators group contains a mix of other local and domain userids. These are staff and service accounts for maintenance, backups, etc.
3) Under drive T:\, I have a folder that needs to be locked down, with only users given explicit access having access. Everything in this folder and below contains sensitive, need-to-know data.
4) For the sub-folders, I want to prevent write access by the "bca power admin" group (who are of course administrators). These folders should only be updated by the service account that runs our nightly ETL process. This is done to prevent staff from accidentally corrupting data during development. Only production jobs should update these folders.
5) I'm happy if these sub-folders are locked down from administrators. However, I don't want the "Click Continue to permanently get access to this folder" dialog to explicitly add the userid to the NTFS permissions of the folder. (This last bit is optional.)
I've set up sample folders. Here are the ACLs:
    ps t:\> get-item t:\, t:\prod, t:\prod\folder1, t:\prod\folder2 | get-acl | format-list path, accesstostring

    path           : microsoft.powershell.core\filesystem::t:\
    accesstostring : allow readandexecute, synchronize
                     creator owner allow fullcontrol
                     nt authority\system allow fullcontrol
                     builtin\administrators allow fullcontrol
                     builtin\users allow readandexecute, synchronize

    path           : microsoft.powershell.core\filesystem::t:\prod
    accesstostring : myserver\bca power admin allow fullcontrol

    path           : microsoft.powershell.core\filesystem::t:\prod\folder1
    accesstostring : myserver\bca power admin allow fullcontrol

    path           : microsoft.powershell.core\filesystem::t:\prod\folder2
    accesstostring : myserver\bca power admin allow fullcontrol
So, the default ACLs on T:\ (which I don't want to change) include - read, BUILTIN\Users - read.
For T:\prod, I've removed inherited permissions and explicitly added "bca power admin" - full control.
Folders T:\prod\folder1 & folder2 inherit from T:\prod.
Questions:
1a) If I log in (RDP) with an administrator account that's not in "bca power admin", I get the "Click Continue ..." dialog. How do I prevent that? I believe I need to change UAC settings? What are the repercussions if so?
1b) OK, one way I've prevented the "Click Continue ..." dialog is to add Administrators to the NTFS permissions. Even read access prevents the dialog. Again, #5 is optional; perhaps best practice is to add Administrators with full control, so that backups won't have problems with these folders?
2) But how do I prevent "bca power admin" from having full control? Do I need to add an explicit deny for "bca power admin" on folders where only the service account should have write access?
3) Finally, since I've removed BUILTIN\Users, Everyone, etc. from the T:\prod folder, I assume this folder and its sub-folders are locked down (no access at all) for users who are not administrators. Is that correct?
Regards,
Scott
I would be more selective, if I quote you:
"These folders should only be updated by the service account that runs our nightly ETL process."
And do admins need read access?
If no, put produsr with the Modify flag (so it can't change ownership of the folder), and remove everything else in the dialog box, to leave the folder to them only. (Maybe add SYSTEM to be sure backup is able to read the content too.)
As for the UAC pop-up window: if the access rights are not OK, they can't unless they go and implicitly take ownership of the folder. Otherwise they get access denied at the end of the popup.
mcp | mcts 70-236: exchange server 2007, configuring
microsoft translator widget - french moderator (technet wiki)
twitter - @yagmoth555 ()
blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
Thanks for the replies, BTW! Much appreciated.
I've set up test folders with these permissions:
    ps e:\powershell\scripts> get-item t:\, t:\prod, t:\prod\folder1 | get-acl | format-list path, owner, accesstostring

    path           : microsoft.powershell.core\filesystem::t:\
    owner          : nt authority\system
    accesstostring : allow readandexecute, synchronize
                     creator owner allow fullcontrol
                     nt authority\system allow fullcontrol
                     builtin\administrators allow fullcontrol
                     builtin\users allow readandexecute, synchronize

    path           : microsoft.powershell.core\filesystem::t:\prod
    owner          : builtin\administrators
    accesstostring : builtin\administrators allow fullcontrol

    path           : microsoft.powershell.core\filesystem::t:\prod\folder1
    owner          : builtin\administrators
    accesstostring : myserver\produsr allow fullcontrol
                     myserver\bca power admin allow readandexecute, synchronize
Inheritance is removed on T:\prod, and Administrators have access.
Inheritance is removed on T:\prod\folder1, and produsr has full control (which is OK - I can RDP as produsr to create new sub-folders, delete files, etc.). bca power admin has read access.
However, when I log in as an administrator user not in bca power admin and navigate to T:\prod\folder1, I get the "Click Continue..." dialog. If I click OK, the user is explicitly added with full control to folder1.
If I add Administrators with any kind of access, even if read or list contents, this doesn't happen.
I think I'll add Administrators with read, and augment that with produsr full control and bca power admin read. This will force us to explicitly use produsr to update files in the folder.
This will keep a running program in development from accidentally overwriting production files (which happened recently). Only produsr will have write access. Even other administrator accounts will have read access.
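
The layout settled on in the last post, scripted as an added example (not code from the thread): Administrators and "bca power admin" get read, produsr gets write, inheritance is cut, and a final check lists any other entry that still carries write-class rights. The identities and path are the ones shown in the thread's Get-Acl output; the helper name New-AllowRule is hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# Identities and path are taken from the Get-Acl output above; adjust as needed.
$path     = 'T:\prod\folder1'
$svc      = 'MYSERVER\produsr'
$readOnly = 'BUILTIN\Administrators', 'MYSERVER\bca power admin'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: builds an Allow ACE that applies to the folder,
# its sub-folders and its files.
function New-AllowRule([string]$Identity, [string]$Rights) {
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $r, $inherit, $noProp, $allow
}

$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear old explicit ACEs

foreach ($id in $readOnly) {
    $acl.AddAccessRule((New-AllowRule $id 'ReadAndExecute, Synchronize'))
}
# The final post uses FullControl for produsr; the reply suggests Modify so the
# account cannot change permissions or ownership.
$acl.AddAccessRule((New-AllowRule $svc 'FullControl'))
Set-Acl -Path $path -AclObject $acl

# Check: list every Allow entry, other than the service account, that carries
# write-class rights. No output means only produsr can modify the folder.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
(Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq $allow -and
    $_.IdentityReference.Value -ne $svc -and
    ([int]$_.FileSystemRights -band $writeBits)
} | Format-Table IdentityReference, FileSystemRights -AutoSize
```

No explicit Deny entry is needed here: a member of both groups only accumulates the read rights granted to each. Members of Administrators can still take ownership of the folder, so this layout guards against accidental writes and is not a boundary against a determined administrator.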