0

Is there a way to set NTFS rights on a folder so that users are allowed to copy files into that folder and read them afterwards, but not delete or write to them (once they were closed at the end of the copy process)?

The reason is that I want to copy backup files to an off-site server in a way that possible ransomware on the source server cannot mess with the backups, but yet still have them available and readable should the "usual" need arise to access a backup. The backup process and all other users on the source server have, of course, just normal (non-admin) rights on the off-site server, so they (the ransomware) can't simply modify the restricted rights.

Thomas

1 Answer

-1

One way to achieve this would be to have two folder shares on the remote server. The first, your existing one, receives the backup files. A process runs on the remote server, moving the files to a second folder after they have completed.

That second folder is also shared, as pure read-only. If your main server ever needs to retrieve backups, they fetch them from the read-only share.

From the point of view of your main server, it would look like the files disappear from the "put" share and re-appear in the other.

How to know when the upload is complete? In a similar system I worked on that received http or ftp uploads from customers, we monitored the last-modified and size attributes. When they did not change from one 15 minute poll to another, they were moved.

  • That is pretty much my plan B - only that I'd set explicit access rights for the newly arrived files rather than move them to another directory. To indicate that the copy is complete I'd just create a small file as a flag. I'll probably go that way anyway, because if I'd succeed with my initial plan (the one I asked about), there would be one problem: If the transfer (robocopy) was stopped briefly because of a link interruption, the file would be closed and the copy process could not be resumed. But I'd still like to know if a dropbox-style folder is technically possible. – Thomas Mar 23 '21 at 07:09
  • I wish you good luck trying to achieve robust defence against ransomware just using NTFS permissions. If you do manage it, do update here with how you get it to work. P.S. Thank you to whoever gave my suggestion a -1 vote, this serverfault is such a great site, I'll be sure to post again here soon. – David Pierson Mar 26 '21 at 12:39
  • Well David, no need to be aggressive or annoyed. I guess the -1 comes from the fact that you did not answer the question ("how to set NTFS rights for a dropbox-style-folder") at all. You have provided "only" a workaround. If you had posted that as a comment, it would probably have been ok, but formally speaking it was not an answer. As for your ironic comment on the NTFS permissions: What's wrong with that? I would say that NTFS permissions should do the job as long as they are always updated. Or why do you disagree? – Thomas Mar 27 '21 at 13:13
  • My comment on the NTFS permissions approach was not ironic at all. It was a genuine remark. I believe it will prove difficult to achieve your goal using only those permissions in a single folder scenario; I tried this a number of times many years ago, without success. Also I do genuinely mean it when I say, if you do figure it out, to let us know. It is certainly one of the difficult problems in file and folder permissioning. – David Pierson Mar 29 '21 at 00:30
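
The polling approach from the answer above (move a file out of the "put" folder once its size and last-modified time are unchanged between two polls), as an added example that is not part of the original answer or comments. The function names and the folder names `put` and `readonly` are assumptions; the poll interval is left to whatever scheduler runs `sweep` on the off-site server, and the read-only share permissions are configured separately.

```python
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(incoming: Path) -> dict:
    """Map each regular file in the drop folder to its (size, mtime_ns)."""
    snap = {}
    for entry in os.scandir(incoming):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            snap[entry.name] = (st.st_size, st.st_mtime_ns)
    return snap

def sweep(incoming: Path, archive: Path, previous: dict) -> tuple:
    """One poll: move files whose size and mtime match the previous poll.

    Returns (snapshot to pass to the next poll, names moved this poll).
    """
    current = snapshot(incoming)
    moved = []
    for name, attrs in sorted(current.items()):
        if previous.get(name) != attrs:
            continue  # new or still changing: wait for the next poll
        target = archive / name
        if target.exists():
            continue  # never overwrite a backup that is already archived
        shutil.move(str(incoming / name), str(target))
        moved.append(name)
    # Moved files are gone from the drop folder, so forget them.
    return {n: a for n, a in current.items() if n not in moved}, moved

def demo() -> list:
    """Constructed run: three polls over a temporary drop folder."""
    with tempfile.TemporaryDirectory() as root:
        incoming, archive = Path(root, "put"), Path(root, "readonly")
        incoming.mkdir()
        archive.mkdir()
        (incoming / "full.bak").write_bytes(b"A" * 1024)
        state, m1 = sweep(incoming, archive, {})      # first sighting
        with open(incoming / "full.bak", "ab") as f:  # upload continues
            f.write(b"B" * 1024)
        state, m2 = sweep(incoming, archive, state)   # size changed
        state, m3 = sweep(incoming, archive, state)   # stable now
        return [m1, m2, m3, sorted(os.listdir(archive))]

if __name__ == "__main__":
    print(demo())
```

Because `sweep` skips any name that already exists in the archive folder, a later upload with the same file name stays in the drop folder instead of replacing the archived copy.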