I'd like to create a user account on a Windows Server which can read whatever bits of C:\ it needs to be able to execute programs, but have no read access to D:\ except for D:\Special.

It seems that the only sane way of achieving the former is to make this user part of the Users group. Unfortunately that also gives the user read access to all of D:\. If I add a Deny rule for D:\, however, this rule also applies to D:\Special, and it seems to be impossible to override by design.

Is there any way to do what I want, namely the "usual" Users access to C:\, but on D:\ no access except for read access to D:\Special?

RomanSt

2 Answers

Your content on D:\ should not be available to "Users" since a newly created user is put into this group by default. Just remove the "Users" and "Everyone" entries from D:\ and all subdirectories - do not use "deny" type ACEs as they effectively will deny access for everyone who is the member of "Users", even if the user would otherwise have been granted access by the other defined ACEs.

Is there any way to do what I want, namely the "usual" Users access to C:\, but on D:\ no access except for read access to D:\Special?

It depends on your requirements. Technically, a user does not need any permissions granted on the parent directory to access a subdirectory. But if you need the user to be able to do the clickety-navigation through Windows Explorer, it obviously will be a problem if the parent directory cannot be listed. Your options here:

  1. just grant the access to D:\special and remove access for D:\, then create either a shortcut, a mapping or a symlink there so the user would not have to navigate through D:\ to access special
  2. grant access to D:\special and only grant the "List Folder Contents" permission to the user/group in question without inheritance. This way the user will be able to list the entire directory, but not open any of the files or subdirectories.

If the file or directory names in D:\ are not exposing something confidential, the second approach is to be preferred since it is more "organic" and works better for the user's and application programmer's expectations.

Edit: since TomTom has expressed some concerns about whether method #1 is really going to work, here is a short screencap demo from my Windows system (sorry, the output's German, but the idea should be apparent nonetheless):

C:\Users\denis>mkdir server

C:\Users\denis>mkdir server\fault

C:\Users\denis>echo "test" > server\fault\text.txt

C:\Users\denis>cacls server /d denis
Sind Sie sicher (J/N)?j
Bearbeitetes Verzeichnis: C:\Users\denis\server

C:\Users\denis>dir server
 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: C4CB-6B0E

 Verzeichnis von C:\Users\denis\server

Datei nicht gefunden

C:\Users\denis>dir server\fault
 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: C4CB-6B0E

 Verzeichnis von C:\Users\denis\server\fault

17.12.2011  21:08    <DIR>          .
17.12.2011  21:08    <DIR>          ..
17.12.2011  21:08                 9 text.txt
               1 Datei(en),              9 Bytes
               2 Verzeichnis(se), 14.307.930.112 Bytes frei

C:\Users\denis>type server\fault\text.txt
"test"

the-wabbit
  • Duh, I have no idea why it didn't occur to me to just remove the `Users` group from D:\ - this did the trick! (this account is non-interactive anyway, so I don't need any users to navigate anywhere) – RomanSt Dec 17 '11 at 20:16
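An added example, not code from the answer above, that carries out the-wabbit's option 2 with icacls from an elevated PowerShell prompt; the account name svc-special is a placeholder and D:\Special is the folder from the question.

```powershell
# Added example (not from the original answers). Implements option 2 from the
# accepted answer: no Deny ACEs, just remove the broad grants and add narrow ones.
# Assumes a local service account 'svc-special' (placeholder) and an NTFS volume
# D:\ containing D:\Special. Run from an elevated (administrator) PowerShell.
$Account = 'svc-special'   # placeholder account name

# 1. Take 'Users' and 'Everyone' off D:\ and every subdirectory (/T, /C keeps
#    going on errors). Explicit grant ACEs are removed; ACEs that were merely
#    inherited from D:\ disappear with them. No Deny ACE is written, because a
#    Deny on D:\ would be inherited by D:\Special and override the grant there.
icacls D:\ /remove:g Users /T /C
icacls D:\ /remove:g Everyone /T /C

# 2. Read access for the account on D:\Special and everything below it.
#    (OI)(CI) = object inherit + container inherit, RX = read and execute.
icacls D:\Special /grant "${Account}:(OI)(CI)RX"

# 3. Let the account list D:\ itself so it can navigate to Special in Explorer.
#    With no inheritance flags the ACE applies to the root folder only, so the
#    account sees the names in D:\ but cannot open other folders or files.
#    For a non-interactive service that opens D:\Special by full path (the
#    asker's case) this step can be skipped; opening the subfolder then relies
#    on the Bypass Traverse Checking privilege (SeChangeNotifyPrivilege), which
#    Everyone holds by default and 'whoami /priv' shows when run as the account.
icacls D:\ /grant "${Account}:RX"

# 4. Review the result. Look for any other broad principal that is still
#    granted access on D:\ (a default volume ACL also lists Authenticated Users).
icacls D:\
icacls D:\Special
```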
Is there any way to do what I want, namely the "usual" Users access to C:\, but on D:\ no access except for read access to D:\Special?

No, because one needs to access D:\ in order to access D:\Special. Whoever came up with that idea left his common sense at the door before planning.

This simply is not possible and has nothing to do with Windows - it is the same in any hierarchical file system. A folder in another folder can not be accessed without any access to the root folder.

TomTom
  • I believe you're mistaken. This is perfectly possible in Windows. I've already set it up like that; now I need to duplicate "Users" permissions for drive C: only. – RomanSt Dec 17 '11 at 19:54
  • Actually it is not. Feel free to explain how you did set it up - because if you did, the problem to replicate it should be... zero. – TomTom Dec 17 '11 at 19:57
  • @TomTom: Are you deliberately misunderstanding the question? Obviously the OS needs to know that there is a folder called Special in D:\, but that doesn’t mean that you need rights to list the rest of D:\ or access any other subfolders in it. – Timwi Dec 17 '11 at 19:59
  • Sadly the user needs if the user needs access to it. That is also the way it is set up on C. I don't misunderstand you. I tell you it is not possible, you say it is set up like that on C - I call your bluff. Now show your cards or admit you don't really know how Windows security works. – TomTom Dec 17 '11 at 20:03
  • @TomTom: Difficulty reading? I’m not romkyns. :) – Timwi Dec 17 '11 at 20:21
  • @TomTom I think the misunderstanding here is whether the user needs to navigate to `D:\Special` via something like Explorer. This user account is non-interactive. It just runs a service. This program never needs to touch anything outside `D:\Special` (except C:\ of course), and as shown by syneticon, this is perfectly possible. – RomanSt Dec 17 '11 at 20:21
  • There's more info on how this works in [this article by Mark Russinovich](http://blogs.technet.com/b/markrussinovich/archive/2005/10/19/the-bypass-traverse-checking-or-is-it-the-change-notify-privilege.aspx), in which he explains that this is only possible if the user has the "Bypass Traverse Checking" privilege, and shows it work. – RomanSt Dec 18 '11 at 23:56