
In NTFS/Active Directory, assume I have two drives mapped:

H:\
I:\

Users can edit files in H:\, but not in I:\. I want users to be able to, using a script, move their files to the I:\ drive unless an overwrite would occur. After the files are copied, the script removes write permissions to the copied files in I:\, in such a way that the users can no longer change permissions back and the files on I:\ become, in a sense, permanent.

How can I set this up in a secure manner?

Carbon

4 Answers


As I see it, there's a problem that if the script is running as the user, they need to have permission to write to the I drive.

You could, perhaps, have a scheduled task, running with write permissions on the I drive, that pulls the files. Perhaps they could create a file called "readytocopy.txt" or something like that. When the scheduled task finds that file in the user's directory, it would copy the files (except readytocopy.txt).

What specific problem are you trying to solve?

Katherine Villyard
  • Allowing users to promote files to a permanent environment without having a super-user have to do it for them. I like the idea of a scheduled task. Is there a way to allow the users to hit a button to start it themselves? – Carbon Jun 10 '16 at 22:43
  • You might be able to write a web service to kick it off, or something like that. That seems like overkill to me, though. I'd probably use the text file and schedule the job to run fairly frequently, but I use the text file thing for some of my own scripts, so.... ;) – Katherine Villyard Jun 10 '16 at 22:52
  • If you're willing to buy third-party software and if the script itself is read-only, you could use a product called [Powerbroker Desktops](https://www.beyondtrust.com/products/powerbroker-for-windows/) that gives privileges to the script rather than the user. – Katherine Villyard Jun 17 '16 at 12:00

After a bunch of trial-and-error, this PowerShell script seems to do it:

$worm = "C:\WORM"
mkdir -Force $worm
cd $worm

<#  https://serverfault.com/a/17869

SYSTEM - Full Control - Apply onto: This folder, subfolders, and files
Administrators - Full Control - Apply onto: This folder, subfolders, and files
Authenticated Users - Read - Apply onto: This folder, subfolders, and files
Authenticated Users - Create Files / Write Data - Apply onto: This folder and subfolders

#>

# Allow: Users may list, read and create files and folders here;
# ContainerInherit + ObjectInherit carries the rule down to subfolders and files.
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'CreateDirectories, CreateFiles, ListDirectory, Read', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Allow'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

# Deny: Users may not delete the folder, its subfolders or any file in it
# (a Deny ACE wins over the Allow above).
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'DeleteSubdirectoriesAndFiles,Delete', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

# Deny: Users may not write data to files. ObjectInherit + InheritOnly means the
# rule lands on files only, not on the folder, so creating new files still works
# while the file is read-only for Users from the moment it exists.
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'WriteData', `
        'ObjectInherit', `
        'InheritOnly', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

It is not fool-proof though since an admin can take back control with:

icacls C:\WORM /T /Q /C /RESET

I will say that if you need an industrial grade solution for SEC-compliance or whatever, you may have to invest in NetApp and SnapLock:

https://library.netapp.com/ecmdocs/ECMP1196889/html/GUID-7334EEB5-94E9-4500-BA40-681DEC572420.html

Michael Fox

This is possible with a combination of a script, a scheduled task, and NTFS permissions.

Assuming you have no sub folders and just files in a single folder, this is how to achieve it:

Groups

  • Set up a Users Group
  • Set up an Admins Group

(use the built-in ones if you like)

NTFS Permissions on the destination folder (I:)

  • Read, List Folder contents, Execute, Write - This folder only, to the Users Group
  • Full Control - This folder, subfolder, files to the Admins group

Scheduled task

  • A script that removes all write permissions from each file that has write permissions
  • Can be a batch script using icacls.exe, Powershell, vbscript, anything really
  • Set task to manual start
  • Needs to run as a user who has full control of the folder and files (Admins group)
  • Give the Users group the appropriate rights to start the scheduled task (can be a task on their local machine or on a remote machine)

Script

  • Can be pretty much any language (PS is probably the preference)
  • Copies over the file(s) only if they don't exist
  • After copy, using Powershell call Start-ScheduledTask or if using another scripting language use schtasks.exe to start the scheduled task. Works on local or remote machines.

There will be a time when the file is still writable by the user; depending on how the scripts are coded, how many files are in the folder, etc., that will be as low as milliseconds.

jotap
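The privileged half of the scheduled-task design that both the answer above and Katherine Villyard's answer describe, written here as an added example rather than code from either answer. It assumes a drop folder per user under H:\Drop, an archive folder I:\Archive on which users hold only Read, the built-in Users and Administrators groups, and that the task runs as an account with Full Control on the archive.

```powershell
# Added example (not from any answer on this page). Run by the scheduled task as the
# privileged account; paths, trigger file name and BUILTIN group names are assumptions.
$DropRoot = 'H:\Drop'      # assumption: one subfolder per user, writable by that user
$Archive  = 'I:\Archive'   # assumption: users hold only Read here via the folder ACL
$Trigger  = 'readytocopy.txt'

function Lock-ArchivedFile {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the archive folder and discard inherited ACEs, then grant
    # exactly two things: admins Full Control, users Read & Execute. Users get no
    # Write and no Change Permissions, so they cannot undo this later.
    $acl.SetAccessRuleProtection($true, $false)
    $admin = New-Object System.Security.AccessControl.FileSystemAccessRule `
        'BUILTIN\Administrators', 'FullControl', 'Allow'
    $read  = New-Object System.Security.AccessControl.FileSystemAccessRule `
        'BUILTIN\Users', 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($admin)
    $acl.AddAccessRule($read)
    # The copy is made by the task account, so it (not the submitting user) owns the
    # file; that matters because an owner can always rewrite the DACL.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Invoke-ArchivePass {
    foreach ($dir in Get-ChildItem -LiteralPath $DropRoot -Directory) {
        $flag = Join-Path $dir.FullName $Trigger
        if (-not (Test-Path -LiteralPath $flag)) { continue }   # user has not asked yet
        $pending = Get-ChildItem -LiteralPath $dir.FullName -File |
            Where-Object { $_.Name -ne $Trigger }
        foreach ($file in $pending) {
            $dest = Join-Path $Archive $file.Name
            try {
                # overwrite = $false makes "does it exist?" and the copy one operation,
                # so a clashing name fails here instead of being replaced (Copy-Item
                # overwrites silently, and Test-Path followed by Copy-Item leaves a race).
                [System.IO.File]::Copy($file.FullName, $dest, $false)
            } catch [System.IO.IOException] {
                Write-Warning "Kept $($file.FullName): $($_.Exception.Message)"
                continue
            }
            Lock-ArchivedFile -Path $dest
            Remove-Item -LiteralPath $file.FullName   # finish the 'move'
        }
        Remove-Item -LiteralPath $flag               # re-arm for the next request
    }
}

Invoke-ArchivePass
```

The window the answer mentions, between the copy landing and Set-Acl running, is the only time the new file carries the folder's inherited ACL; with users holding Read only on I:\Archive it is never writable by them even then.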

You should be able to do this with normal NTFS permissions. I found this article. It is about 10 years old but it shows this example pretty clearly:

https://technet.microsoft.com/en-us/magazine/2006.01.howitworksntfs.aspx

  1. Grant the Read & Execute and Write permissions for This folder only (selected in the Apply onto list) to the users you want to have access to the folder.
  2. Grant the Read & Execute permission for the Subfolders and files only to the same users.
  3. Grant the Write permission to the special user Creator Owner.

The effect of this is that all of the users will be able to add files to the folder and read each other’s files, but only the user that created a file will be able to modify it.

Dylan
  • Ah, that doesn't work - I need the user that created the file to NOT be able to access it after it's moved. – Carbon Jun 10 '16 at 23:55
  • Ah, I see what you are saying. Apologies for misreading the question. I think at this point it's totally out of my Windows knowledge league, but this thread is interesting: http://www.pcreview.co.uk/threads/write-once-directory-permissions.155183/ – Dylan Jun 11 '16 at 01:09