
I am currently running a Windows Server 2016 Datacenter Virtual Machine in Azure. This server has 19 file shares on it. Each of these shares is devoted to a single customer of the company I work for. While troubleshooting a connection issue for a client, I found that all 19 of the file shares had been reconfigured so that the "Everyone" principal had full control. They were originally set up so that only the server administrator and a single, client-specific account would have access to each file share.

1) Is there a way for me to determine how this happened? I did not have auditing configured on the server.

2) Is it possible that this happened without human intervention? Could some obscure Windows bug have caused this?

3) How do I prevent this from happening again? I used the LastPass password generator when creating credentials for the group of people who administer this server. None of the accounts associated with customer file shares are authorized to remote into the server.

Sam Cogan
  • Did you mess with share security versus NTFS permission? As if a share security, it's normal – yagmoth555 Jul 31 '17 at 19:11
  • I was referring to share security in my question. It was not configured that way on Friday. On Friday, the share permissions listed the Administrator and the customer-specific accounts. Today only "Everyone" and Administrator were listed. Also, the server was allowing me to access all of the files within the shared folders from an unauthenticated computer. That can't possibly be normal. Before this happened you had to authenticate with a proper user account. – derangedhk417 Jul 31 '17 at 19:22
  • Please update your question with the NTFS permission too please – yagmoth555 Jul 31 '17 at 19:41

2 Answers

1

If you didn't have auditing turned on, then no, there will be no record of who made the changes or how they made them.

How do you fix and prevent this?

First, fix the permissions on the shares and the NTFS permissions on the folders themselves. That way if the share permissions are set to Everyone has Full Access again, then the NTFS permissions will still protect the files. And if the NTFS permissions get changed, the share permissions will help mitigate.

Second, don't use Full Control permissions. Make sure users do not have "Change Permissions" and "Take Ownership". Preferably, they would not have those rights at any level. But if they need to set their own permissions inside the share, then take away "Change Permissions" and "Take Ownership" at the top level folder.

Third, depending on your role, you should not be logging in or connecting to this server as administrator on a regular basis. Instead, your everyday account should be a normal user. If your role is to regularly work with the data in the share, then your user account should be a member of a domain group that is assigned the same permissions as your customer accounts. Only connect to the server using an Administrator account when necessary for a particular reason, i.e. to create a new customer share.

longneck
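One way to check both layers the answer above describes, as an added example that is not part of the original answer: a read-only PowerShell audit, run elevated on the file server, that lists share-level and NTFS entries granting access to broad principals such as "Everyone", and NTFS entries giving non-administrative accounts "Change Permissions" or "Take Ownership". The `$broad` and `$admins` lists are assumptions to adjust for your environment.

```powershell
# Added example: read-only audit of SMB share ACLs and the NTFS ACL on each share root.
# Nothing is modified; run in an elevated session on the file server itself.

# Principals that should never appear on a per-customer share (assumed list, extend as needed).
$broad  = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON'
# Principals allowed to hold permission-changing rights (assumed list).
$admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# NTFS rights the answer says customer accounts should not hold.
$risky = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
         [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$findings = foreach ($share in Get-SmbShare -Special $false) {
    # Layer 1: share permissions. Flag any Allow entry for a broad principal.
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if ($entry.AccessControlType -eq 'Allow' -and $broad -contains $entry.AccountName) {
            [pscustomobject]@{
                Share = $share.Name; Layer = 'Share'; Account = $entry.AccountName
                Rights = "$($entry.AccessRight)"; Issue = 'Broad principal allowed'
            }
        }
    }

    # Layer 2: NTFS permissions on the folder behind the share.
    if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $issue = $null
        if ($broad -contains $id) {
            $issue = 'Broad principal allowed'
        } elseif (($ace.FileSystemRights -band $risky) -and $admins -notcontains $id) {
            $issue = 'Non-admin can change permissions or take ownership'
        }
        if ($issue) {
            [pscustomobject]@{
                Share = $share.Name; Layer = 'NTFS'; Account = $id
                Rights = "$($ace.FileSystemRights)"; Issue = $issue
            }
        }
    }
}

# An empty result means neither layer matched the checks above.
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

Saving each run's output and comparing it with the previous one shows when a share's permissions change between runs.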
-1

I have the same issue. I cannot access the server from my PC. I've tried both \serverip\admin$ or \servername\admin$ or C$ or D$. This doesn't even work on the server desktop itself. This is a regular Windows 2016 server. It's not a domain controller. Without access to \admin$, I can use Veeam to back it up.

I can ping the server and do remote desktop to it.

Shel
  • If you have a new question, ask a question on the front page; don't add a new question as an attempted answer to an existing question. This isn't a forum. – mfinni Jan 06 '22 at 17:03
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/508207) – Dave M Jan 07 '22 at 12:11