Permissions and access security for a shared folder on a server

  1. I need to set permissions to a folder for two people.
  2. I am not an administrator on the server but I have access to grant and remove permissions to folders.
  3. Not even the Server Admin should have access to that folder except for those two users.
  4. The following users are default on the folder or at least are there when I check permissions in that folder the same as other folders:
    • Authenticated Users
    • SYSTEM
    • Administrators(hostname\Administrators)
    • Users(hostname\Users)
    • myusername(domain\myusername)

I need to set permissions for users not listed above, and only they should have access to the folder. However, will it be safe to remove the users listed above without causing implications when creating backups or granting and removing permissions in the future?

Answer

> I am not an administrator on the server but I have access to grant and remove permissions to folders.

This was a bad setup on the admin's part. Non-admins should not have FULL CONTROL on folders and files.

> Not even the Server Admin should have access to that folder except for those two users

This is not possible. If the admin has administrative rights to the server (the very definition of an admin) then they can easily grant themselves rights again to that folder.

All that said, you can add the 2 accounts with FULL CONTROL (because you said you wanted them to be able to add/remove permissions in the future) and can technically remove everything including SYSTEM. It won’t hurt to leave SYSTEM but it also isn’t REQUIRED to stay.

Backups should be done using an account in the Backup Operators group which technically doesn’t need rights to the folder as it can bypass security during backups. Some backup programs require the account it is run under to be an admin or even Domain Admin though. But as long as the account the backups run under is a part of the Backup Operators then it should run fine.

However, I still stand by the fact that if another account has administrative rights on that server they will be able to take ownership and apply new permissions including granting themselves access. If this folder truly needs to be “secure” you’ll have to look beyond NTFS permissions to secure it.

Attribution
Source: Link, Question Author: optionalNickname, Answer Author: TheCleaner
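The change the answer describes, as an added PowerShell example that is not part of the original question or answer: it stops inheritance, leaves only two accounts with Full Control, and then reports any entry that is not one of them, which is how a later re-grant by an administrator would show up. The folder path and the two account names are assumptions, and the script assumes it is run by an account that currently has Full Control on the folder.

```powershell
# Added example. The path and account names are hypothetical placeholders.
$Path    = 'D:\Shares\Restricted'              # assumed folder
$Allowed = 'CONTOSO\alice', 'CONTOSO\bob'      # assumed: the two users

function Set-RestrictedAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and discard the inherited entries
    # (Authenticated Users, SYSTEM, Administrators, Users).
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit entries are still on the folder.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Full Control for each allowed account, applying to this folder,
    # its subfolders and its files.
    foreach ($id in $Allowed) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AclDrift {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -LiteralPath $Path
    # Report inherited entries and entries for any identity outside the
    # allowed list, together with the current owner of the folder.
    $acl.Access |
        Where-Object { $_.IsInherited -or ($Allowed -notcontains $_.IdentityReference.Value) } |
        Select-Object @{ n = 'Owner'; e = { $acl.Owner } },
                      IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-RestrictedAcl -Path $Path -Allowed $Allowed
# No output here means the two accounts are the only entries on the folder.
Get-AclDrift -Path $Path -Allowed $Allowed
```

Running `Get-AclDrift` on a schedule under one of the two accounts turns the answer's caveat into something observable: an unexpected owner or an extra entry means someone with administrative rights has changed the folder's security.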
