share info listed is not correct

  • share info listed is not correct

    Using Exporter Pro, I ran a security scan for the shares on a W2K server. One share showed FULL_CONTROL for the Everyone group, which piqued my interest. When I examined the rights for that share using Windows Explorer on the server in question, I show the Everyone group has READ access at the share level. At the directory level, the Everyone group has read/execute/list permissions, but not write permissions.

    My question is this: why does Exporter Pro list the permissions for this share as FULL_CONTROL for the Everyone group when Windows shows the permissions as READ? Is there a particular set of circumstances that can cause this sort of anomaly? My concern is that I rely on the output of Exporter Pro for auditing system configurations. If I can't trust the results to match up with the actual rights on a given server, this tool isn't going to be of much use to me. My assumption is that something I'm not thinking of is causing a problem. Just not sure what it might be. Any thoughts?

  • #2
    Re: share info listed is not correct

    BTW, I'm using Exporter Pro Version 2.0 rev 'B'


    • #3
      Re: share info listed is not correct

      First, make sure that you are looking at the actual share security vs the NTFS file/directory permissions on the share. We get a lot of inquiries from users who are confused by these differences. In Explorer, you can get to the share permissions by right clicking on the share, selecting Properties, then the Sharing tab, then clicking on the Permissions button. I'm curious if you have Hyena, and what it reports for the permissions for this same share.

      One problem is that there isn't any such thing as the "FULL_CONTROL" permission, or any convention on what that is. Permissions are a series of bits, like on/off switches. For this reason, we don't try to present a one-word description of permissions on files/directories in Exporter Pro, but rather provide all of the 'bits' that are turned on. But for shares, there are only a few permissions, so we use a single-word label for each. To show "full control" we look for either the value of GENERIC_ALL or WRITE_DAC. There might be a way to use another Microsoft utility to show the raw security bits. I suspect that the WRITE_DAC bit may be turned on, as this security setting allows the user to WRITE (change) the security settings. I think that GENERIC_ALL also includes this right. Since anyone with the WRITE_DAC right can change their own permissions, we regard it as having Full Control, even though they do not have write access directly (but they can give it to themselves at any time). From a security standpoint, you could have someone with WRITE_DAC give themselves full write access, update the information through the share, then remove the write access and you would not know that they have access.

      I can't think of another utility off hand that shows the raw ACE entries, but maybe you know of one. But I wanted to know what Hyena shows as well for the share as a comparison.
      Kevin Stanush
      SystemTools Software Inc.


      • #4
        Re: share info listed is not correct

        Thanks for the reply. First off, I'm definitely looking at the share permissions in the Exporter Pro output (and on the Windows server). I did, however, look at the NTFS file/directory permissions set on the Windows server as well to see if I could see a reason the Exporter Pro output didn't match what I saw on the share permissions of the Windows server.

        I used the term "FULL_CONTROL" and "READ" very specifically, because that is what Exporter Pro lists as the permissions for a share. It is also the way it is listed on the share permissions when viewed via Windows Explorer (though "FULL_CONTROL" is "Full Control" in Windows Explorer), so your second paragraph about not having a right called "Full Control" is more than a little confusing to me.

        I assume the part about WRITE_DAC is referring to the NTFS file/directory permissions. My assumption is that the WRITE_DAC bit is set when someone checks the "Change Permissions" setting. When I check those on my server, I see that the Everyone group has the following settings:

        (For This folder, subfolders and files)
        Traverse Folder/ Execute File
        List Folder / Read Data
        Read Attributes
        Read Extended Attributes
        Read Permissions

        Nothing else is checked. Also, the directory is not owned by the Everyone group. To me, the Everyone group is clearly restricted to read-only behavior for this directory. Looking at the share permissions (shares tab, permissions) for the same directory, I see the following setting checked for the Everyone group:

        Read (allow)

        Nothing else.

        I do not have Hyena, so I can't provide the comparison. As for another tool to use, I was sort of hoping Exporter Pro could be the tool I use for this sort of audit. I'm still hoping that is the case. I just need an explanation of why Exporter Pro lists the permissions as "FULL_CONTROL" for this particular user group/share combo.


        • #5
          Re: share info listed is not correct

          I can't tell from this response whether you are referring to share vs file/directory permissions. You indicate a screen with the information "(For This folder, subfolders and files)", which would be for file/directory permissions, and not for a share.

          Shares have independent permissions from files and directories. I suspect that you are comparing the share security information from Exporter Pro with what you are seeing in Explorer for the security on the shared directory.

          When I said that there isn't such a thing as "full control", I meant that there isn't such a security setting. But since Microsoft created the term "full control", and uses it in their own GUIs, we attempt to define that as having either the GENERIC_ALL or WRITE_DAC right when looking at shares. We never use this term for files or directories so you must be looking at the output from the share security. In Explorer, you need to look at the security for the share, which is done by how I outlined in the previous post.

          Send some screenshots to [email protected] so that we can verify what you are comparing.
          Kevin Stanush
          SystemTools Software Inc.


          • #6
            Re: share info listed is not correct

            Ok, I thought I was clear in my previous posts, but I'll try again with a simpler description of the problem.

            I want to know the SHARE permissions of a given directory.

            I have used Exporter Pro to show me the SHARE permissions of that directory.

            I have also used Windows Explorer to view the SHARE permissions of that same directory.

            The results of the two do not match.

            When using Windows Explorer, I see a SHARE permission of Read (allow) for the Everyone group.

            When I view the Exporter Pro output I see a SHARE permission of "FULL_CONTROL" for the Everyone group for that same share.

            I am well aware of the difference between the SHARE permissions and the NTFS file/directory permissions and I am not confusing the two.

            In an attempt to determine the cause of the discrepancy, I have also looked at the NTFS file/directory permissions using Windows Explorer. The results are clearly stated in my previous posts.

            Please explain why the SHARE permissions for this specific share in Exporter Pro do not match the SHARE permissions as seen through Windows Explorer.


            • #7
              Re: share info listed is not correct

              As I said, send a screen shot to [email protected] showing the dialog that you are seeing in Windows with the permissions in question.
              Kevin Stanush
              SystemTools Software Inc.


              • #8
                Re: share info listed is not correct

                Thank you for the screen shot. The only reason that I can think of where you would see this difference is because of what I originally said: you probably have the WRITE_DAC security setting turned on for the access control entry (ACE) for the Everyone group.

                Because there isn't an actual setting for "Full Control", applications have to try to decide what "full control" means. To Exporter Pro, we show FULL_CONTROL (for shares) if either GENERIC_ALL or the WRITE_DAC setting is present. The WRITE_DAC security setting can be applied to any securable object (files, directories, registry keys, and shares).

                I assume that you don't have this difference on all of your shares, just some of them. The Exporter Pro share security routines are the same ones used in Hyena, and those were developed almost 10 years ago, so any problems would have surfaced a long time ago.

                One thing you can try, as a test:

                Take this share, and add another user or group and give them "Read" access. Re-run Exporter Pro and see if the output is showing only 'read' for this new user/group and if the Everyone group has changed.

                If Everyone is still showing Full Control (in Exporter Pro's output), using Explorer, remove Everyone from any permissions on the share, click OK, then modify the share permissions again and put Everyone back with Read-Only access. Then rerun Exporter Pro to see what you see.

                I unfortunately don't know of a utility that will show the raw security flags that are set for this share, as that would reveal why you are seeing this.
                Kevin Stanush
                SystemTools Software Inc.
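
The "permissions are a series of bits" point from posts #3 and #8, as an added example that is not part of the thread and is not Exporter Pro's or Hyena's code: it decodes a share ACE access mask into its named bits and applies the labelling rule stated in the thread (GENERIC_ALL or WRITE_DAC gives FULL_CONTROL). The READ/CHANGE fallback labels, the function names and the last sample mask are assumptions constructed for illustration.

```python
# Access-right bit values as defined in the Windows SDK (winnt.h).
RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
WRITE_DAC, GENERIC_ALL = 0x00040000, 0x10000000
WRITE_BITS = 0x00000002 | 0x00000004  # FILE_WRITE_DATA | FILE_APPEND_DATA

# Masks the Explorer share dialog writes for Read, Change and Full Control.
EXPLORER_READ, EXPLORER_CHANGE, EXPLORER_FULL = 0x001200A9, 0x001301BF, 0x001F01FF

def decode(mask):
    """Return the name of every known bit set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def thread_label(mask):
    """FULL_CONTROL per the rule in the thread; READ/CHANGE are assumed labels."""
    if mask & (GENERIC_ALL | WRITE_DAC):
        return "FULL_CONTROL"
    return "CHANGE" if mask & WRITE_BITS else "READ"

def dacl_only(mask):
    """True when the ACE lets the holder rewrite the DACL but grants no write-data bit."""
    return bool(mask & WRITE_DAC) and not mask & (WRITE_BITS | GENERIC_ALL)

if __name__ == "__main__":
    # Constructed sample: a read-only mask with WRITE_DAC also set.
    samples = {"read": EXPLORER_READ, "change": EXPLORER_CHANGE,
               "full": EXPLORER_FULL, "read+WRITE_DAC": EXPLORER_READ | WRITE_DAC}
    for name, mask in samples.items():
        print(f"{name:15} 0x{mask:08X} {thread_label(mask):12} "
              f"dacl_only={dacl_only(mask)} {decode(mask)}")
```

For an audit, the `dacl_only` case is the one worth flagging: a mask with only read-data bits plus WRITE_DAC still gets FULL_CONTROL under the thread's rule.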