Windows Server 2016 Datacenter, all 19 shares suddenly accessible to everyone

I am currently running a Windows Server 2016 Datacenter Virtual Machine in Azure. This server has 19 file shares on it. Each of these shares is devoted to a single customer of the company I work for. While troubleshooting a connection issue for a client, I found that all 19 of the file shares had been reconfigured so that the "Everyone" principal had full control. They were originally set up so that only the server administrator and a single, client-specific account would have access to each file share.

1) Is there a way for me to determine how this happened? I did not have auditing configured on the server.

2) Is it possible that this happened without human intervention? Could some obscure Windows bug have caused this?

3) How do I prevent this from happening again? I used the LastPass password generator when creating credentials for the group of people who administer this server. None of the accounts associated with customer file shares are authorized to remote into the server.


Solution 1:

If you didn't have auditing turned on, then no, there will be no record of who made the changes or how they made them.

How do you fix and prevent this?

First, fix the permissions on the shares and the NTFS permissions on the folders themselves. That way, if the share permissions are set to "Everyone has Full Access" again, the NTFS permissions will still protect the files. And if the NTFS permissions get changed, the share permissions will help mitigate.

Second, don't use Full Control permissions. Make sure users do not have "Change Permissions" and "Take Ownership". Preferably, they would not have those rights at any level. But if they need to set their own permissions inside the share, then take away "Change Permissions" and "Take Ownership" at the top level folder.

Third, depending on your role, you should not be logging in or connecting to this server as administrator on a regular basis. Instead, your everyday account should be a normal user. If your role is to regularly work with the data in the share, then your user account should be a member of a domain group that is assigned the same permissions as your customer accounts. Only connect to the server using an Administrator account when necessary for a particular reason, i.e. to create a new customer share.
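The first two steps of the answer above (re-layering share and NTFS permissions, and keeping "Change Permissions" and "Take Ownership" away from customer accounts) as an added PowerShell example. This is not code from the original answer; the share name, customer account and path it uses are hypothetical placeholders, and it assumes it is run elevated on the file server itself with the built-in SmbShare module available.

```powershell
# Added example (not part of the original answer). Run elevated on the file server.
# Share names, account names and paths below are hypothetical placeholders.

$AdminGroup = 'BUILTIN\Administrators'

# Detect: every non-administrative share on which 'Everyone' has any access at all.
function Get-EveryoneExposedShares {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' } |
            ForEach-Object {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    AccessRight = $_.AccessRight
                }
            }
    }
}

# Fix one customer share: strip 'Everyone' from the share ACL, keep Administrators at Full,
# give the single customer account Change (not Full Control), then set the NTFS ACL on
# the folder so the share permissions are no longer the only guard.
function Repair-CustomerShare {
    param(
        [Parameter(Mandatory)] [string] $ShareName,        # e.g. 'CustomerA' (hypothetical)
        [Parameter(Mandatory)] [string] $CustomerAccount   # e.g. 'CONTOSO\svc_customerA' (hypothetical)
    )
    $share = Get-SmbShare -Name $ShareName

    # Share-level permissions.
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
    Grant-SmbShareAccess  -Name $ShareName -AccountName $AdminGroup      -AccessRight Full   -Force
    Grant-SmbShareAccess  -Name $ShareName -AccountName $CustomerAccount -AccessRight Change -Force

    # NTFS permissions. 'Modify' = read/write/delete but NOT ChangePermissions or TakeOwnership.
    $acl = Get-Acl -Path $share.Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting; drop inherited ACEs on save
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null           # start from an empty explicit ACL
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $AdminGroup, 'FullControl', $inherit, $prop, 'Allow'))
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $CustomerAccount, 'Modify', $inherit, $prop, 'Allow'))

    # Owner stays Administrators, so the customer account cannot re-grant itself rights.
    $acl.SetOwner([System.Security.Principal.NTAccount]$AdminGroup)
    Set-Acl -Path $share.Path -AclObject $acl
}

# Verify: any ACE for a non-administrator principal that still carries ChangePermissions
# or TakeOwnership is a finding worth fixing.
function Test-NtfsDangerousRights {
    param([Parameter(Mandatory)] [string] $Path)
    $dangerous = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.IdentityReference.Value -ne $AdminGroup -and
            (([int]$_.FileSystemRights) -band $dangerous) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (hypothetical names):
# Get-EveryoneExposedShares | Format-Table
# Repair-CustomerShare -ShareName 'CustomerA' -CustomerAccount 'CONTOSO\svc_customerA'
# Test-NtfsDangerousRights -Path 'D:\Shares\CustomerA'
```

Running `Get-EveryoneExposedShares` first gives you the list of affected shares to feed into `Repair-CustomerShare`; running `Test-NtfsDangerousRights` afterwards confirms that no customer principal retained the two rights the answer singles out. Because `Repair-CustomerShare` replaces the folder's explicit ACL wholesale, check its output on one share before looping it over all 19.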