Read only access to single user for all servers

  • 410 Views
  • Last Post 08 February 2018
yogeshcittu posted this 05 February 2018

Hi All,
We have a single user who requires “read only” access to all the drives (including C drive and other data drives) for all the servers in our environment. The user doesn’t require any server login access but should be able to access the drives through a share from his local machine.
What is the best way to achieve this? Any suggestion or input would help.
Regards, Yogesh

kool posted this 08 February 2018

If this request for access to the file systems of all servers is taken literally, that would include the domain controllers. If an organization has even a modest security posture, then membership in the DA and EA groups is thoroughly vetted and limited. The level of access being requested could end up close to that of DA/EA and, as pointed out, would pose a significant security risk, especially if local admin privs are the chosen solution.

It might be informative to ask what the reason is for needing this level of access. Is it an external or internal audit? Is it loss prevention? The legal department?

There are products out there that can be used to audit servers for things like file and share permissions and file access, offered by firms such as Beyond Trust. Would that meet the needs of this person?

It is pretty difficult to suggest a solution when the underlying need is not known.

Cheers,

    Eric

johnglenn posted this 08 February 2018

As Cynthia alluded to in her later response, you need this entity (user or group) to have file-system (e.g. NTFS) permissions to read all of these files - even for folders that do not inherit permissions.  Also, I assume that one of your goals is to operate with the least privileges required, so this entity should not be an administrator on all of your servers.  I can think of three feasible options for this:

  1. If you utilize backup software that has a local agent running as SYSTEM and that supports file-level restores to an alternate location, then perhaps this entity could be granted access to your backup infrastructure.  This would allow (effectively) read-only access to all files on all systems without granting over-reaching administrative access.  If real-time access to the live data is mandatory, this approach may not work.
  2. Utilize a PowerShell script (running as a scheduled task or as a server startup script) to set explicit "allow read" permissions at the root of each drive and also on any object that does not inherit permissions.  Be careful, though; changing NTFS ACLs using PowerShell can very easily cause severe problems if done even slightly incorrectly.
  3. Lastly, you could use a group policy preference to add this entity to the Administrators group on all of your servers without wiping out existing members.  If this entity has the authority to demand this access despite your objections and is able to bypass working with / through the normal administrators, then you may just be forced to do this.  Bear in mind that this entity will basically be God as far as your servers are concerned if you follow this approach.  No one in my organization has standing permissions of this level; they must be obtained through controlled elevation.
  4. I guess this isn't really an option since we're having this discussion, but it is worth pointing out: you could have this entity work through an existing administrator in your organization.  If literally none of the administrators can be trusted to serve as a trusted agent for this entity, then you should start polishing your LinkedIn profile.
Good luck with this one!  It seems like you are facing an uphill climb against an unruly demand of an over-eager internal checkbox-checker.  I know that pain all too well.  One word of caution: be aware that read access to literally all files on a system will grant access to some pretty sensitive files that could be used to compromise local accounts on the systems or identify other attack vectors - this especially applies with option #1.  Pick your poison carefully.
John
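As an added illustration of option 2 above (this is not John's script or anything posted in the thread), the following PowerShell applies the safeguards the thread keeps returning to: it runs in report-only mode unless `-Apply` is given, it exports the existing security descriptor of every folder it would touch before changing it, and it adds a single Read & Execute ACE for one group rather than replacing the ACL. The group name `CONTOSO\FS-ReadOnly-Auditors` and the backup path `C:\AclBackup` are assumptions. It is meant to run elevated or as SYSTEM (for instance from the scheduled task John mentions).

```powershell
# Added example, not code from this thread. Implements "option 2" in
# report-first mode: grant one AD group read-only NTFS access at each fixed
# drive root and on every folder whose ACL does not inherit, exporting the
# current security descriptor before any change and ADDING an ACE rather than
# replacing the ACL. $Identity and $BackupRoot are assumed names.
param(
    [string]$Identity   = 'CONTOSO\FS-ReadOnly-Auditors',  # assumed group
    [string]$BackupRoot = 'C:\AclBackup',                  # assumed path
    [switch]$Apply                                         # default: report only
)

$null  = New-Item -ItemType Directory -Path $BackupRoot -Force
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Read & Execute on this folder, its subfolders and files; no write rights.
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

function Add-ReadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Already has an explicit Allow entry for this identity: nothing to do.
    if ($acl.Access | Where-Object { -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' }) { return }

    # Snapshot the existing descriptor (SDDL) so the change can be reverted.
    $file = Join-Path $BackupRoot ('{0}-{1}.sddl' -f $stamp, ($Path -replace '[:\\]', '_'))
    $acl.Sddl | Out-File -LiteralPath $file -Encoding ascii

    if ($Apply) {
        $acl.AddAccessRule($ace)          # appends; existing ACEs are untouched
        Set-Acl -LiteralPath $Path -AclObject $acl
        "APPLIED   $Path"
    } else {
        "WOULD ADD $Path"
    }
}

$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
         ForEach-Object { $_.DeviceID + '\' }      # fixed disks only

foreach ($root in $roots) {
    Add-ReadAce -Path $root
    # Folders with inheritance disabled never receive the root ACE, so they
    # need an explicit entry of their own. Reparse points are skipped.
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            $dir = $_.FullName
            try {
                if ((Get-Acl -LiteralPath $dir).AreAccessRulesProtected) { Add-ReadAce -Path $dir }
            } catch { "SKIPPED   $dir ($($_.Exception.Message))" }
        }
}
```

Run it once without `-Apply`, review the `WOULD ADD` and `SKIPPED` lines, and only then run it with `-Apply`. Individual files with protected ACLs are deliberately not touched; that is the trade-off for never rewriting an existing ACL wholesale. The script gives NTFS rights only: the user still needs a share (or the administrative shares) and the "Access this computer from the network" right on each server, as Ken points out.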



crossme posted this 07 February 2018

How do I unsubscribe?

yogeshcittu posted this 07 February 2018

Creating a new GPO is what I should try but I’m not sure how it would be feasible for all existing folders in all servers unless I do some testing.
Interactive login is not what I’m looking into.
And also I’m looking for other better options.
On Wed, 7 Feb 2018 at 4:26 AM, Ken Schaefer <ken@xxxxxxxxxxxxxxxx> wrote:

ken posted this 06 February 2018

If we give someone interactive login to a server, then it starts becoming really hard to lock down what else they can do.

Hence, I’d recommend (in the absence of any other requirement) doing it via shares, since that would require “access this computer from the network” only.

As you mention, this wouldn’t work for any folders which have been set up without giving BUILTIN\Users Read access – hopefully there aren’t too many shares like that.

I guess other options would be to allow the user access to backups, or using a batch job/service running as System to access the files, and report the results back to the user (thus avoiding any NTFS permissions issues).

Maybe if OP were to elucidate what the user is needing to do with Read access, there might be other options.

Cynthia posted this 06 February 2018

I believe Yogesh isn’t looking to just create a share on a server, he is looking to give access to the existing folders on the servers. Changing all file permissions on a server can be detrimental to security and a huge job if it involves multiple servers. You would have to take note of the current permissions on every folder to make sure you would not overwrite them when making them a share, and you may end up changing the permissions in a way that makes the containers insecure or worse, inaccessible to server apps.

If you use group policy, and use groups to give the access, you have more control over what is accessed and you limit the damage to the existing server.

You are right, I was going from memory, and again, from memory, it may have been the Remote Desktop Users ability that I had granted to give the ability his user seeks.

I did not make myself clear enough that I wasn’t advocating the Administrator ability.

Once that ability is set up, and it would have to be in order for him to maintain the rights each server is now granting to others, he should have a feel on how to create the others.

Bypass traverse checking is the right I believe you are looking for.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

I may have also had to give the right in the domain controllers policy as well.

(Since our org has become so big, I’ve not been a fileshare admin or AD admin for 3 years because of how much more time I have to dedicate to what I’m doing now – but I’ll try to help in any way I am able.)

Use the link to find out more about your choices, Yogesh, but keep in mind, even Printer Operators gives too many rights to users, but we have to work with what Microsoft gives us.

Either way, let your user know that this will be a project.

Cynthia Erno

Icolan posted this 05 February 2018

Ken Schaefer's suggestion is the way to go, you can configure those shares in GPO if you need them on a lot of servers.
The restricted groups suggestion made by Cynthia Erno will give the user too many rights, by putting the user in the Administrators group you will not be able to effectively restrict what that user is able to do.  The 'Builtin\Read Only' group that was mentioned does not exist.
https://msdn.microsoft.com/en-us/library/bb726980.aspx



ken posted this 05 February 2018

Set up shares on all the servers, make them read only shares. Give this guy/gal access to the shares? Seems straightforward…
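As an added example of the share-based approach (not Ken's code or anything posted in the thread), this PowerShell creates one read-only SMB share per fixed disk on a server, with the share-level permission granting Read to a single group and nothing to Everyone. The group `CONTOSO\FS-ReadOnly-Auditors` and the `<letter>_ReadOnly` naming are assumptions. Effective access is the intersection of share and NTFS permissions, so folders whose NTFS ACL does not grant the group (or BUILTIN\Users) Read stay unreadable through the share, which is the gap Ken notes later in the thread.

```powershell
# Added example, not code from this thread. Publishes each fixed disk as a
# read-only share for one auditing group. Run elevated on the file server.
# $Identity and the share naming convention are assumptions.
$Identity = 'CONTOSO\FS-ReadOnly-Auditors'   # assumed AD group

Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    $root = $_.DeviceID + '\'                      # e.g. C:\
    $name = $_.DeviceID.TrimEnd(':') + '_ReadOnly' # e.g. C_ReadOnly (assumed)

    if (Get-SmbShare -Name $name -ErrorAction SilentlyContinue) {
        "EXISTS  $name -> $root"
        return
    }
    # -ReadAccess sets the only share ACE; Everyone/Read is NOT added when an
    # explicit access parameter is supplied. No FullAccess/ChangeAccess given.
    New-SmbShare -Name $name -Path $root -ReadAccess $Identity `
                 -Description 'Read-only audit share' | Out-Null
    "CREATED $name -> $root"
}

# Verify: every audit share should list exactly one Allow/Read entry.
Get-SmbShare | Where-Object Name -like '*_ReadOnly' | Get-SmbShareAccess |
    Select-Object Name, AccountName, AccessControlType, AccessRight
```

The final `Get-SmbShareAccess` listing is the check to keep: any `Full` or `Change` right, or any account other than the auditing group, means the share permission is wider than intended. Pushing the same thing to many servers is what Icolan's GPO suggestion covers.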

 


marcuscoh posted this 05 February 2018

What Cynthia said... 



PARRIS posted this 05 February 2018

He needs access to all data but not the server itself?

How many servers are you talking about and what do they need to achieve with their access?

Regards,

Mark Parris
Active Directory & Cloud Security Consultancy.
MVP Enterprise Mobility | MCM Directory Services
Mobile: +44 7801 690596
E-mail: mark@xxxxxxxxxxxxxxxx

Cynthia posted this 05 February 2018

You could set up your group policy to accommodate those.

 

Cynthia

 


yogeshcittu posted this 05 February 2018

Thanks Cynthia for the suggestion, but I don’t want local admin accounts to get wiped off.
Looking for any alternative.
On Mon, 5 Feb 2018 at 6:07 PM, Erno, Cynthia M (ITS) <Cynthia.Erno@xxxxxxxxxxxxxxxx> wrote:

Cynthia posted this 05 February 2018

Yogesh,

Set up a group policy that allows this user read only access to all of your servers. If you don’t have this already in place for your other users (groups), you will have to change that.

Groups are preferred, even if you are only putting one person in that group for now.

I called mine RestrictedGroupsX (with X signifying the OU I was applying it to). For instance, RestrictedGroupsSQLservers and RestrictedSharepointServers. These groups make sure that the DBs stay in one admin group and the SharePoint admins stay in the other, so admin rights are only given to the servers they need to administer; as long as your OUs and servers are sorted to fit this method.

Then, in all restricted groups, add read only rights to the group that would contain your key user.

Group policy – Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups (this is key)

Builtin Administrators – then add your admin groups, then add Builtin Read-Only (if memory serves me correctly) – then add your group for your user.

If memory also serves, this will wipe out all your local admin accounts (because it is being driven by group policy), so you will have to take note of those on every server before you enable the group policies.

In the long run, these policies make it so much easier to secure your environment and be consistent about who is accessing what.

Good luck.

Cynthia Erno