Windows shared folder not respecting NTFS filesystem permissions?

I have discovered a quite disturbing issue with our Windows Server 2003 Small Business Server (SP2) concerning NTFS file permissions and shared folders.

If I set up a share with an ACL that includes a user with full control access to that share, as I understand it, if the underlying NTFS permission doesn't grant access to a file, then this share ACL should not override this.

Mysteriously, on our SBS 2003 install (but not on other Windows 2003 Server installs we have for testing purposes), the underlying NTFS ACL seems to be being ignored, and once a share ACL gives write access to a folder, it gives write access to *every* file, even if the NTFS file permissions are explicitly set to provide read access only.

For for instance if I have a folder structure like the following:

(on \\server)
C:\Data - ACL: {Everyone: Read Only}
|
+-- File1.txt - ACL: inherit
+-- File2.txt - ACL: inherit

And then share this folder as \\server\Data with the share ACL set to Everyone: Full Control, then if I write to the file \\server\Data\File1.txt then I should get an access denied error because although I've got write access via the share permissions I don't have write access to the file object in the NTFS file system.

On our domain controller which is running Windows 2003 Small Business Server with SP2 installed, with the scenario above is allowing access, in fact it appears to be allowing access to any file access via a share regardless of the NTFS file permissions?!

This seems wrong to me, and I checked on other windows installs we have and they definitely do respect the NTFS permissions, giving an access denied as I expected.

Is there something wrong with our server install, any ideas what could be causing this behaviour, or how I could troubleshoot the problem?

Regards,

Michael

--
Michael Sharman
Analyst Programmer
Insight GIS
http://www.insightgis.com.au/
.

Relevant Pages

  • RE: Windows 2003 Server - Everyone Group
    ... this folder only accessable by the users in the "special" group. ... Configure User and Group Access on an Intranet in Windows Server ... NTFS files system permissions control ... group that you want to set permissions for, click Check Names to verify the ...
    (microsoft.public.win2000.networking)
  • Re: Office Docs wont Open? and BU Drive not Recognized?
    ... Create a new Folder: ... On the server share... ... SHARING tab | Permissions | Share Permissions | Group or User Names ... If I copy the document to the local Client, the document opens ...
    (microsoft.public.windows.server.sbs)
  • Re: An NT Security Gotcha that looks like a Jet Security issue
    ... >people remotely via Windows Terminal Server. ... >code when it was run by a user that didn't have full permissions on ... There's a top-level DATA folder, ... >ApplicantsDB and Quickbooks. ...
    (comp.databases.ms-access)
  • Re: Exchange Move Issues?
    ... I'm a bit confused on what permissions to assign for SBS, ... When you finish moving the databases, ... You can move the log files and database files to any folder that you want to ... Note Only assign permissions to the Server Operators group if the Exchange ...
    (microsoft.public.windows.server.sbs)
  • Re: MS - Access Issues
    ... I don't see anything anywhere for NTFS folder permissions. ... Nor can it find the domain server. ... checked to bypass proxy server for local addresses. ...
    (microsoft.public.windows.server.sbs)
Loading