It’s that time of year again where a review of your Windows Network file and folder permissions is being performed, and yet again, there appears to be excessive Full Control access granted throughout your file structure. Upon further review of this noted excessive access being granted, it appears the culprit is the Creator Owner or Owner permissions1.
How can this be the case, as a periodic review of permissions is being performed, and what can be done to better limit this excessive access?
What is the Creator Owner permission?
Creator Owner is a default (built-in) Windows permission that is automatically created within the file structure each time a file or folder is added. This is due to Windows needing to assign permissions (ownership) to each corresponding item on the network. As a fail-safe, should no individual account be assigned permission, the Creator Owner permission becomes the designated way of establishing ownership. As this takes place instantaneously, there is no way to prevent Creator Owner permission from appearing on the network. However, the permissions assigned to the Creator Owner permission can be manually adjusted.
What are the available Windows (basic) permissions?
Generally, there are six Windows permissions that may be assigned on the network. If all six of these permissions are granted together, this is referred to as having “Full Control.” As a best practice, Full Control should typically be assigned to authorized administrative accounts, which generally include IT Department individuals and critical service-level accounts, including IT vendor accounts.2 For all other users, it is generally acceptable to grant only Read, Write, Execute, and Delete permissions, more commonly known as “Modify.”2 Brief descriptions of the six Windows permissions are as follows:
- Read (R) – This access level allows an account to open and view a designated file.
- Write (W) – This access level allows an account to open and make changes in a designated file.
- Execute (X) – This access level allows an account to run a designated file, generally with an “.exe” extension.
- Delete (D) – This access level allows an account to remove a designated file.
- Change (P) – This access level allows an account to adjust the permissions granted on a designated file. This permission is generally granted to authorized administrative accounts via Full Control.
- Take Ownership (O) – This access level allows an account to become the owner (“creator”) of a designated file after explicitly receiving a permission request. Windows implemented this permission to mitigate the possibility of a fake file being created and assigned to another account. This permission is generally granted alongside the Change permission.
Where does Creator Owner exist, and how can any instances assigned be remediated?
As noted above, Creator Owner permission will appear at various levels of the Windows network file structure whenever a file or folder is created. Generally, permissions are granted within the file structure using a descending (top-down) method. So the highest level of a file structure, known as the Root-level3, will determine the permission granted throughout the file structure. As a best practice, it is recommended to adjust the Creator Owner permission to Modify at the Root-level rather than fully removing it. Otherwise, if the account is fully removed, Windows may create a new instance of this permission, thus restarting this excessive permission being granted from that directory level downward. After making any adjustments to this permission, Windows will update and propagate down the file structure for each inherited instance of this account. The same is true for other accounts on the network with inherited accesses. They are adjusted from a higher level in the file structure.
However, due to various instances of Creator Owner permission existing, it is possible that permissions may be assigned from a subfolder location, a type of permission known as a “non-inherited” permission. For these non-inherited instances, Creator Owner permission will have to be further investigated at each defined location. Using the process noted above, Creator Owner permission may be adjusted to Modify. Alternatively, in these instances, this permission may be removed to default the inheritance of permissions back to the Root-level.
Default Owner Permissions
Another aspect of permissions to consider is Owner Rights. This is different than the Creator Owner permission granted in the file system as described above. Creators of files and folders are assigned as the Owner and by default have full control permission to the objects they create, regardless of other more restrictive file system permissions granted. To ensure Owners are properly limited to the intended permissions, the default permission granted to Owners should be changed for non-admin users. Therefore, it is recommended to add Owner Rights to the usernames at the Root-level of the shared folder and grant them Modify permission, which should inherit down throughout the folder structure. To ensure that IT admins do not inadvertently lose full control permissions in this process, domain admins should be granted full control permission at the Root-level of the shared folder. This process would need to be repeated within the folder structure anywhere inheritance has been disabled.
What is the risk?
As noted above, Full Control should typically be assigned to authorized administrative accounts, which generally include IT Department individuals and critical service-level accounts, including IT vendor accounts. There are some exceptions to granting this permission, such as each user having Full Control access on their own home drive or individual shared folder, where noncritical information is stored.5 As a sample scenario, it is assumed that Person A only has access to Person A’s folders, and Person B only has access to Person B’s folders, and so forth. However, if a capable individual were able to gain access to these directories, they would be able to grant permissions to others as Full Control is enabled. Considerations for such scenarios should be formally documented within the institution’s risk assessment to identify a comfortable level of risk.
When factoring in Creator Owner permission, an individual should not be inheriting Full Control access based on the fact that they created a folder within the directory. Instead, individuals should be inheriting the appropriate lowest privileged access required to perform job duties as defined from a higher level within the directory. For example, Person A is an entry-level staff member of Accounting and creates a subfolder in the Accounting share that will be used for storing financially significant spreadsheets. However, as Creator Owner permission has not been adjusted, Person A inherits Full Control access, as they were the individual that created this subfolder. Although Person A may not know how to grant access to others, as part of the Full Control access permissions, Person A (or someone who is able to gain access to this individual’s account) may authorize access (including Full Control) to this created subfolder to other individuals. Also, as financially significant spreadsheets are stored in this subfolder in this scenario, the risk of an unauthorized individual gaining access increases.
Instead, if Creator Owner permission is properly adjusted, when Person A creates the same subfolder, they will inherit the appropriate permission granted within that share location. For example, Person A has Read and Write permissions granted. When creating the noted subfolder, Person A will only be granted Read and Write permissions, even though this individual was the one who created the subfolder.
Performing effective reviews of Windows network permissions currently granted
As a best practice, a periodic review of Windows network users4, group assignments4, and file/folder permissions should be performed at least annually. During these reviews, network permissions should be investigated to ensure proper assignments, including Full Control and the Creator Owner permissions.
For all network permissions granted, as a best practice, it is recommended that the least amount of access be granted, where possible, so that any applicable job duties may still be performed. As part of the review process, the institution should determine if access appears appropriate where sensitive information is maintained and who has access to these network locations.4
To properly evidence who completed the periodic review and when, formal documentation should be maintained. Common methods to evidence the completion of these reviews come in the form of electronically signing/initialing and dating the system-generated report with any applicable markup notes, or even maintaining a separate summary log of changes detailing the reviewer and date of review, along with a copy of the system-generated reports. Alternatively, discussions may even be documented within corresponding committee meetings, along with a copy of the system-generated reports.
In regard to ongoing documentation of any access additions, changes, or removals, the institution should follow a defined process for submitting a request and obtaining approval under dual controls. Common methods to define this process are detailed within an information security policy and include utilizing an access change form or IT help desk ticket.
Sample scenarios
If there is an HR Department file share (“drive”), then typically only authorized administrators and members of that department should have access.4,5 These authorized administrators may have Full Control permission, while the HR Department members have Read and Write permissions. However, there may be another user from the Accounting Department who has access. This additional user’s access should be reviewed for necessity and adjusted as applicable. For instance, if this additional user needs access to a specific folder, then it may be reasonable to grant limited access to this network location. Considerations should include what is needed to complete job duties. If this user only needs to be able to view the files, then Read permission would suffice; however, if this user also needs to edit the files, then Read and Write permissions would suffice.
When granting permissions on the network, the preferred method would be to use group assignments and, as needed, grant additional permissions to individuals through manual assignment. In the example above, the HR Department group could be assigned Read and Write permissions, while the administrators group could be assigned Full Control permission for the HR network share. By assigning permissions through group assignment, any users added to these groups would inherit the applicable defined permission(s). Then, when access changes take place (i.e. new hires, terminations, job changes), the institution may easily amend the appropriate group members accordingly. This would apply to other network locations where these groups are granted access, too.
Further, by manually assigning permissions directly to an individual, the institution would need to specify each network location. In conjunction with the group assignment process noted above, the institution would only need to grant the Accounting Department individual the appropriate additional access for their job duties. If instead this individual was added to the HR Department group, this individual would have excessive permissions granted due to inheriting access to each of the network locations the HR Department group has been granted.4
Any questions?
Over the past couple years, we have noticed significant improvements for our clients’ Windows file and folder permissions after adjusting the Creator Owner and/or Owner permissions. There are free and paid tools available to generate Windows network permission reports and detailed user account listings:6
https://blog.netwrix.com/2021/01/13/ntfs-permissions-tools/
https://blog.netwrix.com/2021/03/10/active-directory-tools/
https://www.comparitech.com/net-admin/active-directory-tools/
If you have any questions related to Windows network file and folder permissions, please reach out to Jeremy Burris at jburris@srsnodgrass.com.
1: The Creator Owner permission was identified for further review purposes. It should be known that excessive access permissions granted are not only limited to this account; however, it is a recommended starting point to remove other identified inherited instances.
2: See further comments about granting Full Control and Modify access within the “Performing effective reviews of Windows network permissions currently granted.”
3: The Root-level is typically depicted by the drive letter (i.e. C://).
4: The focus of this document is network file and folder permissions. For further details regarding network user and group assignment reviews, please reach out to Jeremy Burris at jburris@srsnodgrass.com.
5: This is a sample scenario and is subject to a review on a case-by-case basis. There are instances where other users having access to select locations remains appropriate.
6: These are third-party resources, and we do not recommend one tool over another. Please perform your own independent review of these tools, that aligns with your vendor management process, prior to deciding.