How is this possible? User-targeted file share authentication specific to Windows Server

[Phas3L0ck]

I've been trying to figure this one out for years but no one could explain it properly and I never heard back from the few who did it. The closest I got was recognizing that there is a way to configure NFS with Access-Based-Enumeration, but I haven't been able to make it work at folder-level. And before anyone asks, yes I tried talking to the people who did it and managed the servers, yes I looked it up, and yes I've tried everything I know how already, and no I never got an answer.  Here's what I know:

 

At the schools in my area, there is a central file server where people store their files and other stuff for easy use throughout the district. But because there are so many people using it, modifications had to be made to prevent users from accessing each other's files and stealing or deleting work. The files themselves were never at risk, but people were able to look at and inside of every users' sub-directory and even see what was there or how many files they had.

In the early years, students who were accessing the network file storage system could view the folders and usernames of other students, but they could only enter their own assigned folder for storing and retrieving files. Once the problem became well known, the network file share authentication was modified so that each student and teacher could only access their assigned directory (well, teachers could still see everything, but that's because they had different viewing permissions) on the network file server, and the directory assigned to them would appear as a designated network hard drive. In other words, after the fix, there would no longer be a folder or sub-folder to enter for a person to access their files once they authenticate to the network drive; all their files would simply be right there when they entered the network drive shortcut. (except for some cases involving staff access)

 

In other words, a sub-directory stored on a shared root hard drive BECAME ROOT upon mounting the file share!!!

Now here's what I don't get; I can something similar happening through a simple permissions fix in the Active Directory controls, or perhaps even assign every single student and teacher file directory it's own network share path so that the shared directory would appear as a straight network drive to prevent others' folders and usernames being visible as sub-directories under the communal network-shared drive, but neither of these is the case.

Upon close examination during my network/system analysis a few years back, I discovered something that I now realize is extremely impressive...
I found that, upon logging into the main network file server, even on a personal system, only the shared paths with a sub-folder that correspond to my username (or have shared access permissions) were available to view, let alone log into; I was able to access on a personal system exactly what I would see logged into a district system, and even map the shares as network drives. Any other available file shares on that server which didn't have a single folder accessible to my username were properly hidden!  Let's focus on the drive mapping for a second; I can view the shared directories available on the network server under my username, and map these directories as network drives, but upon entering the mapped network drive, I didn't need to select the folder with my username, nor did I see sub-directories with others' named folders, because the mapped network drive and the file share itself is rooted to my assigned directory. It works the exact same way with other students' accounts, and even for most of the staff. This prevents other users' directories from being seen and/or potentially breached by only allowing the folder that corresponds to a specific username to be accessed. Normally I would think that some sort of "folder hiding" method is being used to do this, but what absolutely baffles me is the fact that, like I said, a user's designated directory (their named folder) does not need to be entered after opening the network drive share (no sub-dir) because the share directory that can be seen on the file server after entry of a user's credentials is the exact directory that corresponds to that user, displayed as it's own file share.

I've been trying to accomplish this for years on my personal systems, but I didn't have the hardware to run either a physical or virtual machine for file server experiments back then.

So now, keeping in mind everything I just described, my burning question is; how can I implement this exact file/folder share authentication method on a regular Windows Server system?  I intend to configure my Windows Server 2008 R2 system (same OS the district's server used) to authenticate network file share access in this unique way.

*And don't say Active Directory, because that's never gonna happen. AD doesn't really work for me and it shouldn't be necessary anyway.

[Electronics Wizardy]

14 hours ago, Phas3L0ck said:

*And don't say Active Directory, because that's never gonna happen. AD doesn't really work for me and it shouldn't be necessary anyway.

Windows server is built around AD, so doing this without AD is gonna be much more of a pain. Id setup a AD domain here first.

 

14 hours ago, Phas3L0ck said:

I intend to configure my Windows Server 2008 R2 system (same OS the district's server used) to authenticate network file share access in this unique way.

Why 2008r2. Its gone eol. Go 2019 with for a new system, id replace that 2008r2 system asap.

 

 

Id setup all the shares to automount, then hidden shares won't matter as users never have to go browse the server anyways.

 

 

I run a setup like this at work with redirected users folders. It auto mounts at login, and the GPOs  give you a good amount of options 

[Phas3L0ck]

2 hours ago, Electronics Wizardy said:

Why 2008r2. Its gone eol. Go 2019 with for a new system, id replace that 2008r2 system asap.

 

 

Id setup all the shares to automount, then hidden shares won't matter as users never have to go browse the server anyways.

 

 

I run a setup like this at work with redirected users folders. It auto mounts at login, and the GPOs  give you a good amount of options 

NO, IT'S NOT GONE, WINDOWS 7 STILL WORKS JUST FINE! Anything in the realm of Windows 8, 10, or otherwise NEEDS TO BURN!

 

Automount has nothing to do with it, what I experienced is something much deeper and more organized.

I don't know what you have, but it sounds like the end systems are all linked in to make it look like it auto-redirected, but that's just a facade put on by AD and GPO tweaks. I'm not running a co-dependent client/server config like most do, and I managed to see and experience what I did by connecting to their network with a personal system NOT registered on AD and NOT affected by GPO!

 

Seriously, does anyone read what's actually been written?  I already concluded that root/folder authentication like this has something to do with NFS and Access Based Enumeration, but I can't figure out how. I got as far as a folder-level lock, but I still can't get a dedicated folder under the root drive share to mount as a root directory on a client end.

[Electronics Wizardy]

1 minute ago, Phas3L0ck said:

NO, IT'S NOT GONE, WINDOWS 7 STILL WORKS JUST FINE! Anything in the realm of Windows 8, 10, or otherwise NEEDS TO BURN!

No windows 7 needs to burn. Its missing support for lots of modern features, and is eol so it doesn't get security updates.

 

2 minutes ago, Phas3L0ck said:

Automount has nothing to do with it, what I experienced is something much deeper and more organized.

I don't know what you have, but it sounds like the end systems are all linked in to make it look like it auto-redirected, but that's just a facade put on by AD and GPO tweaks. I'm not running a co-dependent client/server config like most do, and I managed to see and experience what I did by connecting to their network with a personal system NOT registered on AD and NOT affected by GPO!

 

Really you do want auto mount. Much more seamless for the user, and then the users newer have to think about the network at all, and users think its all just local files. Works great.

 

ALso you really want AD, even if the clients aren't on it. Makes it much easier to keep users and accounts synced between servers.

 

4 minutes ago, Phas3L0ck said:

 

Seriously, does anyone read what's actually been written?  I already concluded that root/folder authentication like this has something to do with NFS and Access Based Enumeration, but I can't figure out how. I got as far as a folder-level lock, but I still can't get a dedicated folder under the root drive share to mount as a root directory on a client end.

Did you follow this guide from MS? https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772681(v=ws.10)?redirectedfrom=MSDN

 

 

 

You can also mount a folder withing a share as a mapped drive on a client. Just path the full unc path. So if a share is something like \\test.domain.local\share and you want to mount the folder bob, just mount \\test.domain.local/share/bob and the bob folder shows as the top level. Just tested this and it works.

 

 

[Phas3L0ck]

1 minute ago, Electronics Wizardy said:

No windows 7 needs to burn. Its missing support for lots of modern features, and is eol so it doesn't get security updates.

 

Really you do want auto mount. Much more seamless for the user, and then the users newer have to think about the network at all, and users think its all just local files. Works great.

 

ALso you really want AD, even if the clients aren't on it. Makes it much easier to keep users and accounts synced between servers.

 

Did you follow this guide from MS? https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772681(v=ws.10)?redirectedfrom=MSDN

 

 

 

You can also mount a folder withing a share as a mapped drive on a client. Just path the full unc path. So if a share is something like \\test.domain.local\share and you want to mount the folder bob, just mount \\test.domain.local/share/bob and the bob folder shows as the top level. Just tested this and it works.

 

 

Hell no! Windows 7 is more stable and reliable than anything "newer" from M$. And what "modern features" could it possibly be missing?

And BTW, YES, it does get security updates! ESU updates are out left and right, and they all just work.

 

But how is automount relevant if I can see the restricted directory under the name of the main/root share without even mounting it?

 

No, I don't want AD, and most definitely don't need it.  Between servers? No, I only have 1 server that I use for everything.

 

Yeah I looked at that link, but it's not a guide, it just says what ABE is. It doesn't tell me how to use it.

 

You still don't get it, do you? The config I experienced was so advanced there was NO NEED for the "full UNC path" or deeper folder mounting. That was what the admins tried to do and FAILED to make it work before the configuration was finalized to work as I know it.

Let me clarify this at the level of the full drive path, this is an example of exactly what's going on as a result of the config and how I know it works for them;

Imagine drive H:\ is a master share, and I want a user to only be able to enter folder "user1" upon authenticating to the file server...

The user sees the share under \\server\share, but this is where things get weird... On a normal system, what  would happen is the user sees the directory as \\server\share\user1 and is able to see other folders next to it on the drive, but unable to access them...  What ACTUALLY HAPPENED is that, after entering login credentials, the server knows who the user is and which folders are assigned, so when the share is accessed, the server's H:\user1 folder becomes \\server\share as if the user1 folder were the master share!  No AD, no extended UNC path, and no GPO.

[Electronics Wizardy]

3 hours ago, Phas3L0ck said:

Hell no! Windows 7 is more stable and reliable than anything "newer" from M$. And what "modern features" could it possibly be missing?

SMB3 is a big feature that can help here. Encryption, compression, multistream support. Really stop using 2008r2 if you can. Also newer clients will stop supporting it soon.

 

3 hours ago, Phas3L0ck said:

magine drive H:\ is a master share, and I want a user to only be able to enter folder "user1" upon authenticating to the file server...

The user sees the share under \\server\share, but this is where things get weird... On a normal system, what  would happen is the user sees the directory as \\server\share\user1 and is able to see other folders next to it on the drive, but unable to access them...  What ACTUALLY HAPPENED is that, after entering login credentials, the server knows who the user is and which folders are assigned, so when the share is accessed, the server's H:\user1 folder becomes \\server\share as if the user1 folder were the master share!  No AD, no extended UNC path, and no GPO.

Did you read that link? It shows you how to do this exactly. In the SMB settings you can enable access based enumeration, so a user can only see the files they have permission to access.

 

My point is this isn't a super common config, and most companies just auto mount the shares they want users to access. 

[Phas3L0ck]

28 minutes ago, Electronics Wizardy said:

SMB3 is a big feature that can help here. Encryption, compression, multistream support. Really stop using 2008r2 if you can. Also newer clients will stop supporting it soon.

 

Did you read that link? It shows you how to do this exactly. In the SMB settings you can enable access based enumeration, so a user can only see the files they have permission to access.

 

My point is this isn't a super common config, and most companies just auto mount the shares they want users to access. 

As much as I like the idea, I don't have a real need for SMB3. If I truly wanted or required those features in-transit, I would be using Linux.

 

And yes, I did read the link, and it's really nothing but a summary of what ABE can do. If I managed to get it to do what I want, I wouldn't be posting this on a forum right now.

And MY point is that I need to figure out how to do what I described exactly as it was, and without auto-mount or using extended UNC paths.

So tell me, do you know how to configure a file share to do exactly what I described or not?

[Electronics Wizardy]

16 minutes ago, Phas3L0ck said:

As much as I like the idea, I don't have a real need for SMB3. If I truly wanted or required those features in-transit, I would be using Linux.

 

And yes, I did read the link, and it's really nothing but a summary of what ABE can do. If I managed to get it to do what I want, I wouldn't be posting this on a forum right now.

And MY point is that I need to figure out how to do what I described exactly as it was, and without auto-mount or using extended UNC paths.

So tell me, do you know how to configure a file share to do exactly what I described or not?

Really, get a newer os, 2008r2 is a big security issue. IDK why you don't want a newer better os. There also more stable and faster

 

Will ask again, did you look at that link. As I quote:

• Share a folder or volume by using the Provision a Shared Folder Wizard. If you select the SMB protocol on the Share Protocols page of the Provision a Shared Folder Wizard, the advanced settings options on the SMB Settings page includes the option to enable access-based enumeration on the shared folder or volume. (To see the advanced settings options, on the SMB Settings page of the wizard, click Advanced).

[Phas3L0ck]

11 minutes ago, Electronics Wizardy said:

Really, get a newer os, 2008r2 is a big security issue. IDK why you don't want a newer better os. There also more stable and faster

 

Will ask again, did you look at that link. As I quote:

• Share a folder or volume by using the Provision a Shared Folder Wizard. If you select the SMB protocol on the Share Protocols page of the Provision a Shared Folder Wizard, the advanced settings options on the SMB Settings page includes the option to enable access-based enumeration on the shared folder or volume. (To see the advanced settings options, on the SMB Settings page of the wizard, click Advanced).

Been there, done that. Only got a partial result, and not the level of complexity I'm looking for.