Do not use "Disable inheritance" NTFS Permissions in Microsoft Active Directory connector for Home Directory
Jan Willem Slagman
When creating home folders (and possibly also TSHome, Profile and TSProfile folders), the "Disable inheritance" option is used by default for this folder.
The HelloID service account needs "Local administrator" rights to "Enable inheritance".
Without local administrator rights, it cannot restore the rights. You can break and remove the rights to fix this.
When using an Enterprise NAS solution for SMB Home shares, there is not always a "Local administrator" group. The HelloID service account needs root/global administrator access to the entire NAS and all shares.
From a security perspective, this is not the best solution.
Do not use "Disable inheritance" by default. Otherwise, let the customer choose to enable or disable "Inheritance" by checking a checkbox under Home -> Configuration.
Rick van den Dijssel
Hey Jan Willem Slagman, thanks for your feedback! I have a few more questions for you:
- What specific security concerns arise from requiring root/global administrator access for the HelloID service account?
- How often do you encounter environments without a 'Local administrator' group when using Enterprise NAS solutions?
- Would having a default setting to enable inheritance, with an option to disable, meet your security and operational needs?
Jan Willem Slagman
Hi Rick, here are my answers.
- The service account has far more rights than necessary: it even has full control over our entire NAS system, which contains medical data. Rights on the home folder share alone would be more than sufficient.
- As a hospital with a 24/7 environment, a Windows file server is not a solution for us because of the frequent Windows Updates and the associated reboots. Of course, I do not know all Enterprise NAS solutions and do not know whether they all have this issue, but we use Qumulo. If you are an admin there, you are immediately a global admin, not an admin on just the relevant share, volume, LUN or vserver.
- Absolutely. That is also how Windows works out of the box. On the home folder root, you break the inherited rights and set the rights correctly for admins/servicedesk/MFPs or whatever you need. You let these inherit down to the users' subfolders. There, Windows itself explicitly adds Full Control rights for the user in question.
For customers who do not want this (for whatever reason), the toggle to enable Break Inheritance could then be the choice. This seems to me to be a relatively easy feature for you to set up.
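The approach described in this thread, as an added PowerShell illustration that is not HelloID's, Qumulo's or the poster's code: the share root carries the admin/servicedesk ACEs, each user folder keeps inheritance and only gains an explicit Full Control ACE for the user, and an audit function reports folders that were already created with "Disable inheritance" so they can be remediated. The share path `\\fileserver\Home$`, the domain `CONTOSO`, the account `jsmith` and the function names are assumptions for the example.

```powershell
# Added illustration, not HelloID's or Qumulo's code. Assumed, not from the thread:
# the share path \\fileserver\Home$ and the domain name CONTOSO.
$HomeShareRoot = '\\fileserver\Home$'
$DomainName    = 'CONTOSO'

function New-HomeFolderKeepingInheritance {
    # Creates <root>\<sAMAccountName>, leaves inheritance from the share root intact
    # (the admin/servicedesk ACEs set on the root flow down) and adds only the explicit
    # Full Control ACE for the user, mirroring what Windows does for a home folder.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Root   = $HomeShareRoot,
        [string]$Domain = $DomainName
    )
    $path = Join-Path -Path $Root -ChildPath $SamAccountName
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    $acl  = Get-Acl -LiteralPath $path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$Domain\$SamAccountName",
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # Deliberately no $acl.SetAccessRuleProtection($true, ...): that call is the
    # "Disable inheritance" step the thread argues against.
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

function Get-HomeFolderInheritanceReport {
    # Audit: for every home folder, report whether inheritance has been disabled and
    # how many explicit (non-inherited) ACEs it carries.
    param([string]$Root = $HomeShareRoot)
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        [pscustomobject]@{
            Folder              = $_.Name
            InheritanceDisabled = $acl.AreAccessRulesProtected
            ExplicitAceCount    = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        }
    }
}

function Restore-HomeFolderInheritance {
    # Remediation for folders already created with "Disable inheritance".
    # SetAccessRuleProtection($false, ...) re-enables inheritance; the second argument
    # is ignored when the first is $false. The caller must still hold "Change permissions"
    # (WRITE_DAC) on the folder or be an administrator, which is exactly the extra
    # privilege the thread objects to granting the service account.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (assumed names):
# New-HomeFolderKeepingInheritance -SamAccountName 'jsmith'
# Get-HomeFolderInheritanceReport | Where-Object InheritanceDisabled | Format-Table
# Get-HomeFolderInheritanceReport | Where-Object InheritanceDisabled |
#     ForEach-Object { Restore-HomeFolderInheritance -Path (Join-Path $HomeShareRoot $_.Folder) }
```

Because `New-HomeFolderKeepingInheritance` only adds an ACE and never protects the DACL, the account running it needs nothing beyond "Create folders" and "Change permissions" on the share root, which is the least-privilege position the thread asks for; the audit output shows how many folders an earlier "Disable inheritance" default has already left protected before any remediation is attempted.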