SMB Share Advanced Permissions / ACL - no permission to execute

chuck32

Guru
Joined
Jan 14, 2023
Messages
623
Hello all,

OS Version: TrueNAS-SCALE-22.12.3.3
Product: B560M-ITX/ac
Model: Intel(R) Core(TM) i3-10100 CPU @ 3.60GHz
Memory: 62 GiB

I recently discovered that it is possible to run executables on my mapped network drives from our Windows machines. For security purposes I don't want to allow that.

I went into the share settings and under advanced I chose all permissions except for execute:

[Attached image: 1696671641189.png]


However then I am not able to access the mount anymore:

[Attached image: 1696671684266.png]


Switching back to basic (modify) resolves the issue.

The account from which I am logged in to the share also has Full Control; I assume this is inherited from the owner flag, since I created that folder:

[Attached image: 1696671967421.png]


What would be the best way to revoke execution rights for me and other users? There are two users overall using Win 11 and Win 8 (Win 10 in the near future, when I get around to the update).

I'm trying to advance our security by being conscious of settings like that. I also created a separate admin account under Windows when I switched to Win 11 and gave myself a standard user account. I want to follow the same practice for the Win 8 machine.

Thanks in advance!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Code:
        const int SEC_FILE_EXECUTE         = 0x00000020;
        const int SEC_DIR_TRAVERSE         = 0x00000020;

If you look at Windows you'll note that permission to traverse a directory shares a mask with execute. This means the same bit in the access mask means different things depending on whether it's a directory or a file. If you want a bit on directories rather than on files, then you need to adjust the inheritance flags. For example MODIFY on directories, but MODIFY - EXECUTE on files.

That said, if you're really concerned about where users might be executing files from on Windows, you should look into setting a software restriction policy whitelist GPO to explicitly define where the OS can execute from.
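
The directory/file split described in the post above, modelled as an added example that is not part of the original post and is not TrueNAS or Samba code. It assumes a simplified Windows-style inheritance (allow ACEs only, no no-propagate flag), the standard Windows Modify mask 0x001301BF, and constructed ACL layouts for a share root.

```python
# Added illustration: why "everything except execute" locks you out of a
# share, and how inheritance flags separate directories from files.
FILE_EXECUTE = FILE_TRAVERSE = 0x00000020  # same bit, as quoted in the post
MODIFY = 0x001301BF                        # Windows "Modify" access mask

OBJECT_INHERIT = 0x01     # passed on to child files
CONTAINER_INHERIT = 0x02  # passed on to child directories
INHERIT_ONLY = 0x08       # does not apply to the object that carries it


def inherit(parent_acl, is_dir):
    """ACL a new child receives from parent_acl, a list of (mask, flags)."""
    child = []
    for mask, flags in parent_acl:
        if is_dir:
            if flags & CONTAINER_INHERIT:
                child.append((mask, flags & ~INHERIT_ONLY))  # now effective
            elif flags & OBJECT_INHERIT:
                child.append((mask, flags | INHERIT_ONLY))   # carried for files
        elif flags & OBJECT_INHERIT:
            child.append((mask, 0))  # files have no children to pass it to
    return child


def effective(acl):
    """Access mask that applies to the object carrying acl."""
    mask = 0
    for ace_mask, flags in acl:
        if not flags & INHERIT_ONLY:
            mask |= ace_mask
    return mask


# Constructed layouts for the share root (one user, allow ACEs only).
# naive: Modify minus execute applied to this folder, subfolders and files.
NAIVE = [(MODIFY & ~FILE_EXECUTE, OBJECT_INHERIT | CONTAINER_INHERIT)]
# split: Modify on folders; Modify minus execute on files only.
SPLIT = [(MODIFY, CONTAINER_INHERIT),
         (MODIFY & ~FILE_EXECUTE, OBJECT_INHERIT | INHERIT_ONLY)]

if __name__ == "__main__":
    for name, root in (("naive", NAIVE), ("split", SPLIT)):
        subdir = inherit(root, is_dir=True)
        new_file = inherit(subdir, is_dir=False)
        print(name,
              "root traverse:", bool(effective(root) & FILE_TRAVERSE),
              "subdir traverse:", bool(effective(subdir) & FILE_TRAVERSE),
              "file execute:", bool(effective(new_file) & FILE_EXECUTE))
```
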
 

chuck32

Thanks!

So this is why I also lose access when I revoke execute permissions because I also revoke traverse permissions with it?

> That said, if you're really concerned about where users might be executing files from on Windows, you should look into setting a software restriction policy whitelist GPO to explicitly define where the OS can execute from.
So there is no way in TrueNAS to disable execution and I would need to set it on our two machines at home separately? This should not pose a problem.

Mainly I want to avoid malware hitting the server and thought this would be a good additional step. I'm not overly concerned though but better safe than sorry.
 

anodos

It's maybe not entirely clear what you are trying to prevent. If you're talking about protecting against a local process on the NAS being able to execute a file on an SMB share, then you could simply turn off exec on the dataset underlying the share. If you're talking about preventing a client from executing a file that's on an untrusted path, then the only way to really tamp that down on Windows is to set up software restriction policies (in one of its incarnations) and define exactly where the OS will execute files from (and run as a non-privileged user).

That said, if this is just a home NAS, you may need to adjust your threat model slightly.
 

chuck32

> It's maybe not entirely clear what you are trying to prevent.
I read somewhere that it would be good practice to disable execution on shares.

The more I think about it, you are right; I need to rethink my threat model. I assumed that if anything happens one of our computers would be infected, but then it wouldn't really matter if you can execute on the share or not. It would be enough that an executable is run on a local machine, and then all mapped drives would be at risk.

> If you're talking about protecting against a local process on NAS being able to execute a file on an SMB share, then you could simply turn off exec on the dataset underlying the share
Not really the threat I had in mind, but that wouldn't hurt. The only outside connection for the server is an Ubuntu VM that runs WireGuard. I have a subdomain pointing to that, so there is some attack surface, but from what I read it should be safe to just open one obscure port for WireGuard and nothing else.

Thanks for your help, so basically I would see if disabling execution for the datasets does any harm (like losing access mentioned in my OP) but other than that my result would be: Do nothing.
 