FileServer Connector: Enable Share Security checkbox


The ayfie File Server connector installation wizard includes a checkbox labeled "Enable Share Security", which has some effect on the subsequent behavior of Locator search. There are a number of factors to consider when deciding whether or not to check this checkbox. This section will attempt to address these and related issues.

When Locator is installed in an environment, the domain administrator must create an "index user". The index user must be given broad rights to read files and folders in the environment. Specifically, the index user must:

  • Have READ access to the file share
  • Have READ access to files and folders via NTFS security
  • Be a local admin on the file server (not required, but recommended)

The third bullet above goes hand in hand with the aforementioned checkbox. Some administrators may be reluctant to grant local admin privileges to the index user out of security or policy concerns. However, there is a reason for this elevated access requirement: the index user must enumerate share level permissions remotely, from the Locator server[1]. This is a constraint imposed by the Windows architecture and not a limitation of the Locator product. Therefore, the index user must be given local admin privileges if "Enable Share Security" is checked. If such permission is not granted, then the checkbox must be unchecked[2].

It is important to note that leaving the "Enable Share Security" checkbox unchecked can lead to undesirable behavior. Leaving it unchecked will direct Locator to ignore share security for indexing. If share security is utilized in the environment, and Locator indexes the files as if no share security were in place, this may lead to situations in which users will be able to see search results but not be able to access those results. This can give the impression that there is a defect when in fact the product is working correctly.

There are of course many different ways to manage Windows security. Some administrators manage their environments by giving everyone full (or read) access at the share level. We may think of this as "open-door" style security, because everyone is allowed in at the share level and the real access control is done at the NTFS level. In the following table, the "Open-Door?" column represents this case.


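Open-Door? | Index user is admin? | Enable Share Security checked? | Search works as expected?
-----------|----------------------|--------------------------------|--------------------------
Y          | Y                    | Y                              | Y
Y          | Y                    | N                              | Y
Y          | N                    | Y                              | Invalid
Y          | N                    | N                              | Y
N          | Y                    | Y                              | Y
N          | Y                    | N                              | N
N          | N                    | Y                              | Invalid
N          | N                    | N                              | N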

As the table above makes clear, there are two scenarios (the rows where "Search works as expected?" is N) in which we may see some of the undesirable behavior described above. Both of these cases share the same two conditions:

  • The Enable Share Security checkbox is unchecked, and
  • Open-Door security is not in use. That is, share security is being actively used to manage access in the environment.
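The mismatch behind those two scenarios can be reproduced with a small model. This is an added illustration, not ayfie Locator code: the users, paths and ACLs are constructed, ACLs are allow-only with groups already expanded, and the rule that the index considers only NTFS permissions when the checkbox is off is an assumption drawn from the description above.

```python
# Added illustration; not ayfie Locator code. All users, paths and ACLs are constructed.
# Simplified model: allow-only ACLs, groups already expanded into sets of user names.

SALARIES = r"\\fs01\hr\salaries.xlsx"
HANDBOOK = r"\\fs01\hr\handbook.pdf"

# NTFS readers per file (constructed sample data).
NTFS_READERS = {
    SALARIES: {"alice", "bob"},
    HANDBOOK: {"alice", "bob", "carol"},
}

OPEN_DOOR_SHARE = {"alice", "bob", "carol"}   # everyone may read at the share level
RESTRICTED_SHARE = {"alice"}                  # share security actively limits access


def phantom_hits(share_readers, ntfs_readers, share_security_enabled):
    """Return sorted (user, path) pairs that search lists but the user cannot open."""
    hits = []
    for path, ntfs in ntfs_readers.items():
        # Access through a share requires passing both the share ACL and the NTFS ACL.
        can_open = share_readers & ntfs
        # Assumed trimming rule: with the checkbox off, only NTFS is considered.
        can_see = can_open if share_security_enabled else set(ntfs)
        hits.extend((user, path) for user in can_see - can_open)
    return sorted(hits)


if __name__ == "__main__":
    cases = (("open-door", OPEN_DOOR_SHARE), ("restricted", RESTRICTED_SHARE))
    for label, share in cases:
        for enabled in (True, False):
            result = phantom_hits(share, NTFS_READERS, enabled)
            print(f"{label:10} share security={enabled!s:5} -> {result}")
```

Only the restricted share with share security disabled produces results that users can see but not open; with an open-door share the checkbox makes no difference.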

Conclusion

The best way to guarantee the proper functioning of Locator search from a security perspective is to give the index user local admin access and to check the Enable Share Security checkbox. If the index user is not a local admin then the checkbox cannot be checked, and therefore share security will not be taken into account as Locator goes about indexing. This may still be acceptable if the environment uses "open-door" security. However, if share security is actively used (no "open door"), and Enable Share Security is turned off, then there will likely be some users who will be presented with search results (and data) that they do not have access to.



[1] NetShareEnum is the API function that Locator uses to enumerate the shares' ACLs. See: http://msdn.microsoft.com/en-us/library/windows/desktop/bb525387(v=vs.85).aspx

[2] If local admin permission is not granted and the Enable Share Security checkbox is checked, errors will be generated, as this is an invalid configuration.
