3

We have a folder on a Windows server shared to provide access to an important application. When the application is being updated we (DBAs) change the permissions on the share to deny all access to it and then disconnect any files open on the share. After we complete the application update (using a different share to the same files) we re-enable access to the share.

The way we modify the share is using the MS Management Console to remotely connect to the server. Apparently this capability requires administrator access on the server or at least some level of permissions that the Infrastructure team would like to take away.

The question is how can the DBAs handling the application update disable and enable access to the share with as few permissions on the server as possible?

Leigh Riffel
  • What is a Windows NAS? Why aren't you working in concert with the infrastructure team to perform the updates? It sounds to me like you've got a team cooperation and communication problem, not a technical one. – joeqwerty Sep 25 '14 at 15:22
  • The infrastructure team doesn't want to be available every time we do an update, but they do want to reduce our privileges. Their proposed method has us dropping a file in a folder and then waiting for a script that checks the folder every five minutes to detect the file and perform the required work. The method works, but the five minute delay is undesirable. – Leigh Riffel Sep 25 '14 at 15:42
  • I'm not trying to give you a hard time, but really? 5 minutes isn't desirable? They've given you a working solution and you aren't happy because it's on a 5 minute schedule? If 5 minutes isn't desirable then ask them to set it to something that is desirable. – joeqwerty Sep 25 '14 at 15:48
  • Every minute of downtime is a minute the application is inaccessible to the company. This has financial implications. They say they can't set it lower due to the excessive logging. – Leigh Riffel Sep 25 '14 at 16:59
  • Well then you'll have to go to the business leaders as a joint team and explain it to them. – joeqwerty Sep 25 '14 at 17:01
  • Or find a technical solution that satisfies the speed, security, and labor requirements. :) – Leigh Riffel Sep 26 '14 at 03:36

4 Answers

5

One possibility, although it requires programming, would be to write a system service (running therefore with all required privileges, and set to manual start), and give the rights to a specific group to start and stop this service (this is straightforward; see How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server? You can use, for example, Service Security Editor or Process Hacker to edit the ACL).

The users would not need any privilege at all: the service would do the required disconnections/share changes upon start, and revert to the normal configuration on stop. When your application has to be updated, the user doing this would only have to start the service before the update, and stop it afterwards. By the way, this kind of solution is used by some software, e.g., to allow everybody to update it (see for example the Mozilla Maintenance Service).

Ale
  • Actually, this might not require any true programming, only some scripting. You could use SrvAny (http://support.microsoft.com/kb/137890) from the NT resource kit with a simple batch file or VB script to carry out the maintenance. – tfrederick74656 Oct 01 '14 at 22:26
  • +1 Interesting concept, we'll consider it. – Leigh Riffel Oct 02 '14 at 17:46
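The following is an added example (not code from the answer above or its author) of what the maintenance service could execute. It assumes a share named `AppShare` on the server, a domain group `CORP\AppShare-Users` that normally holds the share permission, a DBA group `CORP\DBA-Team`, and a hypothetical wrapper service `AppShareMaint` that runs the script as LocalSystem with `-Mode Lock` when started. Wrappers such as SrvAny only kill the process on stop, so a second manual-start service running `-Mode Unlock` is assumed instead of a stop handler. The SmbShare cmdlets need Windows Server 2012 / Windows 8 or later.

```powershell
# Added example, not code from the original answer. Assumed names: share
# 'AppShare', user group 'CORP\AppShare-Users', DBA group 'CORP\DBA-Team',
# wrapper service 'AppShareMaint' (all hypothetical).
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Lock', 'Unlock', 'Delegate')]
    [string]$Mode,

    [string]$ShareName   = 'AppShare',
    [string]$UserGroup   = 'CORP\AppShare-Users',
    [string]$DbaGroup    = 'CORP\DBA-Team',
    [string]$ServiceName = 'AppShareMaint'
)

function Lock-AppShare {
    # 1. Deny the user group at the share level so no new tree connects succeed.
    Block-SmbShareAccess -Name $ShareName -AccountName $UserGroup -Force

    # 2. Close handles already open under this share's local path. Existing
    #    sessions keep their access token, so the deny alone is not enough.
    #    Only files under this share are closed; sessions on other shares on
    #    the same server are left untouched.
    $localPath = (Get-SmbShare -Name $ShareName).Path.TrimEnd('\')
    Get-SmbOpenFile |
        Where-Object { $_.Path -like "$localPath\*" } |
        Close-SmbOpenFile -Force
}

function Unlock-AppShare {
    # Remove the deny entry again; the original allow entries were never touched.
    Unblock-SmbShareAccess -Name $ShareName -AccountName $UserGroup -Force
}

function Grant-ServiceStartStop {
    # One-time setup, run by an administrator: append an ACE to the service
    # DACL granting the DBA group start (RP), stop (WP), query status (LC),
    # interrogate (LO) and read-only rights (CC, SW, CR, RC), while keeping
    # the existing DACL and SACL intact. This is the sc.exe equivalent of
    # editing the ACL with Service Security Editor.
    $sid = ([System.Security.Principal.NTAccount]$DbaGroup).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $ace  = "(A;;CCLCSWRPWPLOCRRC;;;$sid)"
    $sddl = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
    if (-not $sddl) { throw "Could not read the security descriptor of $ServiceName" }

    # Insert the ACE at the end of the DACL, before the SACL ('S:') if present.
    $newSddl = if ($sddl -match '^(D:.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] }
               else { $sddl + $ace }
    & sc.exe sdset $ServiceName $newSddl
}

switch ($Mode) {
    'Lock'     { Lock-AppShare }
    'Unlock'   { Unlock-AppShare }
    'Delegate' { Grant-ServiceStartStop }
}
```

After the one-time `-Mode Delegate` run, a DBA only needs `Start-Service AppShareMaint` before the update and the unlock service afterwards; the script itself always executes as LocalSystem, so the DBA account never holds the rights to close sessions or change share ACLs directly.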
1

You could set the share permissions to an Active Directory group, then have the infrastructure team give you delegation privileges to that group. When you need to deny access, simply edit the group membership. When you're done, restore the group membership.

This solution doesn't require having any administrative access, and is much faster than editing the share permission each time.

tfrederick74656
  • Sounds interesting. What will this do to the files that the users have open on the share? Will they be able to continue using them? Will I be able to replace the files they had open? – Leigh Riffel Sep 30 '14 at 18:15
  • It should work identically to editing the share permissions directly. Existing handles stay open, but new reads/writes are prevented. I think I see where you're going with that question though - I'm assuming you currently have to use the server management tool to close open sessions/handles after a permission change? – tfrederick74656 Sep 30 '14 at 18:19
  • Yes, that is correct. We currently disconnect any open files on the share. I believe this was done to prevent users from using already open files while changes were being done. These files aren't written to by the users, only read by the application. – Leigh Riffel Sep 30 '14 at 18:59
  • Well that right there is the tricky part. There's plenty of solutions to the permissions issue, but I don't know of any way to disconnect a user session without administrative rights on that server. The other solutions posted so far would have the same limitations. Let me think on that for a bit and get back to you - perhaps there's a user rights assignment that would give you that access. – tfrederick74656 Sep 30 '14 at 19:12
  • Alright, so I did a bit of research. Network shares in Windows are supported by the 'Server' service. Restarting this service would flush all of the open network file handles. Group policy would allow permission to restart this service to be delegated as well. The caveat is that it would affect any other shares on that server as well. My question to you is: are there any other network shares on that server? – tfrederick74656 Oct 01 '14 at 08:18
  • Yes we have many other shares on this box, so that is a non-starter. One option we are considering is moving the files to a dedicated server where the full control issue goes away. – Leigh Riffel Oct 01 '14 at 18:15
  • You might want to take that route. I can't think of any other method that would allow you to disconnect active sessions without having administrative rights. I haven't been able to find any way to delegate those privileges either. I understand where both you and your infrastructure group are coming from, but as @joeqwerty mentioned above, you might want to go to the next person up the chain and explain your situation. They may simply authorize the five minute delay, or direct that you retain administrative access. – tfrederick74656 Oct 01 '14 at 19:57
  • It's an interesting and elegant solution; however, beware of group memberships, as group tokens are assigned at login. If I'm not wrong this also applies to network share connections, so even if you remove all users from the group, the connected ones will keep their tokens until the connection is closed, and could therefore still access the files. So you need anyway to force closing the connection. – Ale Oct 01 '14 at 21:15
  • *I can't think of any other method that would allow you to disconnect active sessions without having administrative rights. I haven't been able to find any way to delegate those privileges either* -- @tfrederick74656 as much as I think your answer is the best game in town here, there's no way to get away from the fundamental problem of this question which is "how can we perform an administrator task without being an administrator". We might be able to change the size of the splat or how easily it mops up but there's still going to be a mess on the floor no matter what, I think. – Rob Moir Oct 01 '14 at 21:55
  • @RobM You're right, of course. This is one of the limitations of the Windows environment that has always bothered me. Sure, you can edit the rights assignment and/or schema and accomplish low-level delegation, but unfortunately there's no inherent capability to delegate high-level tasks, such as managing a single network share. – tfrederick74656 Oct 01 '14 at 22:23
0

You could:

  • Ask them to disable logging on the copy-script
  • Ask them to share out the parent folder, giving you access to the folder in question, where you can set file-system permissions (as opposed to share permissions) (e.g. D:\additionalFolder\yourfolder: share additionalFolder for the DBA team, and yourfolder as the current share).
MichelZ
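As an added example of the second bullet (not code from the answer or its author): if the DBA team reaches the folder through a hypothetical parent share `\\APPSRV\additionalFolder` and holds the NTFS "Change permissions" right (WRITE_DAC) on `yourfolder`, it can place and remove a deny ACE for the application users' group (assumed here to be `CORP\AppShare-Users`) with `icacls`, without any administrative rights on the server.

```powershell
# Added example, not from the original answer. Assumed names: parent share
# \\APPSRV\additionalFolder, subfolder 'yourfolder', group 'CORP\AppShare-Users'.
# Requires only WRITE_DAC ("Change permissions") on the folder for the caller.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Lock', 'Unlock')]
    [string]$Mode,

    [string]$Folder    = '\\APPSRV\additionalFolder\yourfolder',
    [string]$UserGroup = 'CORP\AppShare-Users'
)

switch ($Mode) {
    'Lock' {
        # Explicit deny ACE inherited by subfolders (CI) and files (OI).
        # Deny entries are evaluated before allow entries, so the group's
        # existing allow is overridden without being modified.
        icacls $Folder /deny "${UserGroup}:(OI)(CI)RX"
    }
    'Unlock' {
        # Remove only the deny entries for the group (/remove:d); allow
        # entries are left in place.
        icacls $Folder /remove:d $UserGroup
    }
}
# Caveat noted elsewhere in this thread: NTFS access is checked when a handle
# is opened, so files the application already holds open remain readable until
# that handle is closed, and closing them still needs administrative rights.
```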
0

An option we are considering is to have the activity performed by a scheduled task and then use an event of some sort to trigger the scheduled task to run. The problem with this solution is that we don't know of a way to send an event that can cause the trigger to fire without giving permissions that are more broad than they need to be.

Leigh Riffel