NTFS Permissions for parent folder to make subfolders accessible



Quick scenario on a local Windows system.

Drive E: is formatted with NTFS and has the following layout and permissions:

E:\                  (JohnDoe)
E:\folder            (Administrator)
E:\folder\subfolder  (JohnDoe)
  • JohnDoe has read/write access to the root directory.
  • JohnDoe has read/write access to subfolder
  • JohnDoe does NOT have access to folder
  • JohnDoe does NOT have the ability to alter permissions.

Since JohnDoe cannot access folder and thus cannot list its contents, he must type in the path E:\folder\subfolder manually. There is no "clickable" way to get from E:\ to subfolder.

Here's the question: Is there any way for JohnDoe to discover the existence and path of the accessible subfolder, without being able to list the contents of its parent folder? Assume that he was not told the subfolder's name and that the permissions do not change from what is stated above.

For the sake of this problem, ignore the possibility of a brute-force attack to guess subfolder's name. Only non-brute-force methods are permitted.


Posted 2011-10-07T01:28:40.810




NTFS does not provide a method to discover such remote sub-folders within itself, assuming that the intermediary folder is truly no-access. To get such intelligence you have to look beyond just the file-system, perhaps by interrogating other files for paths contained in the documents, or any shortcuts lying about that reference such sub-directories.

Things get more interesting if JohnDoe has elevated access to the machine. At that point examining open file-handles can reveal the presence of hidden directories. If the directory is shared out, the list of open files for the share would also reveal their presence. These methods wouldn't work for 'normal' users though.



This is the correct answer for Windows – if you do not have the "Read" permission on folder, you cannot list its contents. But note that, even though one would expect folder\subfolder to be entirely inaccessible due to lack of the "Traverse" permission on folder (corresponding to the x bit on Unix), by default Windows gives everyone the "Bypass traverse checking" privilege and subfolder remains reachable if its full path is known. – user1686 – 2011-10-07T05:56:22.733


Create a junction for subfolder in the root directory.


Use the command:

MkLink /j "E:\junction-to-subfolder" "E:\folder\subfolder"

Now JohnDoe can see and access that subfolder easily.

EDIT: To remove the junction without affecting the target, use:

RD "E:\junction-to-subfolder"


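As an added example (not code from the question or this answer), the PowerShell below rebuilds the question's layout and ACLs with icacls, shows how to check for the "Bypass traverse checking" privilege discussed in the comments above, and then creates and removes the junction from this answer. It assumes an elevated session, an existing local account named JohnDoe, and that E:\ is an NTFS volume you are allowed to modify.

```powershell
# Added example, not part of the original answer. Assumptions: elevated
# PowerShell, a local account "JohnDoe" exists, $Base is a writable NTFS volume.
$Base   = 'E:\'
$Folder = Join-Path $Base 'folder'
$Sub    = Join-Path $Folder 'subfolder'
$Link   = Join-Path $Base 'junction-to-subfolder'

New-Item -ItemType Directory -Path $Sub -Force | Out-Null

# Root: JohnDoe gets Modify (read/write); existing ACEs are left in place.
icacls $Base /grant 'JohnDoe:(OI)(CI)M' | Out-Null

# folder: drop inherited ACEs and grant only Administrators. JohnDoe has no ACE,
# so he can neither list the folder nor change its permissions.
icacls $Folder /inheritance:r /grant 'Administrators:(OI)(CI)F' | Out-Null

# subfolder: drop the Administrators-only inheritance and give JohnDoe Modify.
icacls $Sub /inheritance:r /grant 'Administrators:(OI)(CI)F' 'JohnDoe:(OI)(CI)M' | Out-Null

# Review the resulting ACLs the way an auditor would.
foreach ($p in $Base, $Folder, $Sub) {
    Write-Host "== $p"
    (Get-Acl $p).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# "Bypass traverse checking" is the SeChangeNotifyPrivilege user right. Run this
# line in JohnDoe's own session: if it is listed, E:\folder\subfolder stays
# reachable by its full path even though folder itself denies him access.
whoami /priv | Select-String 'SeChangeNotifyPrivilege'

# The answer's workaround: a junction at the root makes subfolder visible to
# anyone who can list E:\. Only the junction is exposed, not the hidden parent.
cmd /c mklink /j "$Link" "$Sub" | Out-Null
Get-Item $Link | Select-Object FullName, LinkType, Target

# Remove only the junction; rd on a junction never touches the target directory.
cmd /c rd "$Link"
Test-Path $Sub   # True: subfolder and its contents are untouched
```

Note that the Get-Acl output and the privilege check reflect the account running the script; to confirm what JohnDoe actually sees, log on as JohnDoe and repeat the Test-Path and whoami lines.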

Sorry, I read "how can" rather than "if". – Hand-E-Food – 2011-10-07T02:26:16.653

This should have been how the folders were implemented in the first place. This not only limits the discoverability of subfolders, but it also solves the "Bypass traverse issue". – surfasb – 2011-11-23T23:50:13.757


I've used a similar setup and it seems as though the users would stumble upon the directory. The problem in your case is how it would be accessed. If there is going to be a batch script or drive mapping, then the user would probably be able to discover it if they were savvy. I know in Windows you can hide drive letters, but that may not be enough.

I would suggest if you don't want them to access it, don't give them permission, if possible. Use another account for whatever task you are doing (for example, running a batch script for backups or whatever).

It is hard to give more specific advice not knowing more on what you want to accomplish while not letting the user know. There may be a different way.

Scott McClenning


If the computer the user is using doesn't know of or use the share, the user doesn't know of the share, and no one will tell the user. Then I don't see how the user could discover it exists on their own. – Scott McClenning – 2011-10-07T02:34:02.713

You're right, I misspoke, not share, but they wouldn't know the "subfolder" in the share exists. That said, I still stand by that they shouldn't be able to discover it exists short of being told or brute-force (which you excluded). As far as being ambiguous, you didn't reveal much on why such a folder would need to exist. If the user shouldn't find it, why give them access to it? – Scott McClenning – 2011-10-07T03:00:05.477

I've run across it when business people want groups made for external users that come in for a few weeks to work on a small part of a project. Then when the next project comes along, they do the same setup, but they didn't think to remove them from the first project's folder. I told them to be 100% sure the external users don't access the completed Project 1 while they work on Project 2, just remove them from Project 1 (after all their part is over). We still hid the folders that way because people on Project 2 don't need to know Project 3 exists (even if they don't have access to it). – Scott McClenning – 2011-10-07T03:16:33.313

In the testing I've done with a similar setup, no. The external users didn't like not clicking through until we told them to just make a shortcut on their desktop so they didn't have to remember the path. Then when done, remove the shortcut. If they didn't, no problem, because when their part was done we removed their group from the folder, just in case they returned. Testing is easy, just add an account to the group, log in and double check. I had to do that to prove to my bosses this would work. All the group needs is "Traverse folder" permission for the screening/guard folder. – Scott McClenning – 2011-10-07T03:39:20.483

"Everyone" is allowed the user right of "Bypass traverse checking" by default. Some places don't allow that setting. As far as your question, it seems unlikely they would find such a folder. However, if they did, there wouldn't be much to stop them. Security through obscurity isn't much, but I guess sometimes it may be enough. – Scott McClenning – 2011-10-07T06:21:56.950