Shared folder, write but not delete

MiMadreMia87

I am applying a solution to take backups from client machines to a shared folder location; the share management will be done through their AD accounts through a backup application.

However, I want to prevent users from accessing the shared folder location and deleting contents.
It would be possible to use another account for shared file access, but I am looking for a better option.

If anything from the following can be done, it would be great:
- Modifying permissions to allow writing and modifying content but not deleting
- Disable web access to shared location through Windows Explorer
- Only allowing access to shared location through the backup application in any way


Really appreciate any help.
 

I have not done any Active Directory work for a while, but I'm sure the delete permission was separate, so a deny could be applied to the delete for the group concerned, who would have the other permissions. You would need to check the stacking of the actual permissions to be sure, though. A deny is a dangerous thing for sysadmins, as you often forget what groups you've assigned yourself to for testing ;)

Also, it's worth having a look at Sysinternals, as I think they still have some advanced AD tools.

As most of the others should be possible through normal NTFS permissions and even the parental controls, it should be possible using Group Policy.
 

What is this "backup application"? Is it a program running on a server that accesses all computers and copies to a backup server? Or is it installed on each computer, and they copy whatever is necessary onto a server? Something else?
Both options are possible, but the approach can be different in each case.

Quickly answering the questions, but without a good background of the situation:

"Modifying permissions to allow writing and modifying content but not deleting"

That's not possible with SMB share permissions (which only allow read/write/full control), but normal NTFS permissions can separate creating new files from deleting and modifying existing files. Allow read and write to the share, but in the underlying NTFS permissions for the shared folder allow creating but not modification or deletion. An obvious drawback is that the logical drive hosting the shared folder must be NTFS for this to work. BTW, you really want to prevent both deletions and modifications, contrary to what you request, because users should not only be unable to delete backups, but also unable to tamper with them in any way.


"Disable web access to shared location through windows explorer"

This doesn't make any sense to me; could you explain what you meant? "Web" hasn't anything to do with SMB shares and Windows Explorer, which is in turn unrelated to anything web based.


"Only allowing access to shared location through the backup application in any way"

This would be the ideal option, but it depends on the setup, hence my initial question.

As a separate question, why do you want to back up client machines anyway? That's not the best thing to do, because of the numerous different ways each one does their job and manages their files. Ideally, only the servers should be backed up, with people instructed to drop anything important there.
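
The NTFS split this answer describes (share allows read/write, NTFS allows create but not modify or delete), written out as an added example that is not code from the thread. It assumes a Windows file server with an NTFS volume; `D:\Backups`, the share name `Backups$` and the group `CONTOSO\BackupUsers` are hypothetical names.

```powershell
# Added example. Run elevated on the Windows file server that hosts the share.
# Assumed names (not from the thread): D:\Backups, Backups$, CONTOSO\BackupUsers.
$root  = 'D:\Backups'
$group = 'CONTOSO\BackupUsers'
New-Item -ItemType Directory -Path $root -Force | Out-Null

function New-AllowAce($who, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $who, $rights, $inherit, $propagate, 'Allow'
}
# Well-known SIDs, so the script does not depend on localized account names.
$admins      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$system      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'

$acl = Get-Acl -Path $root
# Block inheritance and discard inherited ACEs, so nothing above grants Modify.
$acl.SetAccessRuleProtection($true, $false)
foreach ($sid in $admins, $system) {
    $acl.AddAccessRule((New-AllowAce $sid 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
}
# Folders only: list, traverse, add files, add subfolders. No Delete and no
# DeleteSubdirectoriesAndFiles. CreateFiles is the same access bit as WriteData,
# so this ACE must NOT carry ObjectInherit or it would let users rewrite files.
$acl.AddAccessRule((New-AllowAce $group 'ReadAndExecute, CreateFiles, CreateDirectories' 'ContainerInherit' 'None'))
# Files only: read. No WriteData, AppendData or Delete.
$acl.AddAccessRule((New-AllowAce $group 'ReadAndExecute' 'ObjectInherit' 'InheritOnly'))
# The user who creates a file owns it, and an owner can normally rewrite the
# ACL. An OWNER RIGHTS ACE replaces that implicit right with read-only access.
$acl.AddAccessRule((New-AllowAce $ownerRights 'ReadAndExecute' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $root -AclObject $acl

# Share permissions stay coarse (Change = read/write); NTFS does the fine split.
New-SmbShare -Name 'Backups$' -Path $root -ChangeAccess $group -FullAccess 'BUILTIN\Administrators'

# Check: no ACE for the group or OWNER RIGHTS should list Delete, Modify or Write.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

With these ACEs a file can be written through the handle that created it but cannot be reopened for writing afterwards, so the backup job has to finish each copy in one pass.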
 

The backup application is Iperius, installed on every client machine, and it backs up data to a NAS storage.
This is more of a requirement, to have a backup of files that match specific criteria in a central location.

It is not actually SMB shares, it's NTFS, but I cannot manage to find a suitable share combination that enables the client to do its job while still prohibiting users from deleting them. I assume modification would be required, since the backup client installs the latest version of each document, writing the changes only.

The firewall didn't do the trick: I tried disabling access to the NAS IP while allowing that application, yet it didn't work.

By web access I was referring to normal Windows Explorer navigation to the shares. My bad.
 

Having the backup program on each computer has certain security implications, but it's possible to deal with those. Yes, accessing with Windows Explorer implies standard SMB shares, but if it's a NAS it's quite unlikely that there is an underlying NTFS filesystem there, as they almost always run Linux.
Have a look at what access permissions the NAS allows you to set up. I have no idea what is even possible exactly in your case, but it should be possible to configure them correctly.

I insist that permission to change files is the wrong way to go. For one, permission to modify implies that the user can, instead of deleting, just empty the file, or change it in arbitrary ways, which still destroys the backup's value.
Moreover, replacing each document on each backup makes the backup itself vulnerable to accidents. Suppose that a virus destroys the file on the client machine, or the user makes a mistake he wants to revert: by overwriting the file you lose the original, with no chance to revert to the old, safe version. That's called a "mirror backup" and is of little value against some incidents.

A better approach could be to give users only create-file access to the shared backup location. The backup program creates a new file each day for each document (named after the date, for example), so you only need read and create access (not delete or modify), and it gives you the last days' worth of copies; in case of an incident you can go back further if the need arises. A scheduled task could purge the oldest ones to preserve disk space.

Firewalls are no good here. They can block access to the server completely or allow it, but have nothing to do with what exactly is done there.

Have a look at the NAS configuration panel, look for what file access restrictions it supports exactly.
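
The scheduled purge mentioned in this answer, as an added example that is not part of the thread. It assumes the dated copies are named `<document>_<yyyy-MM-dd><.ext>` under a hypothetical `D:\Backups`, and that the task runs as a dedicated service account which, unlike the users, holds delete rights; `Get-ExpiredBackup` is a hypothetical helper name.

```powershell
# Added example. Selects dated copies that are past retention, but never the
# newest $KeepMin copies of a document, so a machine that stopped backing up
# weeks ago does not lose its last good versions.
function Get-ExpiredBackup {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [System.IO.FileInfo[]] $File,
        [int] $KeepDays = 30,
        [int] $KeepMin  = 3,
        [datetime] $Now = (Get-Date)
    )
    $pattern = '^(?<doc>.+)_(?<day>\d{4}-\d{2}-\d{2})$'   # assumed naming scheme
    $dated = foreach ($f in $File) {
        $day = [datetime]::MinValue
        if ($f.BaseName -match $pattern -and
            [datetime]::TryParseExact($Matches['day'], 'yyyy-MM-dd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$day)) {
            [pscustomobject]@{
                File = $f
                Key  = "$($f.DirectoryName)\$($Matches['doc'])$($f.Extension)"
                Day  = $day
            }
        }   # anything that does not match the scheme is never selected
    }
    $cutoff = $Now.Date.AddDays(-$KeepDays)
    foreach ($doc in ($dated | Group-Object -Property Key)) {
        $doc.Group |
            Sort-Object -Property Day -Descending |
            Select-Object -Skip $KeepMin |           # newest copies always stay
            Where-Object { $_.Day -lt $cutoff } |    # the rest expire by age
            ForEach-Object { $_.File }
    }
}

$files = @(Get-ChildItem -Path 'D:\Backups' -File -Recurse)
# -WhatIf lists what would be deleted; remove it once the selection looks right.
Get-ExpiredBackup -File $files -KeepDays 30 -KeepMin 3 | Remove-Item -WhatIf
```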
 
