SrvsvcDefaultShareInfo - microsoft/SMBSecurity GitHub Wiki
Summary
Modifies the default share permissions applied when a new share is created. Permissions supplied explicitly at share-creation time take precedence over these defaults. In practice the defaults are consulted only when the share is created through File Explorer; command-line and PowerShell tools carry their own defaults (see below).
| 🗒️ NOTE |
|---|
| Creating the share with File Explorer is currently the only known share creation method that reads SrvsvcDefaultShareInfo. |
Share Permissions with CMD and PowerShell Share Creation Tools
The share permissions should be defined explicitly when creating the share from the command line (CMD) or PowerShell (pwsh). Each of these tools, such as "net share" and New-SmbShare, has a tool-specific default that is independent of SrvsvcDefaultShareInfo; changing SrvsvcDefaultShareInfo has no effect on shares they create.
Defining share permissions when creating the share overrides the tool's default. Any scripted or CLI-based process, such as a logon or provisioning script, must therefore set the share permissions as part of the share creation step rather than relying on a default.
For example, using New-SmbShare with -ChangeAccess, -ReadAccess, and/or -FullAccess will create the share without the Everyone group, unless the Everyone group is added as part of the command.
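The following script is an added example, not code from the SMBSecurity module or from this wiki page. It shows the point above in practice: a share created by New-SmbShare with no access parameters gets the cmdlet's own default (Everyone : Read) regardless of SrvsvcDefaultShareInfo, while one created with explicit -FullAccess/-ChangeAccess has no Everyone entry at all. The share name and path are assumptions chosen for illustration; the accounts are built-in principals so the script resolves on any Windows host.

```powershell
# Added example (not part of the SMBSecurity module or this wiki page).
# Demonstrates that New-SmbShare never consults SrvsvcDefaultShareInfo:
# a scripted share must state its own permissions.
# $ShareName and $SharePath are assumed values for illustration.
#Requires -RunAsAdministrator

$ShareName = 'Projects'            # assumed
$SharePath = 'C:\Shares\Projects'  # assumed

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# Remove a stale share of the same name so the ACL below is the only one applied.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}

# Supplying -FullAccess/-ChangeAccess replaces the cmdlet default (Everyone : Read).
# Everyone is absent unless it is listed explicitly.
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess   'BUILTIN\Administrators' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Verify the share-level ACL and fail loudly if Everyone slipped in.
$acl = Get-SmbShareAccess -Name $ShareName
$acl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

$everyone = $acl | Where-Object { $_.AccountName -eq 'Everyone' }
if ($everyone) {
    throw "Share '$ShareName' grants $($everyone.AccessRight) to Everyone; fix the share ACL."
}

# For comparison: a share created with no access parameters receives the
# cmdlet's own default, Everyone : Read, whatever SrvsvcDefaultShareInfo says.
$defaultShare = "$ShareName-Default"   # assumed
New-SmbShare -Name $defaultShare -Path $SharePath | Out-Null
Get-SmbShareAccess -Name $defaultShare |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Remove-SmbShare -Name $defaultShare -Force
```

Get-SmbShareAccess reports the share-level ACL only; the NTFS ACL on the folder still applies on top of it, so the effective access is the more restrictive of the two.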
Default values
These values were collected from Windows Server 2019 in September 2022. They may differ on other versions of Windows and may be changed by a Windows Update or in a future version of Windows.
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
ACLs : Everyone (Allow) {Read}
| ❗Special Note ❗ |
|---|
| The SrvsvcDefaultShareInfo SMB security descriptor (SD) does not appear in the registry by default. This is the expected behavior. The SrvsvcDefaultShareInfo SMB SD will only appear when modified. |
Rights
FullControl : All permissions are granted.
Change : Read, execute, synchronize, write, and delete access.
Read : Read, execute, and synchronize access.
Example
This example is from Windows Server 2019. The ACL defaults may vary by version of Windows.
- Open an elevated PowerShell terminal (Run as Administrator). Both Windows PowerShell 5.1 and PowerShell 7+ are supported.
- Create a new share using Windows Explorer or PowerShell.
```powershell
# PowerShell example
New-Item -Path C:\Test -ItemType Directory -Force
New-SmbShare -Name "Test" -Path "C:\Test"
```
- Check the share permissions.
```powershell
(Get-SmbShare Test).PresetPathAcl.Access
```
Output:
```
FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Everyone
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
```
- Remove the share.
```powershell
Remove-SmbShare Test -Force
```
- Run these commands to create the SMBSecurityDescriptor object for SrvsvcDefaultShareInfo.
```powershell
$sdName = "SrvsvcDefaultShareInfo"
$SD = Get-SMBSecurity $sdName
$SD
```
Output:
```
DisplayName : SMB SecurityDescriptor Object
Name        : SrvsvcDefaultShareInfo
Description : Default Share Permissions
Owner       : NT AUTHORITY\SYSTEM
Group       : NT AUTHORITY\SYSTEM
DACL        : {Everyone (Allow) {Read}}
```
- Add an Authenticated Users DACL with Change rights.
```powershell
$DACLSplat = @{
    SecurityDescriptorName = 'SrvsvcDefaultShareInfo'
    Access                 = 'Allow'
    Right                  = 'Change'
    Account                = "Authenticated Users"
}
$newDACL = New-SMBSecurityDACL @DACLSplat
Add-SMBSecurityDACL -SecurityDescriptor $SD -DACL $newDACL
$SD
```
Output:
```
DisplayName : SMB SecurityDescriptor Object
Name        : SrvsvcDefaultShareInfo
Description : Default Share Permissions
Owner       : NT AUTHORITY\SYSTEM
Group       : NT AUTHORITY\SYSTEM
DACL        : {Everyone (Allow) {Read}, NT AUTHORITY\Authenticated Users (Allow) {Change}}
```
- Remove the Everyone account.
```powershell
$DACL = $SD.DACL | Where-Object {$_.Account.Username -eq "Everyone"}
$DACL | Remove-SMBSecurityDACL -SecurityDescriptor $SD
$SD
```
Output:
```
DisplayName : SMB SecurityDescriptor Object
Name        : SrvsvcDefaultShareInfo
Description : Default Share Permissions
Owner       : NT AUTHORITY\SYSTEM
Group       : NT AUTHORITY\SYSTEM
DACL        : {NT AUTHORITY\Authenticated Users (Allow) {Change}}
```
- Save the changes to the SMB SecurityDescriptor.
```powershell
Save-SMBSecurity -SecurityDescriptor $SD
```
- Confirm that the changes were written to the registry.
```powershell
Get-SMBSecurity $sdName
```
- The Server service (LanmanServer) must be restarted before the updated SMB SecurityDescriptor takes effect. Alternatively, the server can be rebooted.
| ⚠️ WARNING ⚠️ |
|---|
| Restarting the Server service will cause all SMB file server connections to be disconnected! |
```powershell
Restart-Service LanmanServer -Force
```
- Create the Test share using Windows Explorer and confirm that the defaults have changed.
| 🗒️ NOTE |
|---|
| In case you didn't see it the first time... Creating the share with File Explorer is currently the only known share creation method that reads SrvsvcDefaultShareInfo. |
```powershell
(Get-SmbShare Test).PresetPathAcl.Access
```
Output:
```
FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
```
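The restart step in the procedure above drops every SMB connection to the server, as the warning notes. The wrapper below is an added example, not part of the SMBSecurity module or this wiki page: it enumerates active SMB sessions and open files before restarting LanmanServer, refuses to proceed unless -Force is given, waits for the service to come back, and then re-reads the saved SrvsvcDefaultShareInfo descriptor. The function name and its parameters are this example's own.

```powershell
# Added example (not part of the SMBSecurity module or this wiki page).
# Restart-LanmanServerSafely is a name chosen for this example.
#Requires -RunAsAdministrator

function Restart-LanmanServerSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Proceed even when clients are connected.
        [switch]$Force
    )

    # Both cmdlets require elevation; suppress errors so the counts default to 0.
    $sessions  = @(Get-SmbSession  -ErrorAction SilentlyContinue)
    $openFiles = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)

    if ($sessions.Count -gt 0) {
        $clients = ($sessions.ClientComputerName | Sort-Object -Unique) -join ', '
        Write-Warning ("{0} active SMB session(s) from: {1}" -f $sessions.Count, $clients)
    }
    if ($openFiles.Count -gt 0) {
        $sample = ($openFiles.Path | Select-Object -First 5) -join '; '
        Write-Warning ("{0} open file(s), e.g.: {1}" -f $openFiles.Count, $sample)
    }

    if (($sessions.Count -gt 0 -or $openFiles.Count -gt 0) -and -not $Force) {
        throw "Clients are connected; rerun with -Force during a maintenance window."
    }

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Restart service')) {
        # -Force also restarts services that depend on LanmanServer.
        Restart-Service -Name LanmanServer -Force
        (Get-Service -Name LanmanServer).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

        # Show the descriptor the service has just loaded from the registry.
        Get-SMBSecurity 'SrvsvcDefaultShareInfo'
    }
}

# Dry run first: reports sessions/open files and what would be restarted.
Restart-LanmanServerSafely -WhatIf

# Actual restart, only when no clients are connected (or add -Force).
# Restart-LanmanServerSafely
```

Because SrvsvcDefaultShareInfo is only read by File Explorer share creation, the final confirmation still has to be done interactively, as in the last step above; the wrapper only makes the service restart itself a deliberate act.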