Windows Network Share Permissions Audit: How to Find Overly Permissive Shares Before an Attacker Does

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Network share permission sprawl is not a configuration failure -- it is an operational decay problem. Shares get created with broad access for immediate convenience, the business team that requested them leaves, the IT engineer who created them moves on, and the share remains accessible for years without anyone reviewing who can reach it. A systematic audit using PowerShell against all file servers takes under an hour and typically surfaces a handful of high-risk findings that represent years of accumulated exposure.
Enumerate All Shares and Permissions Across the Domain
Enumerate all file servers in the domain:
# File servers typically have specific services or are in a Servers OU
# Option 1: Enumerate shares from a list of known file servers
$fileServers = @('fileserver01', 'fileserver02', 'nas01')
# Option 2: Find all domain computers with SmbServer role
# (requires admin access to each)
$fileServers = Get-ADComputer -Filter * -Properties OperatingSystem |
Where-Object { $_.OperatingSystem -like '*Server*' } |
Select-Object -ExpandProperty Name
Enumerate shares on each server:
# For each file server, get all shares and their permissions
$results = @()
foreach ($server in $fileServers) {
try {
$shares = Get-WmiObject -Class Win32_Share -ComputerName $server -ErrorAction Stop |
Where-Object { $_.Type -eq 0 } # Type 0 = Disk shares (excludes admin shares and IPC)
foreach ($share in $shares) {
# Get share-level permissions
$acl = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
-Filter "Name='$($share.Name)'" -ComputerName $server
$results += [PSCustomObject]@{
Server = $server
ShareName = $share.Name
Path = $share.Path
ShareACL = $acl | ConvertTo-Json -Compress
}
}
} catch {
Write-Warning "Failed to query $server: $_"
}
}
$results | Export-Csv C:\ShareAudit.csv -NoTypeInformation
Simpler approach using Get-SmbShare (if you have admin access and remoting enabled):
$allShares = @()
foreach ($server in $fileServers) {
$shares = Invoke-Command -ComputerName $server -ScriptBlock {
Get-SmbShare | ForEach-Object {
$share = $_
$access = Get-SmbShareAccess -Name $share.Name
[PSCustomObject]@{
Server = $env:COMPUTERNAME
Name = $share.Name
Path = $share.Path
Access = ($access | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
}
}
} -ErrorAction SilentlyContinue
$allShares += $shares
}
$allShares | Export-Csv C:\ShareAuditFull.csv -NoTypeInformation
Identify High-Risk Share Permission Patterns
After collecting the share data, filter for these high-risk patterns:
1. Everyone: Change or Full Control
# From the share audit CSV:
$shares = Import-Csv C:\ShareAuditFull.csv
$everyoneShares = $shares | Where-Object {
$_.Access -match 'Everyone' -and
($_.Access -match 'Change' -or $_.Access -match 'Full')
}
$everyoneShares | Format-Table Server, Name, Path, Access
2. Authenticated Users: Change or Full Control
$authUserShares = $shares | Where-Object {
($_.Access -match 'Authenticated Users' -or $_.Access -match 'Domain Users') -and
($_.Access -match 'Change' -or $_.Access -match 'Full')
}
3. Admin shares accessible on workstations (test from a management machine):
# Test if C$ is accessible on workstations
$workstations = Get-ADComputer -SearchBase 'OU=Workstations,DC=domain,DC=com' -Filter * |
Select-Object -ExpandProperty Name
foreach ($ws in $workstations[0..20]) { # Test first 20 for speed
$path = "\\$ws\C$"
$accessible = Test-Path $path -ErrorAction SilentlyContinue
Write-Output "$ws C$ accessible: $accessible"
}
4. Shares with no current users or last access older than 1 year (orphaned shares): Check the underlying folder's last modified date:
# For each share, check when the shared folder was last written to
foreach ($share in $allShares) {
if ($share.Path -and (Test-Path $share.Path)) {
$lastWrite = (Get-Item $share.Path).LastWriteTime
if ($lastWrite -lt (Get-Date).AddYears(-1)) {
Write-Output "ORPHANED: $($share.Server) - $($share.Name) - Last write: $lastWrite"
}
}
}
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Understand Share Permission vs NTFS Permission Interaction
Before remediating, verify the effective permission by checking both layers:
# Get share-level permissions
Get-SmbShareAccess -Name 'SharedFolder'
# Example output:
# AccountName AccessControlType AccessRight
# Everyone Allow Full
# Get NTFS permissions on the underlying folder
$folderPath = '\\server\c$\SharedFolder'
(Get-Acl -Path $folderPath).Access |
Select-Object IdentityReference, FileSystemRights, AccessControlType |
Where-Object { $_.AccessControlType -eq 'Allow' }
Interpretation examples:
| Share Permission | NTFS Permission | Effective |
|---|---|---|
| Everyone: Full Control | Finance: Modify | Finance can Modify; others cannot read (NTFS blocks) |
| Everyone: Read | Finance: Full Control | Finance gets Read; NTFS Full Control is capped by share Read |
| Everyone: Full Control | Everyone: Full Control | Everyone has Full Control -- high risk |
| Finance: Full Control | Finance: Modify | Finance gets Modify (most restrictive) |
The common false positive: A share with Everyone: Full Control but NTFS permissions that restrict access to a specific group. The share permission is technically overly broad but the NTFS permissions are the effective control. The remediation is to tighten the share permission to match the NTFS permission (remove the false sense of security from a 'Full Control' share ACE).
Remediate Without Causing User Outages
Step 1: Document the intended access before changing anything
# For each share being remediated, document current state
Get-SmbShareAccess -Name 'SharedFolder' | Export-Csv C:\Remediation-Before-SharedFolder.csv
(Get-Acl -Path '\\server\c$\SharedFolder').Access | Export-Csv C:\NTFS-Before-SharedFolder.csv
Step 2: Replace Everyone with Authenticated Users if broad access is needed
# Remove Everyone, add Authenticated Users with Read
Revoke-SmbShareAccess -Name 'SharedFolder' -AccountName 'Everyone' -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'Authenticated Users' -AccessRight Read -Force
Step 3: Replace broad groups with specific groups
# Replace Authenticated Users with a specific AD group
Revoke-SmbShareAccess -Name 'SharedFolder' -AccountName 'Authenticated Users' -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'DOMAIN\SharedFolder-ReadAccess' -AccessRight Read -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'DOMAIN\SharedFolder-WriteAccess' -AccessRight Change -Force
Step 4: Remove orphaned shares
# Remove a share (does not delete the folder, only the share)
Remove-SmbShare -Name 'OldProjectShare' -Force
Communication before remediating: Email the business owners of high-risk shares before changing permissions, not after. Include: what the share is named, what the current permissions are, what you plan to change, and when. This prevents the outage call where you have to roll back at 3 AM.
The bottom line
Share permission audits surface real exposure in almost every environment that has not had a systematic review in the past two years. The audit takes an afternoon with PowerShell; the remediation takes longer because it requires business owner communication. Prioritize: (1) Everyone: Change/Full shares on file servers, (2) workstation C$ accessibility from non-admin accounts, (3) orphaned shares with no recent activity. Build the audit as a quarterly scheduled task -- share permission drift is an operational problem that recurs without ongoing controls.
Frequently asked questions
What is the difference between share permissions and NTFS permissions?
Share permissions are enforced by the SMB server when a remote user connects to the shared folder over the network. They are a separate, coarser-grained access control layer with three options: Read, Change, and Full Control. NTFS permissions are enforced by the file system itself and apply both for local access and network access. They offer granular controls (List Folder Contents, Read Attributes, Write Data, Delete, etc.). The effective network access is the most restrictive of both layers. Local access (a user sitting at the server console) is governed by NTFS permissions only -- share permissions do not apply to local logins.
Is Everyone: Full Control at the share level always a risk?
Not always an immediate risk, but always a finding. If the NTFS permissions are tightly controlled, the Everyone: Full Control share permission is a false broad grant that is capped by NTFS. The actual exposure depends on the NTFS ACL. However, it is a finding because: NTFS permissions can be changed by someone with local admin access without updating the share permission, the share permission provides no defense in depth, and auditors and compliance frameworks (CIS benchmarks, SOC 2) flag it regardless. Best practice: tighten the share permission to match the NTFS permission. Use specific AD groups at the share level.
How do I find shares that are accessible to low-privilege users across the domain?
Run the enumeration from a low-privilege account, not a domain admin. Use net view /all from a standard domain user's session or use PowerView's Invoke-ShareFinder (from a security testing tool) to enumerate shares accessible to that user context. Shares that return accessible from a standard user account are your priority findings. This perspective matters because domain admin accounts can access most shares via admin rights -- the risk is what a compromised standard user or attacker with standard user access can reach without any privilege escalation.
Should I disable the default admin shares (C$, ADMIN$) on workstations?
It depends on your tooling. The admin shares are used by: SCCM/Intune management agents, domain join and policy processes, remote management tools (WMI, PsExec when invoked by admins), and some antivirus management tools. Disabling them breaks these management paths. The more targeted mitigation is to restrict who can authenticate to the admin shares by tightening local administrator membership (via LAPS and restricted groups), requiring admin authentication through jump servers rather than allowing direct workstation-to-workstation admin access, and enforcing Windows Firewall rules that block SMB from non-management sources (covering the admin shares as a side effect). Disabling the shares entirely is viable if you can verify no management tooling depends on them -- test in a pilot group first.
How do I detect unauthorized shares created by end users on workstations?
Use Group Policy to enable the Security event log auditing for share creation: Audit File Share events under Advanced Audit Policy. Event ID 5142 (Network Share Object Added) is generated when a new share is created, including the share name, path, and creating user. Collect these events in your SIEM and alert on share creation events originating from workstation names (workstations rarely need to create shares). Also run a weekly scheduled task via SCCM or Intune that queries each machine using `Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN|C|D|IPC)\$' }` and reports non-default shares to a central inventory. Any non-approved share on a workstation is a finding.
How do I remediate shares with Everyone or Authenticated Users permissions without causing business disruption?
Remediating overly permissive shares requires identifying current access patterns before removing permissions. Run `Get-SmbOpenFile` on the file server to see who is currently accessing files in real time, and review file access logs (enable Object Access auditing with success events for the share's NTFS path for 2-4 weeks) to build an access baseline. For shares with Everyone: Full Control or Authenticated Users: Change at the share level, the remediation path is: identify who actually accesses the share from the access logs, create an AD security group containing those users, replace the Everyone/Authenticated Users share permission with that group at Read or Change (never Full Control at share level -- NTFS is where granular permissions should live). For shares where the owner is unknown or has left the organization, escalate to the business unit manager to identify a new owner before modifying permissions. Document every permission change with the business justification and the previous state so changes can be reversed if a legitimate use case is discovered.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
