PRACTITIONER GUIDE | DATA SECURITY
Practitioner GuideUpdated 10 min read

Windows Network Share Permissions Audit: How to Find Overly Permissive Shares Before an Attacker Does

Most restrictive wins
is the rule for combined share + NTFS permissions. A user with Full Control at the NTFS level but Read at the share level gets Read effective access. A user with Full Control at the share level but Read at NTFS gets Read. The share permission and NTFS permission are both enforced -- users need both to get access
Everyone = Authenticated Users + Guest
on modern Windows. The Everyone group includes Guest in addition to all authenticated users. For most enterprise shares, 'Authenticated Users: Read' is the intent -- but 'Everyone: Full Control' is what gets configured for convenience and never reviewed again
Admin shares
C$, D$, ADMIN$, IPC$ are hidden shares automatically created by Windows on every machine. These are accessible to members of the local Administrators group over the network. On workstations, this means any domain admin (or account with local admin rights) can browse the C drive of any workstation -- a significant lateral movement and data access vector
ShareEnum or PowerView
are the attacker tools used to enumerate accessible shares across the domain. Running the same enumeration as a defender tells you what attackers see. Any share returned by these tools that should not be accessible to regular users is a finding

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Network share permission sprawl is not a configuration failure -- it is an operational decay problem. Shares get created with broad access for immediate convenience, the business team that requested them leaves, the IT engineer who created them moves on, and the share remains accessible for years without anyone reviewing who can reach it. A systematic audit using PowerShell against all file servers takes under an hour and typically surfaces a handful of high-risk findings that represent years of accumulated exposure.

Enumerate All Shares and Permissions Across the Domain

Enumerate all file servers in the domain:

# File servers typically have specific services or are in a Servers OU
# Option 1: Enumerate shares from a list of known file servers
$fileServers = @('fileserver01', 'fileserver02', 'nas01')

# Option 2: Find all domain computers with SmbServer role
# (requires admin access to each)
$fileServers = Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -like '*Server*' } |
    Select-Object -ExpandProperty Name

Enumerate shares on each server:

# For each file server, get all shares and their permissions
$results = @()
foreach ($server in $fileServers) {
    try {
        $shares = Get-WmiObject -Class Win32_Share -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.Type -eq 0 }  # Type 0 = Disk shares (excludes admin shares and IPC)
        
        foreach ($share in $shares) {
            # Get share-level permissions
            $acl = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                -Filter "Name='$($share.Name)'" -ComputerName $server
            $results += [PSCustomObject]@{
                Server    = $server
                ShareName = $share.Name
                Path      = $share.Path
                ShareACL  = $acl | ConvertTo-Json -Compress
            }
        }
    } catch {
        Write-Warning "Failed to query $server: $_"
    }
}
$results | Export-Csv C:\ShareAudit.csv -NoTypeInformation

Simpler approach using Get-SmbShare (if you have admin access and remoting enabled):

$allShares = @()
foreach ($server in $fileServers) {
    $shares = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-SmbShare | ForEach-Object {
            $share = $_
            $access = Get-SmbShareAccess -Name $share.Name
            [PSCustomObject]@{
                Server     = $env:COMPUTERNAME
                Name       = $share.Name
                Path       = $share.Path
                Access     = ($access | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            }
        }
    } -ErrorAction SilentlyContinue
    $allShares += $shares
}
$allShares | Export-Csv C:\ShareAuditFull.csv -NoTypeInformation

Identify High-Risk Share Permission Patterns

After collecting the share data, filter for these high-risk patterns:

1. Everyone: Change or Full Control

# From the share audit CSV:
$shares = Import-Csv C:\ShareAuditFull.csv
$everyoneShares = $shares | Where-Object {
    $_.Access -match 'Everyone' -and
    ($_.Access -match 'Change' -or $_.Access -match 'Full')
}
$everyoneShares | Format-Table Server, Name, Path, Access

2. Authenticated Users: Change or Full Control

$authUserShares = $shares | Where-Object {
    ($_.Access -match 'Authenticated Users' -or $_.Access -match 'Domain Users') -and
    ($_.Access -match 'Change' -or $_.Access -match 'Full')
}

3. Admin shares accessible on workstations (test from a management machine):

# Test if C$ is accessible on workstations
$workstations = Get-ADComputer -SearchBase 'OU=Workstations,DC=domain,DC=com' -Filter * |
    Select-Object -ExpandProperty Name
foreach ($ws in $workstations[0..20]) {  # Test first 20 for speed
    $path = "\\$ws\C$"
    $accessible = Test-Path $path -ErrorAction SilentlyContinue
    Write-Output "$ws C$ accessible: $accessible"
}

4. Shares with no current users or last access older than 1 year (orphaned shares): Check the underlying folder's last modified date:

# For each share, check when the shared folder was last written to
foreach ($share in $allShares) {
    if ($share.Path -and (Test-Path $share.Path)) {
        $lastWrite = (Get-Item $share.Path).LastWriteTime
        if ($lastWrite -lt (Get-Date).AddYears(-1)) {
            Write-Output "ORPHANED: $($share.Server) - $($share.Name) - Last write: $lastWrite"
        }
    }
}
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Understand Share Permission vs NTFS Permission Interaction

Before remediating, verify the effective permission by checking both layers:

# Get share-level permissions
Get-SmbShareAccess -Name 'SharedFolder'
# Example output:
# AccountName          AccessControlType  AccessRight
# Everyone             Allow              Full

# Get NTFS permissions on the underlying folder
$folderPath = '\\server\c$\SharedFolder'
(Get-Acl -Path $folderPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Where-Object { $_.AccessControlType -eq 'Allow' }

Interpretation examples:

Share PermissionNTFS PermissionEffective
Everyone: Full ControlFinance: ModifyFinance can Modify; others cannot read (NTFS blocks)
Everyone: ReadFinance: Full ControlFinance gets Read; NTFS Full Control is capped by share Read
Everyone: Full ControlEveryone: Full ControlEveryone has Full Control -- high risk
Finance: Full ControlFinance: ModifyFinance gets Modify (most restrictive)

The common false positive: A share with Everyone: Full Control but NTFS permissions that restrict access to a specific group. The share permission is technically overly broad but the NTFS permissions are the effective control. The remediation is to tighten the share permission to match the NTFS permission (remove the false sense of security from a 'Full Control' share ACE).

Remediate Without Causing User Outages

Step 1: Document the intended access before changing anything

# For each share being remediated, document current state
Get-SmbShareAccess -Name 'SharedFolder' | Export-Csv C:\Remediation-Before-SharedFolder.csv
(Get-Acl -Path '\\server\c$\SharedFolder').Access | Export-Csv C:\NTFS-Before-SharedFolder.csv

Step 2: Replace Everyone with Authenticated Users if broad access is needed

# Remove Everyone, add Authenticated Users with Read
Revoke-SmbShareAccess -Name 'SharedFolder' -AccountName 'Everyone' -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'Authenticated Users' -AccessRight Read -Force

Step 3: Replace broad groups with specific groups

# Replace Authenticated Users with a specific AD group
Revoke-SmbShareAccess -Name 'SharedFolder' -AccountName 'Authenticated Users' -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'DOMAIN\SharedFolder-ReadAccess' -AccessRight Read -Force
Grant-SmbShareAccess -Name 'SharedFolder' -AccountName 'DOMAIN\SharedFolder-WriteAccess' -AccessRight Change -Force

Step 4: Remove orphaned shares

# Remove a share (does not delete the folder, only the share)
Remove-SmbShare -Name 'OldProjectShare' -Force

Communication before remediating: Email the business owners of high-risk shares before changing permissions, not after. Include: what the share is named, what the current permissions are, what you plan to change, and when. This prevents the outage call where you have to roll back at 3 AM.

The bottom line

Share permission audits surface real exposure in almost every environment that has not had a systematic review in the past two years. The audit takes an afternoon with PowerShell; the remediation takes longer because it requires business owner communication. Prioritize: (1) Everyone: Change/Full shares on file servers, (2) workstation C$ accessibility from non-admin accounts, (3) orphaned shares with no recent activity. Build the audit as a quarterly scheduled task -- share permission drift is an operational problem that recurs without ongoing controls.

Frequently asked questions

What is the difference between share permissions and NTFS permissions?

Share permissions are enforced by the SMB server when a remote user connects to the shared folder over the network. They are a separate, coarser-grained access control layer with three options: Read, Change, and Full Control. NTFS permissions are enforced by the file system itself and apply both for local access and network access. They offer granular controls (List Folder Contents, Read Attributes, Write Data, Delete, etc.). The effective network access is the most restrictive of both layers. Local access (a user sitting at the server console) is governed by NTFS permissions only -- share permissions do not apply to local logins.

Is Everyone: Full Control at the share level always a risk?

Not always an immediate risk, but always a finding. If the NTFS permissions are tightly controlled, the Everyone: Full Control share permission is a false broad grant that is capped by NTFS. The actual exposure depends on the NTFS ACL. However, it is a finding because: NTFS permissions can be changed by someone with local admin access without updating the share permission, the share permission provides no defense in depth, and auditors and compliance frameworks (CIS benchmarks, SOC 2) flag it regardless. Best practice: tighten the share permission to match the NTFS permission. Use specific AD groups at the share level.

How do I find shares that are accessible to low-privilege users across the domain?

Run the enumeration from a low-privilege account, not a domain admin. Use net view /all from a standard domain user's session or use PowerView's Invoke-ShareFinder (from a security testing tool) to enumerate shares accessible to that user context. Shares that return accessible from a standard user account are your priority findings. This perspective matters because domain admin accounts can access most shares via admin rights -- the risk is what a compromised standard user or attacker with standard user access can reach without any privilege escalation.

Should I disable the default admin shares (C$, ADMIN$) on workstations?

It depends on your tooling. The admin shares are used by: SCCM/Intune management agents, domain join and policy processes, remote management tools (WMI, PsExec when invoked by admins), and some antivirus management tools. Disabling them breaks these management paths. The more targeted mitigation is to restrict who can authenticate to the admin shares by tightening local administrator membership (via LAPS and restricted groups), requiring admin authentication through jump servers rather than allowing direct workstation-to-workstation admin access, and enforcing Windows Firewall rules that block SMB from non-management sources (covering the admin shares as a side effect). Disabling the shares entirely is viable if you can verify no management tooling depends on them -- test in a pilot group first.

How do I detect unauthorized shares created by end users on workstations?

Use Group Policy to enable the Security event log auditing for share creation: Audit File Share events under Advanced Audit Policy. Event ID 5142 (Network Share Object Added) is generated when a new share is created, including the share name, path, and creating user. Collect these events in your SIEM and alert on share creation events originating from workstation names (workstations rarely need to create shares). Also run a weekly scheduled task via SCCM or Intune that queries each machine using `Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN|C|D|IPC)\$' }` and reports non-default shares to a central inventory. Any non-approved share on a workstation is a finding.

How do I remediate shares with Everyone or Authenticated Users permissions without causing business disruption?

Remediating overly permissive shares requires identifying current access patterns before removing permissions. Run `Get-SmbOpenFile` on the file server to see who is currently accessing files in real time, and review file access logs (enable Object Access auditing with success events for the share's NTFS path for 2-4 weeks) to build an access baseline. For shares with Everyone: Full Control or Authenticated Users: Change at the share level, the remediation path is: identify who actually accesses the share from the access logs, create an AD security group containing those users, replace the Everyone/Authenticated Users share permission with that group at Read or Change (never Full Control at share level -- NTFS is where granular permissions should live). For shares where the owner is unknown or has left the organization, escalate to the business unit manager to identify a new owner before modifying permissions. Document every permission change with the business justification and the previous state so changes can be reversed if a legitimate use case is discovered.

Sources & references

  1. Microsoft -- Best practices for securing Active Directory
  2. Microsoft -- Share and NTFS Permissions

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.