Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!

The first thing to do is check the system’s default permissions for shares.

PS C:\> whoami
champignac\administrator
PS C:\> md TestShare

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/25/2025   9:05 AM                TestShare

PS C:\> New-SmbShare -Name TestShare -Path C:\TestShare\

Name      ScopeName Path         Description
----      --------- ----         -----------
TestShare *         C:\TestShare

PS C:\> Get-SmbShare TestShare|Format-List *

PresetPathAcl          : System.Security.AccessControl.DirectorySecurity
ShareState             : Online
AvailabilityType       : NonClustered
ShareType              : FileSystemDirectory
FolderEnumerationMode  : Unrestricted
CachingMode            : Manual
LeasingMode            : Full
QoSFlowScope           : File
SmbInstance            : Default
CATimeout              : 0
CompressData           : False
ConcurrentUserLimit    : 0
ContinuouslyAvailable  : False
CurrentUsers           : 0
Description            :
DirectoryHandleLeasing : True
EncryptData            : False
IdentityRemoting       : False
Infrastructure         : False
IsolatedTransport      : False
Name                   : TestShare
Path                   : C:\TestShare
QoSPolicyId            : {00000000-0000-0000-0000-000000000000}
Scoped                 : False
ScopeName              : *
SecurityDescriptor     : O:SYG:SYD:(A;;0x1200a9;;;WD)
ShadowCopy             : False
Special                : False
Temporary              : False
Volume                 : \\?\Volume{079e08b7-0000-0000-0000-500600000000}\
PSComputerName         :
CimClass               : ROOT/Microsoft/Windows/SMB:MSFT_SmbShare
CimInstanceProperties  : {AvailabilityType, CachingMode, CATimeout, CompressData...}
CimSystemProperties    : Microsoft.Management.Infrastructure.CimSystemProperties

PS C:\>

You can see that, tragically, the share’s default permissions are “A;;0x1200a9;;;WD”.

The more sensible net share command tells us what this means.

PS C:\> net share TestShare
Share name        TestShare
Path              C:\TestShare
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ

The command completed successfully.

PS C:\>

But looking at the Access Control Entry “A;;0x1200a9;;;WD” is sufficient:

  1. It is an “Allow” entry (the “A” at the beginning).
  2. It has an access mask of 1200a9 in hex.
  3. It is for a Security Principal “WD”, who turns out to be “Everyone”. (“WD” stands for “World”)

PS C:\> & 'C:\Program Files\ABTokenTools\LookupAccountSid.exe' WD
Everyone
PS C:\>

The access mask does not tell us a lot on its own, because the bit meanings are not exactly common knowledge. But one thing is easy. The lowest bit (the right-most one) is “read” (FILE_READ_DATA on a file, FILE_LIST_DIRECTORY on a directory), so any odd access mask allows (at least) reading.

I have it on good authority that 0x1200a9 is odd, hence this access mask allows (at least) reading. For the record, it decodes to FILE_GENERIC_READ (0x120089) combined with FILE_GENERIC_EXECUTE (0x1200a0), i.e. “Read & Execute”, which is what net share summarizes as READ. The other two masks the share permissions dialog hands out are 0x1301bf (“Change”) and 0x1f01ff (“Full Control”). Share ACEs use the same bit layout as NTFS file ACEs, so the .NET FileSystemRights enum can put names to them.
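Rather than trusting parity, the descriptor can be parsed properly. The following is an added example, not code from the original page: a small PowerShell function (the name ConvertFrom-ShareSddl is mine) that takes the SDDL string Get-SmbShare returns, splits it into ACEs, resolves each SID to an account name and names the access mask bits. It assumes Windows (the .NET SDDL parser calls into the Win32 security API). The sample input is the descriptor shown above; the last lines run it over every share on the host.

```powershell
# Added example, not from the original page. Decodes a share's SDDL
# security descriptor into readable ACEs. Function name is my own.
function ConvertFrom-ShareSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl
    )
    # RawSecurityDescriptor parses SDDL into owner, group, DACL and SACL.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid.Value   # unresolvable SID: show it as-is
        }
        [pscustomobject]@{
            Type    = $ace.AceType                      # AccessAllowed / AccessDenied
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
            # Share ACEs use the file ACE bit layout, so FileSystemRights names them:
            # 0x1200a9 -> ReadAndExecute, Synchronize (share "Read")
            # 0x1301bf -> Modify, Synchronize          (share "Change")
            # 0x1f01ff -> FullControl                  (share "Full Control")
            Rights  = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
            Sid     = $sid.Value
            Account = $account
        }
    }
}

# Constructed sample input: the default descriptor seen on TestShare above.
ConvertFrom-ShareSddl 'O:SYG:SYD:(A;;0x1200a9;;;WD)'

# Live use: decode the DACL of every share on this host.
Get-SmbShare | ForEach-Object {
    $name = $_.Name
    ConvertFrom-ShareSddl $_.SecurityDescriptor |
        Select-Object @{n = 'Share'; e = { $name }}, Account, Type, Rights
}
```

For the sample input this yields one AccessAllowed entry for S-1-1-0 (Everyone) with Rights “ReadAndExecute, Synchronize”, which matches what net share prints as “Everyone, READ”. Running it over Get-SmbShare is a quick way to find shares whose DACL still carries the Everyone entry.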

To replace the default share permissions, create a template share and set its permissions to something more sensible, like so:

PS C:\> New-SmbShare -FullAccess "Authenticated Users" -Name Test -Path C:\Test\

Name ScopeName Path    Description
---- --------- ----    -----------
Test *         C:\Test


PS C:\>

Now transfer its security descriptor to the default security descriptor registry value named SrvsvcDefaultShareInfo (to which MSFT openly admit in some support document). That value is REG_BINARY and holds a self-relative security descriptor, which is exactly what the per-share values under Shares\Security hold, so the bytes can be copied across as they are. Don’t forget to restart the Server service (LanmanServer) afterwards, since it picks the value up at startup. (New-ItemProperty fails if the value already exists; use Set-ItemProperty to overwrite it.)

PS C:\> cd HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\
PS HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\> $sd=(Get-ItemProperty .).Test
PS HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\> cd HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
PS HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity> New-ItemProperty . -Name SrvsvcDefaultShareInfo -Value $sd

SrvsvcDefaultShareInfo : {1, 0, 4, 128...}
PSPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
PSParentPath           : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer
PSChildName            : DefaultSecurity
PSDrive                : HKLM
PSProvider             : Microsoft.PowerShell.Core\Registry

PS HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity> Restart-Service LanmanServer
PS HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity>
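The template share is only needed to obtain a binary descriptor. The following is an added example, not code from the original page: it builds the descriptor directly from an SDDL string, writes it to SrvsvcDefaultShareInfo, and reads back whatever is currently stored so the before and after states can be compared. The function names Get-DefaultShareSddl and Set-DefaultShareSddl are mine; it assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not from the original page. Sets the LanmanServer default
# share descriptor from SDDL without a template share, and reads it back.
# Function names are my own. Run elevated.
$defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName  = 'SrvsvcDefaultShareInfo'

function Get-DefaultShareSddl {
    # Returns the stored default as SDDL, or $null when the value is absent
    # (absent means the built-in default, Everyone READ as seen above, applies).
    $item = Get-ItemProperty -Path $defaultKey -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    [byte[]]$bytes = $item.$valueName
    # The value is a self-relative security descriptor; parse it from offset 0.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Set-DefaultShareSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse first, so a malformed descriptor fails here and never reaches the registry.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)          # self-relative binary form, as the server expects
    if (-not (Test-Path $defaultKey)) { New-Item -Path $defaultKey -Force | Out-Null }
    # Set-ItemProperty creates or overwrites; New-ItemProperty would fail on a second run.
    Set-ItemProperty -Path $defaultKey -Name $valueName -Value $bytes -Type Binary
    # The Server service reads the value at start. -Force also stops dependents, if any.
    Restart-Service LanmanServer -Force
}

"Before: $(Get-DefaultShareSddl)"
# Authenticated Users (AU) with Full Control (0x1f01ff); no entry for Everyone (WD).
Set-DefaultShareSddl 'O:SYG:SYD:(A;;0x1f01ff;;;AU)'
"After:  $(Get-DefaultShareSddl)"
```

To revert to the built-in default, remove the value (Remove-ItemProperty -Path $defaultKey -Name $valueName) and restart the service again. As noted below, this only changes what Explorer hands out for new shares; check a freshly created share with Get-SmbShare rather than assuming.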

You can now see that new shares created in Explorer get the new default security descriptor: full access for Authenticated Users rather than an entry for Everyone. Modify as needed.

For some reason this does not seem to affect shares created by net share or New-SmbShare.

And, of course, while share creation using New-SmbShare can easily be delegated to a share creators group (see shares), share creation in Explorer appears to require membership in Administrators by default.

This is really a bit pointless: the reason for changing the default security descriptor is to prevent users from making mistakes, but this won’t, unless those users are administrators, in which case we are trusting someone with everything except creating shares.

Ah well…

Next: TBD