# Unexplained NTFS ACL changes across hundreds of folders across our NetApp environment.


jovial moon

We're dealing with a strange issue that is likely not NetApp related at all, but I'm curious if anyone else has run into this issue before.

We've seen 250+ folders on our shared network drives have their NTFS permissions almost entirely replaced with the following SIDs...

CREATOR OWNER - Full Control
SYSTEM - Full Control
local-netapp-server\Users - Special

These changes are happening over multiple weeks, across 3 different sites. Doesn't appear to be related to any known changes or upgrades, whether it's NetApp or other IT stack changes. The only thing I know of that the 3 sites have in common is that we're using DFS to provide the file path namespace for all these sites. Users at these 3 sites will map the local DFS namespace for their particular NetApp server to their desktop as the Z drive for example.

We're enabling auditing to capture future changes, but just completely scratching our heads to figure out what is happening here. I don't think it's user error given the scope and type of permissions changes being applied, and I don't think it's an attack for other reasons. Could be wrong though.

Thanks!

cinder edge

Auditing would be your best bet to get a clue.

simple geode

Based on the principals used in the "new" permissions, I am curious if there were attempts to change permissions using the ONTAP CLI for those paths. Do you see any entries for "vserver security file-directory apply" in your audit log?

jovial moon
soft ingot