Quick scenario on a local Windows system.
Drive E: is formatted with NTFS has the following layout and permissions:
E:\ (JohnDoe)
E:\folder (Administrator)
E:\folder\subfolder (JohnDoe)
JohnDoehas read/write access to the root directory.JohnDoehas read/write accesssubfolderJohnDoedoes NOT have access tofolderJohnDoedoes NOT have the ability to alter permissions.
Since JohnDoe cannot access folder and thus cannot list the contents, he must type in the path E:\folder\subfolder manually. There is is no "clickable" way to get from E:\ to subfolder.
Here's the question: Is there any way for JohnDoe to discover the existence and path of the accessible subfolder, without being able to list the contents of it's parent folder? Assume that he was not told the subfolder's name and that the permissions do not change from what is stated above.
For the sake of this problem, ignore the possibility of a brute-force attack to guess subfolder's name. Only non-brute-force methods are permitted.
Best Answer
NTFS does not provide a method to discover such remote sub-folders within itself, assuming that the intermediary folder is truly no-access. To get such intelligence you have to look beyond just the file-system, perhaps by interrogating other files for paths contained in the doucments, or any shortcuts laying about that reference such sub-directories.
Things get more interesting if JohnDoe has elevated access to the machine. At that point examining open file-handles can reveal the presence of hidden directories. If the directory is shared out, the list of open files for the share would also reveal their presence. These methods wouldn't work for 'normal' users though.