Discussion:
Share Permissions vs NTFS Permissions
Jon
2007-06-17 10:11:00 UTC
Hello,

I'm struggling to understand permissions in W2k3 server standard. I have
shared a folder, 'Documents', and set the share permission for my user group
to Read only. On a sub-folder within 'Documents' I want my user group to have
full control so have set the folder's security permissions appropriately.
However, members of the user group are denied access.

Which set of permissions takes precedence? Should I avoid share permissions
altogether or set them in a particular way?

Apologies if this has been answered before - haven't been able to find the
answer.

Thanks, Jon
Pegasus
2007-06-17 16:32:57 UTC
You should set the Share permissions to "Full access" for everyone,
then tune the NTFS permissions to meet your specific requirements.
Herb Martin
2007-06-17 17:07:04 UTC
As a general recommendation this is not a good one -- sometimes it is
the right choice, but share permissions should ALSO be set by GROUP,
and set to the minimum needed for that group.

Anyone can make a mistake setting the NTFS permissions and share
permissions give us another layer of defense IF security is important to
us.

In general, "Everyone" (and similar generic groups) should seldom if
ever be used when granting ANY permissions.

Use specific groups. Give the minimum.
Pegasus
2007-06-17 17:55:31 UTC
NTFS permissions are sufficiently powerful to keep out
unauthorised users. I'd be interested to hear why you are
so strongly in favour of a belt-and-braces approach.
Herb Martin
2007-06-17 18:13:59 UTC
I already gave you the why -- re-read the message.
Pegasus
2007-06-17 19:06:18 UTC
I was hoping for a little more substance. When I apply
permissions then I check them, same as I check all my
other work. If I detect a mistake then I prefer to correct
it instead of adding a second security layer which offers
far less flexibility or granularity than ACLs.
Herb Martin
2007-06-17 19:23:19 UTC
Security principle: Never grant more security privileges than
necessary, even with the INTENT to restrict them later.

Always grant the minimum privileges at each opportunity.

Always grant privileges to ONLY those who specifically need
them.

You may in fact get the NTFS perfect -- but the fact that you
have to check them (and you should) implies you COULD be
wrong. Don't take such chances unnecessarily and don't recommend
that others (who may not be as careful as you) do so as a GENERAL
rule.

Recommend the tightest possible (practical) settings, with privileges
being granted as EXCEPTIONS whenever possible.

This is the way good security works more reliably.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Pegasus
2007-06-17 20:21:41 UTC
Just because I ***might*** forget to do up my belt does
not necessarily mean that I wear braces. It seems you do
(or at least you recommend to the OP that he does).
Herb Martin
2007-06-18 00:57:21 UTC
Post by Pegasus
Just because I ***might*** forget to do up my belt does
not necessarily mean that I wear braces.
It does if you really care about your security, your business and
your resources, as opposed to the mild discomfort or embarrassment
that will ensue if your pants are droopy or even fall off.

And notice, it's actually a figure of speech to refer to someone who is
serious about getting things right as "a belt and suspenders man".
Post by Pegasus
It seems you do
(or at least you recommend to the OP that he does).
Also notice that "belt and suspenders" must be added, but we are
discussing built-in security and my GENERAL recommendation is
to NEVER give MORE privilege than necessary and never give
privileges to people (groups) who don't require that access.

People who are serious about security follow this as a general
principle:

Lock everything down; grant only the privileges required.
AllenM
2007-06-18 15:52:28 UTC
Pegasus is correct here simply because SHARE permissions supersede NTFS file
permissions with the "least" permissive or as some say "most" restrictive.
If you start controlling access at the share level you'll find yourself
creating more groups and adding security more than you have to. What happens
if you share a top level folder with GroupA=READ and GroupB=Change then you
have sub folders where GroupA needs Modify access on one folder yet only
Read access on another? What are you going to do? GroupA can now only have
Read access within any folder or sub folder. You can't even create another
group and add those users to have Modify access because they're in a Read only
Share group that will take precedence over any other group they're in. Industry
standards and best practices since the old NT days have "always" been
Everyone-FULL at the share level and control folder security using NTFS.
Herb Martin
2007-06-18 21:01:12 UTC
Post by AllenM
Pegasus is correct here simply because SHARE permissions supersede NTFS
file permissions with the "least" permissive or as some say "most"
restrictive. If you start controlling access at the share level you'll
find yourself creating more groups and adding security more than you have
to. What happens if you share a top level folder with GroupA=READ and
GroupB=Change then you have sub folders where GroupA needs Modify access
on one folder yet only
At least with Pegasus I get the feeling he understands permissions.
Post by AllenM
Read access on another? What are you going to do? GroupA can now only have
Read access within any folder or sub folder. You can't even create another
group and add those users to have Modify access because they're in a Read
only Share group that will take precedence over any other group they're in.
Industry standards and best practices since the old NT days have "always"
been Everyone-FULL at the share level and control folder security using
NTFS.
AllenM
2007-06-18 21:54:53 UTC
I got that feeling he does also. It was you I wasn't quite sure understood.
But at least now you know...........
KåreS
2010-12-03 12:59:59 UTC
I know this is an old thread, but Google and other search engines make this a reference forever, so an update:

There is at least one scenario where you would like to set share permissions:
If you as the admin want to be in control of the access control in the directory tree, you should only grant Read and Modify at the share to specific groups or Domain Users and Authenticated Users. You could additionally grant Administrators Full Control at the share.
The effect of this is that the ordinary users will not be able to change the access rights on files or folders below the share, regardless of having Full Control on them.
You must also remember that the owner of a file or directory may actually change the access rights, even if he/she doesn't have Full Control on the file/directory.
Therefore: Restrict access on the share.
This is also the recommended best practice from Microsoft for nearly the last 10 years.
Post by Kerry Brown
One does not override the other. The most restrictive permissions take
precedence. In this case it's the read only on the share. It doesn't matter
what you set the NTFS permissions to, the share permissions only allow
reading. Vice versa, if the share was set to full control and the NTFS
permissions were read you would get read only. It used to be that setting
the share to full control for everyone was the "best practice" and actually
the default setting. NTFS permissions were used to fine tune the
permissions. In today's security conscious world this is changing and many
people now recommend you use both sets of permissions to control security.
The important thing is to understand how they work in combination, be
consistent in how you apply them, and document everything so someone else
can figure why a certain user can't access a file when you're not available.
--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
Post by Brains,None
hhmm... What I do is to set the share to "authorized users", then use
the ntfs system for the rest...
j
Post by Herb Martin
At least with Pegasus I get the feeling he understands permissions.
I got that feeling he does also. It was you I was not quite sure understood.
But at least now you know...........
To restrict access the easiest, for NTFS, you can find the check box under public file properties, security tab, click advanced, click edit, and it should be there under the permissions tab. Then, (BEFORE you close the window, which would leave the folder inaccessible to everyone) open back up access to someone before you close out the window, by adding users and groups back in with whatever permissions are needed to get work done.
Note: this applies to NTFS permissions, not simple file sharing.
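
The rule argued over in this thread (access through a share is limited to what both the share permissions and the NTFS permissions allow), worked through as a simplified model. This is an added example, not code from any poster; the group name `Staff`, the helper names and the sample ACLs are assumptions, deny entries are modelled as always winning, and the owner's implicit right to change permissions is included because one reply raises it.

```python
# Added illustration: simplified model of how share and NTFS permissions combine.
# Group names and helper names are hypothetical; the sample ACLs are constructed.

# Windows access masks behind the named permission levels.
READ_EXECUTE = 0x1200A9   # share "Read" / NTFS "Read & Execute"
CHANGE = 0x1301BF         # share "Change" / NTFS "Modify"
FULL_CONTROL = 0x1F01FF   # "Full Control" on either layer

# Individual rights used to interpret a mask.
FILE_WRITE_DATA = 0x000002
DELETE = 0x010000
READ_CONTROL = 0x020000
WRITE_DAC = 0x040000      # right to change the permissions (the DACL)


def acl_mask(acl, groups):
    """Rights a single ACL gives to a user whose token holds `groups`.

    acl is a list of (kind, group, mask) with kind 'allow' or 'deny'.
    Allow entries accumulate across groups; any matching deny removes
    those bits (a simplification of canonical ACE ordering).
    """
    allowed = denied = 0
    for kind, group, mask in acl:
        if group not in groups:
            continue
        if kind == "deny":
            denied |= mask
        else:
            allowed |= mask
    return allowed & ~denied


def effective_mask(share_acl, ntfs_acl, groups, is_owner=False, via_network=True):
    """Effective rights on a file, locally or through the share."""
    ntfs = acl_mask(ntfs_acl, groups)
    if is_owner:
        # The owner can always read and rewrite the DACL at the NTFS layer.
        ntfs |= READ_CONTROL | WRITE_DAC
    if not via_network:
        return ntfs               # share permissions are not consulted locally
    # Over SMB the request must pass both checks: bitwise intersection.
    return ntfs & acl_mask(share_acl, groups)


def describe(mask):
    """Translate a mask into the capabilities discussed in the thread."""
    return {
        "read": mask & READ_EXECUTE == READ_EXECUTE,
        "write": bool(mask & FILE_WRITE_DATA),
        "delete": bool(mask & DELETE),
        "change_permissions": bool(mask & WRITE_DAC),
    }


STAFF = {"Everyone", "Staff"}   # constructed group membership


def scenarios():
    full_ntfs = [("allow", "Staff", FULL_CONTROL)]
    change_share = [("allow", "Staff", CHANGE),
                    ("allow", "Administrators", FULL_CONTROL)]
    return {
        # Share Read, sub-folder NTFS Full Control: the share caps access at read.
        "read_only_share": describe(effective_mask(
            [("allow", "Staff", READ_EXECUTE)], full_ntfs, STAFF)),
        # Share Everyone Full Control: NTFS alone decides.
        "open_share": describe(effective_mask(
            [("allow", "Everyone", FULL_CONTROL)],
            [("allow", "Staff", CHANGE)], STAFF)),
        # Share Change, NTFS Full Control, user owns the file, via the share.
        "change_share_owner_remote": describe(effective_mask(
            change_share, full_ntfs, STAFF, is_owner=True)),
        # Same ACLs and owner, logged on locally at the server.
        "change_share_owner_local": describe(effective_mask(
            change_share, full_ntfs, STAFF, is_owner=True, via_network=False)),
    }


if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name}: {rights}")
```
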
Submitted via EggHeadCafe
Microsoft LINQ Query Samples For Beginners
http://www.eggheadcafe.com/training-topic-area/LINQ-Standard-Query-Operators/33/LINQ-Standard-Query-Operators.aspx
KåreS
2010-12-03 13:01:11 UTC
Permalink
I know this is an old thread, but Google and other search engines makes this a reference for ever, so an update;

There is at least one scenario where you would like to set share permissions:
If You as the Admin want to be in control of the access control in the directory tree, you should only grant Read and Modify at the Share to specific groups or Domain Users and Authenticated Users. You could additionally grant Administrators Full Control at the share.
The effect of this is that the ordinary users will not be able to change the access rights on files or folders below the share, regardless of having Full Control on them.
You must also remember that the owner of a file or directory may actually change the access rights, even if he/her doesn't have Full Control on the file/directory.
Therefor: Restrict access on the share.
This is also the recommended best practice from Microsoft for nearly the last 10 years.
Post by Jon
Hello,
I'm struggling to understand permissions in W2k3 server standard. I have
shared a folder, 'Documents', and set the share permission for my user group
to Read only. On a sub-folder within 'Documents' I want my user group to have
full control so have set the folder's security permissions appropriately.
However, members of the user group are denied access.
Which set of permissions take precedence? Should I avoid share permissions
altogether or set them in a particular way?
Apologies if this has been answered before - haven't been able to find the
answer.
Thanks, Jon
Post by Pegasus
You should set the Share permissions to "Full access" for everyone,
then tune the NTFS permissions to meet your specific requirements.
Post by Herb Martin
As a general recommendation this is not a good one -- sometimes it is
the right choice, but share permissions should ALSO be set by GROUP,
and set to the minimum needed for that group.
Anyone can make a mistake setting the NTFS permissions and share
permissions give us another layer of defense IF security is important to
us.
In general, "Everyone" (and similar generic groups) should seldom if
ever be used when graning ANY permissions.
Use specific groups. Give the minimum.
Post by Pegasus
NTFS permissions are sufficiently powerful to keep out
unauthorised users. I'd be interested to hear why you are
so strongly in favour of a belt-and-braces approach.
Post by Herb Martin
I already gave you the why -- re-read the message.
Post by Pegasus
I was hoping for a little more substance. When I apply
permissions then I check them, same as I check all my
other work. If I detect a mistake then I prefer to correct
it instead of adding a second security layer which offers
far less flexibility or granularity than ACLs.
Post by Herb Martin
Security principle: Never grant more security privileges than
necessary, even with the INTENT to restrict them later.
Always grant the minimum privileges at each opportunity.
Alwasy grant privileges to ONLY those who specifically need
them.
You may in fact get the NTFS perfect -- but the fact that you
have to check them (and you should) implies you COULD be
wrong. Don't take such chances unnecessarily and don't recommend
that others (who may not be as careful as you) do so as a GENERAL
rule.
Recommend the tightest possible (practical) settings, with privileges
being granted as EXCEPTIONS whenever possible.
This is the way good security works more reliably.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Post by Pegasus
Just because I ***might*** forget to do up my belt does
not necessarily mean that I wear braces. It seems you do
(or at least you recommend to the OP that he does).
Post by Kerry Brown
One does not override the other. The most restrictive permissions take
precedence. In this case it's the read only on the share. It doesn't matter
what you set the the NTFS permissions to the share permissions only allow
reading. Vice versa if the share was set to full control and the NTFS
permissions were read you would get read only. It used to be that setting
the share to full control for everyone was the "best practice" and actually
the default setting. NTFS permissions were used to fine tune the
permissions. In today's security conscious world this is changing and many
people now recommend you use both sets of permissions to control security.
The important thing is to understand how they work in combination, be
consistent in how you apply them, and document everything so someone else
can figure why a certain user can't access a file when you're not available.
--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
Post by Herb Martin
It does if you really care about your security, your business and
your resources, as opposed to the mild discomfort or embarrassment
that will ensue if your pants are droopy or even fall off.
And notice, it's actually a figure of speech to refer to someone who is
serious about getting things right as "a belt and suspenders man".
Also notice that "belt and suspenders" must be added, but we are
discussing built-in security and my GENERAL recommendation is
to NEVER give MORE privilege than necessary and never give
privileges to people (groups) who don't require that access.
People who are serious about security follow this as a general
Lock everything down; grant only the privileges required.
Post by Brains,None
hhmm... What I do is to set the share to "authorized users", then use
the ntfs system for the rest...
j
Post by AllenM
Pegasus is correct here simply because SHARE permissions supersede NTFS file
permissions with the "least" permissive or as some say "most" restrictive.
If you start controlling access at the share level you'll find yourself
creating more groups and adding security more than you have to. What happens
if you share a top level folder with GroupA=READ and GroupB=Change then you
have sub folders where GroupA needs Modify access on one folder yet only
Read access on another? What are you going to do? GroupA can now only have
Read access within any folder or sub folder. You can't even create another
group and add those users to have Modify access because they're in a Read only
Share group that will take precedence over any other group they're in. Industry
standards and best practices since the old NT days have "always" been
Everyone-FULL at the share level and control folder security using NTFS.
Post by Herb Martin
At least with Pegasus I get the feeling he understands permissions.
I got that feeling he does also. It was you I was not quite sure understood.
But at least now you know...........
To restrict access the easiest, for NTFS, you can find the check box under public file properties, security tab, click advanced, click edit, and it should be there under the permissions tab. Then, (BEFORE you close the window, which would leave the folder inaccessible to everyone) open back up access to someone before you close out the window, by adding users and groups back in with whatever permissions are needed to get work done.
Note: this applies to NTFS permissions, not simple file sharing.
Post by KåreS
I know this is an old thread, but Google and other search engines make this a reference for ever, so an update;
If you as the Admin want to be in control of the access control in the directory tree, you should only grant Read and Modify at the Share to specific groups or Domain Users and Authenticated Users. You could additionally grant Administrators Full Control at the share.
The effect of this is that the ordinary users will not be able to change the access rights on files or folders below the share, regardless of having Full Control on them.
You must also remember that the owner of a file or directory may actually change the access rights, even if he/she doesn't have Full Control on the file/directory.
Therefore: Restrict access on the share.
This is also the recommended best practice from Microsoft for nearly the last 10 years.
Submitted via EggHeadCafe
Kerry Brown
2007-06-17 22:22:52 UTC
Permalink
One does not override the other. The most restrictive permissions take
precedence. In this case it's the read only on the share. It doesn't matter
what you set the NTFS permissions to, the share permissions only allow
reading. Vice versa if the share was set to full control and the NTFS
permissions were read you would get read only. It used to be that setting
the share to full control for everyone was the "best practice" and actually
the default setting. NTFS permissions were used to fine tune the
permissions. In today's security conscious world this is changing and many
people now recommend you use both sets of permissions to control security.
The important thing is to understand how they work in combination, be
consistent in how you apply them, and document everything so someone else
can figure why a certain user can't access a file when you're not available.
--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
Post by Jon
Hello,
I'm struggling to understand permissions in W2k3 server standard. I have
shared a folder, 'Documents', and set the share permission for my user group
to Read only. On a sub-folder within 'Documents' I want my user group to have
full control so have set the folder's security permissions appropriately.
However, members of the user group are denied access.
Which set of permissions take precedence? Should I avoid share permissions
altogether or set them in a particular way?
Apologies if this has been answered before - haven't been able to find the
answer.
Thanks, Jon
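The combination rule discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model in which each layer's allow entries accumulate across group memberships, deny entries subtract, and access over the network is the intersection of the share and NTFS results. The group names and ACLs are constructed for illustration; the masks are the standard Windows values for Read, Change/Modify and Full Control.

```python
from dataclasses import dataclass

# Standard Windows access-mask values (the same numbers are used by share and NTFS ACEs).
READ = 0x1200A9        # share "Read" / NTFS "Read & Execute"
CHANGE = 0x1301BF      # share "Change" / NTFS "Modify"
FULL = 0x1F01FF        # "Full Control"
WRITE_DATA = 0x000002  # FILE_WRITE_DATA: create or overwrite file contents
WRITE_DAC = 0x040000   # WRITE_DAC: edit the object's permissions

@dataclass(frozen=True)
class Ace:
    trustee: str       # group name (constructed for this example)
    mask: int
    deny: bool = False

def layer_access(acl, groups):
    """Rights one layer (share OR NTFS) gives a user who belongs to `groups`.
    Simplified model: allows accumulate, any matching deny removes its bits.
    Real NTFS evaluation also depends on ACE order (explicit before inherited)."""
    allowed = denied = 0
    for ace in acl:
        if ace.trustee in groups:
            if ace.deny:
                denied |= ace.mask
            else:
                allowed |= ace.mask
    return allowed & ~denied

def effective_access(share_acl, ntfs_acl, groups):
    """Access through the share: a right must be granted by BOTH layers.
    Local (console) access skips the share ACL, so only NTFS applies there."""
    return layer_access(share_acl, groups) & layer_access(ntfs_acl, groups)

def describe(mask):
    for name, level in (("Full Control", FULL), ("Change/Modify", CHANGE), ("Read", READ)):
        if mask & level == level:
            return name
    return "No access"

USER = {"Users", "Everyone"}  # constructed group memberships of an ordinary user

def scenarios():
    return {
        # Original question: share Read, sub-folder NTFS Full Control.
        "share_read_ntfs_full": effective_access([Ace("Users", READ)], [Ace("Users", FULL)], USER),
        # Everyone=Full on the share, NTFS does the restricting.
        "share_full_ntfs_modify": effective_access([Ace("Everyone", FULL)], [Ace("Users", CHANGE)], USER),
        # Change on the share, Full Control on NTFS: WRITE_DAC is filtered out.
        "share_change_ntfs_full": effective_access(
            [Ace("Users", CHANGE), Ace("Administrators", FULL)], [Ace("Users", FULL)], USER),
    }
```

Calling `describe()` on each value from `scenarios()` gives Read, Change/Modify and Change/Modify respectively.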
Brains,None
2007-06-18 14:55:43 UTC
Permalink
Post by Jon
Hello,
I'm struggling to understand permissions in W2k3 server standard. I have
shared a folder, 'Documents', and set the share permission for my user group
to Read only. On a sub-folder within 'Documents' I want my user group to have
full control so have set the folder's security permissions appropriately.
However, members of the user group are denied access.
Which set of permissions take precedence? Should I avoid share permissions
altogether or set them in a particular way?
Apologies if this has been answered before - haven't been able to find the
answer.
Thanks, Jon
hhmm... What I do is to set the share to "authorized users", then use
the ntfs system for the rest...

j