Share Permissions vs Security

I am sure that this question has been asked thousands of times, but I would
like to re-ask it. I believe I know that share permissions apply to a
share, and that NTFS permissions apply to files and folders.

When I look at the Properties for a share, why do I even see the NTFS
permissions, which I gather is the last tab labelled "Security"?

If we're working in the context of shares, why do we also see NTFS
permissions in the properties?

Sorry if this question sounds odd. I am just trying to get a broader
understanding.

Hello Buck,

They are different, share permissions are for the shared itself and will
win, regardless of which NTFS permissions are set. So if you set the share
permissions to read-only and the NTFS permissions to a security group to
Full control, they still have read-only access.

So share and NTFS permissions must always be set as a combination.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I am sure that this question has been asked thousands of times, but I
> would like to re-ask it. I believe I know that share permissions
> apply to a share, and that NTFS permissions apply to files and
> folders.
>
> When I look at the Properties for a share, why do I even see the NTFS
> permissions, which I gather is the last tab labelled "Security"?
>
> If we're working in the context of shares, why do we also see NTFS
> permissions in the properties?
>
> Sorry if this question sounds odd. I am just trying to get a broader
> understanding.
>

Thanks for the response. But what do the NTFS permissions apply to? Is it
the folder that underlies the share?



> They are different, share permissions are for the shared itself and will
> win, regardless of which NTFS permissions are set. So if you set the share
> permissions to read-only and the NTFS permissions to a security group to
> Full control, they still have read-only access.
>
> So share and NTFS permissions must always be set as a combination.
>

Hello news.eternal-september.org,

This is depending on which folder you configure the NTFS settings.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks for the response. But what do the NTFS permissions apply to?
> Is it the folder that underlies the share?
>
>> They are different, share permissions are for the shared itself and
>> will win, regardless of which NTFS permissions are set. So if you set
>> the share permissions to read-only and the NTFS permissions to a
>> security group to Full control, they still have read-only access.
>>
>> So share and NTFS permissions must always be set as a combination.
>>

On the properties of the share, you see a "Security" tab, which are NTFS
permissions. To what folder do those NTFS permissions apply?



>
> This is depending on which folder you configure the NTFS settings.
>
> Best regards

Hello news.eternal-september.org,

If you have a folder named "folder" share the folder with name "share" the
NTFS permissions set on the folder "folder" applies to it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On the properties of the share, you see a "Security" tab, which are
> NTFS permissions. To what folder do those NTFS permissions apply?
>
>> This is depending on which folder you configure the NTFS settings.
>>
>> Best regards
>>

On Sun, 17 Jan 2010 14:50:48 +0000 (UTC), Meinolf Weber [MVP-DS] wrote:

> Hello Buck,
>
> They are different, share permissions are for the shared itself and will
> win, regardless of which NTFS permissions are set. So if you set the share
> permissions to read-only and the NTFS permissions to a security group to
> Full control, they still have read-only access.
>
> So share and NTFS permissions must always be set as a combination.

I always thought that deny permissions beat allow permissions.
So, if you set NTFS permissions to deny, and set SHARING permissions to
allow, I would think you couldn't access that folder via file sharing.
So, I wouldn't say that share permissions will beat NTFS permissons, rather
that deny permissions will beat allow permissions.

Correct me if I'm wrong ...

"Matija Kapraljevic [Revenger]" <> wrote in message
news:16b92kwpybyx8.1en2u8uq07i72$... .
> On Sun, 17 Jan 2010 14:50:48 +0000 (UTC), Meinolf Weber [MVP-DS]
> wrote:
>
>> Hello Buck,
>>
>> They are different, share permissions are for the shared itself and
>> will
>> win, regardless of which NTFS permissions are set. So if you set the
>> share
>> permissions to read-only and the NTFS permissions to a security group
>> to
>> Full control, they still have read-only access.
>>
>> So share and NTFS permissions must always be set as a combination.
>
> I always thought that deny permissions beat allow permissions.

A common misconception.

As a result of the (default) order in which permissions are checked, a
specific deny is the first checked - if found, access is denied, end of
story. If no specific deny is found it moves on to check for a specific
allow - if found, access is granted, end of story. If no specific allow
is found it moves on to check the inherited permissions - first for
deny, then for allow - so a deny takes precedence as a matter of the
default format of the record not by some policy that says a deny will
dominate.

On Tue, 19 Jan 2010 17:39:45 -0500, FromTheRafters wrote:

>> I always thought that deny permissions beat allow permissions.
>
> A common misconception.
>
> As a result of the (default) order in which permissions are checked, a
> specific deny is the first checked - if found, access is denied, end of
> story. If no specific deny is found it moves on to check for a specific
> allow - if found, access is granted, end of story. If no specific allow
> is found it moves on to check the inherited permissions - first for
> deny, then for allow - so a deny takes precedence as a matter of the
> default format of the record not by some policy that says a deny will
> dominate.

As a result of what you said above, deny permissions will take precedence
of the allow permissons, and will actually 'beat' allow permissions to the
punch, resulting in access being denied.

Still, thanks for the explanation, I didn't know the inner workings of
security permissions to this detail.

In the context of OP's question, and in reply to Meinolfs reply, if you set
File sharing permissions on a folder to Full Control, and then go and set
NTFS permissions to Deny, the access will be denied...

"Matija Kapraljevic [Revenger]" <> wrote in message
news:iwqm6m17w393$.i6f8rfmk2c3l$....
> On Tue, 19 Jan 2010 17:39:45 -0500, FromTheRafters wrote:
>
>>> I always thought that deny permissions beat allow permissions.
>>
>> A common misconception.
>>
>> As a result of the (default) order in which permissions are checked,
>> a
>> specific deny is the first checked - if found, access is denied, end
>> of
>> story. If no specific deny is found it moves on to check for a
>> specific
>> allow - if found, access is granted, end of story. If no specific
>> allow
>> is found it moves on to check the inherited permissions - first for
>> deny, then for allow - so a deny takes precedence as a matter of the
>> default format of the record not by some policy that says a deny will
>> dominate.
>
> As a result of what you said above, deny permissions will take
> precedence
> of the allow permissons, and will actually 'beat' allow permissions to
> the
> punch, resulting in access being denied.
>
> Still, thanks for the explanation, I didn't know the inner workings of
> security permissions to this detail.

You're welcome.

Stated otherwise, one could assume that an inherited deny dominates a
specific allow, and/or that it is an immutable law enforced by policy.

[...]