Share Permissions vs NTFS Permissions

Discussion in 'Windows Server' started by Jon, Jun 17, 2007.

  1. Jon

    Jon Guest


    I'm struggling to understand permissions in W2k3 server standard. I have
    shared a folder, 'Documents', and set the share permission for my user group
    to Read only. On a sub-folder within 'Documents' I want my user group to have
    full control so have set the folder's security permissions appropriately.
    However, members of the user group are denied access.

    Which set of permissions takes precedence? Should I avoid share permissions
    altogether or set them in a particular way?

    Apologies if this has been answered before - haven't been able to find the

    Thanks, Jon
    Jon, Jun 17, 2007

  2. Jon

    Pegasus Guest

    You should set the Share permissions to "Full access" for everyone,
    then tune the NTFS permissions to meet your specific requirements.
    Pegasus, Jun 17, 2007

  3. Jon

    Herb Martin Guest

    As a general recommendation this is not a good one -- sometimes it is
    the right choice, but share permissions should ALSO be set by GROUP,
    and set to the minimum needed for that group.

    Anyone can make a mistake setting the NTFS permissions and share
    permissions give us another layer of defense IF security is important to

    In general, "Everyone" (and similar generic groups) should seldom if
    ever be used when granting ANY permissions.

    Use specific groups. Give the minimum.
    Herb Martin, Jun 17, 2007
  4. Jon

    Pegasus Guest

    NTFS permissions are sufficiently powerful to keep out
    unauthorised users. I'd be interested to hear why you are
    so strongly in favour of a belt-and-braces approach.
    Pegasus, Jun 17, 2007
  5. Jon

    Herb Martin Guest

    I already gave you the why -- re-read the message.
    Herb Martin, Jun 17, 2007
  6. Jon

    Pegasus Guest

    I was hoping for a little more substance. When I apply
    permissions then I check them, same as I check all my
    other work. If I detect a mistake then I prefer to correct
    it instead of adding a second security layer which offers
    far less flexibility or granularity than ACLs.
    Pegasus, Jun 17, 2007
  7. Jon

    Herb Martin Guest

    Security principle: Never grant more security privileges than
    necessary, even with the INTENT to restrict them later.

    Always grant the minimum privileges at each opportunity.

    Always grant privileges to ONLY those who specifically need

    You may in fact get the NTFS perfect -- but the fact that you
    have to check them (and you should) implies you COULD be
    wrong. Don't take such chances unnecessarily and don't recommend
    that others (who may not be as careful as you) do so as a GENERAL

    Recommend the tightest possible (practical) settings, with privileges
    being granted as EXCEPTIONS whenever possible.

    This is the way good security works more reliably.
    Herb Martin, Jun 17, 2007
  8. Jon

    Pegasus Guest

    Just because I ***might*** forget to do up my belt does
    not necessarily mean that I wear braces. It seems you do
    (or at least you recommend to the OP that he does).
    Pegasus, Jun 17, 2007
  9. Jon

    Kerry Brown Guest

    One does not override the other. The most restrictive permissions take
    precedence. In this case it's the read only on the share. It doesn't matter
    what you set the NTFS permissions to; the share permissions only allow
    reading. Vice versa, if the share was set to full control and the NTFS
    permissions were read, you would get read only. It used to be that setting
    the share to full control for everyone was the "best practice" and actually
    the default setting. NTFS permissions were used to fine tune the
    permissions. In today's security conscious world this is changing and many
    people now recommend you use both sets of permissions to control security.
    The important thing is to understand how they work in combination, be
    consistent in how you apply them, and document everything so someone else
    can figure why a certain user can't access a file when you're not available.
    Kerry Brown, Jun 17, 2007
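
Added example (not part of any post in this thread): a simplified Python model of the rule described above, where access through a share is limited to what both the share ACL and the NTFS ACL allow, while local access is governed by NTFS alone. Rights are modelled as sets of labels rather than real access masks, inheritance and ACE ordering are ignored, and the group name "Staff" and the mistaken NTFS entry are constructed for illustration.

```python
# Added example: simplified model of share + NTFS permission evaluation.
# Rights are sets of labels, not real access masks; ACE ordering and
# inheritance are ignored. "Staff" is a hypothetical group name.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership"}


def acl_rights(acl, groups):
    """Rights one ACL gives a user: matching allows minus matching denies."""
    allowed, denied = set(), set()
    for kind, trustee, rights in acl:
        if trustee in groups:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective_rights(share_acl, ntfs_acl, groups, over_network=True):
    """Network access gets the intersection; local access sees NTFS only."""
    ntfs = acl_rights(ntfs_acl, groups)
    if not over_network:
        return ntfs
    return acl_rights(share_acl, groups) & ntfs


# Jon's setup: share grants Read, sub-folder NTFS grants Full Control.
JON_SHARE = [("allow", "Staff", READ)]
SUBFOLDER_NTFS = [("allow", "Staff", FULL)]

# The two share policies argued over in the thread.
OPEN_SHARE = [("allow", "Everyone", FULL)]
TIGHT_SHARE = [("allow", "Staff", CHANGE)]
# Constructed mistake: NTFS accidentally grants Everyone full control.
MISTAKEN_NTFS = [("allow", "Everyone", FULL)]

STAFF_USER = {"Everyone", "Staff"}
OUTSIDER = {"Everyone"}

if __name__ == "__main__":
    print("Jon, via share:", sorted(effective_rights(JON_SHARE, SUBFOLDER_NTFS, STAFF_USER)))
    print("Jon, at console:", sorted(effective_rights(JON_SHARE, SUBFOLDER_NTFS, STAFF_USER, over_network=False)))
    for name, share in (("open share", OPEN_SHARE), ("tight share", TIGHT_SHARE)):
        got = effective_rights(share, MISTAKEN_NTFS, OUTSIDER)
        print(f"outsider, {name}, mistaken NTFS:", sorted(got))
```

With the constructed NTFS mistake, the group-scoped share still leaves a non-member with no rights over the network, whereas the Everyone/Full Control share passes the mistake straight through.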
  10. Jon

    Herb Martin Guest

    It does if you really care about your security, your business and
    your resources, as opposed to the mild discomfort or embarrassment
    that will ensue if your pants are droopy or even fall off.

    And notice, it's actually a figure of speech to refer to someone who is
    serious about getting things right as "a belt and suspenders man".
    Also notice that "belt and suspenders" must be added, but we are
    discussing built-in security and my GENERAL recommendation is
    to NEVER give MORE privilege than necessary and never give
    privileges to people (groups) who don't require that access.

    People who are serious about security follow this as a general

    Lock everything down; grant only the privileges required.
    Herb Martin, Jun 18, 2007
  11. Jon

    Brains,None Guest

    hhmm... What I do is to set the share to "authorized users", then use
    the ntfs system for the rest...

    Brains,None, Jun 18, 2007
  12. Jon

    Herb Martin Guest

    At least with Pegasus I get the feeling he understands permissions.
    Herb Martin, Jun 18, 2007