NTFS & Share permissions

[C Hall]

Hi everybody,

When a logical drive is setup, by default the Everyone group has full
control (NTFS). I read somewhere that it was best to remove the Everyone
group and replace with the Authenticated Users group. Before I go romping
around and making this change on all my servers logical drives, can someone
confirm this or otherwise make recommendations? I also read that when
creating a security structure with share & ntfs permissions, to use share
permissions sparingly, but use ntfs to secure folders.

Any input would be appreciated.

Chris

 

[Steven L Umbach]

Share and ntfs permissions work together to restrict network user access to
a share. Both should be no more than is needed. Of course ntfs permissions
are much more granular. If a user needs to write to a share you have no
choice but to give that user/group change permissions to the share but if
you don't want them to delete files you can give them
read/list/execute/write ntfs permissions.

It is generally safe to replace everyone with authenticated users and to
change permissions for either down from full control. Everyone access can be
more convenient if you need to give permissions to users in a trusted domain
also. The big danger with everyone permissions is if both the share and ntfs
permissions include the everyone group and the guest account is enabled then
everyone indeed [without authentication] can access the share. The NSA
security guides use authenticated users instead of everyone for users for
access permissions. --- Steve

 

[Guest]

Remember that NT Share permissions only work if accessed via the network. In
combination with NTFS permissions, you should be able to achieve what you
need (both access locally and remotely).

 

[chrish64]

Thanks everyone for the posts. For whatever reason, after I posted the
message never showed up in Outlook Express.