Security vs. Sharing Permissions

Mike W.

I'm a little unclear on the difference between the
permissions one sets in the Security sheet and the ones in
the Sharing>Permissions sheet. How do they affect each
other, if at all?

Is there a 'best practices' document for setup of network
shares on a server? I'm setting up some different folders
to be accessed by some or all of our domain users & want
to be sure I get it right.
 
Steven Umbach

Share permissions only apply to network access while NTFS permissions apply to
all access, network and local. A user's permissions for each is determined by the
most liberal permission granted to the groups he belongs to, except that a deny
overrides all [with exception of NTFS where an explicit allow overrides an
inherited deny]. Then a user's final access is based on the most restrictive of
either share or NTFS. In other words if Joe has full access to a share, but read
NTFS permissions to that share then his granted access over the network is read.
Be careful with default share permissions in W2K as they are full control for
everyone which is usually way too much, and full should usually be only for
administrators or maybe a home folder. See the links below for more info. --
Steve


http://support.microsoft.com/default.aspx?scid=kb;en-us;300691
http://support.microsoft.com/?id=301195
http://support.microsoft.com/default.aspx?scid=kb;EL;301198
http://www.windowsitlibrary.com/Content/592/toc.html
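
The evaluation rule described in the post above, as an added example that is not part of the original thread: a simplified Python model, not Windows' own access check. The three rights bits, the `Ace` type and all user, group and ACL names are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE, ADMIN = 1, 2, 4      # simplified rights bits (assumption)
CHANGE = READ | WRITE             # "Change" / "Modify"
FULL = READ | WRITE | ADMIN       # adds changing permissions and ownership

@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group name
    allow: bool               # True = allow entry, False = deny entry
    mask: int
    inherited: bool = False   # share ACLs have no inherited entries

def effective(acl, principals):
    """Rights one ACL gives a user whose name and groups are in `principals`."""
    granted = denied = 0
    # Order: explicit deny, explicit allow, inherited deny, inherited allow.
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied    # allows accumulate: most liberal wins
        else:
            denied |= ace.mask & ~granted    # deny wins unless an earlier allow applied
    return granted

def access(share_acl, ntfs_acl, principals, over_network=True):
    """Final access: NTFS always applies; the share ACL only over the network."""
    ntfs = effective(ntfs_acl, principals)
    if not over_network:
        return ntfs
    return ntfs & effective(share_acl, principals)   # most restrictive of the two

# Constructed sample data.
JOE = {"joe", "Users", "Everyone"}
BOB = {"bob", "Users", "Everyone"}
OPEN_SHARE = [Ace("Everyone", True, FULL)]        # the W2K default the post warns about
CHANGE_SHARE = [Ace("Everyone", True, CHANGE)]
READ_NTFS = [Ace("Users", True, READ)]
HOME_NTFS = [Ace("joe", True, FULL), Ace("Administrators", True, FULL)]
OVERRIDE_NTFS = [Ace("Users", False, WRITE, inherited=True),
                 Ace("joe", True, CHANGE)]

if __name__ == "__main__":
    print("Joe, open share, read-only NTFS:", access(OPEN_SHARE, READ_NTFS, JOE))
    print("Bob, open share, Joe's home folder:", access(OPEN_SHARE, HOME_NTFS, BOB))
    print("Joe, change-only share, own home:", access(CHANGE_SHARE, HOME_NTFS, JOE))
```

In this model a wide-open share ACL leaves NTFS as the only control, and tightening the share to Change caps what the owner can do over the network without affecting local access.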
 
Mike W.

Thank you Steve.

So if we take a standard user's home folder, would it make
sense to set NTFS permissions giving only the user full
control & leave share permissions at 'everyone',
effectively blocking them out?

 
Paul Matear

personally I wouldn't ever give FULL to users at either share or ntfs level
except where absolutely necessary- don't let users play with permissions
(especially where there's no reason for this e.g. in a home folder that only
they have access to) - give them matches instead, far less dangerous

you need to ensure that the share doesn't have FULL as this will give the
user FULL control over any new files they create (by virtue of being the
OWNER)

regards
paul

 
Steven L Umbach

The KB link below describes a home folder ntfs setup. The share permissions
you would want would probably be modify for the everyone/users group. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;300691

 
Mike W.

Thanks Gents.

I'll give it a try & write back if I have any more questions.