Share and NTFS permissions

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have read that the best way to allocate permissions for shared folders is -
is to Share the folder . Give Share-Permissions as " Everyone Full Control"
and give the specific Allow/Deny permissions in the NTFS tab.

Is there any insecurity in giving Share-permissions as Full control and only
specifying the NTFS permissions accurately ?

If no insecurities , why is Windows giving us the facility to give
permissions in 2 places and making it confusing?
 
No security risk other than someone screwing up and not setting the NTFS
permissions properly.

As for why they have both mechanisms, because if they didn't, you would
have 100 people in here at least including myself asking why MSFT didn't
give that flexibility. Maybe you have a situation where regardless of
anything, no one should have more than READ when connecting through a
specific share (say it is a share that houses archive data) but some
admin screws up when adding a new folder to it and gives Change... The
Share RO permissions would make that case so it wasn't an issue.

It really isn't all that confusing. I think when I first heard about it
back in about 1995 or 1996 I spent all of about 15 seconds thinking
about it and haven't had an issue since. Doesn't mean I haven't seen
hundreds if not thousands of admins have issues with it. But that
doesn't make me question the granularity capability in the system.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
IMO that is the best way when the objective is to make the
task as simple as possible without regard to what the impact
is upon security. You have two levels of protection. The
advise is to not use one. Bad advise in my opinion.
The share level permissions need to allow as minimum the
sum of the ntfs permissions you want to be possible. Some
people evidently do not want to add, and say that, since there
is no sum greater than Everyone Full, use that. OK. So now
you make a mistake in the NTFS permissions and grant to
Users Full on some part of the share - or the Owner of some
part does. Now what?
 
Back
Top