Learning NTFS Permissions

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by zimbo, Apr 10, 2006.

  1. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    I don't know what the books say. I'm talking from the real world.
    Yes, share Read and NTFS Full would still be effective Read, but that doesn't mean that you should then just leave the share wide open. Why invent a door if you're not going to close it?
     
  2. Luddym

    Luddym Megabyte Poster

    I like to think of it as the Share being a door to a nightclub and NTFS being bouncers.

    The doors are always open, but you only get in if your name is on the list.

    Kinda makes sense in my mind that way. :)
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  3. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    Again, what is the function of the doors if you leave them open?

    Try to think of it as an airport. First you have to go through passport control. Second you have to go through the metal detector. Two layers of security. It may not be much, but at least it's something. Use it. It's best practice.

    Let me put it another way: remember the Nimda virus? Or the Sircam virus? Or the FunLove virus? Just a few of the viruses that spread through so-called open shares. But, you say, I'm safe because my NTFS permissions are bolted down. Are you sure? Does that include the admin? Wouldn't it have been "much" safer if you had also bolted down the share permissions?
     
  4. Luddym

    Luddym Megabyte Poster

    I can see your point, D. I mean, it can make sense to increase your security by using both share permissions and NTFS.

    But ... it is Microsoft's operating system, and they suggest it is best practice. I suppose it is a matter of preference and business needs. In the end, do most organisations need the extra-tight security and thus need to spend the extra time dealing with shares, or does the organisation just need relatively strong security and not have to deal with the extra complication and time consumption of shares?

    Suppose it is just another trade-off. :twisted:
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  5. Modey

    Modey Terabyte Poster

    I would have to disagree with you on this one, D-Faktor. I have always gone with what is considered the MS way of doing things when it comes to share permissions and NTFS permissions, i.e. shares wide open and NTFS locked down. And yes, in the real world, not just from books.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  6. PAT

    PAT Banned

    When I did 290, about 20 of the questions were on NTFS and share permissions. Luckily for me I was very good with this and enjoyed learning the technology. The best way to learn, I found, was to read a little on the subject first and then practise the theory at work or in the lab. Just make sure you know it well for 290.

    Hope that helps you :)
     
  7. _omni_

    _omni_ Megabyte Poster

    Let's say that User has (NTFS) Read and Write permissions for FolderA and Read (share) permissions to the same folder.

    If User tries to access FolderA locally, he will have both Read and Write access.
    If instead he accesses it over the network, his effective permissions will be Read, because that is the more restrictive of the two (NTFS and share) permissions.

    Now we change his share permissions to Full Control.
    User accesses the folder again over the network and tries to delete FolderA.
    He will be unsuccessful, because this time the more restrictive of the two is the NTFS permissions, which are Read and Write.

    So as you can see, it all comes down to the NTFS permissions. The share permissions let you in the gate, but it is the NTFS permissions that will decide (once the share Ps have let you in the gate) whether or not you can enter the front door, which would be the folder.
    OK, bad example :oops:
     
    Certifications: MCSE 2003, MCSA:M
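
The scenario in the post above, worked through as an added example (not code from the thread or from any of its posters). It models the rule that remote access gets the intersection of the share grant and the NTFS grant, while a local logon is governed by NTFS alone. The mapping of the three share levels onto FileSystemRights values is an assumption made for the model; nothing here touches a live share, and the grants are constructed inline.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the thread): model how a share ACL and an NTFS ACL
# combine. Over the network the effective rights are the intersection (bitwise
# AND) of the two; a local logon never consults the share ACL at all.
# Nothing below touches a live share; the grants are constructed inline.

# Assumed mapping of the three share permission levels onto NTFS-style rights.
# The key names match the AccessRight values reported by Get-SmbShareAccess.
$ShareLevel = @{
    Read   = [FileSystemRights]::ReadAndExecute
    Change = [FileSystemRights]::Modify
    Full   = [FileSystemRights]::FullControl
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)][FileSystemRights] $NtfsRights,  # what the NTFS Allow ACE grants
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full')][string] $ShareRight,
        [switch] $Local                                         # console/RDP access to the folder
    )
    if ($Local) { return $NtfsRights }
    return [FileSystemRights]([int]$NtfsRights -band [int]$ShareLevel[$ShareRight])
}

function Test-Right {
    param([FileSystemRights] $Effective, [FileSystemRights] $Wanted)
    # $Wanted may itself be a composite (e.g. Write); every one of its bits must be present.
    return (([int]$Effective -band [int]$Wanted) -eq [int]$Wanted)
}

# The scenario from the post: NTFS grants Read and Write, the share grants Read.
$ntfs = [FileSystemRights]::Read -bor [FileSystemRights]::Write

$onBox = Get-EffectiveAccess -NtfsRights $ntfs -ShareRight Read -Local
"Local access   : $onBox"

$remote = Get-EffectiveAccess -NtfsRights $ntfs -ShareRight Read
"Via share Read : $remote"
"  can write?   : $(Test-Right $remote ([FileSystemRights]::Write))"

# Widen the share to Full Control: NTFS is now the limiting layer.
$remote = Get-EffectiveAccess -NtfsRights $ntfs -ShareRight Full
"Via share Full : $remote"
"  can delete?  : $(Test-Right $remote ([FileSystemRights]::Delete))"
```

Run as-is, the first remote check comes back without the Write bits (the share ACL clipped them) and the second comes back without Delete (the NTFS ACE never granted it), which is exactly the post's two outcomes. To feed real values in, take `(Get-SmbShareAccess -Name <share>).AccessRight` for the share side and the `FileSystemRights` of the relevant entries in `(Get-Acl <path>).Access` for the NTFS side. Keep in mind that this model handles one Allow ACE per layer; real effective access also has to account for group membership, multiple ACEs and Deny entries, which is what the Effective Access tab computes for you.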
  8. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Great thread on permissions. Any more takers :tune
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  9. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I know very little about NTFS permissions, but what I would want to see is a set of rules incorporating boolean expressions to derive it.

    I'm fairly certain that the underlying code does it that way - and I am comfortable with such things.

    Perhaps I ought to take a look..... :biggrin

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  10. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Err, for those with the MS Press book there is a nice section in grey about this: 3 ways of using NTFS permissions:

    Real World
    MS best practice
    MS Exams and Certs

    Real world says: Share: Full Control and lock down with NTFS. Now that to me makes a lot of sense, and D, I will make sure to slam all my doors shut! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  11. _omni_

    _omni_ Megabyte Poster

    It also makes sense for the troubleshooting/maintaining aspect, because it is simpler to leave the shares open and control everything at the granular NTFS level.
    Then when there's a problem, you won't have to dig through confusing share/NTFS combinations.
     
    Certifications: MCSE 2003, MCSA:M
  12. ffreeloader

    ffreeloader Terabyte Poster

    I'm going to have to agree with d-Faktor. Leaving share permissions at full control for everyone just doesn't make good sense from a security perspective. You want to operate from a least required permission standpoint and work out from there, not a most permissive permissions standpoint.

    Giving full share permissions to everyone violates all good security principles. It might be the easiest solution to implement, but it is far from an ideal, or even a good, solution.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. zenboy

    zenboy Bit Poster

    I believe both methods are mentioned in several study guides that I have read (read too many on permissions to check where).
    I would stick with the share Full Control with granular NTFS permissions on folders method, since this is mentioned in the MS Press book for test purposes. I have been reading on this subject for over 4 days through dozens of study guides and white papers, and it is hard to decide which one is best.
     
  14. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Throughout my studies for MCSE I never encountered a question where the share permissions were left wide open. So for studying purposes, I would recommend understanding both and how they affect each other.

    In the real world *I* would use both!

    Microsoft seem to be trying to get people to focus on NTFS now (in the real world) but you should also remember that not all shares are on NTFS volumes :dry
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  15. zimbo
    Honorary Member

    zimbo Petabyte Poster

    There I totally agree! :biggrin If it's a FAT32 volume this whole debate wouldn't exist! :biggrin

    Umm, going back to my very first thread, what's the difference between Write and Modify? :blink Is Modify a *subset permission* of Write?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  16. supag33k

    supag33k Kilobyte Poster

    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  17. _omni_

    _omni_ Megabyte Poster

    Permissions on the Security tab consist of several special permissions.
    With that in mind, Write is comprised of:

    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes

    while Modify is composed of the Read, Read & Execute, and Write "general" permissions, which include:

    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Delete Subfolders and Files
    Delete
    Read Permissions

    Go set a permission on a file, then go to Security tab > Advanced, double-click the relevant permission entry and you will see what the permission is really composed of.
     
    Certifications: MCSE 2003, MCSA:M
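
The decomposition described in the post, done programmatically as an added example (not code from the thread or its posters). It reads the composite values that the .NET FileSystemRights enum encodes, which are the same bit values Windows stores in NTFS ACEs, so the output is the authoritative breakdown rather than a hand-copied list. The GUI labels in the table are the ones the Advanced Security Settings dialog uses; the `Get-SpecialPermissions` name is this example's own.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the thread): decompose the "generic" NTFS permissions
# into the special permissions they are built from, using the bit values that
# the .NET FileSystemRights enum encodes (the same values Windows stores in ACEs).

# Single-bit rights with the labels the Security tab's Advanced dialog uses.
# Several bits carry a folder meaning and a file meaning, hence "A / B".
$SpecialPermissions = @(
    @{ Bit = [FileSystemRights]::ReadData;                     Label = 'List Folder / Read Data' }
    @{ Bit = [FileSystemRights]::WriteData;                    Label = 'Create Files / Write Data' }
    @{ Bit = [FileSystemRights]::AppendData;                   Label = 'Create Folders / Append Data' }
    @{ Bit = [FileSystemRights]::ReadExtendedAttributes;       Label = 'Read Extended Attributes' }
    @{ Bit = [FileSystemRights]::WriteExtendedAttributes;      Label = 'Write Extended Attributes' }
    @{ Bit = [FileSystemRights]::ExecuteFile;                  Label = 'Traverse Folder / Execute File' }
    @{ Bit = [FileSystemRights]::DeleteSubdirectoriesAndFiles; Label = 'Delete Subfolders and Files' }
    @{ Bit = [FileSystemRights]::ReadAttributes;               Label = 'Read Attributes' }
    @{ Bit = [FileSystemRights]::WriteAttributes;              Label = 'Write Attributes' }
    @{ Bit = [FileSystemRights]::Delete;                       Label = 'Delete' }
    @{ Bit = [FileSystemRights]::ReadPermissions;              Label = 'Read Permissions' }
    @{ Bit = [FileSystemRights]::ChangePermissions;            Label = 'Change Permissions' }
    @{ Bit = [FileSystemRights]::TakeOwnership;                Label = 'Take Ownership' }
    @{ Bit = [FileSystemRights]::Synchronize;                  Label = 'Synchronize' }
)

function Get-SpecialPermissions {
    param([Parameter(Mandatory)][FileSystemRights] $Right)
    # Emit the label of every single-bit right present in $Right.
    foreach ($p in $SpecialPermissions) {
        if (([int]$Right -band [int]$p.Bit) -ne 0) { $p.Label }
    }
}

# Break each generic permission down to its special permissions.
foreach ($generic in 'Write', 'Read', 'ReadAndExecute', 'Modify', 'FullControl') {
    $r = [FileSystemRights]$generic
    '{0} (0x{1:X}):' -f $generic, [int]$r
    Get-SpecialPermissions -Right $r | ForEach-Object { "    $_" }
}

# Answer the original question directly: what does Modify carry that
# Read & Execute plus Write do not?
$extra = [int][FileSystemRights]::Modify -band -bnot ([int][FileSystemRights]::ReadAndExecute -bor [int][FileSystemRights]::Write)
'Modify adds on top of Read & Execute + Write:'
Get-SpecialPermissions -Right ([FileSystemRights]$extra) | ForEach-Object { "    $_" }
```

Two things worth checking against the output: Write is the four write-side bits, so Modify is a superset of Write and not the other way round, and the only bit Modify adds beyond Read & Execute plus Write is Delete. Delete Subfolders and Files is a separate special permission that only Full Control includes by default, which matters when you are deciding whether a group that may edit documents should also be able to remove whole subtrees. The same function can be pointed at a real ACE: iterate `(Get-Acl <path>).Access` and pass each entry's `FileSystemRights`, skipping inherit-only entries whose value shows up as a large generic-rights number rather than a named combination.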
  18. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  19. zenboy

    zenboy Bit Poster

    I would like to retract my earlier comment about the exam's purpose on share and NTFS permissions.
    In the MS Press 70-290 book, Chapter 6, Lesson 1, page 6-8, it is stated, "you must understand share permission to meet the objectives of the MCSA and MCSE exams". The default share permission in Windows Server 2003 is Allow Read for Everyone.
    But in the real world, configure shares with Everyone: Allow Full Control share permission, and lock down the shared folder, and any other files or folders beneath it, using NTFS permissions.
    It took me several days of reading to understand the minute details of share and NTFS permissions in relation to inherited, explicit and effective permissions, and accounts' special memberships such as Batch, Interactive, Network, Creator Group, etc.
    I would suggest to anyone to read Mastering Windows Server 2003 by Minasi to get a good understanding of this subject. He explains it better than anyone I have read so far.
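
The thread keeps returning to the two ways of publishing a folder: Everyone: Full Control on the share with NTFS doing the work, or both layers restricted. The following is an added example (not code from the thread or its posters) of the second, layered approach, written for a server with the SmbShare module (Windows Server 2012 and later). The share name, path and group names are assumptions for illustration; the `New-LockedDownShare` function name is this example's own.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example (not from the thread): publish a folder as a share with BOTH
# the NTFS ACL and the share ACL restricted to the groups that need access.
# Requires local administrator rights and the SmbShare module.
function New-LockedDownShare {
    param(
        [Parameter(Mandatory)][string] $Name,          # share name, e.g. 'Projects'   (assumed)
        [Parameter(Mandatory)][string] $Path,          # local NTFS path, e.g. 'D:\Projects' (assumed)
        [Parameter(Mandatory)][string] $EditorsGroup,  # e.g. 'CONTOSO\Projects-Editors' (assumed)
        [Parameter(Mandatory)][string] $ReadersGroup   # e.g. 'CONTOSO\Projects-Readers' (assumed)
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # --- NTFS layer: stop inheriting from the volume root (dropping the inherited
    #     ACEs, typically Users: Read and CREATOR OWNER: Full), then grant only
    #     what each principal needs, inherited by all subfolders and files.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = [FileSystemRights]::FullControl },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = [FileSystemRights]::FullControl },
        @{ Id = $EditorsGroup;            Rights = [FileSystemRights]::Modify },
        @{ Id = $ReadersGroup;            Rights = [FileSystemRights]::ReadAndExecute }
    )
    foreach ($r in $rules) {
        $ace = [FileSystemAccessRule]::new([NTAccount]$r.Id, $r.Rights, $inherit,
                                           [PropagationFlags]::None, [AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # --- Share layer: Everyone is deliberately not granted anything. Editors get
    #     Change and readers get Read, mirroring the NTFS grants; Administrators
    #     keep Full so the share remains manageable. Because the effective remote
    #     access is the more restrictive of the two layers, nothing here widens
    #     what NTFS already allows, it only removes the wide-open front door.
    New-SmbShare -Name $Name -Path $Path `
        -FullAccess   'BUILTIN\Administrators' `
        -ChangeAccess $EditorsGroup `
        -ReadAccess   $ReadersGroup | Out-Null

    # Show the resulting share ACL so the caller can confirm no Everyone entry exists.
    Get-SmbShareAccess -Name $Name
}

# Example invocation (assumed names):
# New-LockedDownShare -Name 'Projects' -Path 'D:\Projects' `
#     -EditorsGroup 'CONTOSO\Projects-Editors' -ReadersGroup 'CONTOSO\Projects-Readers'
```

For the Everyone: Full Control style the thread describes, replace the three access parameters with `-FullAccess 'Everyone'` and leave the NTFS block unchanged; the difference between the two styles is then only that one line. On Server 2003 and 2008, where New-SmbShare is not available, the share-level part is `net share Projects=D:\Projects /GRANT:"CONTOSO\Projects-Editors",CHANGE` and so on, one `/GRANT` per principal. Whichever style you pick, verify it from a client rather than from the console, since a local logon (including RDP) never goes through the share ACL, and run the Effective Access tab for a member of each group before hand-over.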
     
  20. zimbo
    Honorary Member

    zimbo Petabyte Poster

    That's where I get my reasoning from, zen: the 290 book. You talking about that grey box in the book, right? I'm sure everyone has their own way of locking down resources and it will vary from pro to pro.
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
