simpleton needs help with ntfs permissions

Discussion in 'General Microsoft Certifications' started by thetokyoproject, Aug 31, 2008.

  1. thetokyoproject

    thetokyoproject Byte Poster

    Hi, I need help with a text recommendation that goes into depth about NTFS/share permissions with inheritance and special permissions. I've looked at the chapter in the MS Press book but it's not really that detailed.

    Is there a particular text that goes into this in a lot of detail with examples and exercises? This is one of my bête noire subjects; some things I just can't really get my head around.


    many thanks.
     
    Certifications: 271
  2. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Windows 2000/2003 NTFS and Share Permissions

    Understanding Windows NTFS Permissions

    How IT works. NTFS Permissions

    NTFS Permissions

    NTFS From Wikipedia
     
  3. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    When setting up a share on a file server it is common for the share permissions to have ‘full control’ for everyone and then the permissions are tailored with NTFS permissions (in the security tab).

    Follow the links posted by cheeks and also mess around with NTFS permissions on a test\virtual server to get a better idea on how to configure security on file shares.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. Fergal1982

    Fergal1982 Petabyte Poster

    define 'common'

    Whilst it may be done, I personally wouldn't say it's a good practice. If your users don't need more than write access, don't set the permissions on the share higher than write. I know, for instance, that the standard policy in my company is to assign a user group share permissions only to the highest level they will ever require on that share. Since users are rarely (if ever) given full control (we don't want them to be able to remove the IS group permissions from a file/folder, for instance, nor do we ever want them to change the permissions to allow someone else access; all access is controlled by IS), the share permissions for their groups are set to write access. For those few groups that never ever need to write, they are solely given read.

    As I understand it, the share permissions define the highest level of access that group can have on the share. Thus, if you set the share permission for the group to read, even if you give them write onto a file on that share, they will still only have read.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    The share permission is ‘full’ but the NTFS can be ‘read only’ (for a user or group) therefore the user gets read only.

    The root share folder (e.g. Data) can have full control at the share level (not NTFS) and I could put a folder called finance in it and assign only the finance group read\write through NTFS. That’s the folder configured exactly how I need it and I can then map a drive directly to the finance folder. I can then put other folders in the data directory and assign a security group with the required permissions.

    In regard to being ‘common’ it’s explained that way in the 70-290 MS Press book if I remember correctly.

    Here is another example..

    http://www.windowsecurity.com/articles/Share-Permissions.html
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    For the exam, it has to be the M$ way that you will need to learn.
     
  7. Fergal1982

    Fergal1982 Petabyte Poster

    Just because MS says it should be done one way (and yes, it should be noted for exam purposes) doesn't mean it's the right way. I personally would follow what my company does: no-one gets full access on the share permissions unless they genuinely need it. If the group needs read on some and write on others, they get write. If they only need read, they only get read on the share permissions. I would still need to configure the folder permissions as appropriate, but it's an extra level of security to ensure people don't get a level of access they have no business with.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  8. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    As long as the methods used are documented and followed correctly then that's the main thing. The only reason I said it was 'common' is that I have seen the config many times on various networks I support day to day and for one-off contracts.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

  10. craigie

    craigie Terabyte Poster

    The way I remember this is as follows:

    Escalate each user's rights to the highest for NTFS permissions and share permissions separately.

    Then take the lowest of the two Permissions, which would be the result.

    For example:

    User 1 has NTFS permissions in Group A\Read (net is Read access)
    User 1 has share permissions in Group A\Read, Group B\Write, Group C\Full Access (net is Full Access)

    Take the lower of these two, therefore User 1 has Read Access.

    It is worth remembering that Deny nearly always overwrites Allow unless it has been explicitly placed on a file/folder rather than being inherited.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
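A worked model of craigie's rule in Python, added here and not taken from any poster: the Read/Write/Full levels, the group names and the ACLs are constructed for illustration, and the Deny handling follows Windows' canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), which is why an explicit Allow beats an inherited Deny. It also covers the local-logon case raised later in the thread, where only NTFS applies.

```python
from dataclasses import dataclass
from typing import Iterable, Set

# Rights as bits; "Write" here is Windows' Change level (read + write).
READ, WRITE, CHANGE_PERMS = 1, 2, 4
LEVELS = {"None": 0, "Read": READ, "Write": READ | WRITE,
          "Full": READ | WRITE | CHANGE_PERMS}

@dataclass(frozen=True)
class Ace:
    group: str
    level: str            # key of LEVELS
    allow: bool = True    # False = Deny entry
    inherited: bool = False

def _canonical(ace: Ace) -> int:
    # Windows order: explicit deny, explicit allow, inherited deny, inherited allow
    return (2 if ace.inherited else 0) + (1 if ace.allow else 0)

def granted_bits(aces: Iterable[Ace], groups: Set[str]) -> int:
    """Bits an ACL grants to a user who is a member of `groups`."""
    decided = allowed = 0
    for ace in sorted(aces, key=_canonical):   # stable: keeps ACL order within a tier
        if ace.group not in groups:
            continue
        bits = LEVELS[ace.level] & ~decided     # only still-undecided bits count
        if ace.allow:
            allowed |= bits
        decided |= bits                          # a deny just settles the bits as off
    return allowed

def level_name(bits: int) -> str:
    """Highest named level whose bits are all present in `bits`."""
    return max((n for n, b in LEVELS.items() if bits & b == b), key=LEVELS.get)

def effective(groups, share_aces, ntfs_aces, over_network=True) -> str:
    """Highest grant from each ACL, then the more restrictive of the two.
    For a local logon only NTFS applies; the share ACL gates network access."""
    g = set(groups)
    ntfs = granted_bits(ntfs_aces, g)
    if not over_network:
        return level_name(ntfs)
    return level_name(ntfs & granted_bits(share_aces, g))

# Constructed from craigie's post: User 1 is in groups A, B and C.
SHARE = [Ace("A", "Read"), Ace("B", "Write"), Ace("C", "Full")]
NTFS = [Ace("A", "Read")]
print(effective({"A", "B", "C"}, SHARE, NTFS))  # Read
```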
  11. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Yep, that's how you work out the effective permission for the user.
     
  12. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Actually... setting share permissions to full IS the right way. Configuring both NTFS and share permissions is either a) at worst, a recipe for misconfigured permissions, or b) at best, an exercise in futility, causing you to spend twice as much administrative effort to configure when you don't need to do so.

    NTFS permissions aren't just "an extra level of security"; they are permissions that work whether a user gets access over the network OR at the local computer. Share permissions are USELESS if the user somehow gains access to the local computer, because share permissions only restrict network access to the share... not to the local files. THAT is why network admins recommend setting share to Full Control and NTFS to what you need.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. Fergal1982

    Fergal1982 Petabyte Poster

    Well, you are certainly welcome to do it however you like. But I wholeheartedly disagree, at least at this moment in my life.

    I'm not saying that you shouldn't use NTFS permissions; I never did. I just think that share permissions shouldn't be set to full control unless that group actually requires full control.

    Sure, the share permissions are useless if they get access to the local machine, but NTFS permissions are all but useless if they get access to the admin password. Almost all measures can be overcome if the user gets access to something. Does that mean you shouldn't utilise the tools at your disposal to regulate things?

    As Sparky said, ultimately it doesn't matter, so long as you document how you have implemented things.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  14. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    But dude... if they get access to the admin password, then your share permissions are just as useless as your NTFS passwords.

    My point is this: the NTFS permissions cover everything. The share permissions do not. The NTFS permissions cover every scenario the share permissions do, plus more.

    Imagine, if you will, an approaching hailstorm... setting share and NTFS permissions is like covering your car with a car cover before putting the car in the garage. Why take the time and effort to put the car cover on? The garage will protect the car far better than the car cover, and you're already putting the car in the garage.

    Additionally, NTFS permissions are much more granular than share permissions. So when you set up NTFS permissions that have no corresponding share permission, you can end up with unexpected behavior due to the combining of permissions. I know by experience; I once supported a network where they set up both share and NTFS permissions. Users would regularly experience permission problems until we set everything to Share - Full. When you just use NTFS permissions, there's no confusion as to what will happen; it will always work as your NTFS permissions are configured.

    All it takes is one lazy admin, and you'll have problems. This, too, I know from experience.

    But if you insist on doing it, it's your network. :thumbleft
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  15. Tinus1959

    Tinus1959 Gigabyte Poster

    I never set share permissions to full control and MS doesn't do it by default for Windows 2003. That must have a reason. I heard in my CEH course of a tool to elevate your NTFS rights to full control, even if you had only read or even no access. You needed full control on the share for this.

    There might be a hole in the roof...

    I agree on this one, but that still does not mean to set one level of protection open as if it was not there. If there is no reason to limit the rights on the share, then why are they there?
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  16. NightWalker

    NightWalker Gigabyte Poster

    In 2000 Server the default on share permissions was Everyone > Full Control. Too many bad admins created shares and didn't set the permissions, leaving things open to abuse. So in Server 2003 MS locked it down so the bad admins not checking the share permissions couldn't do so much damage... although now (and twice I can remember in the last 18 months) I have had to go and change the share permissions because the admin that created them left the default settings, and the users can't save stuff to their mapped drive :blink
     
    Certifications: A+, Network+, MCP, MCSA:M 2003, ITIL v3 Foundation
  17. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Because the drive might not be NTFS :rolleyes:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  18. thetokyoproject

    thetokyoproject Byte Poster

    Thanks for the tips. I need to sit down with VPC and a book and practice different exercises.
     
    Certifications: 271
  19. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    You cannot get NTFS permissions unless the drive is formatted with NTFS anyway...
    ... so I *think* Tinus means: why have NTFS and share permissions, and not just NTFS permissions only, without share permissions as an option?
     
  20. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    But there's NEVER a time that share permissions take effect and NTFS permissions do not. Thus, the hole in the roof can never exist.

    Can you honestly say that with a straight face without laughing? This is Microsoft we're talking about, here... :biggrin This wouldn't be exactly the first time they've done something that makes no sense, even to their own "best practices"... :D
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
