Windows Thread, Back to basics - NTFS and Share permissions in Technical; I know that lots here are MS certified (my aim too!) and it's with that in mind that I post ...
14th December 2009, 06:40 PM #1
Back to basics - NTFS and Share permissions
I know that lots here are MS certified (my aim too!) and it's with that in mind that I post the question.
I know about the principles of Share and NTFS permissions:
Share permissions are cumulative
NTFS permissions are cumulative
Share + NTFS permissions ... use the most restrictive
Deny trumps Allow
File permissions trump Folder permissions
etc., but is there any logical or numerical way of knowing exactly the order of priority? For instance, if I'm asked to combine Full Share with Read NTFS, it's easy enough to determine the answer but what about Change Share with Modify NTFS or Change Share with Write NTFS? Is it as simple as the order in which the permissions are listed on the Properties pages? If so, is Write *really* more restrictive than Read?
Finally, is there any clever trick (perhaps commandline) which will allow me to assess combined/effective permissions, rather like using RSOP or GPRESULT when dealing with Group Policies? I had a look at CACLS but that didn't seem to give me the solution that I'm looking for.
IDG Tech News
14th December 2009, 07:00 PM #2
I think the share permissions are largely ignored on most networks these days - I've certainly always been taught to share the folder so everyone has full control, and use NTFS permissions to control the folder security.
In answer to one of your questions, yes write is more restrictive than read - if you think about it logically without read permissions you won't see or be able to access anything in the share, just simply be able to add new files to it - you can't even delete or see what you add. We use that permission to create 'drop boxes' for students work on our shared drive.
14th December 2009, 09:24 PM #3
Thank you for the input. I realise that, in real life, Share permissions are ignored and configured to allow everyone to have Full control so security is provided by fine tuning NTFS permissions, but that doesn't help me (or anyone else) when doing MS exams! I (we) still need to understand the Share/NTFS permissions interaction as well as how Share permissions and NTFS permissions all combine in a logical manner.
As far as Read vs. Write is concerned, I understand your explanation. Maybe it is down to the order that the various permissions are listed on the Properties sheet after all.
14th December 2009, 10:42 PM #4
Ahhhh, didn't realise it was for a M$ exam - sorry.
15th December 2009, 09:42 AM #5
NP. It's the same with all the IT exams that I've taken ... there's a "correct in the book" answer and there's a "correct in real life" answer. Unfortunately, the exams require the former!
15th December 2009, 09:49 AM #6
Share permissions tend to come first. The actually NTFS permission you can use can be the same or lower than the permissions on the share. Thus if you have Full control on the share you can use, read, Change, and Full Controll NTF permissions. If you have Change on the share you can use Change and Read and if you have read on the share then you can only use read NTFS permissions.
Folder NTFS permissions are, by default, applied from the top down with lower level's inheriting the permissions from those above. Ofcourse it's rarely that simple and usualy involves a lot of blocked inheirtance, denied groups, allowed groups and setting of permissions to get the set up correct for a real life organisation.
15th December 2009, 10:31 AM #7
Share permissions come first - then NTFS,
So you theorectically can connect to a share (with share permissions) but then have no access to read or modify its contents (with NTFS permissions).
My assumption (please correct me if i'm wrong, is that if you do not have the share permissions you can't connect to it - so they are like the garden gate, even though your through, the house is still locked.
15th December 2009, 10:47 AM #8
If your not on the share permissions you cant access.
Its also the minimum of permissions prevail...
So if you have full share and read NTFS .... its read.
If its read share and full NTFS ... its read.
deny allways takes priority.
Its mostly advised using educational software to allow full share and clamp down using NTFS.
15th December 2009, 11:01 PM #9
I too used to work on the basis of controlling permissions using NTFS alone, but would say now that using the share permissions provides a useful safety net. NTFS permissions can be complex things and it is not unknown for them to become incorrectly set. If you set up share permissions correctly, it's possible to limit possible security issues caused by incorrectly set NTFS permissions.
For example, imagine a share which Students were allowed to read from and staff could update. If the share permissions were set to Everyone:Full, then a mistake setting NTFS permissions could result in students having write access to the files. If the share permissions were set as follows;
IT Techs: Full Control
then students could never be accidentally granted any access higher than Read and staff could never be granted any access higher that Change.
16th December 2009, 04:25 PM #10
That's interesting Andy. I know that there are Share Change and NTFS Modify permissions and they *appear* to allow similar activity (I guess the major thing that they allow is deletion). Are there any subtle differences between them and which is the more restrictive (i.e. which would apply if they both applied to the same resource)?
Originally Posted by ajbritton
16th December 2009, 11:42 PM #11
AFAIK (and without doing any research), Change and Modify are essentially the same.
This may be useful: Windows 2003 NTFS and Share Permissions
Here's another: Share Permissions
- This suggests that best practice is to set share permissions to Authenticated User: Full Control and then control access using NTFS perms. though, which I still disagree with.
This article: Share versus NTFS Permissions makes a good point which is that share permissions (and any restrictions you apply using them) are only effective when the resource is accessed across the network.
Hope this helps
Afterthought: The way I tend to think of permissions is like this. Change/Modify is all anyone (or any application) should ever need for normal (ie non administrative) operations. It lets you read/write/delete files & folders. That's the baseline. The most common restriction is to make files available for viewing only ie Read. That's one level down. If you are an administrator and need to actually change the permissions, then you need Full Control, which is one level up.
Last edited by ajbritton; 16th December 2009 at 11:46 PM.
Reason: Added afterthought
16th December 2009, 11:52 PM #12
Thank you Andy. The more that I look into this (and *think* that I have nailed it), the more I realise there is to learn about Share and NTFS permissions! I guess I can only learn so much and the rest is done "on the hoof" when administering a network. I suppose it's like learning to drive - passing the test doesn't make me an expert driver. It's just the first rung of a long learning ladder.
17th December 2009, 12:23 AM #13
I do use share permissions to lock down shares before adding them to my DFS. It's good practice and is more secure. I also use NTFS to lock down folders, but i do not use modify very often, as i normally use the special permissions and go through them all specifying exactly what i do and dont want. I do not use the authenticated users for anything. It's much better practice to lock things down to actual users or groups you've created yourself, than to a generic object that could lead to a massive security hole, especially if you allow full control. In windows the share security comes first as it's the method of access, then NTFS permissions of the tree structure, then the file it'self. BUT not all folders are in the tree, and not all follow the hirache. A deny may not always deny everything within a folder structure.
students (group) have read access to a share. The share is mapped to H:/share1.
students have NTFS read access to folder share1. This contains a hand-in folder called homework, where the students (group) have NTFS write and creator owner access allowed.
The users with the students group will have read access to anything within the share1 folder, and any files they have created within the homework folder, unless denyed further up the tree or on the files. but they will not have write access or owners access to files withing homework as they only have read access to the share.
If we now allow then full control over a new share to H;/share1/homework they will be able to read their files and wrote new ones and also modify exsting files they've made. But through this share only, not the first.
17th December 2009, 10:56 PM #14
mjs_mjs makes a good point. If you are relying on a combination of share and file/folder permissions for your security model, you need to be careful if introduce an additional share at another point in the tree that this does not weaken the security. If you need to do this, then it might be safer to have a simple and standard share permission model and do the trickier stuff with NTFS.
Thanks to ajbritton from:
mjs_mjs (17th December 2009)
17th December 2009, 11:20 PM #15
Indeed. I use it to my effect to increase security, but it can be used badly and leave an even bigger whole in your security. Another thing to watchout for is other admins trying to change/changing permisssions and doing it in the wrong place, communication is key as is a policy.
Originally Posted by ajbritton
To throw more into the mix for me i have individule accounts on each machine within a DFS that i also allow access to certain shares, at share and NTFS levels. And it becomes even more complex when your in a multidomain forest (i'm not), where things like domain users may not actually include users from other trusted domains unless explisitly added to that group, hense why if you have custom groups it can be alot easier to work with and understand. But thats beond my level of tinkering so far.
make a security group, with users, for that access,
create a folder and share it with the minimum possible permissions on the share,
set the NTFS permissions using 'special' to the lowest possible to achieve the task, (you may need to set the folder to not inherit permissions),
DO NOT REMOVE SYSTEM or ADMINISTRATORS users/groups, there is nothing worse than locking yourself out from making changes. You should not use administrator (domain or on the machine unless you really need to.)
The last bit of good practice is to test for access AND to make sure unauthorised access cannot occur.
Oh and make sure you document things down for others who work on the system, and for red bus scenarios.
Dont think i've missed anything?
This is the real world way i use, so probably not the MS way, but it should be close.
By Jobos in forum Web Development
Last Post: 28th November 2009, 07:21 PM
By mickeyh080 in forum Windows
Last Post: 18th November 2009, 10:27 AM
By moggy in forum Virtual Learning Platforms
Last Post: 27th November 2008, 02:38 PM
By kennysarmy in forum Windows
Last Post: 7th February 2008, 03:29 PM
Last Post: 21st June 2006, 06:21 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)