  1. #1
    Back to basics - NTFS and Share permissions

    I know that lots here are MS certified (my aim too!) and it's with that in mind that I post the question.

    I know about the principles of Share and NTFS permissions:

    Share permissions are cumulative
    NTFS permissions are cumulative
    Share + NTFS permissions ... use the most restrictive
    Deny trumps Allow
    File permissions trump Folder permissions

    etc., but is there any logical or numerical way of knowing exactly the order of priority? For instance, if I'm asked to combine Full Share with Read NTFS, it's easy enough to determine the answer but what about Change Share with Modify NTFS or Change Share with Write NTFS? Is it as simple as the order in which the permissions are listed on the Properties pages? If so, is Write *really* more restrictive than Read?

    Finally, is there any clever trick (perhaps commandline) which will allow me to assess combined/effective permissions, rather like using RSOP or GPRESULT when dealing with Group Policies? I had a look at CACLS but that didn't seem to give me the solution that I'm looking for.

  2. #2 (maniac)
    I think the share permissions are largely ignored on most networks these days - I've certainly always been taught to share the folder so everyone has full control, and use NTFS permissions to control the folder security.

    In answer to one of your questions, yes, write is more restrictive than read - if you think about it logically, without read permissions you won't see or be able to access anything in the share, just simply be able to add new files to it - you can't even delete or see what you add. We use that permission to create 'drop boxes' for students' work on our shared drive.

    Mike

  3. #3
    Thank you for the input. I realise that, in real life, Share permissions are ignored and configured to allow everyone to have Full control so security is provided by fine tuning NTFS permissions, but that doesn't help me (or anyone else) when doing MS exams! I (we) still need to understand the Share/NTFS permissions interaction as well as how Share permissions and NTFS permissions all combine in a logical manner.

    As far as Read vs. Write is concerned, I understand your explanation. Maybe it is down to the order that the various permissions are listed on the Properties sheet after all.

  4. #4 (maniac)
    Ahhhh, didn't realise it was for an M$ exam - sorry.

    Mike.

  5. #5
    NP. It's the same with all the IT exams that I've taken ... there's a "correct in the book" answer and there's a "correct in real life" answer. Unfortunately, the exams require the former!

  6. #6
    Share permissions tend to come first. The actual NTFS permission you can use can be the same or lower than the permissions on the share. Thus if you have Full Control on the share you can use Read, Change, and Full Control NTFS permissions. If you have Change on the share you can use Change and Read, and if you have Read on the share then you can only use Read NTFS permissions.

    Folder NTFS permissions are, by default, applied from the top down with lower levels inheriting the permissions from those above. Of course it's rarely that simple and usually involves a lot of blocked inheritance, denied groups, allowed groups and setting of permissions to get the setup correct for a real-life organisation.

  7. #7 (Mr.Ben)
    Agreed,

    Share permissions come first - then NTFS,

    So you theoretically can connect to a share (with share permissions) but then have no access to read or modify its contents (with NTFS permissions).

    My assumption (please correct me if I'm wrong) is that if you do not have the share permissions you can't connect to it - so they are like the garden gate: even though you're through, the house is still locked.

  8. #8 (Galway)
    If you're not on the share permissions you can't access.

    It's also the minimum of permissions that prevail...

    So if you have full share and read NTFS .... it's read.
    If it's read share and full NTFS ... it's read.

    Deny always takes priority.

    It's mostly advised, when using educational software, to allow full share and clamp down using NTFS.

  9. #9 (ajbritton)
    I too used to work on the basis of controlling permissions using NTFS alone, but would say now that using the share permissions provides a useful safety net. NTFS permissions can be complex things and it is not unknown for them to become incorrectly set. If you set up share permissions correctly, it's possible to limit possible security issues caused by incorrectly set NTFS permissions.

    For example, imagine a share which Students were allowed to read from and staff could update. If the share permissions were set to Everyone:Full, then a mistake setting NTFS permissions could result in students having write access to the files. If the share permissions were set as follows:

    IT Techs: Full Control
    Staff: Change
    Students: Read

    then students could never be accidentally granted any access higher than Read and staff could never be granted any access higher than Change.

  10. #10
    Quote Originally Posted by ajbritton:
    ...then students could never be accidentally granted any access higher than Read and staff could never be granted any access higher than Change.
    That's interesting Andy. I know that there are Share Change and NTFS Modify permissions and they *appear* to allow similar activity (I guess the major thing that they allow is deletion). Are there any subtle differences between them and which is the more restrictive (i.e. which would apply if they both applied to the same resource)?

  11. #11 (ajbritton)
    AFAIK (and without doing any research), Change and Modify are essentially the same.

    This may be useful: Windows 2003 NTFS and Share Permissions

    Here's another: Share Permissions
    - This suggests that best practice is to set share permissions to Authenticated Users: Full Control and then control access using NTFS perms, though, which I still disagree with.

    This article: Share versus NTFS Permissions makes a good point which is that share permissions (and any restrictions you apply using them) are only effective when the resource is accessed across the network.

    Hope this helps

    Afterthought: The way I tend to think of permissions is like this. Change/Modify is all anyone (or any application) should ever need for normal (i.e. non-administrative) operations. It lets you read/write/delete files & folders. That's the baseline. The most common restriction is to make files available for viewing only, i.e. Read. That's one level down. If you are an administrator and need to actually change the permissions, then you need Full Control, which is one level up.
    Last edited by ajbritton; 16th December 2009 at 11:46 PM. Reason: Added afterthought

  12. #12
    Thank you Andy. The more that I look into this (and *think* that I have nailed it), the more I realise there is to learn about Share and NTFS permissions! I guess I can only learn so much and the rest is done "on the hoof" when administering a network. I suppose it's like learning to drive - passing the test doesn't make me an expert driver. It's just the first rung of a long learning ladder.

  13. #13 (mjs_mjs)
    I do use share permissions to lock down shares before adding them to my DFS. It's good practice and is more secure. I also use NTFS to lock down folders, but I do not use Modify very often, as I normally use the special permissions and go through them all specifying exactly what I do and don't want. I do not use Authenticated Users for anything. It's much better practice to lock things down to actual users or groups you've created yourself than to a generic object that could lead to a massive security hole, especially if you allow Full Control. In Windows the share security comes first as it's the method of access, then NTFS permissions of the tree structure, then the file itself. BUT not all folders are in the tree, and not all follow the hierarchy. A deny may not always deny everything within a folder structure.

    e.g.:
    Students (group) have read access to a share. The share is mapped to H:/share1.
    Students have NTFS read access to folder share1. This contains a hand-in folder called homework, where the Students (group) have NTFS write and creator owner access allowed.

    The users in the Students group will have read access to anything within the share1 folder, and any files they have created within the homework folder, unless denied further up the tree or on the files. But they will not have write access or owner's access to files within homework as they only have read access to the share.

    If we now allow them full control over a new share to H:/share1/homework they will be able to read their files and write new ones and also modify existing files they've made. But through this share only, not the first.
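As an added illustration (my own model, not code from the thread or a Windows tool): the rules stated in #6 and #8 (share layer first, most restrictive wins, Deny trumps Allow) applied to the combinations asked about in #1 and to mjs_mjs's two-share scenario above. All group names, share names and ACL entries are constructed.

```python
"""Model of how share and NTFS permissions combine (constructed example, not a
Windows tool). Rights are sets of primitive operations, so "most restrictive" is
set intersection and "deny trumps allow" is set difference; all data is made up."""
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_perms"
# Share levels (apply only over the network) and simplified NTFS standard levels
# (execute/attribute rights folded into READ).
SHARE = {"Read": {READ}, "Change": {READ, WRITE, DELETE},
         "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS}}
NTFS = {"Read": {READ}, "Write": {WRITE}, "Modify": {READ, WRITE, DELETE},
        "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS}}

def layer_effective(acl, groups, table):
    """One layer for a user in 'groups'; ACL entries are (principal, "Allow"|"Deny",
    level). Allows from every matching entry accumulate; a matching Deny strips."""
    allowed, denied = set(), set()
    for principal, ace_type, level in acl:
        if principal in groups:
            (allowed if ace_type == "Allow" else denied).update(table[level])
    return allowed - denied  # Deny trumps Allow within a layer

def via_share(share_acl, ntfs_acl, groups):
    """Access over a share = share rights AND NTFS rights (the more restrictive)."""
    return layer_effective(share_acl, groups, SHARE) & layer_effective(ntfs_acl, groups, NTFS)

def level_name(rights):
    """Name the standard NTFS level equal to an effective set, if there is one."""
    for name, bits in NTFS.items():
        if bits == rights:
            return name
    return "No access" if not rights else "Special(" + ",".join(sorted(rights)) + ")"

def combine(share_level, ntfs_level, ntfs_deny=None):
    """Single-group case from the opening question, e.g. combine("Change", "Write")."""
    ntfs_acl = [("Students", "Allow", ntfs_level)]
    if ntfs_deny:
        ntfs_acl.append(("Students", "Deny", ntfs_deny))
    return level_name(via_share([("Students", "Allow", share_level)], ntfs_acl, {"Students"}))

# Two-share scenario: Students have Read on share1 and NTFS Read on its folder; the
# homework subfolder inherits Read and adds NTFS Write; a second share with Full
# Control is later created directly on homework.
SHARE1_ACL = [("Students", "Allow", "Read")]
HOMEWORK_SHARE_ACL = [("Students", "Allow", "Full Control")]
HOMEWORK_NTFS = [("Students", "Allow", "Read"), ("Students", "Allow", "Write")]

def student_homework_access():
    g = {"Students"}
    return {"via share1": level_name(via_share(SHARE1_ACL, HOMEWORK_NTFS, g)),
            "via homework share": level_name(via_share(HOMEWORK_SHARE_ACL, HOMEWORK_NTFS, g))}
```

Running combine("Change", "Write") gives Write only, which is why a write-only user cannot see what they dropped in, and the two-share scenario shows the same homework folder yielding Read through share1 but read+write through the second share.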

  14. #14 (ajbritton)
    mjs_mjs makes a good point. If you are relying on a combination of share and file/folder permissions for your security model, you need to be careful if you introduce an additional share at another point in the tree that this does not weaken the security. If you need to do this, then it might be safer to have a simple and standard share permission model and do the trickier stuff with NTFS.

  15. #15 (mjs_mjs)
    Quote Originally Posted by ajbritton:
    mjs_mjs makes a good point. If you are relying on a combination of share and file/folder permissions for your security model, you need to be careful if you introduce an additional share at another point in the tree that this does not weaken the security. If you need to do this, then it might be safer to have a simple and standard share permission model and do the trickier stuff with NTFS.
    Indeed. I use it to my effect to increase security, but it can be used badly and leave an even bigger hole in your security. Another thing to watch out for is other admins trying to change/changing permissions and doing it in the wrong place; communication is key, as is a policy.

    To throw more into the mix, for me I have individual accounts on each machine within a DFS that I also allow access to certain shares, at share and NTFS levels. And it becomes even more complex when you're in a multidomain forest (I'm not), where things like Domain Users may not actually include users from other trusted domains unless explicitly added to that group, hence why if you have custom groups it can be a lot easier to work with and understand. But that's beyond my level of tinkering so far.

    Good practice:
    make a security group, with users, for that access,
    create a folder and share it with the minimum possible permissions on the share,
    set the NTFS permissions using 'special' to the lowest possible to achieve the task (you may need to set the folder to not inherit permissions),
    DO NOT REMOVE SYSTEM or ADMINISTRATORS users/groups; there is nothing worse than locking yourself out from making changes. You should not use Administrator (domain or on the machine) unless you really need to.
    The last bit of good practice is to test for access AND to make sure unauthorised access cannot occur.
    Oh, and make sure you document things for others who work on the system, and for red bus scenarios.

    Don't think I've missed anything?

    This is the real world way I use, so probably not the MS way, but it should be close.


