NTFS & Share Permissions Explained....

In general when you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the Authenticated Users Group ‘Full Control’ at the share level (you will need to change the default permission on the Sharing Tab as the Default is ‘Everyone’ Read). This may seem odd and insecure but it is not as NTFS itself allows you much greater control of permissions. In most cases it is OK to allow full control at the share level and then lock down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, so go to the Advanced Tab and clear the ‘Inherit from parent’ box and COPY the permissions when prompted. You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want a specific Security Group to have full access to a folder, add that group and Assign them Full Control. If you want a different Security Group to be able to read the folder and files but not add/delete/change anything, add that specific group and leave the default permissions, (read, read and execute list folder contents). To stop others from accessing the folder remove the (everyone) group and (domain users) Group from the list.

You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless deny is present in a permissions list, in which case it overrides). If users have both share and NTFS permissions they get the most restrictive of the combination of NTFS/Share permissions (which is why it is normal to allow Authenticated Users Full Control on the share and rely on NTFS permissions).

It is best practice to give permissions to groups, and not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

Your computer is a house. Your data is in a safe in the house. To gain access to the data, people from the outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data – having one key or the other is no good – they must have both.

This article is from my personal blog - The Security Pub

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.