Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Difference between the share permissions and the security and how should these be set to access a folder?

Posted on 2004-09-21
10
Medium Priority
?
3,710 Views
Last Modified: 2010-03-10
I want to know what the difference is between the share permissions and the security tab on windows 2000 server.  I am trying to give users access to a program on an app server.  I gave full access to groups under the security tab, but the vendor tells me I need to give full access to the Everyone group which I do not want to do.  Do I need to put them in the share permissions tab also?  Or will this override the security tab?  Any help given would be greatly appreciate to clarify this situation.
0
Comment
Question by:manch03
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
10 Comments
 
LVL 6

Expert Comment

by:parkerig
ID: 12118578
Hi,
The easiest way of thinking about this is that the share permissions are who can do what via the network
The security permisions are who can do what at the server console or via terminal services

If an app is started via a share it is still possible that it needs to write or read from a server hard disk and therefore needs relevant security permissions ( eg if temp file created in same directory as APP then user needs both share and security permissions)

Security permissions over rule Share permissions
eg If I give a user rights change permissions on a share but security is read only then they cannot change files.

Best way to test is create a share and experiment.

It is disappointing programmers still write applications that need FULL rights to EVERYONE
Cheers
Ian
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12121132
Sharing permissions: Who may access the file/folder via network and what access degree it has? (Read/Change and forth)
Security: Who may do what to the file/folder being accessed? (Open/Edit/View/Execute...and forth).

Simple

:)

Thanks parkerig

Cyber
0
 

Author Comment

by:manch03
ID: 12129275
Boy did I mess things up - I  gave permissions to groups on the permissions and took away everything under security because the users should not be doing anything to the server, etc.  Nobody could gain access to the application.  So I put them back in the security tab and everything works.  This program must need users in that security tab because it absolutely would not let anyone in.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 12130351
you need at least read and execute permission on files, additional list permission on directories as NTFS permissions (probably that what you describe as "security tab"), set these for user/owner and group.
The share permissions then can be everyone doing all (probably what you describe as "share permission tab"), that's what M$ suggest allways, and as long as you belief in whatever M$ defines as security, it should work :-))
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12157074
The two work in conjunction- the easiest way to setup a share, and allow only certain groups or people to access them is:
On the SHARING tab, get specific with the groups and users. And on the Security tab, place Everyone, if they need to write to the share, they'll have to have that right in both places (shring tab and security tab) at least.
http://www.practicallynetworked.com/sharing/xp_filesharing/05createshares.htm (good tutourial on this subject)

-rich
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12157858
> On the SHARING tab, get specific with the group and user. And on the Security tab, place Everyone, ...

dooh, richrumble, I'm shure you meant it the other way around ;-)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12159795
yes, the otehrway around- sorry sleep deprived.
-rich
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12204559
" Do I need to put them in the share permissions "  yes on volume (like C:) but it will assigned by default  when you make sharing on any folder or file on the machine and also  on shared resource (file or folder...etc) , so that you should remove Full control sharing permissions from shared resource like folder not from C:
will this override the security tab? no the Security Permissions override the sharing permissions .
more information :
(good resource) : http://www.microsoft.com/mspress/books/sampchap/6112d.asp

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

good luck

0
 
LVL 8

Accepted Solution

by:
nader alkahtani earned 1500 total points
ID: 12204617
BEST PRACTICES ACCORDING TO MICROSOFT
• Use NTFS permissions when possible and use share permissions
on FAT or FAT32 volumes only.
• Avoid using both share and NTFS permissions. The results can be
confusing, unpredictable, and difficult to troubleshoot.
• Assign permissions to groups, not individual users.
• Assign the most restrictive permissions possible.
• Avoid specifically denying permissions to a shared resource.
Only do so if you need to override specific permissions already
assigned.
• Limit membership to the Administrators group, as this group
has full control permissions by default.
• Avoid changing the default permissions for the Everyone group
when possible. The Everyone group includes numerous other
groups and your results could be unpredictable.
• Never deny access to the Everyone group because that group
includes Administrators. Instead, remove the Everyone group
rather than specifically denying the Everyone group.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question