Solved

Difference between the share permissions and the security and how should these be set to access a folder?

Posted on 2004-09-21
10
3,707 Views
Last Modified: 2010-03-10
I want to know what the difference is between the share permissions and the security tab on windows 2000 server.  I am trying to give users access to a program on an app server.  I gave full access to groups under the security tab, but the vendor tells me I need to give full access to the Everyone group which I do not want to do.  Do I need to put them in the share permissions tab also?  Or will this override the security tab?  Any help given would be greatly appreciate to clarify this situation.
0
Comment
Question by:manch03
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
10 Comments
 
LVL 6

Expert Comment

by:parkerig
ID: 12118578
Hi,
The easiest way of thinking about this is that the share permissions are who can do what via the network
The security permisions are who can do what at the server console or via terminal services

If an app is started via a share it is still possible that it needs to write or read from a server hard disk and therefore needs relevant security permissions ( eg if temp file created in same directory as APP then user needs both share and security permissions)

Security permissions over rule Share permissions
eg If I give a user rights change permissions on a share but security is read only then they cannot change files.

Best way to test is create a share and experiment.

It is disappointing programmers still write applications that need FULL rights to EVERYONE
Cheers
Ian
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12121132
Sharing permissions: Who may access the file/folder via network and what access degree it has? (Read/Change and forth)
Security: Who may do what to the file/folder being accessed? (Open/Edit/View/Execute...and forth).

Simple

:)

Thanks parkerig

Cyber
0
 

Author Comment

by:manch03
ID: 12129275
Boy did I mess things up - I  gave permissions to groups on the permissions and took away everything under security because the users should not be doing anything to the server, etc.  Nobody could gain access to the application.  So I put them back in the security tab and everything works.  This program must need users in that security tab because it absolutely would not let anyone in.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 51

Expert Comment

by:ahoffmann
ID: 12130351
you need at least read and execute permission on files, additional list permission on directories as NTFS permissions (probably that what you describe as "security tab"), set these for user/owner and group.
The share permissions then can be everyone doing all (probably what you describe as "share permission tab"), that's what M$ suggest allways, and as long as you belief in whatever M$ defines as security, it should work :-))
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12157074
The two work in conjunction- the easiest way to setup a share, and allow only certain groups or people to access them is:
On the SHARING tab, get specific with the groups and users. And on the Security tab, place Everyone, if they need to write to the share, they'll have to have that right in both places (shring tab and security tab) at least.
http://www.practicallynetworked.com/sharing/xp_filesharing/05createshares.htm (good tutourial on this subject)

-rich
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12157858
> On the SHARING tab, get specific with the group and user. And on the Security tab, place Everyone, ...

dooh, richrumble, I'm shure you meant it the other way around ;-)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12159795
yes, the otehrway around- sorry sleep deprived.
-rich
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12204559
" Do I need to put them in the share permissions "  yes on volume (like C:) but it will assigned by default  when you make sharing on any folder or file on the machine and also  on shared resource (file or folder...etc) , so that you should remove Full control sharing permissions from shared resource like folder not from C:
will this override the security tab? no the Security Permissions override the sharing permissions .
more information :
(good resource) : http://www.microsoft.com/mspress/books/sampchap/6112d.asp

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

good luck

0
 
LVL 8

Accepted Solution

by:
nader alkahtani earned 500 total points
ID: 12204617
BEST PRACTICES ACCORDING TO MICROSOFT
• Use NTFS permissions when possible and use share permissions
on FAT or FAT32 volumes only.
• Avoid using both share and NTFS permissions. The results can be
confusing, unpredictable, and difficult to troubleshoot.
• Assign permissions to groups, not individual users.
• Assign the most restrictive permissions possible.
• Avoid specifically denying permissions to a shared resource.
Only do so if you need to override specific permissions already
assigned.
• Limit membership to the Administrators group, as this group
has full control permissions by default.
• Avoid changing the default permissions for the Everyone group
when possible. The Everyone group includes numerous other
groups and your results could be unpredictable.
• Never deny access to the Everyone group because that group
includes Administrators. Instead, remove the Everyone group
rather than specifically denying the Everyone group.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month5 days, 22 hours left to enroll

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question