
Difference between the share permissions and the security and how should these be set to access a folder?

I want to know what the difference is between the share permissions and the security tab on Windows 2000 Server. I am trying to give users access to a program on an app server. I gave full access to groups under the security tab, but the vendor tells me I need to give full access to the Everyone group, which I do not want to do. Do I need to put them in the share permissions tab also? Or will this override the security tab? Any help given would be greatly appreciated to clarify this situation.
1 Solution
The easiest way of thinking about this is that the share permissions are who can do what via the network.
The security permissions are who can do what at the server console or via terminal services.

If an app is started via a share it is still possible that it needs to write or read from a server hard disk and therefore needs relevant security permissions (e.g. if a temp file is created in the same directory as the app then the user needs both share and security permissions).

Security permissions overrule share permissions,
e.g. if I give a user change permissions on a share but security is read only then they cannot change files.

Best way to test is create a share and experiment.

It is disappointing programmers still write applications that need FULL rights to EVERYONE.
Sharing permissions: Who may access the file/folder via the network and what degree of access do they have? (Read/Change and so forth)
Security: Who may do what to the file/folder being accessed? (Open/Edit/View/Execute... and so forth).



Thanks parkerig

manch03 (Author) Commented:
Boy did I mess things up - I gave permissions to groups on the permissions and took away everything under security because the users should not be doing anything to the server, etc. Nobody could gain access to the application. So I put them back in the security tab and everything works. This program must need users in that security tab because it absolutely would not let anyone in.

You need at least read and execute permission on files, plus list permission on directories, as NTFS permissions (probably what you describe as the "security tab"); set these for user/owner and group.
The share permissions can then be Everyone doing all (probably what you describe as the "share permission tab"); that's what M$ always suggests, and as long as you believe in whatever M$ defines as security, it should work :-))
Rich Rumble (Security Samurai) Commented:
The two work in conjunction. The easiest way to set up a share, and allow only certain groups or people to access it, is:
On the SHARING tab, get specific with the groups and users. And on the Security tab, place Everyone. If they need to write to the share, they'll have to have that right in both places (sharing tab and security tab) at least.
http://www.practicallynetworked.com/sharing/xp_filesharing/05createshares.htm (good tutorial on this subject)

> On the SHARING tab, get specific with the group and user. And on the Security tab, place Everyone, ...

dooh, richrumble, I'm sure you meant it the other way around ;-)
Rich Rumble (Security Samurai) Commented:
Yes, the other way around. Sorry, sleep deprived.
nader alkahtani (Network Engineer) Commented:
"Do I need to put them in the share permissions" Yes, on a volume (like C:), but it will be assigned by default when you make sharing on any folder or file on the machine and also on a shared resource (file or folder, etc.), so you should remove Full Control sharing permissions from a shared resource like a folder, not from C:
"Will this override the security tab?" No, the security permissions override the sharing permissions.
more information :
(good resource) : http://www.microsoft.com/mspress/books/sampchap/6112d.asp


good luck

nader alkahtani (Network Engineer) Commented:
• Use NTFS permissions when possible and use share permissions
on FAT or FAT32 volumes only.
• Avoid using both share and NTFS permissions. The results can be
confusing, unpredictable, and difficult to troubleshoot.
• Assign permissions to groups, not individual users.
• Assign the most restrictive permissions possible.
• Avoid specifically denying permissions to a shared resource.
Only do so if you need to override specific permissions already
• Limit membership to the Administrators group, as this group
has full control permissions by default.
• Avoid changing the default permissions for the Everyone group
when possible. The Everyone group includes numerous other
groups and your results could be unpredictable.
• Never deny access to the Everyone group because that group
includes Administrators. Instead, remove the Everyone group
rather than specifically denying the Everyone group.
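
Added example, not part of any post in this thread: a simplified Python model of how share permissions and NTFS ("Security" tab) permissions combine, covering the layouts discussed above. The group names (AppUsers, Guests), the sample ACLs and the coarse right names are constructed for illustration; real ACLs carry finer-grained rights and inheritance.

```python
# Simplified model of how Windows combines share permissions with NTFS
# ("Security" tab) permissions. Group names and ACLs are constructed samples;
# real ACLs have finer-grained rights and inheritance.
R, X, W, D, P = "read", "execute", "write", "delete", "change_permissions"
LEVELS = {
    "Read": {R, X},                      # share level
    "Change": {R, X, W, D},              # share level
    "Read & Execute": {R, X},            # NTFS level
    "Modify": {R, X, W, D},              # NTFS level
    "Full Control": {R, X, W, D, P},     # both
}

def granted(acl, principals):
    """Allows accumulate across group memberships; an explicit deny wins."""
    allow, deny = set(), set()
    for kind, who, level in acl:
        if who in principals:
            (allow if kind == "allow" else deny).update(LEVELS[level])
    return allow - deny

def effective(share_acl, ntfs_acl, groups, via_network=True):
    """Over the network a right must be granted by BOTH ACLs; at the
    console or via Terminal Services only the NTFS ACL is checked."""
    principals = set(groups) | {"Everyone"}
    ntfs = granted(ntfs_acl, principals)
    if not via_network:
        return ntfs
    return ntfs & granted(share_acl, principals)

# Open share with restrictive NTFS: access is decided on the Security tab.
OPEN_SHARE = [("allow", "Everyone", "Full Control")]
TIGHT_NTFS = [("allow", "AppUsers", "Modify"),
              ("allow", "Administrators", "Full Control")]
# Groups on the share, but nothing left for them on the Security tab.
GROUP_SHARE = [("allow", "AppUsers", "Full Control")]
ADMIN_ONLY_NTFS = [("allow", "Administrators", "Full Control")]
# Change on the share, read-only in NTFS.
CHANGE_SHARE = [("allow", "AppUsers", "Change")]
READONLY_NTFS = [("allow", "AppUsers", "Read & Execute")]

if __name__ == "__main__":
    cases = [("open share + tight NTFS", OPEN_SHARE, TIGHT_NTFS),
             ("group share + admin-only NTFS", GROUP_SHARE, ADMIN_ONLY_NTFS),
             ("Change share + read-only NTFS", CHANGE_SHARE, READONLY_NTFS)]
    for name, share, ntfs in cases:
        for groups in (["AppUsers"], ["Guests"]):
            print(name, groups, sorted(effective(share, ntfs, groups)))
```

With the open share and restrictive NTFS ACL, only AppUsers members get access even though Everyone has Full Control on the share, because the NTFS ACL is the narrower of the two.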