?
Solved

Folder permissions

Posted on 2005-03-18
3
Medium Priority
?
940 Views
Last Modified: 2013-12-04
Hi!  We have redone our Windows 2003 enterprise member server and connected it to our SBS2003 domain.  We are in the process of creating the users folder and are concerned with permissions.  Within the Profile tab of the user, we specify their local file to connect as "Z" using \\server\users\theirshare.

What should proper permissions be on the folder Users and their individual folder?  What is the big difference between security at the Share Folder Permissions verses the Security tab of Folder Properties?

We don't want the users to be able to see the Users folder, only their share.  If there is no way to do this without them seeing the Users folder, then they must only be able to create, edit, and delete within their folder share but not delete the folder itself.  They must not be able to view, edit, or delete other User's folder shares.

Any quick advice or perhaps a "best practices" document would be greatly appreciated.  Also, what is normal security for the C$ drive?  I know windows adds and shares stuff for itself.  Some is inherited by default--such as the standard Everyone or Users groups.

Marcia
0
Comment
Question by:mporter05
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 2000 total points
ID: 13579625
Hi mporter05,
> What should proper permissions be on the folder Users and their individual
> folder?  

PERSONALLY, I'd set users as open to everyone.  BUT, there may be a better answer so see what others have to say.  As for individuals, I always set that to Username, Domain Admins, and System.  The latter two so that administration and general system services are assured to work (things such as backups, antivirus, and if you ever need to help the user).

> What is the big difference between security at the Share Folder
> Permissions verses the Security tab of Folder Properties?

The Security on the Share only applies to access through the share.  So if the user could sit on the console of the server, the share security wouldn't make any difference.  The Folder Properties (NTFS) security applies regardless of how the user is accessing the system.  PERSONALLY, I always leave share permissions open to everyone and rely on NTFS permissions (NOTE: The most restrictive permissions apply - so if you set SHARE permissions to EVERYONE READ and then NTFS permissions to JoeUser FULL, JoeUser only can read (share permissions are more restrictive in this case - and ONLY via network access).

> We don't want the users to be able to see the Users folder, only their
> share.  If there is no way to do this without them seeing the Users
> folder, then they must only be able to create, edit, and delete within
> their folder share but not delete the folder itself.  They must not be
> able to view, edit, or delete other User's folder shares.

Then share out each individual folder and append a $ to it.  That's what I've always done.  Don't share the users folder.

> Any quick advice or perhaps a "best practices" document would be greatly
> appreciated.  Also, what is normal security for the C$ drive?  I know
> windows adds and shares stuff for itself.  Some is inherited by
> default--such as the standard Everyone or Users groups.

The only shares Windows adds for you are administrative shares - which are for each hard drive (with a $ - C$, D$, etc) and the ADMIN$ share which is %windir% shared.  If you want to have remote admin capability using built in Windows tools and often other programs, you NEED to have these shares.  By default, only DOMAIN ADMINS can access them and you can't add other people to them, so they should be relatively secure and unless you're working with a whole bunch of hackers, I wouldn't worry about them.


Cheers!
0
 
LVL 5

Expert Comment

by:dr_binks
ID: 13580119
just to add to this, I personally have to the users folder so that everyone have read/write permissions
and then I just set the each user folder to only aloowing that use to vew it (ie. if a folder is \users\dr.binks then I just set the user dr.binks having full permissions on the folder).

another good thing you could do is under the 'security tab' click on 'advaned' and add user permissions there (but you get much more control i.e. you can say that the user cannot create folders)

not that with the shared folder, you have to set up the 'shared permissions', but for the individual user folder you need to set up the 'security' permissions.

hope this helps

~Binks

 
0
 
LVL 5

Expert Comment

by:dr_binks
ID: 13580128
correction:
*note* that with the shared folder, you have to set up the 'shared permissions', but for the individual user folder you need to set up the 'security' permissions.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question