Solved

Steps for sharing, permissions and security

Posted on 2006-07-21
Last Modified: 2010-04-18
Hi experts
I have read everything I can about setting security on Windows Server 2003, and I think I know what to do; then I try it and it does not work.  We are a fairly simple setup:
shared Drive: data e:
Shared folder: Data
20 folders underneath that everyone can access | subfolders under some that are restricted
Security Groups: everyone (of course), All team members, other department type groups
I want to map the shared folder Data to drive G: for all team members in a login script, let them see the list of all the folders underneath, and restrict them from some subfolders.
I have read about security templates; they sound like something that will work for most of the folders under the shared folder Data.
OK, with all that said, where do I start with the security?
Thanks so much
Donna
Question by:TECHDLS

Assisted Solution

by:RA123987
RA123987 earned 300 total points
ID: 17154910
Start with the top level security permissions.
After you set the permission to the proper groups, click Apply.
Then click on the Advanced tab. Choose "Replace permission entries on all child objects with entries shown here that apply to child objects".  Choose OK.
That will force all of the folders to have the permissions of the root folder, if they were not already inheriting the permissions.
Then go into the subfolders that need to be modified.
Go into the advanced feature again and uncheck "Inherit from parent the permission entries that apply to child objects.  Include these entries with entries explicitly defined here."
Choose Copy.
This will copy the original permissions to the folder and allow you to make the modifications that you need.  Now you can remove the groups that were inherited if need be.  You can also add any groups/users that you need to add as well.

One piece of advice is to remove the Everyone group and add Authenticated Users.  Everyone is EVERYONE.  Anyone in the office, whether authenticated to the network or logged on locally, can access those folders and files.  It's always wise to remove that group and use Authenticated Users instead.  Authenticated Users is the same as Everyone except they must authenticate to the domain to get access.
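
The steps in the answer above, scripted in PowerShell as an added example that is not part of the original thread. It assumes an elevated session, a constructed folder tree under %TEMP% standing in for E:\Data, a hypothetical restricted subfolder named HR, and Modify as the right granted to Authenticated Users.

```powershell
# Added example. Constructed tree under %TEMP%; on the server in the question the root would be E:\Data.
# Run elevated. 'HR' is a hypothetical restricted subfolder, 'Public' a hypothetical open one.
$root       = Join-Path $env:TEMP 'Data-acl-demo'
$restricted = Join-Path $root 'HR'
New-Item -ItemType Directory -Force -Path $restricted, (Join-Path $root 'Public') | Out-Null

# Well-known SIDs, so the demo does not depend on any domain group names.
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$admins    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function New-AllowRule($identity, [System.Security.AccessControl.FileSystemRights]$rights) {
    # Allow ACE that applies to this folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

# Step 1: top-level permissions. Protecting the root only isolates the demo from the ACL of %TEMP%.
$acl = Get-Acl $root
$acl.SetAccessRuleProtection($true, $false)       # protected; inherited ACEs are dropped
$acl.PurgeAccessRules($everyone)                  # no Everyone ACE at the top level
$acl.AddAccessRule((New-AllowRule $admins 'FullControl'))
$acl.AddAccessRule((New-AllowRule $authUsers 'Modify'))   # assumed right for ordinary users
Set-Acl -Path $root -AclObject $acl

# Step 2: "Replace permission entries on all child objects": reset every child to inherited ACEs only.
icacls (Join-Path $root '*') /reset /T /C /Q | Out-Null

# Step 3: on the restricted folder, stop inheriting and choose "Copy" (second argument $true).
$acl = Get-Acl $restricted
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $restricted -AclObject $acl

# Re-read so the copied ACEs show up as explicit, then remove the group that must not get in.
$acl = Get-Acl $restricted
$acl.PurgeAccessRules($authUsers)
# On a real server, grant the department group here, e.g. 'EXAMPLE\HR Staff' (hypothetical name).
Set-Acl -Path $restricted -AclObject $acl

# Show the result: the root grants Authenticated Users, HR now lists explicit ACEs without them.
foreach ($p in $root, $restricted) {
    (Get-Acl $p).Access |
        Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights, IsInherited
}
```

In the output, every ACE on HR should report `IsInherited` as False, which confirms the folder no longer picks up later changes made at the root.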

Assisted Solution

by:Pber
Pber earned 200 total points
ID: 17155278
Further to RA123987's excellent advice....

Keep in mind that Share security can be more restrictive than NTFS on the files.  When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.


Also look into Access Based Enumeration (ABE).  It hides files/folders that you don't have permissions to see instead of giving the access denied message.

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

Accepted Solution

by:Pber
Pber earned 200 total points
ID: 17155297
Hmmm, that reads a little confusing.

It should say:

When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users on the NTFS permissions, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.

Expert Comment

by:rpartington
ID: 17156005
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21862277.html

EXACT same theory to your situation, just needs re-arranging to suit your situ.
Login scripts can be used easily enough via GP:
User Config > Windows Settings > Scripts > Logon, and point to your script stored in sysvol > domain > policies > etc etc etc
with either a .bat or .vbs.
However, many companies offer GUI bolt-ons to AD, as in http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

We have it; it was installed before I arrived. It does have some nice features for using a GUI to easily set mapped drives etc. I suppose, but not my cup of tea I must confess. Call me old fashioned, I prefer to use my login scripts as I know for sure if set correctly they will work time and again, and I don't have to worry about third party products bolted onto AD, licences expiring and parts of the network dropping off.