Solved

fodler share security

Posted on 2006-11-10
4
208 Views
Last Modified: 2013-12-04
What is the difference between setting security on the share tab for a folder in windows 2000 and setting security on the security tab of a folder in windows 2000?

Please explain also how setting security in one versus the other affects access.
0
Comment
Question by:markkurten
  • 2
4 Comments
 
LVL 29

Accepted Solution

by:
Nightman earned 100 total points
ID: 17918832
Security via the share allows access to the share name via the network share.
Security via the security tab manages access to the physical folder/files on disk.

Access to the folder on disk allows access to the user, but no access via the share means that the user still cannot access the files via the network. The user would have to log on to the PC to access the folder. So a user may have full local permissions on a folder (and the files) from the local machine, but be prevented from updating (or even viewing) them accross the network.

Access via the share allows access to the network resource, but no access to the files on disk means that the user still can't do anything with them.

Does this makes things clearer or worse?
0
 

Author Comment

by:markkurten
ID: 17919161
thats exactly what i'm looking for - thank you..

so you can have a share and give full permissions to user x, but if you don't give them access using the security tab, they can't do anything with the files in the share?
0
 
LVL 29

Expert Comment

by:Nightman
ID: 17920444
That's it. Why don't you test it out?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17927816
Correct, the two work in tandem, the most restrictive setting is the one that is used... if you have everyone full control on the share, and you have userX denied delete on the NTFS permissions, UserX is denied delete as it is more restrictive than FC.
Share Permissions ( http://www.microsoft.com/technet/technetmag/issues/2006/01/HowITWorksNTFS/?related=y )

To access a file or folder remotely, both NTFS and Share Permissions are evaluated to determine the actual rights the user has to that object. Between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission.

NTFS and Share Permissions work quite differently from each other. NTFS has a rather complex process of inheritance (see "NTFS Permissions" in the November-December 2005 issue of TechNet Magazine) but essentially a user gets the combination of NTFS permissions assigned to them and any groups they are in, including nested groups. In general, Deny overrides Allow. You have to enter the file system on a remote computer by accessing a share. The Share Permissions are evaluated on the share you use to enter the file system. There is no inheritance with shares. The Share Permissions assigned on the share you used to enter the file system are the permissions you have in that branch of the directory tree, even if there is another share lower in the tree with different permissions.
============
For ease of use/maintenance/administration, share permissions are fine to set Everyone- Full Control, and use the NTFS rights to apply restrictions. Do not include the everyone group on the NTFS (security tab), use authenticated users, and or the groups you need to apply the permissions to. Setting to FC on the share helps, because that right applies to all subfolders... NTFS can inherit or not inherit thier rights from parent folders.
http://technet2.microsoft.com/WindowsServer/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
-rich
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question