Pau Lo
asked on
Share Permissions
Can anyone explain to me that when you run sysinternals AccessEnum against a specific share / directory,it always tends to find hits when you select
select files with permissions less restrictive than the parent
I dont really understand why it does or should, surely if you set permissions at root level they should inherit all the way down. Otherwise there is a real risk of someone brute forcing a directory
i.e \\localhost\e$\backup\ and if backup has less restrictive permissions than root of e$ then people may well get access..
select files with permissions less restrictive than the parent
I dont really understand why it does or should, surely if you set permissions at root level they should inherit all the way down. Otherwise there is a real risk of someone brute forcing a directory
i.e \\localhost\e$\backup\ and if backup has less restrictive permissions than root of e$ then people may well get access..
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You might have this, for instance:
c:\backup - (Explicit) Administrators: Full Control
- (Explicit) Users: Read
- Inheritance Disabled
c:\backup\1.bkf - (Implicit) Administrators: Full Control
- (Implicit) Users: Read
- (Explicit) John Doe: Full Control
- Inheritance EnabledThe last two are normally what AccessEnum refers to. John Doe has more rights than a group like "Users" would ordinarily give.
Does that help?
Chris
ASKER
I dont think thats true about the dollar sign automatically being an admin shaer. I know admin shares do have a $ but ive seen many non admin shares where the share has a $ to hide it from casual browsing in explorer
Just a quite addendum: I'm deliberately avoided "Share" permissions at this stage. The inheritance model doesn't really apply to rights granted at Share level, only NTFS.
When combining Share rights there are two things you should note:
- Share permissions apply to everything in the share, at every level
- The most restrictive permission applies between NTFS and Share (if Share says Read-Only you cannot make one file writable using NTFS)
Chris
ASKER
Chris, yes makes sense, out of interest, what is your advice if say your have a directory
\\localhost\team1 and all people need access who are in team1. This is a reserved area of a file server set a side for a specific team, and storage at company x is sparce so you cant ask for this share for this and this directory for something else.
However,, in \\localhost\team1\staffapp
are users indivudal team appraisals so not each memeber of the team1 require access to each others appraisal, is this where explicit acls are set to not inherit the root permissions and set i.e. manager plus relevant staff member, or are there more secure ways of structuring your directories in that case. Hope that makes sense.
\\localhost\team1 and all people need access who are in team1. This is a reserved area of a file server set a side for a specific team, and storage at company x is sparce so you cant ask for this share for this and this directory for something else.
However,, in \\localhost\team1\staffapp
are users indivudal team appraisals so not each memeber of the team1 require access to each others appraisal, is this where explicit acls are set to not inherit the root permissions and set i.e. manager plus relevant staff member, or are there more secure ways of structuring your directories in that case. Hope that makes sense.
> I dont think thats true about the dollar sign automatically being an admin shaer.
You're correct. It denotes a Hidden share. E$ is a hidden share that is likely to be an automatically created administrative share.
Chris
It's up to you, but I tend to use one of the two options below.
I prefer to keep inheritance enabled where possible, and I never grant anyone but administrative users Full Control on the NTFS level. I don't like people messing with permissions, they tend to remove things they shouldn't and stop backup jobs working.
Chris
SHARE:
\\localhost\team1
- Everyone (or just team1) Full Control
NTFS:
\\localhost\team1
- (Implicit) Administrators: Full Control
- (Implicit) SYSTEM: Full Control
- (Explicit) Team1: Modify
- Inheritance Enabled
NTFS Sub-Directory OPTION 1:
\\localhost\team1\staffappraisals
- (Implicit) Administrators: Full Control
- (Implicit) SYSTEM: Full Control
- (Explicit) Users: Read (DENY)
- (Explicit) HR Person: Modify
- Inheritance Enabled
NTFS Sub-Directory OPTION 2:
\\localhost\team1\staffappraisals
- (Explicit) Administrators: Full Control
- (Explicit) SYSTEM: Full Control
- (Explicit) HR Person: Modify
- Inheritance Disabled
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Edit: Please replace "Users" in option 1 with Team1, it was supposed to represent a deny for the thing we allowed on the parent.
Chris
ASKER
Interesting comment about:
>Files/folders moved on the same partition preserve their permissions. To inherit the parent folder permissions, they need to be copied, not moved.
I didnt know that!
>Files/folders moved on the same partition preserve their permissions. To inherit the parent folder permissions, they need to be copied, not moved.
I didnt know that!
ipajones:
Best practice with NTFS file systems is to simply leave the share permissions on created shares with everyone having full control.
I strongly disagree as this been a "best practice"...
Best practice with NTFS file systems is to simply leave the share permissions on created shares with everyone having full control.
I strongly disagree as this been a "best practice"...
ASKER