Go Premium for a chance to win a PS4. Enter to Win


Whats the best practice for user permissions on a shared folder on a file server?

Posted on 2011-09-28
Medium Priority
Last Modified: 2012-05-12
I have decided not to use the default permissions on my shared folder structure on my file share server.

Using Microsoft Server 2008 R2 and Windows 7 SP1 workstations:
What default security groups should i use?
I currently have:
Administrators: Full control

System: Full Control

Creator Owner: Full control

Group of Supervisors who aren't Domain admins: Full Control

User group A: Modify/ Read & Execute /List Folder contents / Read /Write

Authenticated Users: Read & Execute / List folder contents / Read

I assume authenticated users is everyone with a user name and password. I'm ok with this group perusing contents but not being able to delete or change anything
User Group A are people who require the ability to modify create and manage files. I don't want them to take ownership of the folder or have the ability to change permissions

Do i even need to list the "System" security group? Why?
Is it a good practice to list creator owner with full control?
Is there going to be a permissions issue/conflict  due to the authenticated users group having less permissions than User Group A?
What's a good set of groups to set for inheritable permissions at the root share? I don't want to use the everybody group.
Question by:Fureio
  • 4
  • 2
  • 2

Accepted Solution

knwarrior74 earned 1500 total points
ID: 36720107
Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission.

Assign the most restrictive permissions that still allow users to perform required tasks.
For example, if users need only to read information in a folder, and they will never delete, create, or change files, assign the Read permission.

If users log on locally to access shared resources, such as on a terminal server, set permissions by using NTFS file system permissions or access control.
Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. For this situation, use NTFS and access control. For more information, see Set, view, change, or remove permissions on files and folders.

Organize resources so that objects with the same security requirements are located in the same folder.
For example, if users require the Read permission for several application folders, store the application folders in the same parent folder. Then, share the parent folder, rather than sharing each individual application folder. Note that if you need to change the location of an application, you may need to reinstall it.

When you share applications, organize all shared applications in one folder.
Organizing all applications in one shared folder simplifies administration, because there is only one location for installing and upgrading software.

To prevent problems with accessing network resources, do not deny permissions to the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account, with the exception of the Anonymous Logon group. For more information, see Default security settings for groups and Differences in default security settings.

Avoid explicitly denying permissions to a shared resource.
It is usually necessary to explicitly deny permissions only when you want to override specific permissions that are already assigned.

Limit membership in, and assign the Full Control permission to, the Administrators group.
This enables administrators to manage application software and to control user rights.

In most cases, do not change the default permission (Read) for the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account. In most cases, do not change this default unless you want users to be able to make changes to the files and objects in the shared resource. For more information about share permissions, see Share permissions.

Grant access to users by using domain user accounts.
On computers running Windows XP Professional that are connected to a domain, grant access to shared resources through domain user accounts, rather than through local user accounts. This centralizes the administration of share permissions.

Use centralized data folders.
With centralized data folders, you can manage resources and back up data easily.

Use intuitive, short labels for shared resources.
This ensures that the shared resources can be easily recognized and accessed by users and all client operating systems.

Use a firewall.
A firewall protects shared resources from access through the Internet. In Windows XP and in the Windows Server 2003 family, you can take advantage of new firewall capabilities. For more information, see Internet Connection Firewall. Instead of Internet Connection Firewall, computers running Windows XP with Service Pack 2 (SP2) and computers running Windows Server 2003 with Service Pack 1 (SP1), use Windows Firewall. For more information, see Help: Windows Firewall.

Author Comment

ID: 36814128
Thanks for your elaborate answer. However, this broad answer doesn't really apply to the questions i have asked since i am already working with user groups and not individuals.
You mention:
"Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission

Did you mean, create a group of  users together in AD DS and delegate permissions to the group? What about the actual folder itself, what default set of groups should i list in my shared folder?

What about the permissions listed in folder properties\Security tab? Reading your advice on Best Practices, i will have to restructure the way my entire file share is structured permission wise. The default groups in a folder are
Creator Owner: Full Control
System: Full Control
Domain\Administrators: Full Control
Domain\Users: Read & Execute / List folder contents / Read

How do i modify the folder security permissions to fit with user groups that have permissions?
My confusion comes from the following:
A certain group will only have read & exe / list / read at tier 1 and 2 of a folder structure but have modify and write at tier 3 and forward.

Another question here that went unanswered, should i keep the creator owner and system permissions in place for a file share that won't host programs?

Author Comment

ID: 36814645
I have figured out answers to a lot of the questions i posed here. Thanks for pointing me in the right direction.

My core question is:
Should i keep the "system" permissions in place for a file share that won't host programs?
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 36892459
yes because even OS shouldn't be able to work with data.

Expert Comment

ID: 36892798
I agree yes the OS shouldn't have security permissions set for it.  

Author Comment

ID: 36893014
Ok, i'm understanding two different answers here. Yes, i should keep SYSTEM in the default folder permission or YES, REMOVE the SYSTEM group since it isn't needed for a file share?
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 36893163
Ok if you accessing files only throw network you can REMOVE SYSTEM.

Author Closing Comment

ID: 36893216
Vague answer with a long response time to what was a very simple answer. The answer appears to be cut and paste since nowhere in my question do i mention Windows XP and mentions using groups when i had already mentioned that i was using groups and not individual users. A lot of the sub-questions remain unanswered

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permi…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question