Solved

What's the best practice for user permissions on a shared folder on a file server?

Posted on 2011-09-28
Last Modified: 2012-05-12
I have decided not to use the default permissions on my shared folder structure on my file share server.

Using Microsoft Server 2008 R2 and Windows 7 SP1 workstations:
What default security groups should I use?
I currently have:
Administrators: Full control

System: Full Control

Creator Owner: Full control

Group of Supervisors who aren't Domain admins: Full Control

User group A: Modify/ Read & Execute /List Folder contents / Read /Write

Authenticated Users: Read & Execute / List folder contents / Read

I assume Authenticated Users is everyone with a user name and password. I'm OK with this group perusing the contents but not being able to delete or change anything.
User Group A are people who require the ability to modify, create and manage files. I don't want them to take ownership of the folder or have the ability to change permissions.


Do I even need to list the "System" security group? Why?
Is it a good practice to list Creator Owner with full control?
Is there going to be a permissions issue/conflict due to the Authenticated Users group having less permissions than User Group A?
What's a good set of groups to set for inheritable permissions at the root share? I don't want to use the Everyone group.
Question by: Fureio

Accepted Solution by: knwarrior74 (earned 500 total points)

Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission.


Assign the most restrictive permissions that still allow users to perform required tasks.
For example, if users need only to read information in a folder, and they will never delete, create, or change files, assign the Read permission.


If users log on locally to access shared resources, such as on a terminal server, set permissions by using NTFS file system permissions or access control.
Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. For this situation, use NTFS and access control. For more information, see Set, view, change, or remove permissions on files and folders.


Organize resources so that objects with the same security requirements are located in the same folder.
For example, if users require the Read permission for several application folders, store the application folders in the same parent folder. Then, share the parent folder, rather than sharing each individual application folder. Note that if you need to change the location of an application, you may need to reinstall it.


When you share applications, organize all shared applications in one folder.
Organizing all applications in one shared folder simplifies administration, because there is only one location for installing and upgrading software.


To prevent problems with accessing network resources, do not deny permissions to the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account, with the exception of the Anonymous Logon group. For more information, see Default security settings for groups and Differences in default security settings.


Avoid explicitly denying permissions to a shared resource.
It is usually necessary to explicitly deny permissions only when you want to override specific permissions that are already assigned.


Limit membership in, and assign the Full Control permission to, the Administrators group.
This enables administrators to manage application software and to control user rights.


In most cases, do not change the default permission (Read) for the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account. In most cases, do not change this default unless you want users to be able to make changes to the files and objects in the shared resource. For more information about share permissions, see Share permissions.


Grant access to users by using domain user accounts.
On computers running Windows XP Professional that are connected to a domain, grant access to shared resources through domain user accounts, rather than through local user accounts. This centralizes the administration of share permissions.


Use centralized data folders.
With centralized data folders, you can manage resources and back up data easily.


Use intuitive, short labels for shared resources.
This ensures that the shared resources can be easily recognized and accessed by users and all client operating systems.


Use a firewall.
A firewall protects shared resources from access through the Internet. In Windows XP and in the Windows Server 2003 family, you can take advantage of new firewall capabilities. For more information, see Internet Connection Firewall. Instead of Internet Connection Firewall, computers running Windows XP with Service Pack 2 (SP2) and computers running Windows Server 2003 with Service Pack 1 (SP1), use Windows Firewall. For more information, see Help: Windows Firewall.
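The groups and rights listed in the question, assembled into an NTFS ACL with PowerShell so the accepted answer's "groups, least privilege, NTFS over share permissions" advice can be seen applied. This is an added example, not code from the thread or from knwarrior74's answer; the path D:\Shares\Dept, the domain CONTOSO and the group names FileSvc-Supervisors, FileSvc-Editors and Alpha-Team are hypothetical placeholders. It runs on Server 2008 R2 (PowerShell 2.0) or later, elevated.

```powershell
# Added example (not from the thread or from knwarrior74's answer): the ACL the question
# describes, built with PowerShell on Server 2008 R2 (PowerShell 2.0) or later. Run elevated.
# Hypothetical names, replace with your own: D:\Shares\Dept, domain CONTOSO, groups
# FileSvc-Supervisors, FileSvc-Editors and Alpha-Team.

$Root        = 'D:\Shares\Dept'
$Supervisors = 'CONTOSO\FileSvc-Supervisors'
$Editors     = 'CONTOSO\FileSvc-Editors'

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# One Allow ACE that applies to this folder, its subfolders and its files.
function New-AllowAce {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $NoProp, $Allow)
}

# Modify = ReadAndExecute + Write + Delete. It carries neither ChangePermissions nor
# TakeOwnership, so an Editors member can manage files but cannot re-ACL or take the folder.
function Test-ModifyExcludesOwnership {
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $cp     = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $to     = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    (($modify -band $cp) -eq 0) -and (($modify -band $to) -eq 0)
}

function Set-ShareRootAcl {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance from the parent and drop the inherited ACEs (Users: Read, etc.),
    # then clear any explicit ones, so the root carries only what is assigned below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

    $acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl'))
    # Keep SYSTEM even on a data-only share: backup/VSS, indexing, DFS Replication and
    # antivirus run as LocalSystem and open files under this identity.
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-AllowAce $Supervisors 'FullControl'))
    $acl.AddAccessRule((New-AllowAce $Editors 'Modify'))
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'))
    # CREATOR OWNER is left out on purpose: Full Control for it gives whoever creates a file
    # Full Control of that file, including Change Permissions and Take Ownership.
    Set-Acl -Path $Path -AclObject $acl
}

# Deeper tier where one group needs Modify while the tiers above stay read-only for it.
# Allow ACEs accumulate: the inherited Authenticated Users read ACE and this explicit
# Modify ACE do not conflict; a user in both groups simply gets the union here.
function Add-ModifyAce {
    param([string]$Path, [string]$Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-AllowAce $Group 'Modify'))
    Set-Acl -Path $Path -AclObject $acl
}

Set-ShareRootAcl -Path $Root
Add-ModifyAce -Path (Join-Path $Root 'Projects\Alpha') -Group 'CONTOSO\Alpha-Team'
"Modify excludes Change Permissions/Take Ownership: $(Test-ModifyExcludesOwnership)"

# Share it to Authenticated Users with Change and let NTFS do the real restricting.
# New-SmbShare only exists from Server 2012 on, so 2008 R2 uses net share.
net share "Dept=$Root" '/GRANT:Authenticated Users,CHANGE'

(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Two design choices in the block answer sub-questions the accepted answer skips: SYSTEM stays because LocalSystem services (backup, shadow copies, indexing, antivirus) open files under it, and CREATOR OWNER is omitted because a Full Control ACE for it hands the creator of every file Change Permissions and Take Ownership on that file, which is exactly what the question wants to avoid for Group A.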
 

Author Comment by: Fureio
Thanks for your elaborate answer. However, this broad answer doesn't really apply to the questions I have asked, since I am already working with user groups and not individuals.
You mention:
"Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission
."

Did you mean create a group of users together in AD DS and delegate permissions to the group? What about the actual folder itself: what default set of groups should I list in my shared folder?

What about the permissions listed in folder properties\Security tab? Reading your advice on best practices, I will have to restructure the way my entire file share is structured permission-wise. The default groups in a folder are
Creator Owner: Full Control
System: Full Control
Domain\Administrators: Full Control
Domain\Users: Read & Execute / List folder contents / Read

How do I modify the folder security permissions to fit with user groups that have permissions?
My confusion comes from the following:
A certain group will only have read & exe / list / read at tier 1 and 2 of a folder structure but have modify and write at tier 3 and forward.

Another question here that went unanswered: should I keep the Creator Owner and System permissions in place for a file share that won't host programs?

Author Comment by: Fureio
I have figured out answers to a lot of the questions I posed here. Thanks for pointing me in the right direction.

My core question is:
Should I keep the "System" permissions in place for a file share that won't host programs?

Expert Comment by: Jaroslav Mraz
Yes, because even the OS shouldn't be able to work with the data.
Expert Comment by: knwarrior74
I agree, yes, the OS shouldn't have security permissions set for it.

Author Comment by: Fureio
OK, I'm understanding two different answers here. Yes, I should keep SYSTEM in the default folder permission, or yes, REMOVE the SYSTEM group since it isn't needed for a file share?

Expert Comment by: Jaroslav Mraz
OK, if you are accessing files only through the network, you can REMOVE SYSTEM.

Author Closing Comment by: Fureio
Vague answer with a long response time to what was a very simple answer. The answer appears to be cut and paste, since nowhere in my question do I mention Windows XP, and it mentions using groups when I had already mentioned that I was using groups and not individual users. A lot of the sub-questions remain unanswered.