  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 739

NTFS lower level best practice

Hey,

I have 2 spreadsheets in a directory quite well down a folder structure that require specific NTFS permissions.

Is there any general best practice when setting up folder structures with NTFS security in mind? Or any potential flaws in setting NTFS that differs from “higher permissions” in lower folders? Or any compensating controls required?

For example, the folder with 2 Excel spreadsheets that need more stringent security resides in:

\\server\share\dir1\dir2\dir3\spreadsheet1.xls
\\server\share\dir1\dir2\dir3\spreadsheet2.xls

So DIR3 requires tighter security than dir1, and I believe at present dir2 and 3 are set up to inherit permissions set at dir 1.

Also, these people need “editor rights”, i.e. they need to be able to edit these Excel files, and potentially drop new files into this folder. What is the NTFS equivalent to this permission?

Any advice welcome.
0
Asked:
pma111
7 Solutions
 
Miguel Angel Perez Muñoz Commented:
Take a look at this guide: http://technet.microsoft.com/en-us/library/cc782737(WS.10).aspx

I use a group file permissions strategy:

On the highest level, only read or list only (depends on security requirements).
On sublevels, use groups to assign different permissions and add these groups to the list on the higher level, for example:
dir 1 List group
dir 2 RO group users + dir 1 list group
dir 2 RW group users + dir 1 list group
dir 3 RO group users + dir 2 ro group + dir 1 list group
dir 3 RW group + dir 2 ro group + dir 1 list group
Then assign permissions to these folders.
0
 
MinoDC Commented:
If you just need to edit and create, just the Write permission.
If you also want to delete only, you can set, in the advanced permissions, the flag on Delete.

Otherwise, you can read these guides for a better understanding of NTFS permissions:

http://www.ntfs.com/ntfs-permissions.htm

http://www.windowsecurity.com/articles/understanding-windows-ntfs-permissions.html

http://support.microsoft.com/kb/313398/en-us
0
 
adamnl Commented:
A guide on how inheritance on folders works is explained in an article on Microsoft TechNet here: http://technet.microsoft.com/en-us/library/cc758779%28WS.10%29.aspx

Selecting where to apply permissions on these folders can be reviewed here: http://technet.microsoft.com/en-us/library/cc776140%28WS.10%29.aspx
0
 
pma111 Author Commented:
Thanks for the links.

Could you suggest your recommendations to this issue though, as opposed to the links?

0
 
pma111 Author Commented:
My worry was setting more stringent NTFS on dir 3, then finding on dir1 users have full control so can wipe out the NTFS set at dir3. i.e. tick

"replace permission on all child entries with entries shown here that apply to child objects"

Which then makes a mockery of setting any permission lower down the structure
0
 
adamnl Commented:
You mention that directory 2 and directory 3 are inheriting the permissions from directory 1.
Since directory 3 should have tighter security than directory 1 and directory 2 (which I pick up as "only a select group of people should be able to list/view/edit the contents"), the permissions for people not in this group should be zero (no listing, no viewing, ...). For example, if you set the permissions for directory 1 to anything else (for example you enable listing) and let directory 2/3 inherit the permissions from directory 1, this means that the people who have listing permission in directory 1 will also have listing permissions in directory 2/3.

Since I assume that you would like anyone (or at least a certain larger group) to list, view, edit in directory 1 and 2 this would mean you enable these permissions for directory 1 (and possibly 2). Inheriting this in directory 3 would transfer these permissions (After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions, something that you do not want in this case). To break this chain, right-click on directory 3, click Properties, navigate to the Security tab, Advanced, and then clear the 'Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here'.

You can find out what permissions a user or group has using the Effective Permissions tool: http://technet.microsoft.com/en-us/library/cc756795%28WS.10%29.aspx
0
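The inheritance break described in the post above, scripted with Get-Acl/Set-Acl, plus a check for the reset the asker worries about (a parent-level "replace permissions on all child entries" turning inheritance back on). This is an added example, not code from any poster in the thread; the group name `CONTOSO\Dir3-Editors`, the function names and the choice of the Modify right for "editor rights" are assumptions.

```powershell
# Added example. Placeholders (assumptions): the editors group and function names.
# Run elevated, as an administrator of the file server.
$Path    = '\\server\share\dir1\dir2\dir3'
$Editors = 'CONTOSO\Dir3-Editors'          # hypothetical group holding the 2 users
$Allowed = @($Editors, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Set-RestrictedFolderAcl {
    param([string]$Path, [string]$Editors)
    $acl = Get-Acl -LiteralPath $Path
    # $true  = protect this ACL from inheritance
    # $false = do not copy the currently inherited ACEs as explicit ones
    $acl.SetAccessRuleProtection($true, $false)

    $grants = @{}
    $grants[$Editors]                 = 'Modify'       # read, edit, create, delete
    $grants['BUILTIN\Administrators'] = 'FullControl'
    $grants['NT AUTHORITY\SYSTEM']    = 'FullControl'

    # Apply to this folder, its subfolders and its files
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $grants[$id], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RestrictedFolderAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled: parent ACEs apply to this folder again.'
    }
    foreach ($ace in $acl.Access) {
        # Any identity outside the expected list is reported, inherited or explicit
        if ($Allowed -notcontains $ace.IdentityReference.Value) {
            $findings += "Unexpected ACE: $($ace.IdentityReference) $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    $findings   # one string per deviation from the intended ACL
}

Set-RestrictedFolderAcl  -Path $Path -Editors $Editors
Test-RestrictedFolderAcl -Path $Path -Allowed $Allowed
```

Running `Test-RestrictedFolderAcl` on a schedule and alerting on any finding is a compensating control for the case where someone with Full Control higher up the tree resets child permissions.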
 
MinoDC Commented:
Here are some rules for resolving permissions conflicts:
1. "Deny" permissions generally take precedence over "allow" permissions.
2. Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
3. Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
4. Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission, depending on the other rules above, of course.
0
 
MinoDC Commented:
To see effective permissions, in the Advanced Security Settings dialog box, click the Effective Permissions tab and select a user or group. These are the results of the permissions directly assigned to the file or folder and permission inherited from parent folders.

http://www.ntfs.com/ntfs-permissions-file-effective.htm
0
 
peter197911 Commented:
Question: do all users need read access to these dir 3 xls files?
I'm asking because the way you're setting up NTFS permissions will work, but it's not nice to manage. Having several folders in a structure with Deny permissions just sucks (I know, in some situations you don't really have a choice).

Personally I try to get NTFS permissions as strict as possible, and give extra permissions when I go down in folders. Inheritance then is no problem and you don't have to use Deny permissions.
0
 
pma111 Author Commented:
Not "all users" peter - just 2 users. In dir 1 and 2 there are about 60 users currently with access.
0
 
pma111 Author Commented:
>>Having several folders into a structure with Deny permissions just sucks

I am not overly familiar with deny permissions?

Is this when I say no to inheritance? Is that a deny permission?

Why does this make it hard to manage - and who does it make it hard for?
0
 
pma111 Author Commented:
I am open to a redesign of our share by all means - that was what I was after as I did assume setting non inheriting permissions further down the structure was probably causing a problem for someone. I just could decide who and why?
0
 
peter197911 Commented:
>>I am not overly familiar with deny permissions
Deny permissions always overrule the other permissions (nothing wrong with that).

>>Is this when I say no to inheritance? Is that a deny permission?
This is not a deny permission; this is an exclusion for a folder from inheriting the NTFS permissions of the folder above.

>>Why does this make it hard to manage - and who does it make it hard for?
I'm not sure if it's hard to manage, but it's not really logical. Sometimes you don't have a choice.
I'm not sure if other admins think the same thing, I can't speak for them. But to keep a nice overview of the full structure is really an advantage.

Let me check if i can get a copy of the structure (including ntfs permissions) of a customer (as example)


0
 
pma111 Author Commented:
Ok thanks, look forward to:

>>Let me check if i can get a copy of the structure (including ntfs permissions) of a customer (as example)
0
 
peter197911 Commented:
Hellowah pma111,
Next Monday I'm at work and have access to a server environment. I will make a short setup of folders showing how I would set it up.
0
 
pma111 Author Commented:
Brill thanks
0
