Solved

What are Best Practice settings for a file share server?

Posted on 2014-10-20
Last Modified: 2014-10-31
I'll soon be migrating an old file share server to a new Windows 2012 R2 server. I'd love to hear suggestions for default drive and folder permissions for the file share structure generally. The permissions for shares in the past have been governed by SHARE permissions -- and I think I'd like to stay with that because everyone is used to that. However, I'd like to lock down the drive and NTFS permissions a bit more -- however, I don't want to cause problems. The users seem to need NTFS permissions equal to SHARE permissions, and I'd like Administrators to have permissions. What other permissions are needed, SYSTEM, OWNER, Domain Users, etc.? From testing it seems if users have SHARE permissions only, and nothing as far as NTFS (implied no access) -- they have no access. If someone can provide some opinions, I'd be grateful.
Thanks.
Question by:apsutechteam
3 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 40392716
Generally, the recommendation for permissions is to have the most restrictive permissions be the last permission list the user accesses. This means that the Share permissions would be less restrictive than the NTFS permissions, which are less restrictive than RBAC settings (RBAC is a new 2012 server feature). MS actually recommends setting Share Permissions to be Read and Write (or full control) for the Authenticated Users group. This allows all permissions to be controlled at the NTFS level and ensures that users who directly access the server can't bypass the permissions set on the Share. It also makes sure you don't have to set permissions in two locations for the same files, which can be a bit of a chore in addition to causing problems when trying to troubleshoot access issues.

The point that you need to remember is that the most restrictive permissions will always be the effective permissions that are granted. If you have a Deny permission set, that will always take precedence over any allow, and if you grant share permissions to a user, they won't be able to access the file unless NTFS permissions are also set.
 

Author Comment

by:apsutechteam
ID: 40392768
Do you know of a TechNet article, etc. that suggests the approach mentioned? Since it's also been done differently, it would be helpful to have a basis to change it. I've seen this approach mentioned in my research, but haven't found anything from MS. Also, are there other users that are suggested - I need Administrators, and the appropriate departmental users/groups -- can I limit to that? Is there a reason for SYSTEM, OWNER, etc.? Thanks for your reply.
 
LVL 38

Expert Comment

by:Adam Brown
ID: 40392782
http://technet.microsoft.com/en-us/library/cc754178.aspx Mentions it, but also outlines an alternate option of granting permissions to the Users group, then more strict permissions in NTFS. Microsoft doesn't give a firm "You should do it this way" recommendation, but the use of Authenticated Users with Read and Write access at a minimum has been the best practice recommendation since Windows 2000 came out.
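
The layout described in the accepted answer, as an added PowerShell example that is not part of the original thread: the share is open to Authenticated Users and an explicit NTFS ACL decides who actually gets in. The path, share name and `CONTOSO\Finance-Users` group are hypothetical, and granting SYSTEM Full Control alongside Administrators is this example's assumption, not something the thread settles.

```powershell
# Added example. Path, share name and group are hypothetical placeholders.
$Path      = 'D:\Shares\Finance'
$ShareName = 'Finance'
$DeptGroup = 'CONTOSO\Finance-Users'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS is the only real gate in this design, so build its ACL explicitly.
$acl = Get-Acl -Path $Path
# Protect the folder from inheritance and discard inherited ACEs, so broad
# drive-root entries (for example BUILTIN\Users) do not carry into the share.
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit ACEs already on the folder.
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# Assumption: SYSTEM is kept so services running as LocalSystem can still read the data.
$grants = [ordered]@{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    $DeptGroup               = 'Modify'
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], $inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share level: permissive on purpose; effective access is the more
# restrictive of share and NTFS permissions, so NTFS decides.
New-SmbShare -Name $ShareName -Path $Path `
    -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Review both permission lists side by side.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
$ntfs = (Get-Acl -Path $Path).Access
$ntfs | Format-Table IdentityReference, FileSystemRights, IsInherited

# With an open share, a broad NTFS Allow ACE exposes the data to every
# authenticated account, so flag any that are present.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$ntfs | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
} | ForEach-Object {
    Write-Warning "Broad NTFS grant on ${Path}: $($_.IdentityReference) $($_.FileSystemRights)"
}
```

Run it from an elevated session on the file server; the final check prints nothing when only the three intended principals hold NTFS rights.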