Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

What are Best Practice settings for a file share server?

Posted on 2014-10-20
3
Medium Priority
?
5,078 Views
Last Modified: 2014-10-31
I'll soon be migrating an old file share server to a new Windows 2012 R2 server.  I'd loved to here suggestions for default drive and folder permissions for the file share structure generally.  The permissions for shares in the past have been governed by SHARE permissions -- and I think I'd like to stay with that because everyone is used to that.  However, I'd like to lock down the drive and NTFS permissions a bit more -- however, I don't want to cause problems. The users seems to need NTFS  permissions equal to SHARE permissions, and I'd like Administrators to have permissions.  What other permissions are needed, SYSTEM, OWNER, Domain Users, etc.?  From testing it seems if users have SHARE permissions only, and nothing as far as NTFS (implied no access) -- they have no access.  If someone can provide some opinions, I'd be grateful.
Thanks.
0
Comment
Question by:apsutechteam
  • 2
3 Comments
 
LVL 44

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 40392716
Generally, the recommendations for permissions is to have the most restrictive permissions be the last permission list the user accesses. This means that the Share permissions would be less restrictive than the NTFS permissions, which are less restrictive than RBAC settings (RBAC is a new 2012 server feature). MS actually recommends setting Share Permissions to be Read and Write (or full control) for the Authenticated Users group. This allows all permissions to be controlled at the NTFS level and ensures that users who directly access the server can't bypass the permissions set on the Share. It also makes sure you don't have to set permissions in two locations for the same files, which can be a bit of a chore in addition to causing problems when trying to troubleshoot access issues.

The point that you need to remember is that the most restrictive permissions will always be the effective permissions that are granted. If you have a Deny permission set, that will always take precedence over any allow, and if you grant share permissions to a user, they won't be able to access the file unless NTFS permissions are also set.
0
 

Author Comment

by:apsutechteam
ID: 40392768
Do you know of a TechNet article, etc. that suggests the approach mentioned.  Since it's also been done differently, it would be helpful to have a basis to change it.  I've seen this approach mentioned in my research, but haven't found anything from MS.  Also, are there other users that are suggested - I need Administrators, and the appropriate departmental users/groups -- can I limit to that?  Is there a reason for SYSTEM, OWNER, etc.?  Thanks for your reply.
0
 
LVL 44

Expert Comment

by:Adam Brown
ID: 40392782
http://technet.microsoft.com/en-us/library/cc754178.aspx Mentions it, but also outlines an alternate option of granting permissions to the Users group, then more strict permissions in NTFS. Microsoft doesn't give a firm "You should do it this way" recommendation, but the use of Authenticated Users with Read and Write access at a minimum has been the best practice recommendation since Windows 2000 came out.
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
A procedure for exporting installed hotfix details of remote computers using powershell
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question