Solved

What are Best Practice settings for a file share server?

Posted on 2014-10-20
Last Modified: 2014-10-31
I'll soon be migrating an old file share server to a new Windows 2012 R2 server.  I'd love to hear suggestions for default drive and folder permissions for the file share structure generally.  The permissions for shares in the past have been governed by SHARE permissions -- and I think I'd like to stay with that because everyone is used to that.  However, I'd like to lock down the drive and NTFS permissions a bit more -- however, I don't want to cause problems. The users seem to need NTFS permissions equal to SHARE permissions, and I'd like Administrators to have permissions.  What other permissions are needed, SYSTEM, OWNER, Domain Users, etc.?  From testing it seems if users have SHARE permissions only, and nothing as far as NTFS (implied no access) -- they have no access.  If someone can provide some opinions, I'd be grateful.
Thanks.
Question by:apsutechteam
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 40392716
Generally, the recommendation for permissions is to have the most restrictive permissions be the last permission list the user accesses. This means that the Share permissions would be less restrictive than the NTFS permissions, which are less restrictive than RBAC settings (RBAC is a new 2012 server feature). MS actually recommends setting Share Permissions to be Read and Write (or full control) for the Authenticated Users group. This allows all permissions to be controlled at the NTFS level and ensures that users who directly access the server can't bypass the permissions set on the Share. It also makes sure you don't have to set permissions in two locations for the same files, which can be a bit of a chore in addition to causing problems when trying to troubleshoot access issues.

The point that you need to remember is that the most restrictive permissions will always be the effective permissions that are granted. If you have a Deny permission set, that will always take precedence over any allow, and if you grant share permissions to a user, they won't be able to access the file unless NTFS permissions are also set.
0
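The layout described in the accepted answer, as an added PowerShell example that is not part of the original thread: the share is opened to Authenticated Users and the NTFS ACL alone decides who gets in, followed by a check for broad NTFS grants that the open share would expose. The path, share name and `CONTOSO\Finance-RW` group are hypothetical, and the SYSTEM and Administrators entries are assumptions of this example rather than something the thread settles.

```powershell
# Added example. Hypothetical names: replace the path, share and group with your own.
$path      = 'D:\Shares\Finance'
$shareName = 'Finance'
$deptGroup = 'CONTOSO\Finance-RW'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from the drive root (which usually grants BUILTIN\Users)
# and discard the inherited entries instead of copying them.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit entries left over if the folder already existed.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Explicit grants, inherited by subfolders and files.
$grants = @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'   # assumption: keeps services and backup agents working
    $deptGroup               = 'Modify'        # read/write/delete, cannot change permissions
}
foreach ($id in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $grants[$id], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share: broad on purpose, so the NTFS ACL above is the only list to maintain.
# Change is "Read and Write"; Full for Administrators is this example's choice.
New-SmbShare -Name $shareName -Path $path `
    -ChangeAccess 'Authenticated Users' `
    -FullAccess   'BUILTIN\Administrators' | Out-Null

# Verify both layers.
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# With the share open, any broad NTFS grant becomes effective access for everyone.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$leaks = (Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
if ($leaks) { Write-Warning "Broad NTFS grant on ${path}: $($leaks.IdentityReference -join ', ')" }
```

Run it in an elevated session on the file server; the final check can be pointed at each migrated folder to confirm that no broad NTFS entry was carried over from the old server.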
 

Author Comment

by:apsutechteam
ID: 40392768
Do you know of a TechNet article, etc. that suggests the approach mentioned?  Since it's also been done differently, it would be helpful to have a basis to change it.  I've seen this approach mentioned in my research, but haven't found anything from MS.  Also, are there other users that are suggested - I need Administrators, and the appropriate departmental users/groups -- can I limit to that?  Is there a reason for SYSTEM, OWNER, etc.?  Thanks for your reply.
LVL 42

Expert Comment

by:Adam Brown
ID: 40392782
http://technet.microsoft.com/en-us/library/cc754178.aspx mentions it, but also outlines an alternate option of granting permissions to the Users group, then more strict permissions in NTFS. Microsoft doesn't give a firm "You should do it this way" recommendation, but the use of Authenticated Users with Read and Write access at a minimum has been the best practice recommendation since Windows 2000 came out.