Solved

What are Best Practice settings for a file share server?

Posted on 2014-10-20
3
3,832 Views
Last Modified: 2014-10-31
I'll soon be migrating an old file share server to a new Windows 2012 R2 server.  I'd loved to here suggestions for default drive and folder permissions for the file share structure generally.  The permissions for shares in the past have been governed by SHARE permissions -- and I think I'd like to stay with that because everyone is used to that.  However, I'd like to lock down the drive and NTFS permissions a bit more -- however, I don't want to cause problems. The users seems to need NTFS  permissions equal to SHARE permissions, and I'd like Administrators to have permissions.  What other permissions are needed, SYSTEM, OWNER, Domain Users, etc.?  From testing it seems if users have SHARE permissions only, and nothing as far as NTFS (implied no access) -- they have no access.  If someone can provide some opinions, I'd be grateful.
Thanks.
0
Comment
Question by:apsutechteam
  • 2
3 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 40392716
Generally, the recommendations for permissions is to have the most restrictive permissions be the last permission list the user accesses. This means that the Share permissions would be less restrictive than the NTFS permissions, which are less restrictive than RBAC settings (RBAC is a new 2012 server feature). MS actually recommends setting Share Permissions to be Read and Write (or full control) for the Authenticated Users group. This allows all permissions to be controlled at the NTFS level and ensures that users who directly access the server can't bypass the permissions set on the Share. It also makes sure you don't have to set permissions in two locations for the same files, which can be a bit of a chore in addition to causing problems when trying to troubleshoot access issues.

The point that you need to remember is that the most restrictive permissions will always be the effective permissions that are granted. If you have a Deny permission set, that will always take precedence over any allow, and if you grant share permissions to a user, they won't be able to access the file unless NTFS permissions are also set.
0
 

Author Comment

by:apsutechteam
ID: 40392768
Do you know of a TechNet article, etc. that suggests the approach mentioned.  Since it's also been done differently, it would be helpful to have a basis to change it.  I've seen this approach mentioned in my research, but haven't found anything from MS.  Also, are there other users that are suggested - I need Administrators, and the appropriate departmental users/groups -- can I limit to that?  Is there a reason for SYSTEM, OWNER, etc.?  Thanks for your reply.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 40392782
http://technet.microsoft.com/en-us/library/cc754178.aspx Mentions it, but also outlines an alternate option of granting permissions to the Users group, then more strict permissions in NTFS. Microsoft doesn't give a firm "You should do it this way" recommendation, but the use of Authenticated Users with Read and Write access at a minimum has been the best practice recommendation since Windows 2000 came out.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
document a domain users/computers 1 36
MS Endpoint Protection 2 25
Group Policy Printer Mapping to LPT2 6 26
Windows 2012 DNS island on Domain Contoller 2 22
OfficeMate Freezes on login or does not load after login credentials are input.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question