Solved

What are Best Practice settings for a file share server?

Posted on 2014-10-20
3
4,032 Views
Last Modified: 2014-10-31
I'll soon be migrating an old file share server to a new Windows 2012 R2 server.  I'd loved to here suggestions for default drive and folder permissions for the file share structure generally.  The permissions for shares in the past have been governed by SHARE permissions -- and I think I'd like to stay with that because everyone is used to that.  However, I'd like to lock down the drive and NTFS permissions a bit more -- however, I don't want to cause problems. The users seems to need NTFS  permissions equal to SHARE permissions, and I'd like Administrators to have permissions.  What other permissions are needed, SYSTEM, OWNER, Domain Users, etc.?  From testing it seems if users have SHARE permissions only, and nothing as far as NTFS (implied no access) -- they have no access.  If someone can provide some opinions, I'd be grateful.
Thanks.
0
Comment
Question by:apsutechteam
  • 2
3 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 40392716
Generally, the recommendations for permissions is to have the most restrictive permissions be the last permission list the user accesses. This means that the Share permissions would be less restrictive than the NTFS permissions, which are less restrictive than RBAC settings (RBAC is a new 2012 server feature). MS actually recommends setting Share Permissions to be Read and Write (or full control) for the Authenticated Users group. This allows all permissions to be controlled at the NTFS level and ensures that users who directly access the server can't bypass the permissions set on the Share. It also makes sure you don't have to set permissions in two locations for the same files, which can be a bit of a chore in addition to causing problems when trying to troubleshoot access issues.

The point that you need to remember is that the most restrictive permissions will always be the effective permissions that are granted. If you have a Deny permission set, that will always take precedence over any allow, and if you grant share permissions to a user, they won't be able to access the file unless NTFS permissions are also set.
0
 

Author Comment

by:apsutechteam
ID: 40392768
Do you know of a TechNet article, etc. that suggests the approach mentioned.  Since it's also been done differently, it would be helpful to have a basis to change it.  I've seen this approach mentioned in my research, but haven't found anything from MS.  Also, are there other users that are suggested - I need Administrators, and the appropriate departmental users/groups -- can I limit to that?  Is there a reason for SYSTEM, OWNER, etc.?  Thanks for your reply.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 40392782
http://technet.microsoft.com/en-us/library/cc754178.aspx Mentions it, but also outlines an alternate option of granting permissions to the Users group, then more strict permissions in NTFS. Microsoft doesn't give a firm "You should do it this way" recommendation, but the use of Authenticated Users with Read and Write access at a minimum has been the best practice recommendation since Windows 2000 came out.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Resolve DNS query failed errors for Exchange
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question