RE: Any way to remove ADMIN$ only?
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 11/07/02
- Previous message: Roger Seielstad: "RE: Any way to remove ADMIN$ only?"
- Maybe in reply to: Palumbo, Dave (Factiva): "Any way to remove ADMIN$ only?"
- Next in thread: jmcguire@sbcs.com: "RE: Any way to remove ADMIN$ only?"
Date: Thu, 07 Nov 2002 08:24:18 -0800
To: Evan Mann <emann@questinc.org>, focus-ms@securityfocus.com
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
At 05:08 AM 11/6/2002, Evan Mann wrote:
>Could this be elaborated more on the list by others? I do not recall any
>conversations about the practice of which is the "best practice" or "ideal"
>method of setting permissions between share level and file level within the
>past year and a half or so that I've begun monitoring the list. Perhaps it's
>a good time to bring the subject up?

When it comes to combining share-level permissions with NTFS permissions, I
think it is difficult to assign a global "best" or "ideal" practices
model. It really comes down to what is best for your particular
environment. I would not necessarily say that Everyone FULL at the share
level is actually a "best" practice, but it certainly is the "easiest"
practice when it comes to administering your shares (assuming NTFS
permissions are in place). And the defaults are different between Win2k
and XP: The default share permissions for Win2k shares are Everyone
FULL, CHANGE, READ (resulting in FULL) while the default share permissions in
XP are Everyone READ. In most of the text that I see, the recommendation
is not to use Everyone FULL, but to use Domain Users or Authenticated Users
instead. Of course, different references tell you different things.

Since the most restrictive combined share + NTFS permissions are applied
when accessing resources via the share, it can quickly make things
difficult to troubleshoot when you have many groups with specific
permissions for the share and many groups with specific NTFS
permissions. NTFS permissions are by far the best way to control resources
and they are far more granular, and as the previous poster said, they are
applied whether accessing data via the share or locally.

Whether you choose to use Everyone FULL or Domain Users/Authenticated Users
FULL at the share level is a matter of preference and policy; leaving the
default Win2k permissions in place is fine as long as you properly restrict
access with NTFS. Of course, policies that strictly dictate the use of
"minimal permissions to perform a given function" mandate stronger ACLs at
both levels.

To me, the real benefit of using non-default share permissions is where
your group structure allows the use of DENY permissions, which are always
checked first and always use the "most restrictive" model when it comes to
cross-group membership. That, however, is not that common.
- --
AD
"Don't be irreplaceable. If you can't be replaced, you can't be promoted."
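
The combination rules described in this message, as an added example that is not part of the original post: a simplified Python model of how share and NTFS permissions intersect over the network, how DENY entries override allows across group memberships, and which layer to look at when troubleshooting. The three-bit rights mask, the group names and the NTFS ACL are constructed for illustration; real NTFS access masks are far more granular.

```python
# Added illustration; the rights bits, group names and ACLs are constructed.
# Assumption: three coarse bits stand in for the much finer NTFS access mask.
R, W, F = 1, 2, 4                        # read, write/modify, permission control
READ, CHANGE, FULL = R, R | W, R | W | F

def effective(acl, token):
    """Rights a single ACL gives a token (the set of the user's groups).

    Allows accumulate across groups; any matching DENY removes its bits no
    matter which group granted them.
    """
    allowed = denied = 0
    for principal, kind, mask in acl:
        if principal in token:
            if kind == "deny":
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied

def access(share_acl, ntfs_acl, token, via_share=True):
    """Over the network both layers must grant a right; locally only NTFS applies."""
    ntfs = effective(ntfs_acl, token)
    return ntfs & effective(share_acl, token) if via_share else ntfs

def blocked_by(share_acl, ntfs_acl, token, wanted):
    """Troubleshooting aid: which layer(s) withhold part of `wanted`."""
    layers = {"share": effective(share_acl, token), "ntfs": effective(ntfs_acl, token)}
    return [name for name, got in layers.items() if got & wanted != wanted]

WIN2K_DEFAULT_SHARE = [("Everyone", "allow", FULL)]   # default named in the post
XP_DEFAULT_SHARE = [("Everyone", "allow", READ)]      # default named in the post
NTFS_ACL = [("Sales", "allow", CHANGE), ("Contractors", "deny", W)]  # constructed

staff = {"Everyone", "Sales"}
contractor = {"Everyone", "Sales", "Contractors"}
outsider = {"Everyone"}

if __name__ == "__main__":
    for name, token in [("staff", staff), ("contractor", contractor), ("outsider", outsider)]:
        print(name,
              "win2k share:", access(WIN2K_DEFAULT_SHARE, NTFS_ACL, token),
              "xp share:", access(XP_DEFAULT_SHARE, NTFS_ACL, token),
              "local:", access(XP_DEFAULT_SHARE, NTFS_ACL, token, via_share=False))
```

With Everyone FULL at the share, the outsider still gets nothing because NTFS grants nothing, while the XP default share caps staff at READ over the network even though NTFS allows CHANGE locally.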