Re: NTFS and shared permissions
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Wed, 6 Apr 2005 22:45:15 -0700
A few? Matthew, that is quite a list of topics.
You could likely find some interesting discussions for
some of these in the Resource Kits, perhaps the XP RK
but more likely in one of the older server RKs.
I attempt some comments inlined below . . .
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

<email@example.com> wrote in message news:firstname.lastname@example.org...
> I have a few questions about NTFS permissions and share that I hope
> someone can help me with. I know that NTFS permissions are applied to
> both remote and local users and that shared permissions are only
> applied to remote users.

yep

> When and why would you apply NTFS permissions
> to a share or file??

Since share permissions effect an upper limit on what can be done,
one will often see a share grant to an encompassing group, like Users,
that is sufficient to allow any of the desired grants at the NTFS level
that might be made to numerous specific custom groups
(OfficeDocReaders, OfficeDocWriters, etc.)
NTFS permissions are of course needed for control of accounts that
log into the machine itself at the console, or with remote desktop.
Sometimes you will see share level permissions specifically used to
limit network logins so that they cannot do as much as they could if
logged in locally (that is, to reduce their ability down from a more
broad NTFS grant).

> With the shared vs NTFS permissions the most
> restrictive permission will take effect but which should you lock down
> the shared or the NTFS permissions??

IMO both. You have two handles and choosing to use only one is to
give up half of your leverage. The local vs remote aspect can be used
in ways as indicated earlier to be able to do things one could not
with just one or the other.

> Can you give an example?

Users change at share level, but no grants to Users at NTFS level,
only grants to different custom groups, some read only, some can
modify, etc.

>
> With NTFS permissions on a file what is the difference with the
> "read" and "read & execute" permissions?

read does not grant execute
notepad.exe cannot be executed if the account has only read

> And what is the
> difference between "modify" and "write" permissions?

write does not include delete

In the NTFS permissions dialog, click on Advanced to see the individual
ACEs (access control entries) that make up the ACL (access control list).
Then, highlight one of the ACEs and click Edit to see the precise
differences between the generic grants.

> And the
> "list folder content" and "traverse folders"?
>

listing a folder is being able to see the entries within that folder
traversing the folder is being able to execute the directory in order
to navigate through it

> With the share permission I was also reading that there is no
> difference between the "modify" and "full control" is this
> true??
>

false
The highest NTFS permission that share level grant of change will
allow is modify. Modify does not include the ability to change
permission settings or to take ownership, for example.

> What does the auditing tab do on the advanced tab and what is effective
> permissions and how are they different from the permissions that are
> assigned? I didn't see a difference and was confused by it???
>

NTFS (and other uses of permission ACLs) has a couple forms of access
control lists in use, the DACL and the SACL (discretionary and
security ACLs).
The DACL controls what is allowed to happen.
The SACL controls what events will be recorded in the security event
log when they happen.
The Auditing tab is where the SACL is seen/defined.
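The following is an added worked example, not part of Roger's post. It models, in Python, how the generic NTFS grants and the share-level grants discussed above are composed from the individual access-mask bits, and how a network logon ends up with the intersection of the two while a console or remote-desktop logon sees only the NTFS grant. The bit values are the standard winnt.h constants and the generic-to-mask composition is the one the Windows security editor uses; the group names (OfficeDocReaders, OfficeDocWriters, OfficeDocAdmins) follow the post, and the two ACLs are constructed sample data rather than any real server's settings. Deny ACEs, inheritance and ownership are left out of the model.

```python
"""Model of how NTFS (DACL) grants and share-level grants combine.

Access-mask bit values are the standard winnt.h constants.  The generic
permission names are composed from them the way the Windows security
editor does.  The ACLs at the bottom are constructed sample data.
"""

# Specific file/directory rights.  Comments give the name the NTFS
# "Advanced" dialog shows for the same bit on a folder / on a file.
FILE_READ_DATA        = 0x00000001  # List folder / Read data
FILE_WRITE_DATA       = 0x00000002  # Create files / Write data
FILE_APPEND_DATA      = 0x00000004  # Create folders / Append data
FILE_READ_EA          = 0x00000008  # Read extended attributes
FILE_WRITE_EA         = 0x00000010  # Write extended attributes
FILE_EXECUTE          = 0x00000020  # Traverse folder / Execute file
FILE_DELETE_CHILD     = 0x00000040  # Delete subfolders and files
FILE_READ_ATTRIBUTES  = 0x00000080  # Read attributes
FILE_WRITE_ATTRIBUTES = 0x00000100  # Write attributes
# Standard rights shared by every securable object.
DELETE                = 0x00010000  # Delete
READ_CONTROL          = 0x00020000  # Read permissions
WRITE_DAC             = 0x00040000  # Change permissions
WRITE_OWNER           = 0x00080000  # Take ownership
SYNCHRONIZE           = 0x00100000

BIT_NAMES = {
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
    FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD",
    FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
    FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES", DELETE: "DELETE",
    READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
}

# Generic NTFS grants as the permissions dialog composes them.
# "List folder contents" uses the same bits as Read & Execute and differs
# only in which child objects inherit it, so it is not listed separately.
NTFS = {}
NTFS["Read"] = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
                | READ_CONTROL | SYNCHRONIZE)                     # 0x120089
NTFS["Read & Execute"] = NTFS["Read"] | FILE_EXECUTE              # 0x1200A9
NTFS["Write"] = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
                 | FILE_WRITE_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)  # 0x120116
NTFS["Modify"] = NTFS["Read & Execute"] | NTFS["Write"] | DELETE  # 0x1301BF
NTFS["Full Control"] = (NTFS["Modify"] | FILE_DELETE_CHILD
                        | WRITE_DAC | WRITE_OWNER)                # 0x1F01FF

# Share-level grants are expressed with the same bits: Read is the same
# mask as Read & Execute, Change is the same mask as Modify.
SHARE = {
    "Read": NTFS["Read & Execute"],
    "Change": NTFS["Modify"],
    "Full Control": NTFS["Full Control"],
}


def bits(mask):
    """Names of the rights set in mask, in ascending bit order."""
    return [name for bit, name in sorted(BIT_NAMES.items()) if mask & bit]


def missing(have, want):
    """Rights present in `want` that `have` lacks."""
    return bits(want & ~have)


def granted(acl, groups):
    """Union of the allow ACEs for every group the account belongs to."""
    mask = 0
    for group, m in acl.items():
        if group in groups:
            mask |= m
    return mask


def effective(ntfs_acl, share_acl, groups, remote):
    """Console/RDP logon: NTFS only.  Network logon: NTFS AND share,
    i.e. bit-wise intersection, so the more restrictive grant wins."""
    mask = granted(ntfs_acl, groups)
    if remote:
        mask &= granted(share_acl, groups)
    return mask


# Constructed ACLs following the pattern in the post: the share grants
# Users Change; NTFS grants nothing to Users, only to custom groups.
SHARE_ACL = {"Users": SHARE["Change"]}
NTFS_ACL = {
    "OfficeDocReaders": NTFS["Read & Execute"],
    "OfficeDocWriters": NTFS["Modify"],
    "OfficeDocAdmins": NTFS["Full Control"],
}

if __name__ == "__main__":
    print("Read lacks vs Read & Execute:", missing(NTFS["Read"], NTFS["Read & Execute"]))
    print("Write lacks vs Modify:", missing(NTFS["Write"], NTFS["Modify"]))
    print("share Change lacks vs Full:", missing(SHARE["Change"], SHARE["Full Control"]))
    for member in ({"Users"}, {"Users", "OfficeDocReaders"}, {"Users", "OfficeDocAdmins"}):
        for remote in (False, True):
            m = effective(NTFS_ACL, SHARE_ACL, member, remote)
            print(sorted(member), "remote" if remote else "local", hex(m), bits(m))
```

The output makes the post's points concrete: Read differs from Read & Execute by exactly FILE_EXECUTE, Write lacks DELETE, the share grant Change is the Modify mask and so can never pass WRITE_DAC or WRITE_OWNER through to a network client, and a member of OfficeDocAdmins holds Full Control at the console but is capped at Modify over the share.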