Re: Security and Permissions

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 08/05/04


Date: Thu, 05 Aug 2004 07:21:33 -0700


"jmos" <anonymous@discussions.microsoft.com> said

> Thank you Steven
> Yes I am including the NTFS Permissions.
>
> What I'm doing is this:
>
> 1. Create a group (Share Group) and add GP 1-3 to it.
>
> Share Permissions -> Domain Admin -> Full Control
> -> Share Group -> Change
>
> Share NTFS -> Domain Admin -> Full Control
> -> Share Group -> Modify (Special)
>
> Share Sub folders no Inheritance
>
> Share Sub Folder 1-> Domain Admin -> Full Control
> NTFS -> Group1 -> Modify (Special)
>
> Share Sub Folder 2-> Domain Admin -> Full Control
> NTFS -> Group2 -> Modify (Special)
>
> Share Sub Folder 3-> Domain Admin -> Full Control
> NTFS -> Group3 -> Modify (Special)
>
> User Joe appears only in Group1
> User Mary appears in Group 1 and 3
>
> Now my understanding is that for user Joe they would get
> the most restrictive of both the Share and the NTFS of the
> share AND that the NTFS of the Sub Folder overrides the
> securities of the aforementioned, i.e. only access to Share
> Sub folder 1. The same would apply to User Mary, i.e. access
> to only Sub Folders 1 and 3 not 2.
>
> Am I right in saying this?
>
> If so why is this not currently working in my domain and
> what else should I do or be looking for?
>

Make it easy on yourself and forget about the share permissions. Set them to
full access for everyone and use NTFS permissions to lock down the level of
access you want.

Create your root directory, share it and set the share permissions to full
control for everyone. You don't need to share each folder individually. The
users and admins can access them through \\server\share\folder1 ,
\\server\share\folder2 etc.
Next click the 'Security' tab (this is where you set the NTFS permissions)
and give the Domain Admins group full control and the Everyone group read and
execute permissions (this will put ticks in a few other boxes, which is
normal). If the check boxes are greyed out you will need to click the
'Advanced' button and disable inheritance.

For each of the sub folders, set the NTFS permissions to 'Modify' for the
groups you want to have access to that folder and 'Full control' for Domain
Admins. Make sure the 'Everyone' group is not listed as having any
permissions.

Using share permissions just confuses everyone involved (which is what I
think you've managed to do to yourself ;-) ) and also provides a false sense
of security.
You may think that you have set the share permissions OK but there could be
another share higher up the directory structure that will give users full
access if the NTFS permissions are not right. NTFS permissions can bypass
share permissions if you don't access the directory via a particular share.
Share level permissions can *never* over-ride NTFS permissions.
Much better to set the permissions at the file system level. That way there
can be no mistakes.

-- 
Andy.
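
The layout described in the reply above, scripted with New-SmbShare and icacls as an added example (not part of the original thread). The path D:\Data, the share name Data, the domain CONTOSO and the folder names are assumptions; it is meant to be run elevated on the file server by a member of Domain Admins.

```powershell
# Assumed names (not from the thread): D:\Data, share 'Data', domain CONTOSO, Folder1..3.
$root    = 'D:\Data'
$admins  = 'CONTOSO\Domain Admins'
$folders = [ordered]@{
    Folder1 = 'CONTOSO\Group1'
    Folder2 = 'CONTOSO\Group2'
    Folder3 = 'CONTOSO\Group3'
}

# One share at the root with Full Control for Everyone; NTFS does the restricting.
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-SmbShare -Name 'Data' -Path $root -FullAccess 'Everyone' | Out-Null

# Root NTFS: remove inherited ACEs, Domain Admins full control, Everyone read & execute.
icacls $root /inheritance:r /grant:r "${admins}:(OI)(CI)F" "Everyone:(OI)(CI)RX" | Out-Null

foreach ($name in $folders.Keys) {
    $path  = Join-Path $root $name
    $group = $folders[$name]
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Subfolder NTFS: inheritance off, so the root's Everyone ACE does not carry down;
    # only Domain Admins (Full control) and the folder's own group (Modify) are listed.
    icacls $path /inheritance:r /grant:r "${admins}:(OI)(CI)F" "${group}:(OI)(CI)M" | Out-Null
}

# Check: flag any subfolder where Everyone still holds an ACE, or an ACE is inherited.
foreach ($name in $folders.Keys) {
    $path = Join-Path $root $name
    $aces = (Get-Acl -Path $path).Access
    $bad  = $aces | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -or $_.IsInherited
    }
    if ($bad) {
        Write-Warning "$path has unexpected ACEs: $($bad.IdentityReference -join ', ')"
    } else {
        "{0}: OK ({1})" -f $path, ($aces.IdentityReference -join ', ')
    }
}
```

The final loop is worth re-running after any later permission change, since a re-enabled inheritance flag on a subfolder would bring the root's Everyone entry back.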