Re: Server 2003 share permissions
From: Pegasus (MVP) (I.can_at_fly.com)
Date: 01/13/05
- In reply to: Steve: "Re: Server 2003 share permissions"
Date: Fri, 14 Jan 2005 09:59:51 +1100
There are obviously at least two different schools of thought
about the best method to tie down a system. You feel
comfortable with your method, I feel comfortable with mine.
In closing this discussion I would still like to add some
comments - see below.
"Steve" <Steve@discussions.microsoft.com> wrote in message
news:01B5912C-271B-4DB8-A3F4-43E169BB3653@microsoft.com...
> While I am a big fan of KISS, there are a few reasons I like to combine a
> simple share level permission with granular NTFS permissions. I typically
> apply "Authenticated Users:Change" permissions to the share level for the
> following reasons...
>
> 1) Allowing "Everyone:Full Control" permissions on the share allows anyone
> plugging into my network the ability to peek into a share. A share level ACL
> ensures a user has at least some sort of account on my system before they can
> view a file.
I don't think so.
- An authenticated but unauthorised user can connect to any share
but he won't see anything at all.
- A user who is not authenticated will get challenged for an account
name / password before he gets connected to the share.
> 2) If you give "Everyone:Full Control" access to the share, users with full
> permissions on a file/folder can remove the Administrator, or otherwise muck
> around with the ACL. I have just enough distrust for our users that I think
> this extra security is a good idea.
- Administrators can always seize ownership of a resource, even when they
get knocked out by a user.
- If you are concerned about users modifying the ACL then you can give
them "Modify" rather than "Full Control" rights under NTFS. In other
words, you would use a single tool to grant access rights, not two.
> 3) The few additional mouse-clicks can avoid future problems. I am, at
> times, somewhat harried and forgetful. On more than one occasion I (or a
> cow-orker) have added a file or folder to a share and not properly secured it
> with NTFS/it hasn't inherited appropriate permissions. This at least
> guarantees some level of security on an inadvertently unsecured file (see #2).
>
> Many say share level permissions have been made obsolete by the widespread
> use of NTFS, and you'll find no argument from me about how much better NTFS
> secures files...there's no comparison. I also agree you would be nuts to try
> to apply complex permissions on the share, trying to mirror your NTFS
> permissions. But, IMHO, it is a simple process to just apply "Authenticated
> Users:Change" permissions (or whatever is appropriate for your environment)
> any time you create a new share as an ounce of prevention. I suppose in the
> end it comes down to personal preference. YMMV, but this approach has worked
> well for me.
>
> -Steve Tyrol
>
>
>
> "Pegasus (MVP)" wrote:
>
> > I disagree. If you set your NTFS permissions to "Read only" for
> > group A, and "No access" for group B, then doing the same
> > thing for the share permissions creates twice the amount of work
> > but does not give you twice the security.
> >
> > Furthermore, group permissions are very coarse. They do not
> > have the fine granularity of NTFS permissions. The result is
> > that you end up with different types of permissions, which is
> > confusing. It defies the KISS principle.
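
Added example, not part of either poster's message: a small model of the two setups argued over in this thread, showing which rights reach a network user once the share ACL and the NTFS ACL are combined. It assumes each ACL has already been resolved to a single allow mask for the user; the scenario labels are constructed for illustration.

```python
# Added illustration, not code from the thread. Models how Windows combines
# the share ACL and the NTFS ACL for access that arrives over the network.
# Assumption: each ACL is already resolved to a single allow mask for the user.

WRITE_DAC = 0x00040000    # right to change permissions (edit the ACL)
WRITE_OWNER = 0x00080000  # right to take ownership

# Standard Windows access masks for the named permission levels.
FULL_CONTROL = 0x001F01FF
MODIFY = 0x001301BF        # NTFS "Modify" and share "Change"
READ_EXECUTE = 0x001200A9  # NTFS "Read & Execute" and share "Read"

SHARE_LEVELS = {"Full Control": FULL_CONTROL, "Change": MODIFY, "Read": READ_EXECUTE}
NTFS_LEVELS = {"Full Control": FULL_CONTROL, "Modify": MODIFY,
               "Read & Execute": READ_EXECUTE}

# Constructed scenarios: (label, share permission, NTFS permission on the file).
SCENARIOS = [
    ("open share, NTFS set to Modify", "Full Control", "Modify"),
    ("open share, file left at NTFS Full Control", "Full Control", "Full Control"),
    ("capped share, file left at NTFS Full Control", "Change", "Full Control"),
]


def effective_mask(share_level, ntfs_level):
    """Network access gets only the bits that BOTH ACLs grant."""
    return SHARE_LEVELS[share_level] & NTFS_LEVELS[ntfs_level]


def can_edit_acl(mask):
    """True if the holder could rewrite the ACL or take ownership."""
    return bool(mask & (WRITE_DAC | WRITE_OWNER))


def report(scenarios=SCENARIOS):
    """Return (label, effective mask, can_edit_acl) for each scenario."""
    rows = []
    for label, share_level, ntfs_level in scenarios:
        mask = effective_mask(share_level, ntfs_level)
        rows.append((label, mask, can_edit_acl(mask)))
    return rows


if __name__ == "__main__":
    for label, mask, editable in report():
        print(f"{label:46} mask=0x{mask:08X} can edit ACL: {editable}")
```

Share permissions filter network access only; a user logged on locally to the server is governed by the NTFS ACL alone.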