Re: Folder Permissions
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 17 Jan 2009 19:45:33 -0500
mcp6453 <mcp6453@xxxxxxxxx> wrote:
> As I have posted here on several occasions, I am a voluntary admin on
> a Windows Server 2003 for a non-profit organization. There are
> approximately 20 active users on the server, which has been running
> well since it was installed in 2005. All service packs and updates
> have been applied. It is the simplest of single-server installations.
>
> The issue of folder permissions is not clear to me at all. Today I
> resolved to understand folder permissions by reading the help files,
> but I am no further along than I was when I started.
>
> For example, on a "jane user" folder, on the Security tab of the
> Properties window, the two entries listed are "Administrators" and
> "jane user". Both have full control. If I click the Advanced tab,
> under permission entries, I have the following two entries:
>
> Allow Administrators Full Control <not inherited> This folder, subfolders...
> Allow jane user Full Control <not inherited> This folder, subfolders...
>
> "Allow inherited permissions from the parent to propagate to this
> object and all child objects. Include these with entries explicitly
> defined here" is not checked. "Replace permission entries on all
> child objects with entries shown here that apply to child objects" is
> not checked.
>
> On another user account, say "john user", the Group or user names
> listed are Administrators, CREATOR OWNER, john user, SYSTEM, and
> Users. On the Advanced tab, "Allow inherited permissions..." is
> checked.
>
> It seems to me that the Users group (Read & Execute, List Folder
> Contents, Read, Special Permissions) has to be removed so that other
> users cannot read the folder contents.

Yep. Doesn't look like Users should be in there.

> If I try to remove Users, the
> server will not allow me until I uncheck inheritance on the following
> page. So, on another account, I unchecked it and removed it.

To be on the safe side: don't remove - click Copy, when prompted. Then
correct the permissions. Otherwise you can lock yourself out too!

> If someone can explain or point me to a plain English primer that
> will help me understand these permission issues, I would very much
> appreciate it. I did not set up the server, so I don't know which set
> of permissions is the right one. I would also appreciate hearing
> some recommendations for best practices for managing folder
> permissions. The expensive book I bought on Windows Server 2003 seems
> to be written by the same people who wrote the online help.

These might help:
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
http://www.eventreporter.com/Common/en/SecurityReference/SystemGroup-CREATOROWNER.php

My recommendation for permissions is basically this:

Administrators + System has full control, plus anyone else who needs it

My share permissions are Everyone=Full Control.

I like to use groups rather than individual users to set permissions
whenever possible

Inheritance from the parent (e.g., d:\data\) is *not* enabled for any
subfolder I plan to share (e.g., d:\data\share1)

Inheritance for the subfolder's subfolders (e.g., d:\data\share1\subfolder)
*is* enabled, so any NTFS permissions on share1 will exist on any
subfolder/files therein.

Anything that requires different/unique permissions, goes in its own share -
i.e., don't get in the habit of setting different NTFS permissions on
subfolders under a share. If there is accounting data, it doesn't go in
\\server\shared\accounting, it goes in \\server\accounting, and only the
Accounting security group has rights. And so on for all other 'department'
type of folders.

I usually have a folder called Users, with a subfolder for each user.
Administrators has permissions to all, as does system (both = full control).
Each individual user *also* has rights to his or her subfolder. No user has
rights to any other user's folder. This is easy if you let Windows create
the folders....see
"How to dynamically create security-enhanced redirected folders by using
folder redirection in Windows 2000 and in Windows Server 2003"
http://support.microsoft.com/kb/274443

Hope this helps.
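
An added example, not part of the original post: a read-only PowerShell audit of the per-user folder layout recommended above, listing every folder where someone other than Administrators, SYSTEM and the folder's own user has an Allow entry, or where one of those three lacks Full Control. The root path, the domain name, and the assumption that each subfolder is named after its user's logon name are placeholders to adjust.

```powershell
# Added example: read-only audit of per-user folders. Makes no changes.
# Assumptions (placeholders): $Root, $Domain, and that each subfolder is
# named after its user's logon name.
param(
    [string]$Root   = 'D:\Data\Users',
    [string]$Domain = 'EXAMPLE'
)

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$builtin = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl      = Get-Acl -Path $_.FullName
    $expected = $builtin + "$Domain\$($_.Name)"
    $allow    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Principals with an Allow entry that the layout does not call for,
    # e.g. BUILTIN\Users arriving through inheritance from the parent.
    $extra = @($allow |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # Expected principals that have no Full Control entry.
    $missing = @($expected | Where-Object {
        $name = $_
        -not ($allow | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            ($_.FileSystemRights -band $full) -eq $full
        })
    })

    New-Object PSObject -Property @{
        Folder             = $_.FullName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        UnexpectedAllow    = $extra -join '; '
        MissingFullControl = $missing -join '; '
    }
} | Where-Object { $_.UnexpectedAllow -or $_.MissingFullControl } |
    Select-Object Folder, InheritanceBlocked, UnexpectedAllow, MissingFullControl
```

A folder reported with InheritanceBlocked = False and Users under UnexpectedAllow corresponds to the "john user" case in the question; a folder set up like "jane user" produces no output.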