ZDNet UK



How to effectively set up file and printer shares

Scott Lowe

Published: 27 Jun 2003 13:42 BST


NTFS permissions
NTFS permissions are the authorization levels assigned to files and folders on a Windows system and are much more flexible than share permissions. For example, using NTFS permissions, you can restrict users so that they can list the contents of a folder but not do anything else. Figure B shows an example of the Security tab, where you configure NTFS permissions.

Figure B

NTFS permissions can be inherited from the folder's parent folder. For instance, if you assign the NTFS Full Control permission to the Program Files folder for the Power Users group, you can allow this set of permissions to automatically propagate to all of the folders under Program Files, if you want. (There's a check box to activate this.)

You can allow or deny permissions for a particular user or group on the Security tab in the Properties window of any folder on an NTFS partition. Assigning a user or group a permission on a file or folder lets that user or group take the actions that permission enables. If you grant the Read & Execute permission on the files in a folder, users will be able to read and run them, unless the Deny permission has been applied as well. Deny overrides all other permissions.

Deny is a pretty strong security measure on Windows servers. When a user falls under this permission by virtue of a group membership or because of an explicit rights assignment, the user can't make use of that particular resource even if he or she is a member of another group that has permissions for it. For example, suppose you have assigned the Full Control permission to the Marketing folder for the Marketing group in your organisation, but you have also assigned JoeUser the Deny permission for Full Control on this folder. Even if JoeUser is a member of the Marketing group, he will not have access to this folder.

In cases where a user belongs to two groups that have permission for a resource, NTFS rights are cumulative, provided no Deny permission is assigned. Let's suppose JaneUser is a member of the Sales group, which has been granted Read & Execute privileges to the Marketing folder. In addition, you've assigned Modify rights to the Management group, of which JaneUser is also a member. Because of the cumulative nature of NTFS rights, JaneUser will have both the Read & Execute and Modify NTFS rights to the Marketing folder.

Note that, out of the box, Windows 2000 and NT servers have poor security in place. Even the system volume has NTFS permissions that give Full Control rights to everyone connected to the system. This issue has been addressed in Windows Server 2003, where the following changes to default permissions have been made:

  • Only Administrators have Full Control at the root level of a volume.
  • The Everyone group only has rights that allow people connected to the server to read and execute.
  • Domain users can read and execute files and create new folders.

Effective permissions
Effective permissions are the rights that a user actually has based on the share and NTFS permissions assigned. Basically, the user is granted rights amounting to the most restrictive set of permissions. For example, suppose JoeUser is granted NTFS Full Control permissions to a folder and Read permissions on a share to that folder. He will have only Read access to the folder and its contents, since this is the most restrictive rights assignment. This represents JoeUser's effective permissions for that resource.

Likewise, suppose JaneUser has been assigned NTFS Read & Execute permissions to a folder and Full Control share permissions. Since the most restrictive rights in this case are the NTFS ones, they will be the rights that dictate her access level to that resource.
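
The Deny, cumulative and most-restrictive rules described above can be checked against each other with a small model. This is an added example, not code from the article; the three-bit rights mask, the ACE tuples and the function names are assumptions made for illustration, and the model ignores inheritance ordering.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1    # list, read, execute
    WRITE = 2   # create, change, delete
    ADMIN = 4   # change permissions, take ownership

# Simplified permission levels (assumption: real NTFS access masks are finer-grained).
READ_EXECUTE = Right.READ
MODIFY = Right.READ | Right.WRITE
FULL_CONTROL = Right.READ | Right.WRITE | Right.ADMIN

def resolve(aces, user, groups):
    """Rights one ACL yields: Allow entries accumulate, any matching Deny removes."""
    principals = {user, *groups}
    allowed = denied = Right(0)
    for principal, kind, rights in aces:
        if principal not in principals:
            continue
        if kind == "deny":
            denied |= rights
        else:
            allowed |= rights
    return allowed & ~denied

def effective(user, groups, ntfs_aces, share_aces):
    """Access through a share: only the rights that both ACLs grant."""
    return resolve(ntfs_aces, user, groups) & resolve(share_aces, user, groups)

# Constructed sample ACLs for the Marketing folder, following the article's scenarios.
DENY_CASE = [("Marketing", "allow", FULL_CONTROL), ("JoeUser", "deny", FULL_CONTROL)]
CUMULATIVE_CASE = [("Sales", "allow", READ_EXECUTE), ("Management", "allow", MODIFY)]
OPEN_SHARE = [("Everyone", "allow", FULL_CONTROL)]
READ_SHARE = [("Everyone", "allow", Right.READ)]

if __name__ == "__main__":
    # JoeUser: group grant cancelled by his personal Deny.
    print(resolve(DENY_CASE, "JoeUser", ["Marketing"]))
    # JaneUser: Sales and Management grants add up to Modify.
    print(resolve(CUMULATIVE_CASE, "JaneUser", ["Sales", "Management"]))
    # NTFS Full Control behind a Read-only share leaves Read.
    print(effective("JoeUser", ["Everyone"],
                    [("JoeUser", "allow", FULL_CONTROL)], READ_SHARE))
```

Running the same function over an exported ACL is a quick way to spot a Deny entry that silently cancels a group grant before users report it.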

Summary
I've outlined the two major permissions models present in Windows networks -- share and NTFS permissions. Understanding these models is key to ensuring that your users can do their jobs without constantly encountering a security problem that results from a lack of planning in regard to proper permissions. It also lets you prevent users from accessing resources they have no business accessing.

The associated download offers a checklist of to-do items you should consider when setting up a new network. This checklist is especially aimed at small office networks, but any administrator who is setting up permissions for the first time on a new file and/or print server will find it helpful as well.
