NTFS Permissions for a file server?!

    Question

  • Hi,

    At the risk of sounding very stupid I am going to ask this:

    Is there a standard way of creating file shares for users? I have read various very specific articles for roaming profile shares and folder redirection shares, but there does not appear to be anything for a structure for home directory shares or just generic shares?

    I know with the multitude of NTFS permissions available and people's varying requirements available this could be difficult but I would be very interested if there were any documents or guidelines about this?

    For example at the moment for our main file share we have the following:

    D:\Root

    This folder is shared full control and has inheritance to it turned off (i.e. removing all permissions from D:\). It has Administrators on full control going to this folder, subfolders and files below. It also has Authenticated Users with list folder contents on this folder only.

    Underneath this are the various departmental folders. These have inheritance turned off and have their own various security groups configured (For each department as necessary) and again administrators full control...

    However we have a big mess structure under this point with a lot of folders further down having their own permissions (no inheritance etc)... and I am wondering if there is a better way/guide to follow to keep it really simple using inheritance, or do the pros all do this??

    Thursday, April 08, 2010 1:47 PM

Answers

  • Suggested Reading
    Axioms of Permissions Administration
    http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx

    The Golden Rules of Permissions Administration
    http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx

    Differences between Authenticated Users, Domain Users, and Everyone groups
    http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx

    Recommended NTFS Permissions for New Drives
    http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx

    Creator Owner Explained
    http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx

    Doing security is about creating and developing a philosophy, there are many out there.  The one below is mine and works for most situations, this is just a simplified explanation of the Axioms and Golden Rules listed above.

    For shares you should do the following
    1) Everyone - Read  (optional not really needed but a nice just in case)
    2) Authenticated Users - Change
    3) Local Administrators - Full Control
    4) File Structure Administrators - Full Control

    For Shares note the following:
    Always limit Authenticated Users to Change at the Share to prevent non-admin users from accidentally being given Full Control to the file structure.
    You should always configure Local Administrators Full Control at the Share so they can administrate it remotely.
    You should always create and use a File Structure Administrators group and assign them full control to every share.  This allows them to remotely administer shares without being local administrators.

    For your high level directories NTFS Permissions where no files reside and only read access to folders is needed to get to the data in lower directories:
    1) Authenticated Users - Read
    2) Local Administrators - Full Control
    3) File Structure Administrators - Full Control
    4) SYSTEM - Full Control

    For NTFS in this situation note:
    Always limit Authenticated Users to Read to prevent non-admin users changing folders and creating files here.
    You should always configure Local Administrators Full Control at the folder so they can administrate it remotely.
    You should always create and use a File Structure Administrators group and assign them full control to every folder.  This allows them to remotely administer shares without being local administrators.

    For NTFS permissions where users need to write data, stop inheritance, copy permissions and replace Authenticated Users with two different groups:
    1) Directory group - Read Only
    2) Directory group - Read and Write
    3) Local Administrators - Full Control
    4) File Structure Administrators - Full Control
    5) SYSTEM - Full Control

    For NTFS in this situation note:
    Always remove Authenticated Users so the appropriate group limits access.
    You should always configure Local Administrators Full Control at the folder so they can administrate it remotely.
    You should always create and use a File Structure Administrators group and assign them full control to every folder.  This allows them to remotely administer shares without being local administrators.


    • Marked as answer by UselessUser Thursday, April 08, 2010 2:16 PM
    Thursday, April 08, 2010 2:06 PM
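    The scheme in the reply above, applied with PowerShell as an added example (this is not code from the original post or from the linked articles). It assumes the share root is D:\Root published as "Root", the domain is CONTOSO, the groups "File Structure Administrators", "Finance RO" and "Finance RW" already exist, and that "Read and Write" maps to the NTFS Modify right; New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example (not the reply's own code). Assumed: share root D:\Root, share name
# "Root", domain CONTOSO, groups File Structure Administrators / Finance RO / Finance RW.

function Set-FolderAcl {
    param([string]$Path, [hashtable]$Rights)   # identity -> FileSystemRights
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited ACEs (second arg $false = do not copy them)
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit ACEs so the folder ends up with exactly the rules below
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    foreach ($id in $Rights.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $Rights[$id],
            'ContainerInherit, ObjectInherit',   # this folder, subfolders and files
            'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$fsAdmins = 'CONTOSO\File Structure Administrators'

# Share permissions: Everyone Read, Authenticated Users Change, admin groups Full Control
New-SmbShare -Name 'Root' -Path 'D:\Root' `
    -ReadAccess 'Everyone' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess 'BUILTIN\Administrators', $fsAdmins

# Entries every folder gets: local admins, file structure admins and SYSTEM at Full Control
$adminSet = @{
    'BUILTIN\Administrators' = 'FullControl'
    $fsAdmins                = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

# High-level directory: Authenticated Users can only read/traverse, nothing more
Set-FolderAcl -Path 'D:\Root' -Rights ($adminSet + @{
    'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute' })

# Departmental folder: Authenticated Users removed, replaced by a read-only and a
# read/write group (Modify is assumed for "Read and Write"; note it includes Delete)
Set-FolderAcl -Path 'D:\Root\Finance' -Rights ($adminSet + @{
    'CONTOSO\Finance RO' = 'ReadAndExecute'
    'CONTOSO\Finance RW' = 'Modify' })

# Check: every ACE should be explicit (IsInherited = False) and match the lists above
(Get-Acl -Path 'D:\Root\Finance').Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

    Running the final Get-Acl listing on each departmental folder is the quickest way to spot the stray per-folder permissions the question describes: any entry that is neither an admin group nor one of the two directory groups does not belong there.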

All replies

  • Truly excellent response.

    Thank you very much....

    Thursday, April 08, 2010 2:16 PM