I am sure this topic has been beaten to death, but in all of the searching I have done, I have yet to be able to find a post or article to explain what I am looking to accomplish. Instead, I am finding "this is how you set it up" -- regardless of what you want to do.
My company has 2 main file servers. There are a handful of shares off of each. Each share contains most of the data that we use on a day to day basis (Excel files / Access databases / Word docs / etc). These file servers have been in place longer than I have been here - and they are 98% set up so that everyone can access everything, full control.
As I am sure you can imagine, this has grown completely out of control and is just a complete mess at the moment. To make things even better, a few days ago we got hit with a virus that modified attributes on every top level directory in our shares - except for the folders that users didn't have access to modify. So now the push is on to "secure" our file servers.
I understand the difference between Share permission and NTFS - the small percentage of folders on our server that have some sort of security on them, I was the one that set it up. For these I have followed the AGDLP model.
My goals are:
a) We want to make it so that users cannot modify top level folders or create new ones. So if the share is \\server\share - none of our users should be able to create or delete a folder under the share folder. I would also love to make it so that exe / scripts in the share root would not run as well, if possible.
b) Given how historically we have been so wide open with our data - we have databases and macros and all sorts of things that pull from "anywhere" on the share - so we are not interested (right now) in getting too sophisticated, for example, only marketing people can access the marketing folder, same for accounting, same for distribution..etc. So if we had a \\server\share\accounting - authenticated users can do what they want in here. Create files, create folders, modify folders etc. It would be sweet if the end users could not modify permissions or attributes.
c) Once I know how to set this up - I will be looking for advice on how to implement it into our current shares. I already know that if I go to the top level folder that is shared and try to modify things (I have had to do this before, as domain admin) - there are some folders that I do not have access to.
Is there some sort of doc / book / TechNet article out there that can give me some sort of direction on this? I have been searching for Windows file share permissions best practices or NTFS best practices. I seem to keep coming back to NTFS vs Share permissions and how to apply them.
Thanks in advance.
Above all, feel free to give Everyone - Full Control in the Share permissions. We just need to change the NTFS permissions.
1. You would like to deny modify on the top-level/root folder and its subfolders. Then you could give the folder Read Only permission, and apply it to This Folder, Subfolders and Files (if you would like to allow users to create files under the root folder, then apply it to This Folder and Subfolders only).
2. Remove the "inheritable from parent folder" option on the subfolders and give, say, Everyone - Modify (just do not give users the "Edit Permission" permission), and apply it to "Subfolders and Files only".
3. If there is no account which could apply permission changes to all subfolders and files, you will need to take ownership first. You could try "icacls" to do this job if the number of subfolders is large.
4. As you said, we may not be able to find an article which meets our requirement, and all of this depends on the situation. So you may have to do more tests to find out a perfect solution.
- Marked as answer by Shaon Shan, Microsoft contingent staff, Moderator, Monday, December 03, 2012 3:09 AM
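The three steps in the answer above, carried out with icacls from PowerShell, as an added example that is not part of the thread. It assumes a hypothetical share root of D:\Share whose immediate subfolders are the department folders, uses Authenticated Users as the user principal, and adds one refinement the answer does not spell out: a separate "this folder only" ACE so users can create inside a department folder without being able to rename, delete or change attributes on the folder itself.

```powershell
# Added example (not from the thread). Hypothetical paths and principals below.
$Root      = 'D:\Share'
$Users     = 'NT AUTHORITY\Authenticated Users'
$AdminAces = @('BUILTIN\Administrators:(OI)(CI)F', 'NT AUTHORITY\SYSTEM:(OI)(CI)F')

function Invoke-Icacls {
    param([string[]]$ArgumentList)
    & icacls.exe @ArgumentList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): icacls $ArgumentList" }
}

# Step 3 first: the old tree may lock even Domain Admins out of some folders,
# so take ownership (to the Administrators group) before touching ACLs.
& takeown.exe /F $Root /A /R /D Y | Out-Null

# Step 1: users get Read & Execute only on the root, applied to this folder,
# subfolders and files, so nobody can create, rename or delete top-level folders.
Invoke-Icacls @($Root, '/inheritance:r')
Invoke-Icacls @($Root, '/grant:r', "${Users}:(OI)(CI)RX", $AdminAces[0], $AdminAces[1])

# Step 2: each department folder stops inheriting the root's read-only ACE and
# gets Modify. Modify = read/write/delete but not "Change permissions" or
# "Take ownership", so users cannot edit ACLs.
foreach ($dept in Get-ChildItem -Path $Root -Directory) {
    $p = $dept.FullName
    # /reset wipes every explicit ACL below $p so the subtree inherits again.
    # Skip department folders you already secured deliberately (AGDLP groups).
    Invoke-Icacls @($p, '/reset', '/T', '/C')
    Invoke-Icacls @($p, '/inheritance:r')
    Invoke-Icacls @($p, '/grant:r',
        # Subfolders and files only (IO), as the answer describes.
        "${Users}:(OI)(CI)(IO)M",
        # This folder only: list, traverse, create files/subfolders. No DE and
        # no WA, so the department folder itself cannot be renamed, deleted
        # or have its attributes changed (refinement added in this example).
        "${Users}:(RD,WD,AD,X,REA,RA,RC,S)",
        $AdminAces[0], $AdminAces[1])
}

# Verify the result: root should show RX for users, departments M on children.
icacls $Root
Get-ChildItem -Path $Root -Directory | ForEach-Object { icacls $_.FullName }
```

Run it from an elevated PowerShell as a member of Administrators; takeown and /reset over a large tree take a while, and /reset is the step that removes the pre-existing permission mess, so test it on a copy of one department folder first.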