
Sharing Permissions vs Security Permissions

b4u

Golden Member
Hi,

I'm setting up a Windows network, with a Windows 2000 Advanced Server, and I have some questions on my mind ... permissions related ...

These are some basic questions, I know, but I'm no system administrator expert, and these basic questions come to my mind from time to time ... something like asking about the meaning of life 🙂

So, the properties of a directory come with 2 tabs (ignoring the rest of them): Sharing and Security.

Both have permissions to set, so what is the main difference between them?

In a specific case, I want to set up a Personal Folder for each domain user, so I have to play with these settings. I'll create a tree structure, "Personal_Folders" being the root, then I'll have each user inside ("Personal_Folders\user1", "Personal_Folders\user2", ...).

What's the best way of setting the permission settings? Each user would only be allowed to check their own directory, so I would do the following:

[1] Share the "Personal_Folders" to all "Domain Users" (Allow Read only), and remove "Everyone" from the list.

[2] On the "Personal_Folders" security tab, I would clear the whole list, leaving just the following 2 entries:
"Domain Admins" Full Control
"Domain Users" List and Read

[3] Then for each user-specific directory, I would do the following (taking "Personal_Folders\user1" as an example):
Sharing -> No sharing
Security:
"Domain Admins" Full Control
"user1@dune.com" Read, Modify, Write (everything except Full Control)


So am I doing this correctly? Is there a better way of setting permissions up?


Thanks
 
Both have permissions to set, so what is the main difference between them?

Think of them as layers to an onion.

At the lowest layer, you have the file system permissions. If the user requesting access (either locally or remotely) doesn't have it, they are not going to get access to the file.

At the next layer, you have the share permissions. Even if the user has rights locally to access the file, they ALSO need rights to access the share first if they are remote.

The file system permissions will always 'win' (e.g. even if I have rights to access the share, if I don't have file system rights, I can't access the file. But without share rights, I can access the file, just not remotely)

That help at all?

Bill
 
Yes, I got what you mean 🙂 thanks

Now, how would you configure a personal folder? What should be the best secure way of doing it?
 
I am assuming you are talking about having your users have their own home folder?

Usually what I do is set "domain\users" on the share tab and remove the everyone group. Then on the permissions tab, set the personal folder user to have "change" permission on only their user share (though most people leave this at full control for the user, I believe) and give the Domain Admins group full control over everything.

Does this make sense?

Also when setting up their user accounts, you can have the user folder created automatically under the profile tab but it always gives the user full control and you still have to add the domain admins group.
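
The home-folder layout discussed in this thread, scripted for a current Windows Server as an added example (not part of any original post). The path, share name, domain short name and user list are assumptions, and `New-SmbShare` and `icacls` stand in for the Sharing and Security tabs of the Windows 2000 dialogs. The share grants Change rather than Read, because remote access is limited to what both layers allow.

```powershell
# Added example. Assumed names: D:\Personal_Folders, share "Personal_Folders",
# domain short name DUNE, and a constructed list of sample accounts.
$root   = 'D:\Personal_Folders'
$share  = 'Personal_Folders'
$domain = 'DUNE'
$users  = 'user1', 'user2'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share layer: only the listed principals are granted; Everyone is not on the list.
# Share permissions are a ceiling for remote access: with Read here, a user
# holding NTFS Modify on their own folder would still be read-only over the network.
New-SmbShare -Name $share -Path $root `
    -ChangeAccess "$domain\Domain Users" `
    -FullAccess   "$domain\Domain Admins" | Out-Null

# NTFS layer, root folder: stop inheriting from the drive, then grant explicitly.
# (OI)(CI) = inherit to files and subfolders. Domain Users get RX on this folder
# only (no inheritance flags), so they can list and traverse the root.
# SYSTEM is added as an assumption so backup and other services keep working.
icacls $root /inheritance:r `
    /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    /grant "${domain}\Domain Admins:(OI)(CI)F" `
    /grant "${domain}\Domain Users:(RX)"

foreach ($u in $users) {
    $dir = Join-Path $root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Per-user folder: break inheritance so the Domain Users entry from the
    # root does not apply, then grant Modify (not Full Control) to the owner.
    # Without Full Control the user cannot rewrite the ACL or take ownership.
    icacls $dir /inheritance:r `
        /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
        /grant "${domain}\Domain Admins:(OI)(CI)F" `
        /grant "${domain}\${u}:(OI)(CI)M"
}

# Review both layers: the share ACL, then the NTFS ACL of every folder.
Get-SmbShareAccess -Name $share
icacls $root
foreach ($u in $users) { icacls (Join-Path $root $u) }
```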
 
Originally posted by: bsobel
Both have permissions to set, so what is the main difference between them?

Think of them as layers to an onion.

At the lowest layer, you have the file system permissions. If the user requesting access (either locally or remotely) doesn't have it, they are not going to get access to the file.

At the next layer, you have the share permissions. Even if the user has rights locally to access the file, they ALSO need rights to access the share first if they are remote.

The file system permissions will always 'win' (e.g. even if I have rights to access the share, if I don't have file system rights, I can't access the file. But without share rights, I can access the file, just not remotely)

That help at all?

Bill

Maybe just being anal here, but the Share part of your explanation bothers me. If I have NTFS permissions set for myself, there are two ways I can get to a shared folder remotely. I can skip the share completely and go to something like "\\fileserver\c$\shared folder" and if I also have permissions on the share I can go to "\\fileserver\share name". In the first case, it makes no difference even if the folder isn't shared because the hidden root share is always available. It's something that people who like to use share permissions to grant access don't seem to think about.
 
I'll try those settings ITJunkie, almost the same as what I have now ... (almost 🙂)

Well, about Share and Security permissions, I don't really know if it is useful, or if Micro$oft couldn't turn out with one cleaner option. It seems to generate a bit of a confusion sometimes, and a simple error on setting those permissions up could turn out to disable access, or worse ... giving access to someone not rightly entitled to it. Just my opinion though.
 
I can skip the share completely and go to something like "\\fileserver\c$\shared folder"

Only administrators can use the 'hidden' shares, so any permissions can be easily bypassed with a little work.

Generally just ignore share permissions, all they end up doing is causing you frustration and require you to document one more set of ACLs.
 
Maybe just being anal here, but the Share part of your explanation bothers me. If I have NTFS permissions set for myself, there are two ways I can get to a shared folder remotely. I can skip the share completely and go to something like "\\fileserver\c$\shared folder" and if I also have permissions on the share I can go to "\\fileserver\share name". In the first case, it makes no difference even if the folder isn't shared because the hidden root share is always available. It's something that people who like to use share permissions to grant access don't seem to think about.

Only workstations (by default) have the drive shares, and they do have permissions set on them too, only administrators can access them. So, the same rule applies, you need access to the drive share (which you won't have unless you're an admin) and access to the NTFS data...
 