share and NTFS permission

Discussion in 'MCSE' started by Bay, Oct 20, 2003.

  1. Bay

    Bay Guest

    If I want to set permission, can I ignore the share permssion and only
    modify the NTFS permission? I am kinda confused by the Mike Meyer's books.
    In A+, he said ignore the share permission and use the NTFS permission. In
    70-270 XP passport, he said remove the "everyone" group for the share
    permission and modify the ACL from there and use NTFS permission later. So
    what should be the correct way to setup file permission?

    1. Ignore share permission and only modify the ACL and NTFS permission in
    the security tab?
    2. Modify the ACL is share permission and redo the same thing again under
    the NTFS permission?

    Bay, Oct 20, 2003
    1. Advertisements

  2. Bay

    bee Guest

    Keep "everyone" for the share permission and fix NTFS
    permissions as you wish.
    bee, Oct 20, 2003
    1. Advertisements

  3. Bay

    dave Guest

    i just did the 2152 course so see if i remembered

    i think if you remember that deny takes precedence over
    allow and that the least restrictive from share and least
    restrictive from NTFS will give two results which then
    you will take the most restrictive even it has a full
    deny control

    hope thats right

    dave, Oct 20, 2003
  4. Bay

    Guest Guest

    You need to bear in mind that share + NTFS file
    permissions serve two scenarios:

    1) when accessing files and folders locally on a PC, then
    only NTFS permissions apply

    2) when accessing files and folders across a network, say
    on a file server, then both share permissions and NTFS
    permissions apply.

    Most of the time you will be concerned with setting
    security on files and folders accessed over the network.

    Both NTFS and Share permissions are cumulative, that is to
    say if a user belongs to 2 groups, one group has read
    perms and the other group has write perms, then the user's
    effective permission is write.

    When combining share + NTFS permissions, remember that the
    most restrictive permissions apply.

    In the scenario that you present, assigning the Everyone
    group Full control for share permission, and then setting
    the NTFS more restrictive permissions, then user accessing
    the files over the network, will end up with the more
    restrictive permissions assigned by the NTFS file and
    folder permissions.

    Generally, you can leave the default share, e.g. Everyone
    Full Control, so long as you set the appropriate NTFS file
    and folder permissions.

    Personally, I prefer to set restrictive permissions on
    both the share and NTFS file permissions. THat way, if
    someone inadvertantly sets the incorrect NTFS file
    permissions, the files will still be protected because of
    the share permissions.

    Hope this helps
    Guest, Oct 21, 2003
  5. Bay

    Kjell Guest

    There are some shares that you dont like people accessing
    (mapping, browsing and so on), just to see the folder
    structure. In these cases i tend to set a very strict
    share permission, just so there are only a selceted group
    of people being able to connect to these shares.

    On the other shares, i use deafult permission.

    Have in mind that if backup these data, the NTFS
    permissions backed up with the files, and the share
    permissions are backed up with system state (registry).
    So if you reinstall a server, restores the data, you wont
    be able to restore the share permissions if you havent
    documented it properly.

    That was my 10 cents on this matter :)
    Kjell, Oct 23, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.