share and NTFS permission

If I want to set permission, can I ignore the share permssion and only
modify the NTFS permission? I am kinda confused by the Mike Meyer's books.
In A+, he said ignore the share permission and use the NTFS permission. In
70-270 XP passport, he said remove the "everyone" group for the share
permission and modify the ACL from there and use NTFS permission later. So
what should be the correct way to setup file permission?

1. Ignore share permission and only modify the ACL and NTFS permission in
the security tab?
2. Modify the ACL is share permission and redo the same thing again under
the NTFS permission?

Thanks

 

Keep "everyone" for the share permission and fix NTFS
permissions as you wish.

 

i just did the 2152 course so see if i remembered
everything,

i think if you remember that deny takes precedence over
allow and that the least restrictive from share and least
restrictive from NTFS will give two results which then
you will take the most restrictive even it has a full
deny control

hope thats right

Dave

 

You need to bear in mind that share + NTFS file
permissions serve two scenarios:

1) when accessing files and folders locally on a PC, then
only NTFS permissions apply

2) when accessing files and folders across a network, say
on a file server, then both share permissions and NTFS
permissions apply.

Most of the time you will be concerned with setting
security on files and folders accessed over the network.

Both NTFS and Share permissions are cumulative, that is to
say if a user belongs to 2 groups, one group has read
perms and the other group has write perms, then the user's
effective permission is write.

When combining share + NTFS permissions, remember that the
most restrictive permissions apply.

In the scenario that you present, assigning the Everyone
group Full control for share permission, and then setting
the NTFS more restrictive permissions, then user accessing
the files over the network, will end up with the more
restrictive permissions assigned by the NTFS file and
folder permissions.

Generally, you can leave the default share, e.g. Everyone
Full Control, so long as you set the appropriate NTFS file
and folder permissions.

Personally, I prefer to set restrictive permissions on
both the share and NTFS file permissions. THat way, if
someone inadvertantly sets the incorrect NTFS file
permissions, the files will still be protected because of
the share permissions.

Hope this helps

 

There are some shares that you dont like people accessing
(mapping, browsing and so on), just to see the folder
structure. In these cases i tend to set a very strict
share permission, just so there are only a selceted group
of people being able to connect to these shares.

On the other shares, i use deafult permission.

Have in mind that if backup these data, the NTFS
permissions backed up with the files, and the share
permissions are backed up with system state (registry).
So if you reinstall a server, restores the data, you wont
be able to restore the share permissions if you havent
documented it properly.

That was my 10 cents on this matter