Presentation is loading. Please wait.

Presentation is loading. Please wait.

When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign.

Published byAmber Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign."— Presentation transcript:

1 When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign the share permission READ to EVERYONE and assign FULL CONTROL NTFS permissions to Everyone, users connecting through the network will have Read permissions. When accessing a file locally, only NTFS permissions apply 1 Combining Shared Folder and NTFS Permissions

2 Calculating Effective Permissions Both Share and NTFS Permissions are Cumulative Cumulative permissions: Permissions are combined when a user is not explicitly denied access A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. i.e. If a user has Read permissions for a folder and is a member of a group with write permissions for the same folder, the user’s cumulative permissions are both Read and Write 2

3 Calculating Effective Permissions To calculate effective permissions when combining share permissions and NTFS 1. Determine the effective NTFS permissions 2. Determine the effective share permissions 3. Take the most restrictive of the two. 3

4 4 You share a folder on your computer and you assign the share permission Change to Everyone. John, a user from the Sales Department, has been granted Full Control NTFS permissions to the folder. John is a member of the Sales Group, which has been assigned the READ NTFS permission. What are John’s effective permissions when connecting to the share from across the network? Share Permissions of PublicApps Everyone Change NTFS Permissions of PublicApps John: Full Control Sales: Read Sample Calculation

5 5 John’s Effective NTFS Permissions: Full Control John’s Effective Share Permissions: Change Most Restrictive of the two: Change Share Permissions of PublicApps Everyone Change NTFS Permissions of PublicApps John: Full Control Sales: Read Sample Calculation

6 Rules to Remember If you or a group you belong to is on both the share permissions access control list (ACL) and the NTFS ACL, you can browse into the share If you or a group you belong to is on only the share ACL, you cannot browse in but, if you have rights to folders beneath the shared folder you can access them using a UNC path. If you or a group you belong to are only on the NTFS ACL, you cannot browse into the share and you cannot access any folders beneath the share, even if you have rights to them. 6

7 7 Share Permissions Everyone Full Control A Suggested Security Assignment for PUBLIC APPLICATION FOLDERS Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders. NTFS Permissions PublicApps: Administrators Full Control Users Read & Execute; List Folder Contents; Read If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.

8 8 NTFS Permissions PublicApps: Administrators Full Control Users: Read and Execute List Folder Contents Read If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions. Share Permissions Users Read Administrators Full Control A Suggested Security Assignment for PUBLIC APPLICATION FOLDERS Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders.

9 9 Share Permissions Everyone Full Control A Suggested Security Assignment for PUBLIC DATA FOLDERS NTFS Permissions PublicData: Administrators Full Control Users everything but Full Control Permissions assigned here assume that all users are able to add to, delete from and change the contents of files in the shared folder area. Users should not however be able to change permissions on a file or folder nor should they be able to take ownership of a file or folder.

10 10 Share Permissions Administrators Full Control Users Change A Suggested Security Assignment for PUBLIC DATA FOLDERS NTFS Permissions PublicData: Administrators Full Control Users everything but Full Control Permissions assigned here assume that all users are able to add to, delete from and change the contents of files in the shared folder area. Users should not however be able to change permissions on a file or folder nor should they be able to take ownership of a file or folder.

11 11 A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS NTFS Permissions PrivateApps: Administrators Full Control Remove Inheritance from above (do not allow inheritable permissions from this object’s parent) After removing the inheritance make sure Administrators have full control applied to This folder, subfolders and files. Each subfolder Administrators should already be assigned full control because of inheritance Assign each group the following permissions to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.) (users in each department will have to access their respective folder via the UNC path) Read and Execute, List Folder Contents Read Permissions assigned here assume that users in each department should only have access to their department’s applications. (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.) Share Permissions Everyone Full Control

12 12 A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS NTFS Permissions PrivateApps: Administrators Full Control Users Read and Execute, List Folder Contents, Read If the PrivateApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions. Each subfolder Remove Inheritance from above (do not allow inheritable permissions from this object’s parent) After removing the inheritance make sure Administrators have full control applied to This folder, subfolders and files. Assign each group the following permissions to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.) Read and Execute, List Folder Contents Read Permissions assigned here assume that users in each department should only have access to their department’s applications. (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.) Share Permissions Everyone Full Control

13 13 Share Permissions Everyone Full Control A Suggested Security Assignment for PRIVATE DATA FOLDERS NTFS Permissions PrivateData: Administrators Full Control Remove Inheritance from above (do not allow inheritable permissions from this object’s parent) After removing the inheritance make sure Administrators have full control applied to This folder, subfolders and files. Each subfolder Administrators should already be assigned full control because of inheritance Assign each group everything but Full Control to their respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.) (users in each department will have to access their respective folder via the UNC path) Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from and change the contents of files in their department’s folder.

14 14 Share Permissions Everyone Full Control A Suggested Security Assignment for PRIVATE DATA FOLDERS Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from and change the contents of files in their department’s folder. NTFS Permissions PrivateData: Administrators Full Control Users Read and Execute, List Folder Contents, Read If the PrivateData folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions. Each subfolder Remove Inheritance from above (do not allow inheritable permissions from this object’s parent) After removing the inheritance make sure Administrators have full control applied to This folder, subfolders and files. Assign each group everything but Full Control to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.)

Download ppt "When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign."

Similar presentations

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.

11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.
1 Module 6 Securing Network Resources with NTFS Permissions.

1 Module 6 Securing Network Resources with NTFS Permissions.
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.

1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Lesson 4: Configuring File and Share Access

Lesson 4: Configuring File and Share Access
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
Microsoft ® Official Course Module 7 Configuring File Access and Printers on Windows ® 8 Clients.

Microsoft ® Official Course Module 7 Configuring File Access and Printers on Windows ® 8 Clients.

Similar presentations

Ads by Google