The cornerstone of a secure infrastructure is the appropriate assignment of permissions for shared folders, file systems, and printers. For administrators setting up a new network or undertaking a migration, planning permissions assignments can be a daunting task, and the consequences of missing something in the process can be disastrous for network security. To help you make sure you touch all the bases, I’ve put together a step-by-step checklist you can download for free. Here’s a look at the issues involved in the assignment process.

Start with physical security
Since the assignment of permissions is primarily an IT security issue, it should come as no surprise that the first step in deploying a protected file/print server involves a fundamental security measure: You need to keep the server hardware under lock and key, and keep it logged off at all times unless there are administrative tasks to perform. Do not leave the server out where anyone can simply sit down at a desk and work at it. If you do, you provide the opportunity for an attacker to bypass much of the permissions structure you’re about to put in place.

Assign permissions to groups
Whenever possible, assign permissions to groups rather than to individual users. It’s likely that each user in your organization will have rights to multiple folders, shares, printers, etc. Once you provide these permissions via the user’s group membership, if the user leaves the organization, you can grant his or her replacement identical rights simply by assigning the person to the same groups. It’s also much easier to make permission changes to a group rather than to each individual user.

Permission categories
Windows-based servers make use of three main categories of permissions:

  • Share permissions: A share under Windows is any location that you’ve enabled users to access by setting options in the Sharing tab in a folder’s Properties window. A share can be considered a virtual folder on the server that contains all of the files and folders under the location you’ve selected.
  • NTFS permissions: NTFS permissions limit which physical files and folders are accessible on the server after the user has obtained access through the share. NTFS permissions are more granular than share permissions and are available only on partitions that are formatted with the NTFS file system. You access NTFS permission in the Security tab of a folder’s Properties window. (If the Security tab doesn’t exist, the partition is not NTFS formatted.) These are also the permissions in force if a user logs in at the server console, which needs to be limited to administrators.
  • Printer permissions: Printer permissions are separate from share and NTFS permissions and identify which users have access to specific printing resources. We won’t focus on printer permissions in this article.

Initially, the difference between share and NTFS permissions can create confusion, and figuring out how to troubleshoot permission problems can be tricky if you don’t understand the differences. An analogy may help you distinguish between the two. Consider share permissions to be the swipe card that you use to enter your company’s building, and NTFS permissions to be the keys you use to unlock the doors to the individual offices.

Least common denominator
You should apply the most restrictive permissions possible to all users (with the natural exception of the administrator accounts, and even those can be limited on a more granular level in Windows 2000). However, you shouldn’t be overzealous, either. In this context, “most restrictive” means applying a level of security that allows a user to perform his or her job, but no more.

For example, perhaps you have a share on your network for all of your corporate expense form templates. A typical user in your organization simply needs to be able to read the form—not overwrite it with his or her completed version. In this situation, standard users should be granted only Read permissions, while the person or group responsible for maintaining the forms folder will be granted permissions for changing and overwriting.

Share permissions
When you create a new share on a Windows 2000 server, the Everyone account is assigned Full Control rights, which means exactly what it says—anyone can add, delete, or modify anything on that share. In Windows Server 2003, when you create a new share, it’s assigned only the Read permission by default. Share permissions offer these three options:

  • Read: Users accessing the share have only the ability to read the contents of the files and folders in this share, regardless of their NTFS permissions.
  • Change: Users have Read permissions and can modify the contents of files and folders as long as their NTFS permissions allow this activity.
  • Full Control: Users have the same capabilities as the Change permission but can also modify the share permissions for this share. Obviously, this should be reserved for admins.

Clicking on the Permissions button in the Sharing tab for a shared folder results in a list of the users with share permissions assignments and provides you with a place to make changes. Figure A shows a sample screen from the share permissions of a folder on a Windows Server 2003 system.

Figure A

NTFS permissions
NTFS permissions are the authorization levels assigned to files and folders on a Windows system and are much more flexible than share permissions. For example, using NTFS permissions, you can restrict users so that they can list the contents of a folder but not do anything else. Figure B shows an example of the Security tab, where you configure NTFS permissions.

Figure B

NTFS permissions can be inherited from the folder’s parent folder. For instance, if you assign the NTFS Full Control permission to the Program Files folder for the Power Users group, you can allow this set of permissions to automatically propagate to all of the folders under Program Files, if you want. (There’s a check box to activate this.)

You can choose to allow or deny permissions to a particular user or group by selecting the Security tab in the Properties window of any folder on an NTFS partition. Assigning a user or group a particular permission to a file or folder allows that user or group to take actions enabled by that permission. If you grant the Read & Execute permission to files in a folder, users will be able to do those things, unless the Deny permission has been applied as well. That permission overrides all others.

Deny is a pretty strong security measure on Windows servers. When a user falls under this permission by virtue of a group membership or because of an explicit rights assignment, the user can’t make use of that particular resource even if he or she is a member of another group that has permissions for it. For example, suppose you have assigned the Full Control permission to the Marketing folder for the Marketing group in your organization, but you have also assigned JoeUser the Deny permission for Full Control on this folder. Even if JoeUser is a member of the Marketing group, he will not have access to this folder.

In cases where a user belongs to two groups that have permission for a resource, NTFS rights are cumulative—only no Deny permission is assigned. Let’s suppose JaneUser is a member of the Sales group, which has been granted Read & Execute privileges to the Marketing folder. In addition, you’ve assigned Modify rights to the Management group, of which JaneUser is also a member. Because of the cumulative nature of NTFS rights, JaneUser will have both the Read & Execute and Modify NTFS rights to the Marketing folder.

Note that, out of the box, Windows 2000 and NT servers have poor security in place. Even the system volume has NTFS permissions, allowing everyone connected to the system Full Control rights. This issue has been addressed in Windows Server 2003, where the following changes to default permissions have been made:

  • Only Administrators have Full Control at the root level of a volume.
  • The Everyone group only has rights that allow people connected to the server to read and execute.
  • Domain users can read and execute files and create new folders.

Effective permissions
Effective permissions are the rights that a user actually has based on the share and NTFS permissions assigned. Basically, the user is granted rights amounting to the most restrictive set of permissions. For example, suppose JoeUser is granted NTFS Full Control permissions to a folder and Read permissions on a share to that folder. He will have only Read access to the folder and its contents, since this is the most restrictive rights assignment. This represents JoeUser’s effective permissions for that resource.

Likewise, suppose JaneUser has been assigned NTFS Read & Execute permissions to a folder and Full Control share permissions. Since the most restrictive rights in this case are the NTFS ones, they will be the rights that dictate her access level to that resource.

Summary
I’ve outlined the two major permissions models present in Windows networks—share and NTFS permissions. Understanding these models is key to ensuring that your users can do their jobs without constantly encountering a security problem that results from a lack of planning in regard to proper permissions. It also lets you prevent users from accessing resources they have no business accessing.

The associated download offers a checklist of to-do items you should consider when setting up a new network. This checklist is especially aimed at small office networks, but any administrator who is setting up permissions for the first time on a new file and/or print server will find it helpful as well.