General discussion


Share Permissions and Security

By R. Long - VA ·
I want to share a folder on our Windows 2000 Server, I am trying to find out how sharing permissions on the sharing tab and the settings on the Security tab play out. I cannot figure what to set on each tab. If someone could explain each tab a little better, maybe I can grasp it better than all the sites I have been to. Each site woiuld only explain one or the other and not both.

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by sgt_shultz In reply to Share Permissions and Sec ...

the Permissions are 'who can have permission to get into this over the network' this is the one you usually think of when thinking of folder permissions
the Security settings are 'who can have permission locally to get into this'.
it is good idea to take out the everyone group in both places.

Collapse -

by Joseph Moore In reply to Share Permissions and Sec ...

Ok, here's how it all goes together.
As the Sarge posted, the Share permissions only apply to users connecting to the share over the network; the NTFS Security permissions apply to both remote network users AND to local users on the machine physically. Now normally, a local user on a machine does not connect to a Share that is physically on that machine; the local user would navigate locally (using My Computer and drilling down the C: drive for example) to access the folder that is also Shared out.

Ok so far? Good.
Now, in regards to Share Permissions and NTFS Security permissions for remote network users, basically the toughest set of permissions wins. Here's how that works. Whatever users you allow into a Share on the Sharing tab AND on the NTFS Security tab, it is the most strict interpretation of permissions on BOTH tabs determines who has what rights to the Shared folder.

Ok, that's still not very clear. Let me just list how I normally set permissions for a Shared folder, using the Shared tab and the Security tab.

Collapse -

by Joseph Moore In reply to

When I set up a Shared folder, I set the Sharing tab permissions to be AUTHENTICATED USERS have FULL CONTROL rights, and that's it. I remove the default Everyone group having FC rights. I do NOT put individual users into the Sharing tab permissions. AUTHENTICATED USERS are all valid domain user accounts in the domain the server with the Shared folder resides in.

Then on the Security tab permissions, I set it exactly how I want. I add the users/groups on the Security tab to have the rights I want them to have.

So, the Sharing tab has a general all access permission set, and the Security tab has the specific access permission set.

Now time for an example. Say I have a new shared folder called Development on \\SERVER1. I want to give my DEVELOPMENT group (a group in AD that my programmers all belong to) Change rights to the shared folder. I also don't want anyone else getting to the shared folder.

So, on the Sharing tab for this root folder (say it's C:\DEVELOPMENT on the \\SERVER1 machine), I set AUTHENTICATED USERS to have Full Control. Now, more users than just my programmers will be "authenticated users," but we're gonna take care of that.

Then on the Security tab, I remove all groups (probably the Everyone group by default) that are listed with permissions. I then Add the DEVELOPMENT group, and I give it Change rights. (NOTE: I would also add the Domain Admins group to have FC rights, but that is neither here nor there! Never lock out your Admin accounts from accessing a folder!)

So, only the DEVELOPMENT group is listed with rights.

Collapse -

by Joseph Moore In reply to

Now, when a member of DEVELOPMENT tries to access the Shared folder, here is the authentication logic. The Sharing permissions say that Authenticated Users have FC rights; the acutal user account trying to access the Share is checked to see if it's an authenticated user (VS an "anonymous" user, which does not authenticate). As its a member of this group, they are authenticated, so that works ok; their permissions at this point are Full Control.

Then the NTFS Security permissions kick in. Those are then checked after the Share permissions. Now, the Security permissions say that members of DEVELOPMENT group have Change rights (slightly less than FC rights; no Take Ownership right, basically). The user account is checked to see what groups it belongs to; as it belongs to DEVELOPMENT, then it gets Change rights for access to the Share.

And that's it. That's the permission level my Development member gets: Change rights.

Now, let's say that user BOB were a member of the DEVELOPMENT group, and BOB tried to access this share. Well, let's also say that BOB was an idiot, and his manager told me to limit BOB's rights to Read Only on this share. What to do?

I would ADD BOBs account to the NTFS Security tab specifically, giving him Read only access (and probably List Folder Contents, technically).

Collapse -

by Joseph Moore In reply to

And to get this to work right for BOB, I would also DENY him the Modify right.

(NOTE: I forgot that the Change right on the Security tab is actually called MODIFY. So, whenever I used "Change" replace with "Modify". Sorry! My bad!)

Ok, so when BOB connected, his group membership would give him Modify rights, but the Deny to Modify and the allow checks for Read would change his permissions to Read only. Remember a Deny trumps everything!

So, I think that is clear enough. I hope this long, rambling explanation helps!

Collapse -

by CG IT In reply to Share Permissions and Sec ...

well Joe sums it all up except What-About-Bob???

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums