Best practice for assigning share level permissions

plettner Member Posts: 197
I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions. I've done some research and found a few things. I'm interested to see what members of this forum think.

According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.

According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."

Is Microsoft only referring to NTFS permissions or permissions on the whole? If they refer to both share and NTFS permissions, this can become a dog's breakfast with restrictions and so forth.

My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.

I'm worried that a question will come up like "According to best practice, ..."

Comments

  • royal Member Posts: 3,352
    Well, there are two types of best practice to me. The first is thinking about security and another is thinking about administrative upkeep. The most secure way to do things is of course to make things as secure as possible which would not be everyone full control at share level. It would be ONLY what someone needs to do their job; also known as Principle of Least Privilege. Best practice in the real world is different. Just about every admin you will encounter, including me, will always assign full control to everyone at share level and lock things down at the NTFS level.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    plettner wrote:
    I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions.
    The key phrase here is "share level permissions", which is related to, but different than, NTFS security level permissions.

    plettner wrote:
    According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.
    This is a security and administrative best practice, but here again we are talking about more than just "share level" permissions. The reasoning is that since someone accessing the share has to deal with BOTH share level and NTFS level permissions, why create the headache and confusion of assigning share level permissions when you can just use the NTFS level permissions for a choke point. By setting "Everyone=Full Control" at the share level, you never need to worry about it when performing troubleshooting, auditing or administration. You manage everything at the NTFS level, whether for local access or network access.
    plettner wrote:
    According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."
    When speaking strictly about permissions, yes the best thing to do is assign the least access necessary for someone to perform their job. This is a case where you must read the question carefully to determine what the "best" answer is, given the choices. If it is asking about securing a share across the network using share level permissions, then you wouldn't select an answer that says "Everyone, Full Control" because the information presented didn't state anything implicitly about other means of securing the share, such as NTFS, firewalls or IPSec policies.
    plettner wrote:
    My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.

    Under W2K this was true. In W2K3 it is incorrect. Changes were made to the "Everyone" group to leave out Anonymous users, which was the only functional difference between Everyone and Authenticated Users. So now you simply use the Everyone group.

    Hope that helps! :)
    All things are possible, only believe.
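
The arrangement described in the post above (Everyone=Full Control on the share, NTFS as the choke point) only holds if the NTFS ACL on the shared folder is in fact restrictive. The following is an added example, not part of the original thread, that audits a server for shares where both layers are open. It assumes the SmbShare module (Windows 8 / Server 2012 or later, not the Server 2003 systems discussed here), English principal names, and an elevated session.

```powershell
# Added example: find shares whose share-level ACL is wide open and report
# whether the NTFS ACL on the share root is actually doing the restricting.

# Broad principals to look for (assumption: English names; adjust if localized).
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# NTFS rights that allow changing data or the ACL itself.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Skip administrative shares (C$, ADMIN$, IPC$) and shares without a folder path.
$shares = Get-SmbShare -Special $false | Where-Object { $_.Path }

foreach ($share in $shares) {
    # Share-level entries granting Full to a broad principal.
    $openShare = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -in $broad -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    if (-not $openShare) { continue }   # share ACL itself is restrictive

    # NTFS entries on the share root granting write-type rights to a broad principal.
    # Only the root folder is checked; subfolders with broken inheritance are not.
    $acl = Get-Acl -LiteralPath $share.Path
    $looseNtfs = $acl.Access | Where-Object {
        $_.IdentityReference.Value -in $broad -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeBits) -ne 0
    }

    [pscustomobject]@{
        Share            = $share.Name
        Path             = $share.Path
        OpenShareAcl     = ($openShare.AccountName -join ', ')
        BroadNtfsWrite   = ($looseNtfs.IdentityReference.Value -join ', ')
        NtfsIsChokePoint = -not $looseNtfs
    }
}
```

Rows with `NtfsIsChokePoint` set to `False` are shares where neither layer restricts write access for a broad group.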
  • theseman Member Posts: 230
    Don't forget to use AGLP for assigning permissions to resources. (NTFS)
  • plettner Member Posts: 197
    sprkymrk wrote:
    plettner wrote:
    I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions.
    The key phrase here is "share level permissions", which is related to, but different than, NTFS security level permissions.

    plettner wrote:
    According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.
    This is a security and administrative best practice, but here again we are talking about more than just "share level" permissions. The reasoning is that since someone accessing the share has to deal with BOTH share level and NTFS level permissions, why create the headache and confusion of assigning share level permissions when you can just use the NTFS level permissions for a choke point. By setting "Everyone=Full Control" at the share level, you never need to worry about it when performing troubleshooting, auditing or administration. You manage everything at the NTFS level, whether for local access or network access.
    plettner wrote:
    According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."
    When speaking strictly about permissions, yes the best thing to do is assign the least access necessary for someone to perform their job. This is a case where you must read the question carefully to determine what the "best" answer is, given the choices. If it is asking about securing a share across the network using share level permissions, then you wouldn't select an answer that says "Everyone, Full Control" because the information presented didn't state anything implicitly about other means of securing the share, such as NTFS, firewalls or IPSec policies.
    plettner wrote:
    My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.

    Under W2K this was true. In W2K3 it is incorrect. Changes were made to the "Everyone" group to leave out Anonymous users, which was the only functional difference between Everyone and Authenticated Users. So now you simply use the Everyone group.

    Hope that helps! :)

    Thanks for the reply. So your thoughts were basically what I was tossing up. I didn't know about the change between 2000 and 2003. That makes things easier!

    At work, we use Novell and obviously there are no Share permissions so although I understand the differences and how to find the effective permissions, the "best-practice" side of things is/was unclear to some extent.

    Thanks for the reply.
  • sprkymrk Member Posts: 4,884
    Good luck on Friday!
    All things are possible, only believe.
  • rock360 Member Posts: 20
    Even though I get your guys' real world way of doing this, I'm still unsure about what would be the correct answer on a test if it was vague, but with the Microsoft questions I don't think we get anything like that.
  • plettner Member Posts: 197
    sprkymrk wrote:
    Good luck on Friday!

    Thanks. I always get nervous around the MS exams. I've never failed any but I always seem to imagine they'll throw in some really difficult questions not once but numerous.

    The CompTIA exams I always have confidence taking them.
  • plettner Member Posts: 197
    I've been reading through the great TechNotes. They have actually made some things clearer than the Microsoft Press, especially around the group scope area.