Understanding Security....

Can someone post a link to an in-depth explanation of what all the NTFS security permissions and Folder Permissions actually mean, and which setting overrides which permission, etc. I am having a tough time understanding them completely due to the fact that I always set Folder Share permissions to Everyone Full Control and then base my restrictions via NTFS security.

Comments

  • TechJunky Member Posts: 881
    Ok, so basically the least restrictive permission is the effective permission?

    Joe is part of the Marketing group and the Sales Group. What are his permissions?

    Folder Permissions
    Sales Read
    Marketing Full Control
    Legal Change

    NTFS Permissions
    Sales Write
    Marketing Read
    Legal Modify

    I am guessing Read, because his folder permissions least restrictive are set to Read and his NTFS permissions least restrictive are set to Read on Marketing. Is this correct?

    Still confused.

    LOL
  • royal Member Posts: 3,352
    He would have Full Control.

    Share Permissions = Accumulate all permissions for a user based on access given to him or groups he is in
    NTFS = Accumulate all NTFS Permissions for a user based on access given to him or groups he is in

    Now take the most restrictive between Share and NTFS


    So let's look at your example and add on to it:

    Joe is a member of both Marketing and Sales

    We are working on the Share "Files"

    The Files folder is shared out and has the following share permissions:
    Marketing - No Permissions Configured
    Sales - Read

    The Files folder has the following NTFS permissions:
    Marketing - Read/Write
    Sales - Full Control

    The Documents folder is shared out and has the following share permissions:
    Marketing - Full Control
    Sales - Read

    The Documents folder has the following NTFS permissions:
    Marketing - Full Control
    Sales - Full Control

    Files folder: Joe will land up with read access. - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

    Documents folder: Joe will land up with full control access - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

    Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).

    Does this help?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • TechJunky Member Posts: 881
    I was doing ok, until at the end you stated he would only have read access.

    First you stated he would have full control?...

    Still confused.

    I am curious as to what permissions he would be granted if he was trying to access via a network share.

    Let's say Joe is trying to access a shared folder called \\Server\PCWS01\Files. Joe is part of Marketing and Sales. Marketing has Read access, Sales users have Write access. So the least restrictive of the share permissions is Read, so he has Read? Accumulative means you add them together and then use the least restrictive, correct? So he essentially has Read/Write access, but since Read is the lesser of the two he has a share permission of Read? I will just try and focus on share folder access right now and not NTFS to make it easier.

    Sorry for all the questions. I was always taught to restrict via NTFS permissions because these apply both locally and remotely.
  • JdotQ Member Posts: 230
    royal wrote:
    Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).

    Good analogy, royal.
    TechJunky wrote:
    Let's say Joe is trying to access a shared folder called \\Server\PCWS01\Files. Joe is part of Marketing and Sales. Marketing has Read access, Sales users have Write access. So the least restrictive of the share permissions is Read, so he has Read? Accumulative means you add them together and then use the least restrictive, correct? So he essentially has Read/Write access, but since Read is the lesser of the two he has a share permission of Read? I will just try and focus on share folder access right now and not NTFS to make it easier.

    Be careful with your terms of "least restrictive" vs. "most restrictive". "Least restrictive" would have an effect of "Full Control", as that is the most least restrictive (lots of double negatives there, hope it makes sense). Permissions that are the most restrictive (most secure) will take precedence. So, read is more restrictive than write -- so out of the combination of permissions, read would "win" in the NTFS Team vs. Share Team Security War (going off royal's analogy)
  • royal Member Posts: 3,352
    TechJunky wrote:
    I was doing ok, until at the end you stated he would only have read access.

    Good catch. I forgot to go back and revise my post before posting. Check it out now and let me know if it makes sense.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • TechJunky Member Posts: 881
    Ok, so I am going to assume that the most restrictive security permission decides what a user's permissions really are? But, with your analogy of the team method...

    If I have Read/Full Control for Share permission and Write/Modify permission for NTFS. Since the two are battling, and since Read is the most restrictive for the Share team fighting against NTFS with Write being the most restrictive on the NTFS team, then the Share permission team wins and the user only gets Read permission?

    Please let me know if I am understanding this correctly.
  • sprkymrk Member Posts: 4,884
    Long story short - for network access to a share:

    Find the least restrictive of SHARE level permissions, then find the least restrictive NTFS level permissions. (If you encounter a deny that trumps everything* and you're done). Now out of those two, use the MOST restrictive.

    For local access to an object, just use the least restrictive NTFS permissions, as share level permissions do not apply when accessing local resources. Again, a deny trumps everything* in most cases.



    *An explicit allow can override an inherited deny.
    All things are possible, only believe.
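As an added illustration that is not part of the thread, here is a small Python model of the rule sprkymrk states (least restrictive within Share, least restrictive within NTFS, then the most restrictive of the two, deny winning, local access ignoring Share), run over royal's Files/Documents example and TechJunky's opening example. The lower-case group names, the numeric ranking of rights and the deny handling are my own constructions; the footnote's exception (an explicit allow overriding an inherited deny) is not modelled, every deny here is treated as explicit.

```python
# Constructed model of effective Share + NTFS access as described in the thread.
# Rights are ranked from most to least restrictive; synonyms fold into one level
# so share "Change" and NTFS "Write"/"Modify" compare as the same level.
RANK = {"none": 0, "read": 1, "write": 2, "change": 2, "modify": 2, "full": 3}
NAME = {-1: "deny", 0: "none", 1: "read", 2: "write", 3: "full"}


def accumulate(acl, groups):
    """Combine one layer (Share or NTFS) for a user's groups.

    Allows accumulate, so the least restrictive applicable right wins.
    Any applicable deny entry overrides the whole layer (rank -1).
    """
    if any(acl.get(g) == "deny" for g in groups):
        return -1
    return max(RANK[acl.get(g, "none")] for g in groups)


def effective(share_acl, ntfs_acl, groups, local=False):
    """Least restrictive within each layer, then MOST restrictive of the two.

    Local access skips the Share layer entirely, as sprkymrk notes.
    """
    ntfs = accumulate(ntfs_acl, groups)
    if local:
        return NAME[ntfs]
    share = accumulate(share_acl, groups)
    return NAME[min(share, ntfs)]  # min() also makes a deny (-1) win outright


JOE = ["marketing", "sales"]  # Joe is in both groups (constructed names)

# royal's "Files" folder: Marketing has no share entry, Sales=Read;
# NTFS Marketing=Read/Write, Sales=Full Control.
FILES_SHARE = {"sales": "read"}
FILES_NTFS = {"marketing": "write", "sales": "full"}

# royal's "Documents" folder: share Marketing=Full, Sales=Read; NTFS both Full.
DOCS_SHARE = {"marketing": "full", "sales": "read"}
DOCS_NTFS = {"marketing": "full", "sales": "full"}

# TechJunky's opening example: share Sales=Read, Marketing=Full, Legal=Change;
# NTFS Sales=Write, Marketing=Read, Legal=Modify (Joe is not in Legal).
FIRST_SHARE = {"sales": "read", "marketing": "full", "legal": "change"}
FIRST_NTFS = {"sales": "write", "marketing": "read", "legal": "modify"}

if __name__ == "__main__":
    print("Files over the network:", effective(FILES_SHARE, FILES_NTFS, JOE))
    print("Files accessed locally:", effective(FILES_SHARE, FILES_NTFS, JOE, local=True))
    print("Documents over the network:", effective(DOCS_SHARE, DOCS_NTFS, JOE))
    print("Opening example over the network:", effective(FIRST_SHARE, FIRST_NTFS, JOE))
```

The opening example resolves to the Write/Modify level: Share accumulates to Full Control, NTFS accumulates to Write, and the more restrictive of those two wins.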
  • TechJunky Member Posts: 881
    Ahh, that was my problem. I was doing most restrictive, most restrictive and then most restrictive again.

    I now see I should have been doing least restrictive, least restrictive, and then most restrictive.

    Thanks again for all the info!