Share permissions on sub-folders!!!

MarkieMarkie Member Posts: 54 ■■□□□□□□□□
Hey all,

This is probably more of an observation as opposed to a query.

I considered myself pretty confident with respect to NTFS and Share permissions but it seems one never stops learning.

Ok, we all know that the best security strategy for a network is to use a combination of both NTFS and Share permissions.

But let's say for argument's sake we wanted to just use Share permissions to secure resources (note: we could do this by giving the Everyone group allow - full control NTFS permissions).

Ok, I realise this would be bad security practice but I am wanting to keep NTFS out of it to show you guys how inefficient Share permissions are if they are used on their own.

Take this example for instance:

Let's say we have a file server that contains a whole bunch of sub-folders that have been shared over the network. Note, at this stage, the parent folder has not been shared.

But let's now say that due to the number of these shared sub-folders becoming too large, we decide to share the parent folder (now the main share) as well and have all users go through this share to access the sub-folders (which are still shared).

Ok, some of you might say, "but the original sub-folder shares are still available on the network". However, if our users access shares via network drives only, we would map just the one network drive to the main share (the parent folder) to force users to go through the main share when accessing the subfolders. Or we could append the original shares with a "$" to make them not visible when browsing in My Network Places.

Ok, so now all our users are going through the main share (parent folder) when they access the sub-folders.

But here's the problem. What if we want to retain the original Share permissions that we had on the sub-folders? As far as I can tell, this cannot be done. Any Share permissions that are set on the subfolders are essentially ignored if a folder higher in the tree is also shared over the network.

The Share permissions set on the sub-folders are ignored but instead only inherit the permissions that are set on the main share (the parent). This is only true of course if we go through the main share to access the sub-folders. But we have already ensured this (as explained above).

But as I said, we don't want all of our sub-folders having the same share permissions that are set on the parent. We want our sub-folders to have the unique set of permissions that they had before. It seems that this cannot be achieved with Share permissions alone. We have to employ NTFS permissions.

If we set NTFS permissions on the sub-folders, we could give users a similar (if not identical) level of access that they had before the parent folder was shared over the network.

So the moral of the story is: Share permissions on sub-folders are totally ineffective if the parent folder is also shared (provided users access all shares through the parent).

I suppose I never realised how inefficient Share permissions are when used in isolation.

Ok, in the example above, we could continue to access the sub-folders directly so that their original share permissions apply. However, if we used this strategy, you would either run out of drive letters (if you used network drives) or you would have a ridiculous amount of shares to filter through when browsing My Network Places.

I guess my next question is: Why can't we configure inheritance on Share permissions like we can with NTFS permissions?

I suppose Microsoft has deliberately kept Share permissions more simple than NTFS permissions to accommodate the average user.

However, as described in the example above, Share permissions (used in isolation) would only be useful if you were happy to have all sub-folders and files having the same permissions as the main share (the parent).

I know that there is a lot of literature available with respect to NTFS and Share permissions. However, I have found a lot of the information on Share permissions to be over-simplified.

So, I decided to put my two cents in.

If anyone finds a fault with any of my interpretations, please post back.

Mark
The oxen is slow but the earth is patient!!!!
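
The nested-share situation described in the post above can be audited. This is an added example, not part of the original post: it flags every share whose folder sits under another share and whose share ACL is bypassed when users come in through the parent. The share names, paths, accounts and the `Get-MaxShareRight` and `Find-NestedShare` function names are constructed for illustration, and NTFS permissions are deliberately not modelled.

```powershell
# Constructed sample data, not taken from a real server. On a live file server
# the same properties come from Get-SmbShare and Get-SmbShareAccess.
$shares = @(
    [pscustomobject]@{ Name = 'Data';     Path = 'D:\Data' }
    [pscustomobject]@{ Name = 'Finance$'; Path = 'D:\Data\Finance' }
    [pscustomobject]@{ Name = 'Public';   Path = 'D:\Data\Public' }
)
$access = @(
    [pscustomobject]@{ Name = 'Data';     AccountName = 'Everyone';     AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'Finance$'; AccountName = 'CORP\Finance'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Public';   AccountName = 'Everyone';     AccessControlType = 'Allow'; AccessRight = 'Full' }
)

$rank  = @{ Read = 1; Change = 2; Full = 3 }     # 'Custom' rights are not ranked here
$label = 'None', 'Read', 'Change', 'Full'

function Get-MaxShareRight {
    param($Access, [string]$ShareName)
    # Broadest Allow right on one share ACL (a simplification: ignores who holds it).
    $levels = $Access |
        Where-Object { $_.Name -eq $ShareName -and "$($_.AccessControlType)" -eq 'Allow' } |
        ForEach-Object { $rank["$($_.AccessRight)"] }
    [int]($levels | Measure-Object -Maximum).Maximum
}

function Find-NestedShare {
    param($Shares, $Access)
    foreach ($child in $Shares) {
        foreach ($parent in $Shares) {
            # A share is nested when its folder lies below another share's folder.
            $prefix = $parent.Path.TrimEnd('\') + '\'
            if (-not $child.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
            $c = Get-MaxShareRight $Access $child.Name
            $p = Get-MaxShareRight $Access $parent.Name
            [pscustomobject]@{
                ChildShare    = $child.Name
                ChildAcl      = $label[$c]
                ParentShare   = $parent.Name
                ParentAcl     = $label[$p]
                ViaParent     = '\\<server>\{0}\{1}' -f $parent.Name, $child.Path.Substring($prefix.Length)
                ParentBroader = $p -gt $c      # child's share ACL is not consulted on this route
            }
        }
    }
}

Find-NestedShare $shares $access | Format-Table -AutoSize
```

With the sample data, `Finance$` is reported with `ParentBroader` set to True because the `Data` share allows Change while the sub-folder's own share ACL allows only Read; only NTFS permissions on `D:\Data\Finance` would restrict access along the `ViaParent` route.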

Comments

  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    Yea, pretty much. Most people don't even bother with share permissions. They just give "everyone" full-control and lock things down with NTFS. It might seem like multiple layers of permissions would increase security. However, it can be difficult to keep track of everything in complex environments. Complexity is an enemy of security. For example, if you end up relying on a share permission to prevent write access, and then you do something like what you described above, you may inadvertently grant more access than you intended. Unless you have a compelling reason to adjust share permissions, it's best to just leave them wide open and set granular permissions with NTFS.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Share permissions date back to FAT drives, when NTFS permissions didn't apply.

    Like dynamik said, 99% of the time I set Everyone - Full Control (or Authenticated Users - Full Control) and do everything using NTFS permissions. I want that granularity... and the guarantee. :)
  • MarkieMarkie Member Posts: 54 ■■□□□□□□□□
    Share permissions date back to FAT drives, when NTFS permissions didn't apply.

    My point exactly. I feel sorry for those poor souls that had to secure their network without the benefits of NTFS.

    As my example explained, I'm guessing the "My Network Places" would have looked like a dog's breakfast if you wanted to have different levels of permissions on all the subfolders. Can you imagine opening up My Network Places and discovering over 100 shares? Very nasty indeed.
    The oxen is slow but the earth is patient!!!!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Markie wrote:
    Can you imagine opening up My Network Places and discovering over 100 shares? Very nasty indeed.
    I've seen servers with way over a thousand shares :)