Gearing up for the XP test...

NunyaNunya Member Posts: 12 ■□□□□□□□□□
so I'll have a couple of questions over the next couple of days, any clarification is welcome: So here's my first question and it's related to a question (here) in the XP sample test on Techexams.net...

The question is:

18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
What are John's effective permissions when connecting to the shared folder?
[SIZE=-1]a. Read[/SIZE][SIZE=-1]b. Read & Execute[/SIZE][SIZE=-1]c. Change[/SIZE][SIZE=-1]d. Full Control[/SIZE]

The sample exam gives the answer as "C Change" but why wouldn't it be READ if when combining Share and NTFS permissions the most restrictive applies?

Thanks, I'll be back with more!

~N

Comments

  • citinerdcitinerd Member Posts: 266
    Nunya wrote: »
    so I'll have a couple of questions over the next couple of days, any clarification is welcome: So here's my first question and it's related to a question (here) in the XP sample test on Techexams.net...

    The question is:

    18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
    What are John's effective permissions when connecting to the shared folder?
    [SIZE=-1]a. Read[/SIZE][SIZE=-1]b. Read & Execute[/SIZE][SIZE=-1]c. Change[/SIZE][SIZE=-1]d. Full Control[/SIZE]

    The sample exam gives the answer as "C Change" but why wouldn't it be READ if when combining Share and NTFS permissions the most restrictive applies?

    Thanks, I'll be back with more!

    ~N

    When it comes to NTFS user and group permissions unless the "Deny" permission is used then they receive the least restrictive of the 2, which in this case is Full Control.

    Now to find the effective permissions it is the most restrictive between the Share (Change) and the NTFS permission (Full Control). Which would make answer C correct.

    Permissions are fun! You can simulate this in a lab to test too.
  • Mojo_666Mojo_666 Member Posts: 438
    Nunya wrote: »
    so I'll have a couple of questions over the next couple of days, any clarification is welcome: So here's my first question and it's related to a question (here) in the XP sample test on Techexams.net...

    The question is:

    18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
    What are John's effective permissions when connecting to the shared folder?
    [SIZE=-1]a. Read[/SIZE][SIZE=-1]b. Read & Execute[/SIZE][SIZE=-1]c. Change[/SIZE][SIZE=-1]d. Full Control[/SIZE]

    The sample exam gives the answer as "C Change" but why wouldn't it be READ if when combining Share and NTFS permissions the most restrictive applies?

    Thanks, I'll be back with more!

    ~N

    Becuase he has been assigned Full Control on the NTFS permissions, read is not a restriction, an explicit deny would be though.

    The read and full control assigned to the NTFS permissions do not conflict with each other they conflict only with the share permisssions.


    What the books do not explain very well is this little factoid.

    Multiple NTFS permissions are cumulative. They stack upon each other, and the highest/least restrictive wins (unless there are explicit denies) Share permissions work the same way. BUT when you mix NTFS permissions with Share permissions, the most restrictive permission wins.

    Real world

    Most places assign "full control" on the shares to the "everyone" group (or if it is me to the "authenticated users" group) so they deal only with NTFS permissions 100% of the time after the initial share has been set up.
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    Nunya wrote: »
    so I'll have a couple of questions over the next couple of days, any clarification is welcome: So here's my first question and it's related to a question (here) in the XP sample test on Techexams.net...

    The question is:

    18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.
    What are John's effective permissions when connecting to the shared folder?
    [SIZE=-1]a. Read[/SIZE][SIZE=-1]b. Read & Execute[/SIZE][SIZE=-1]c. Change[/SIZE][SIZE=-1]d. Full Control[/SIZE]

    The sample exam gives the answer as "C Change" but why wouldn't it be READ if when combining Share and NTFS permissions the most restrictive applies?

    Thanks, I'll be back with more!

    ~N

    Break this down, rather than the fancy wording, this same question could be written as:

    John has the Full Control NTFS permission and the read permission. (The read is actually already covered with the full control, but I leave it here to show that I am considering it.) John also has the Change share permission. What can he do?

    You are correct that is the most restrictive of the two, either the NFTS or the Share. But when only considering NTFS, it is the most permissive. Let me explain.

    Speaking in only NTFS permissions, If you give the everyone group Read. But then give yourself Full Control so that you can administer it, you are going to have Full control.

    A second example. You are working in 2 jobs. One with marketing and one with sales. So if you are in both sales and marketing groups. Sales has read and Marketing has write. It wouldn't make sense if you couldn't write because that permission is required for the marketing department to do their jobs.

    This is one of those things that is difficult to inilially understand, but once you have it you will laugh at how easy it is. Just keep working on it and trying questions.

    When you consider dual permissions. Say NTFS full control and share read. If you are on the local machine, you have full control. Your shared permissions are not even considered. If you are accessing over a share, then both are considered.

    Imagine that you have a hotel room. There are two doors. The first door is to get into the building. Lets assume that it is late at night and the door is locked. In order to get inside the building, you need to have an access card that has been assigned to the Customers group. Anyone with a room will be added to the Customers group and will be able to get past this door.

    The second door is to get into your room. While anyone in the Customers group was able to get inside the building, only members of the Room506 group will be able to get into Room 506.

    So in order to get into Room 506, you need to be both a member of the Customers group (to get through the front door) and a member of the Room506 group (to get into the room). If for some reason your membership was set up wrong, and you were added to the Room506 group but not to the Customers group, you would not be able to get into your room because you can't even get into the building.

    Does that make sense?
    Decide what to be and go be it.
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    Mojo_666 wrote: »
    Real world

    Most places assign "full control" on the shares to the "everyone" group (or if it is me to the "authenticated users" group) so they deal only with NTFS permissions 100% of the time after the initial share has been set up.

    I think this happens a lot, but sometimes there is confidential information that you don't want to be accessed from any computer. Maybe there is a banking database on a server and while I have a real reason to open it and modify it, in order to lock it down a little better, you could restrict it so that I can only view it when I am seated at that computer (or accessing over RDP, If you are using remote desktop, it is treated as if you are locally sitting there.) by not giving me any share permissions.

    Then even if someone shoulder surfed my password, they still wouldn't be able to access this information since they can't get to the machine which is in a locked room.
    Decide what to be and go be it.
  • NunyaNunya Member Posts: 12 ■□□□□□□□□□
    Starting to gel...thank you ALL so much for responding...looking forward to a long weekend to let it sink in and practice...I'll be back with more questions...again, thanks to all for savy answers
  • NunyaNunya Member Posts: 12 ■□□□□□□□□□
    OK, so, tell me this...if we are able to share a folder using share...and we're able to share a folder using NTFS (i.e. List Dir Contents), why do I have to "share" the folder (using shared-folder) at all? I mean, I understand that MS covers their bases by including the features of Workgroup sharing (folder access over the network, not file/folder attributes using NTFS)...but why use folder-sharing at all? To be clear, what I'm asking is: Is there a reason why I have to start a shared folder off by using folder-sharing? Or can I just build from NTFS that way the issues of Everyone Read never apply? I mean, there is a "Sharing" tab available when sharing NTFS style...Thanks for the forum and input!
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    Nunya wrote: »
    OK, so, tell me this...if we are able to share a folder using share...and we're able to share a folder using NTFS (i.e. List Dir Contents), why do I have to "share" the folder (using shared-folder) at all? I mean, I understand that MS covers their bases by including the features of Workgroup sharing (folder access over the network, not file/folder attributes using NTFS)...but why use folder-sharing at all? To be clear, what I'm asking is: Is there a reason why I have to start a shared folder off by using folder-sharing? Or can I just build from NTFS that way the issues of Everyone Read never apply? I mean, there is a "Sharing" tab available when sharing NTFS style...Thanks for the forum and input!

    Well really you don't need to share the folder, since windows automatically shares drives. ( [URL="file://\\server01\C$"]\\server01\C$[/URL] will show you the contents of the entire C drive if you have permission to view it). Creating additional shares is just easier for users to find what they need and better as an administrator because you have an added level of security to lock things down.

    You can also use shares as a way to hide your setup. For example, you physica directory could be "C:\employeefiles\personalrecords\faq" and you could simply share the folder as faq and nobody would ever know there is even a folder there with personal records in it, they would only have knowledge of the faq folder.

    EDIT:
    I read something at one point that said to never share the folder as the same name as the folder. Sure, there is an extra burden on the admin but there is no effect to the end users. And the folder rename could potentially fool a hacker. Not a great hacker if they get fooled by that, but defense in depth is all about sticking security wherever you can in hopes that one of the layers will trip them up.
    Decide what to be and go be it.
Sign In or Register to comment.