Best practice for assigning share level permissions
plettner
Member Posts: 197
I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions. I've done some research and found a few things. I'm interested to see what members of this forum think.
According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.
According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."
Is Microsoft only referring to NTFS permissions or permissions on the whole? If they refer to both share and NTFS permissions, this can become a dog's breakfast with restrictions and so forth.
My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.
I'm worried that a question will come up like "According to best practice, ..."
Comments
-
royal Member Posts: 3,352
Well, there are two types of best practice to me. The first is thinking about security and another is thinking about administrative upkeep. The most secure way to do things is of course to make things as secure as possible, which would not be everyone full control at share level. It would be ONLY what someone needs to do their job; also known as Principle of Least Privilege. Best practice in the real world is different. Just about every admin you will encounter, including me, will always assign full control to everyone at share level and lock things down at the NTFS level.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
sprkymrk Member Posts: 4,884
plettner wrote: I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions.
plettner wrote: According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.
plettner wrote: According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."
plettner wrote: My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.
Under W2K this was true. In W2K3 it is incorrect. Changes were made to the "Everyone" group to leave out Anonymous users, which was the only functional difference between Everyone and Authenticated Users. So now you simply use the Everyone group.
Hope that helps!
All things are possible, only believe.
theseman Member Posts: 230
Don't forget to use AGLP for assigning permissions to resources. (NTFS)
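An added example, not written by any poster in this thread: a simplified model of how share and NTFS permissions combine for one user, covering both the "Everyone Full Control on the share, restrict with NTFS" approach and AGLP group nesting discussed above. It assumes the standard rule that access through a share gets the more restrictive of the two cumulative permissions; all user and group names are hypothetical, permission levels are collapsed to four ordered values, and a Deny is modelled as Deny Full Control.

```python
from enum import IntEnum

class Level(IntEnum):
    """Simplified, ordered permission levels (real ACLs are bitmasks of rights)."""
    NONE = 0
    READ = 1
    CHANGE = 2   # called Modify on the NTFS side
    FULL = 3

def expand(user, member_of):
    """AGLP: Account -> Global group -> domain Local group, followed transitively."""
    seen, todo = {"Everyone", user}, [user]
    while todo:
        name = todo.pop()
        for group in member_of.get(name, ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen

def cumulative(acl, groups):
    """Highest Allow across the user's groups; a matching Deny (modelled here
    as Deny Full Control) overrides every Allow."""
    best = Level.NONE
    for principal, kind, level in acl:
        if principal in groups:
            if kind == "deny":
                return Level.NONE
            best = max(best, level)
    return best

def effective(user, member_of, share_acl, ntfs_acl, over_network=True):
    groups = expand(user, member_of)
    ntfs = cumulative(ntfs_acl, groups)
    # Share permissions only apply to access made through the share.
    return min(cumulative(share_acl, groups), ntfs) if over_network else ntfs

# Constructed sample data: every user and group name below is hypothetical.
MEMBER_OF = {"alice": ["G_Sales"], "bob": ["G_Temps"],
             "G_Sales": ["DL_Sales_Modify"], "G_Temps": ["DL_Sales_Read"]}
OPEN_SHARE = [("Everyone", "allow", Level.FULL)]   # share left wide open
READ_SHARE = [("Everyone", "allow", Level.READ)]   # share restricted as well
NTFS = [("DL_Sales_Modify", "allow", Level.CHANGE),
        ("DL_Sales_Read", "allow", Level.READ),
        ("Administrators", "allow", Level.FULL)]
```

With `OPEN_SHARE` the result always equals the NTFS result, so there is one ACL to maintain; with `READ_SHARE` the share silently caps network access at Read even for users NTFS allows to modify, while a local logon still gets the NTFS level.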
-
plettner Member Posts: 197
sprkymrk wrote:
plettner wrote: I'm going to do my 70-290 on Friday but am a little unclear on what best practice is for assigning share level permissions.
plettner wrote: According to this link http://www.techexams.net/forums/viewtopic.php?t=13112, it is best practice to assign Full Control to the required groups at a share level.
plettner wrote: According to the TechNotes, there is a link to the Microsoft site that says "Assign the most restrictive permissions that still allow users to perform required tasks."
plettner wrote: My understanding is assign "Authenticated Users" full-control on the share (remove all other groups from the list) and then restrict everything therein using NTFS. This is what an instructor taught us at a Windows 2000 class we did for work.
Under W2K this was true. In W2K3 it is incorrect. Changes were made to the "Everyone" group to leave out Anonymous users, which was the only functional difference between Everyone and Authenticated Users. So now you simply use the Everyone group.
Hope that helps!
Thanks for the reply. So your thoughts were basically what I was tossing up. I didn't know about the change between 2000 and 2003. That makes things easier!
At work, we use Novell and obviously there are no Share permissions, so although I understand the differences and how to find the effective permissions, the "best-practice" side of things is/was unclear to some extent.
Thanks for the reply.
rock360 Member Posts: 20
Even though I get your guys' real world way of doing this, I'm still unsure about what would be the correct answer on a test if it was vague, but with the Microsoft questions I don't think we get anything like that.
-
plettner Member Posts: 197
sprkymrk wrote: Good luck on Friday!
Thanks. I always get nervous around the MS exams. I've never failed any but I always seem to imagine they'll throw in some really difficult questions not once but numerous.
The CompTIA exams I always have confidence taking them.
plettner Member Posts: 197
I've been reading through the great TechNotes. They have actually made some things clearer than the Microsoft Press, especially around the group scope area.