Options

Understanding Security....

TechJunkyTechJunky Member Posts: 881
in MCSA / MCSE on Windows 2003 General
Can someone post a link to an indepth of what all the NTFS security permissions and Folder Permissions actually mean. Which setting over rides what permission etc. I am having a tough time understanding them completely due to the fact that I always set Folder Share permissions to Everyone Full control and then base my restrictions via NTFS security.
· Share on FacebookShare on Twitter

Comments

  • Options
    seuss_ssuesseuss_ssues Member Posts: 629
    http://www.techtutorials.net/tutorials/nt/ntfs_share.shtml
    · Share on FacebookShare on Twitter
  • Options
    TechJunkyTechJunky Member Posts: 881
    Ok, so basically the least restrictive permission is the effective permission?

    Joe is part of the Marketing group and the Sales Group. What are his permissions?

    Folder Permissions
    Sales Read
    Marketing Full Control
    Legal Change

    NTFS Permissions
    Sales Write
    Marketing Read
    Legal Modify

    I am guessing Read, because his folder permissions least restrictive are set to Read and his NTFS permissions least restrictive are set to Read on Marketing. Is this correct?

    Still confused.

    LOL
    · Share on FacebookShare on Twitter
  • Options
    royalroyal Member Posts: 3,352 ■■■■□□□□□□
    He would have Full Control.

    Share Permissions = Accumulate all permissions for a user based on access given to him or groups he is in
    NTFS = Accumulate all NTFS Permissions for a user based on access given to him or groups he is in

    Now take the most restrictive between Share and NTFS


    So let's look at your example and add on to it:

    Joe is a a member of both Marketing and Sakes

    We are working on the Share "Files"

    The Files folder is shared out and has the following share permissions:
    Marketing - No Permissions Configured
    Sales - Read

    The Files folder has the following NTFS permissions:
    Marketing - Read/Write
    Sales - Full Control

    The Documents folder is shared out and has the following share permissions:
    Marketing - Full Control
    Sales - Read

    The Documents folder has the following NTFS permissions:
    Marketing - Full Control
    Sales - Full Control

    Files folder: Joe will land up with read access. - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

    Documents folder: Joe will land up with full control access - We added up all the NTFS Permissions and then all the Share permissions and whichever was more restrictive won.

    Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).

    Does this help?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    · Share on FacebookShare on Twitter
  • Options
    TechJunkyTechJunky Member Posts: 881
    I was doing ok, until at the end you stated he would only have read access.

    First you stated he would have full control?...

    Still confused.

    I am curious as to what permissions he would be granted if he was trying to access via a network share.

    Lets say Joe is trying to access a shared folder called \\Server\PCWS01\Files. Joe is part of Marketing and Sales. Maketing has Read access, Sales users have write access. So the least restrictive of the share permissions is Read, so he has read? Accumilative means you add them together and then use the least restrictive correct? So he essentially has read/write access, but since read is the lesser of the two he has a share permission of read? I will just try and focus on share folder access right now and not NTFS to make it easier.

    Sorry for all the questions. I was always taught to restrict via NTFS permissions because these apply both locally and remotely.
    · Share on FacebookShare on Twitter
  • Options
    JdotQJdotQ Member Posts: 230
    royal wrote:
    Think of it using this analogy. NTFS is a team and Share is a team. In order to win, you're going to try to accumulate as many members (permissions) as possible to defeat your opponent. In this case, NTFS accumulates as many permissions as possible for the NTFS team. Share is going to accumulate as many members (permissions) as possible for the Share Team. It is now NTFS vs Share (the most restrictive wins).

    Good analogy, royal. icon_cool.gif
    TechJunky wrote:
    Lets say Joe is trying to access a shared folder called \\Server\PCWS01\Files. Joe is part of Marketing and Sales. Maketing has Read access, Sales users have write access. So the least restrictive of the share permissions is Read, so he has read? Accumilative means you add them together and then use the least restrictive correct? So he essentially has read/write access, but since read is the lesser of the two he has a share permission of read? I will just try and focus on share folder access right now and not NTFS to make it easier.

    Be careful with your terms of "least restrictive" vs. "most restrictive". "Least restrictive" would have an effect of "Full Control", as that is the most least restrictive (lots of double negatives there, hope it makes sense). Permissions that are the most restrictive (most secure) will take precedence. So, read is more restrictive than write -- so out of the combination of permissions, read would "win" in the NTFS Team vs. Share Team Security War (going off royal's analogy)
    · Share on FacebookShare on Twitter
  • Options
    royalroyal Member Posts: 3,352 ■■■■□□□□□□
    TechJunky wrote:
    I was doing ok, until at the end you stated he would only have read access.

    Good catch. I forgot to go back and revise my post before posting. Check it out now and let me know if it makes sense.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    · Share on FacebookShare on Twitter
  • Options
    TechJunkyTechJunky Member Posts: 881
    Ok, So I am going to assume that the most restrictive security permission decides what a users permissions really are? But, with your analogy of the team method...

    If I have Read/FullControl for Share permission and Write/Modify Permission for NTFS. Since the two are battling and since read is the most restrictive for the Share team fighting against NTFS with Write being the most restrictive on the NTFS Team, then The Share permission team wins and the user only gets Read Permission?

    Please let me know if I am understanding this correctly.
    · Share on FacebookShare on Twitter
  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Long story short - for network access to a share:

    Find the least restrictive of SHARE level permissions, then find the least restrictive NTFS level permissions. (If you encounter a deny that trumps everything* and you're done). Now out of those two, use the MOST restrictive.

    For local access to an object, just use the least restrictive NTFS permissions, as share level permissions do not apply when accessing local resourses. Again, a deny trumps everything* in most cases.



    *An explicit allow can override an inherited deny.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • Options
    TechJunkyTechJunky Member Posts: 881
    Ahh, that was my problem. I was doing most restrictive, most restrictive and then most restrictive again.

    I now see I should have been doing least restrictive, least restrictive, and then most restrictive.

    Thanks again for all the info!
    · Share on FacebookShare on Twitter
Sign In or Register to comment.