Windows Vista Forums

share permissions get added to file permissions
  1. #1


    Bonno Bloksma Guest

    share permissions get added to file permissions

    Hi,

    Has the "best practices" for share permissions been changed after all these years?

    As of my Windows 2000 certification I have been taught that the proper way to set permissions for
    the users on a server is to have the permissions set at the filesystem level and not at the share.
    Share permissions should simply be set to everyone (or all users) FC unless there is a good reason
    to do so otherwise.
    And let me tell you as an admin I have had only negative experiences when I've set the share
    permissions to a lower level. It's a pain to finally trace the problem why someone cannot do something
    for which (s)he has permissions on the filesystem to the fact that the share strips off the right to
    do so. :-(

    So I was not amused when after setting up my new server, creating the filesystem, setting all
    permissions, testing everything and finally giving my users access to the filesystem by opening up the
    share, that all my users were suddenly Administrator equivalent and could read/change/delete every
    file in every directory. !!!!!!!

    Finally traced the problem to the new "feature" that Windows 2008 will assume I do not adhere to best
    practices and am a "dumb administrator" so if I make everyone co-owner** on the share that must of
    course mean that I want all users to have all rights on the directory tree below that share. :-(

    Maybe MS changed this because more inexperienced users are calling themselves server administrators
    and MS had to make it "easy" for them but this is taking it a step too far. I have not tested this in
    2008 R2 but I sincerely hope they change this back to the way it was.
    BTW I have not come across this in my upgrade 2008 books but maybe I have not come to that part yet.



    Bonno Bloksma


    ** As far as I have been able to determine the old FC permission has been just renamed, it's either
    Read, Write or Co-Owner.




  2. #2


    Meinolf Weber [MVP-DS] Guest

    Re: share permissions get added to file permissions

    Hello Bonno,

    Share permissions will still win as before, but for good separation do it
    as you know from before, share FC for system and authenticated users and not
    everyone.

    Then configure the NTFS permissions on the folders for your needs.

    If your users have FC on NTFS level and are able to delete everything you
    have to reconfigure them. By default I have not seen that a normal user without
    permission is able to change/delete/modify files/folders.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



  3. #3


    Bonno Bloksma Guest

    Re: share permissions get added to file permissions

    Hello Meinolf,

    I have always seen the share permissions as a filter to the permissions on the underlying
    filesystem.
    If the filesystem allows write but the share filter only allows read then the write permission will
    not pass the share filter and be denied. This stuff we used to learn about "The most restrictive
    permission wins" is misleading in my opinion.
    If at the file level I deny read but allow write on a file** and on the share deny read then the
    result will be nothing and not just the most restrictive.
    ** Not sure this can be done with NTFS permissions as it seems to add read when I select write so
    there may be no equivalent to the Novell append right.

    What I was complaining about is that changing the share permissions will change the NTFS
    permissions which should NOT be connected that way in my opinion.

    > Share permissions will still win as before, but for good separation do it as you know from before,
    > share FC for system and authenticated users and not everyone.
    Ok, that still gives all authenticated users FC on the NTFS as well which I then have to remove.

    > Then configure the NTFS permissions on the folders for your needs.
    >
    > If your users have FC on NTFS level and are able to delete everything you have to reconfigure
    > them.
    Yup.

    > By default I have not seen that a normal user without permission is able to change/delete/modify
    > files/folders.
    Nor have I. ;-)

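The "share as a filter" behaviour discussed in this thread, as an added Python example that is not part of any post: a right reaches a remote user only if both the share ACL and the NTFS ACL grant it. The four-bit masks, the group names and all ACLs are constructed for illustration, and `audit` is a hypothetical helper that flags shares where an ordinary user ends up with Full Control.

```python
# Simplified model of the access check for files reached through an SMB share.
# The four-bit masks and every ACL below are constructed for illustration; they
# are not real Windows access-mask values. ACLs are assumed to be in canonical
# order (deny entries first), so a matching deny always beats an allow.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
MODIFY = READ | WRITE | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMS

# Group memberships of an ordinary user and of a "Staff" member (hypothetical group).
ORDINARY_USER = {"Everyone", "Authenticated Users", "Users"}
STAFF_USER = ORDINARY_USER | {"Staff"}

def granted(acl, token):
    """Rights one ACL grants to a token: union of allows minus matching denies."""
    allow = deny = 0
    for kind, principal, mask in acl:
        if principal in token:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective_remote(share_acl, ntfs_acl, token):
    """Over the network a right must be granted by the share ACL and the NTFS ACL."""
    return granted(share_acl, token) & granted(ntfs_acl, token)

def audit(shares, token=frozenset(ORDINARY_USER)):
    """Names of shares where the given token ends up with Full Control."""
    return sorted(name for name, share_acl, ntfs_acl in shares
                  if effective_remote(share_acl, ntfs_acl, token) == FULL_CONTROL)

EVERYONE_FC = [("allow", "Everyone", FULL_CONTROL)]
SHARES = [  # (share name, share ACL, NTFS ACL on the shared folder), all constructed
    ("Data", EVERYONE_FC, [("allow", "Administrators", FULL_CONTROL),
                           ("allow", "Staff", MODIFY)]),
    ("Scratch", EVERYONE_FC, [("allow", "Users", FULL_CONTROL)]),
    ("Reports", [("allow", "Everyone", READ)], [("allow", "Staff", MODIFY)]),
]

if __name__ == "__main__":
    for name, share_acl, ntfs_acl in SHARES:
        print(name, effective_remote(share_acl, ntfs_acl, STAFF_USER))
    print("Full Control for ordinary users:", audit(SHARES))
```

With the share left at Everyone Full Control, the NTFS ACL alone decides the result, so the audit only reports the share whose folder ACL also hands Full Control to a broad group.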
