NTFS and Shared Permissions

[matthewpascucci]

I have a few questions about NTFS permissions and share that I hope
someone can help me with. I know that NTFS permissions are applied to
both remote and local users and that shared permissions are only
applied to remote users. When and why would you apply NTFS permissions
to a share or file?? With the shared vs NTFS permissions the most
restrictive permission will take effect but which should you lock down
the shared or the NTFS permissions?? Can you give an example?

With NTFS permissions on a file what is the difference with the
"read" and "read & execute" permissions? And what is the
difference between "modify" and "write" permissions? And the
"list folder content" and "transverse folders"?

With the share permission I was also reading that there is no
difference between the "modify" and "full control" is this
true??

What does the auditing tab do on the advanced tab and what is effective
permissions and how are they different from the permissions that are
assigned? I didn't see a difference and was confused by it???

 

[Steven L Umbach]

Cooments are inline.

I have a few questions about NTFS permissions and share that I hope
someone can help me with. I know that NTFS permissions are applied to
both remote and local users and that shared permissions are only
applied to remote users. When and why would you apply NTFS permissions
to a share or file?? With the shared vs NTFS permissions the most
restrictive permission will take effect but which should you lock down
the shared or the NTFS permissions?? Can you give an example?

You should use the principle of least privilige for each type of permission.
That way for network users if one of the permissions types is misconfigured
you still have limited access. It would not make sense to give a group full
control share permission to a folder where they have only read permissions
or vice versa..

With NTFS permissions on a file what is the difference with the
"read" and "read & execute" permissions? And what is the
difference between "modify" and "write" permissions? And the
"list folder content" and "transverse folders"?

Read allows you to read text, doc, etc type files. Execute allows you to
start applications or an executable file. Modify also allows deletion -
write does not. List folder allows you to only see the files/folders in a
folder. Traverse folder allows to to access a file/folder through folders
that you have no permission to. This is also a default user right for all
users and the traverse folder permission is usually not needed but no harm
if allowed otherwise.

With the share permission I was also reading that there is no
difference between the "modify" and "full control" is this
true??

There is no modify share permission - only read/change/full and there is a
difference. A user who has full control ntfs permissions will not be able to
use all of them [change permissions/take ownership] if only change share
permission is used. Change allows a user to write/delete to a shared folder
assuming they have the necessary ntfs permissions.

What does the auditing tab do on the advanced tab and what is effective
permissions and how are they different from the permissions that are
assigned? I didn't see a difference and was confused by it???

When auditing of object access is enabled on a computer you can then audit
access to a folder/file for the users and permissions you want to monitor
and then you will find related object access events in the security log that
however are not user friendly to interpret. Effective permissions is what
the operating system calcualtes as the ntfs permision for a user/group based
on permissions applied via all the groups that a user/group belongs to with
some excpetions as noted below with creator owner being of note in that it
by default is included in advanced permissions. An owner of an object will
receive owner creator permissions if owner creator is present. Authentic
users are also often included in ntfs permissions. The links below may be
helpful. --- Steve

The calculation does not take these Security Identifiers into account: the
Anonymous Logon, Authenticated Users, Batch, Creator Group, Creator Owner,
Dialup, Enterprise Domain Controllers, Interactive, Network, Proxy,
Restricted, Self, Service, System, and Terminal Server User. An example
would be if a user were to access a file remotely.

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

 

[WinSysBee Support]

the NTFS Permissions and the shared permissions are complementary and must
be enabled in order to work together in a secured network.
First of all, in all the cases you must configure the NTFS permissions, this
will guarantee you a secured access to the servers and at least configure it
to the data folders of your servers.

Secondly, they are no war between NTFS permissions and shared permissions,
because the Windows OS applied first the shared permissions to the user who
is trying to browse and traverse the folder, and after the Windows OS checks
the NTFS permissions in order to let or not the user using the folder and
files. So usually you must configure your share permissions with more
permissive rights than NTFS permissions.
So do not waste your time to configure the shared permissions and loose a
lot of time with NTFS permissions, which are more important.

definitions:
"read": you can read the ressource it means that you can open it with an hex
editor for example
"read & execute": you can read it and also execute the file if it is an
executable file
"modifiy" you are able to read, write, execute and change the NTFS
permissions
"write" only you are just able to write the file of folder, for example if
you want to copy a new file in the foler
"list content": you can see the content of a folder
"traverse" : you are able to enter into this folder

The auditing tab lets you the power to control with the eventlog who is
using the folders or files, this a trace and audit tool.
The audit tab do not modify the behaviour of your NTFS permissions.

for more details, i invite you to read the microsoft site:
http://msdn.microsoft.com/library/d...z/security/access_rights_and_access_masks.asp
which gives you all "access_mask" details


WinSysBee Support
Sécurité et Expertise Informatique
http://www.winsysbee.com

 

[Roger Abell]

the NTFS Permissions and the shared permissions are complementary and must
be enabled in order to work together in a secured network.
First of all, in all the cases you must configure the NTFS permissions, this
will guarantee you a secured access to the servers and at least configure it
to the data folders of your servers.

Secondly, they are no war between NTFS permissions and shared permissions,
because the Windows OS applied first the shared permissions to the user who
is trying to browse and traverse the folder,

- - - only when that is done over the network

and after the Windows OS checks
the NTFS permissions in order to let or not the user using the folder and
files. So usually you must configure your share permissions with more
permissive rights than NTFS permissions.
So do not waste your time to configure the shared permissions and loose a
lot of time with NTFS permissions, which are more important.

definitions:
"read": you can read the ressource it means that you can open it with an hex
editor for example
"read & execute": you can read it and also execute the file if it is an
executable file
"modifiy" you are able to read, write, execute and change the NTFS
permissions

modify does NOT include permission to alter permissions
also, delete is part of modify but not mentioned here