NTFS vs Shared

  • Thread starter matthewpascucci

matthewpascucci

I have a few questions about NTFS permissions and share that I hope
someone can help me with. I know that NTFS permissions are applied to
both remote and local users and that shared permissions are only
applied to remote users. When and why would you apply NTFS permissions
to a share or file?? With the shared vs NTFS permissions the most
restrictive permission will take effect but which should you lock down
the shared or the NTFS permissions?? Can you give an example?

With NTFS permissions on a file what is the difference with the
"read" and "read & execute" permissions? And what is the
difference between "modify" and "write" permissions? And the
"list folder content" and "transverse folders"?

With the share permission I was also reading that there is no
difference between the "modify" and "full control" is this
true??

What does the auditing tab do on the advanced tab and what is effective
permissions and how are they different from the permissions that are
assigned? I didn't see a difference and was confused by it???
 

Herb Martin

> I have a few questions about NTFS permissions and share that I hope
> someone can help me with. I know that NTFS permissions are applied to
> both remote and local users and that shared permissions are only
> applied to remote users.

Well, that is because if you access an NTFS file (from
anywhere) you are required to have permissions -- your
location is irrelevant.

> When and why would you apply NTFS permissions
> to a share or file??

There are no NTFS permissions on shares, and NTFS
permissions on files are just that -- NTFS permissions.

Share permissions set a limit which can protect in case
the NTFS permissions are set incorrectly (layers of
defense.)

> With the shared vs NTFS permissions the most
> restrictive permission will take effect but which should you lock down
> the shared or the NTFS permissions??

Normally the NTFS permissions are the more critical
since they are more flexible. (More choices, more
granularity.)

> Can you give an example?

You can use NTFS to do odd things like "allow the creation
of files in a directory but NOT allow the creation of sub-
directories there."

> With NTFS permissions on a file what is the difference with the
> "read" and "read & execute" permissions?

Read allows a file to be read, and with execute it can be run if
it is a program -- just what it says.

> And what is the
> difference between "modify" and "write" permissions?

Mostly that modify includes Delete -- it is roughly equal to
change on the share.

> And the "list folder content" and "transverse folders"?

Do a directory listing command versus transfer to a subdirectory.

> With the share permission I was also reading that there is no
> difference between the "modify" and "full control" is this
> true??

No. Full control includes "security stuff"* and modify or change
does not.

"Security stuff" == take ownership, SET permissions, or SET auditing

> What does the auditing tab do on the advanced tab

It sets auditing (logging of access) instead of permissions (checking
with grant/deny of access.)

> and what is effective
> permissions and how are they different from the permissions that are
> assigned? I didn't see a difference and was confused by it???

This is beginning to sound like your homework.

Effective permissions are what the user can actually DO
after all are calculated -- when a user

A particular permission may say one thing or another, but
the user may be in multiple groups which assist or conflict
(with deny's involved) -- and the user may be coming through
a share and NTFS giving different results than being local or
coming through a different share.

So the NTFS permissions might be effectively different than
is obvious.
 

Jerold Schulman

> I have a few questions about NTFS permissions and share that I hope
> someone can help me with. I know that NTFS permissions are applied to
> both remote and local users and that shared permissions are only
> applied to remote users. When and why would you apply NTFS permissions
> to a share or file?? With the shared vs NTFS permissions the most
> restrictive permission will take effect but which should you lock down
> the shared or the NTFS permissions?? Can you give an example?
>
> With NTFS permissions on a file what is the difference with the
> "read" and "read & execute" permissions? And what is the
> difference between "modify" and "write" permissions? And the
> "list folder content" and "transverse folders"?
>
> With the share permission I was also reading that there is no
> difference between the "modify" and "full control" is this
> true??
>
> What does the auditing tab do on the advanced tab and what is effective
> permissions and how are they different from the permissions that are
> assigned? I didn't see a difference and was confused by it???

See http://support.microsoft.com?kbid=308419
for a good description of NTFS permissions.
Always set NTFS permissions for the access required and then set share permissions.

Auditing allows you to track the use of permissions by recording events in the Security event log.




Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
 

WinSysBee Support

The NTFS permissions and the shared permissions are complementary and must
be enabled in order to work together in a secured network.
First of all, in all cases you must configure the NTFS permissions; this
will guarantee you a secured access to the servers, and at least configure it
for the data folders of your servers.

Secondly, there is no war between NTFS permissions and shared permissions,
because the Windows OS first applies the shared permissions to the user who
is trying to browse and traverse the folder, and afterwards the Windows OS checks
the NTFS permissions in order to let or not the user use the folder and
files. So usually you must configure your share permissions with more
permissive rights than NTFS permissions.
So do not waste your time to configure the shared permissions and lose a
lot of time with NTFS permissions, which are more important.

Definitions:
"read": you can read the resource; it means that you can open it with a hex
editor for example
"read & execute": you can read it and also execute the file if it is an
executable file
"modify": you are able to read, write, execute and change the NTFS
permissions
"write" only: you are just able to write the file or folder, for example if
you want to copy a new file in the folder
"list content": you can see the content of a folder
"traverse": you are able to enter into this folder

The auditing tab gives you the power to control with the event log who is
using the folders or files; this is a trace and audit tool.
The audit tab does not modify the behaviour of your NTFS permissions.

For more details, I invite you to read the Microsoft site:
http://msdn.microsoft.com/library/d...z/security/access_rights_and_access_masks.asp
which gives you all "access_mask" details


WinSysBee Support
IT Security and Expertise
http://www.winsysbee.com
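
An added example, not part of any poster's reply: a simplified Python model of the effective-permission calculation discussed in this thread (group membership, deny entries, and the share/NTFS intersection for remote access). The access-mask bits are the standard Windows file and directory rights; the ACLs, group names and the user are constructed sample data, and the model assumes canonical ACE ordering so that a matching deny always wins.

```python
# Added illustration: simplified model of Windows effective-access calculation.
# Mask bits are the standard Windows file/directory access rights; the ACLs,
# group names and user below are constructed sample data (assumptions).
LIST_DIR, ADD_FILE, ADD_SUBDIR = 0x0001, 0x0002, 0x0004  # directory meaning of bits
READ_EA, WRITE_EA, TRAVERSE, DELETE_CHILD = 0x0008, 0x0010, 0x0020, 0x0040
READ_ATTR, WRITE_ATTR = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x00010000, 0x00020000, 0x00040000, 0x00080000, 0x00100000)

# Basic permission sets composed from the individual rights.
READ = LIST_DIR | READ_EA | READ_ATTR | READ_CONTROL | SYNCHRONIZE
READ_EXECUTE = READ | TRAVERSE
MODIFY = READ_EXECUTE | ADD_FILE | ADD_SUBDIR | WRITE_EA | WRITE_ATTR | DELETE
FULL_CONTROL = MODIFY | DELETE_CHILD | WRITE_DAC | WRITE_OWNER

def granted(acl, principals):
    """Union of matching allow ACEs minus union of matching deny ACEs.
    Simplification: assumes canonical ACE order, so a matching deny wins."""
    allow = deny = 0
    for ace_type, trustee, mask in acl:
        if trustee in principals:
            if ace_type == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(ntfs_acl, principals, share_acl=None):
    """Local access is checked against NTFS only; access through a share
    is the intersection of the share result and the NTFS result."""
    mask = granted(ntfs_acl, principals)
    if share_acl is not None:
        mask &= granted(share_acl, principals)
    return mask

# Constructed sample: a folder where files may be created but not subfolders.
NTFS_ACL = [("deny", "Contractors", ADD_SUBDIR),
            ("allow", "Staff", MODIFY)]
SHARE_ACL = [("allow", "Everyone", READ_EXECUTE)]
ALICE = {"alice", "Staff", "Contractors", "Everyone"}

if __name__ == "__main__":
    local = effective(NTFS_ACL, ALICE)
    remote = effective(NTFS_ACL, ALICE, SHARE_ACL)
    print(f"local : {local:#010x} add file={bool(local & ADD_FILE)} "
          f"add subfolder={bool(local & ADD_SUBDIR)}")
    print(f"remote: {remote:#010x} add file={bool(remote & ADD_FILE)}")
    print(f"full control adds over modify: {FULL_CONTROL & ~MODIFY:#x}")
```

The same user gets different results locally and through the share, which is why the Effective Permissions view can differ from any single assigned entry.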
 
