Understanding Share and NTFS Permission Interaction

Remember that by default the permissions on both NTFS and share resources are set to Everyone-Full Control. If you leave these defaults in place, any folder you share will be exposed to the network with no security at all in force. Any user on the network will be able to open the share, view files, and even modify or delete them.

To prevent this, either you must apply local security to the files (using NTFS permissions) or you must use share-level security on the shared folder itself. In deciding which of these to use, you will need to take a few key elements into account:

  • When accessing files locally, only NTFS permissions are considered.

  • When accessing resources across a share, share permissions are considered first. If users have only read access to a shared file, they cannot modify it, even if they have Full Control of the file at the NTFS level.

  • If NTFS permissions are more restrictive than permissions across the share, the more restrictive NTFS permissions will be used.

If you are concerned about providing maximum security for your shared resources, you will usually want to use NTFS permissions because they are more powerful and flexible than share permissions.

Consider this example:


Scenario 1: Lars is a member of the Sales group and wants to access the DATA folder. If he accesses the folder locally, he will have only NTFS security applied and will have Modify access. If Lars accesses the DATA folder over a network share, the system will look at his NTFS access, which is Modify, and his share permission, which is Read. Because Read is more restrictive, this is the permission that will be applied over the share.

Access Control List (ACL)

List of users with permissions to a specific resource.

Access Control Entry (ACE)

List of permissions a specific user or group has to a specific resource.

Scenario 2: Peter is a member of the Everyone group and the Managers group and wants to access the DATA folder. If he accesses the folder locally, he will have only NTFS security applied and will have Full Control access. If Peter accesses the DATA folder over a network share, the system will look at his NTFS access, which is Full Control, and his share permission, which is Change. Because Change is more restrictive, this permission will be applied over the share.
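
The rules and both scenarios above can be checked with a small model. This is an added example, not code from the book: the rights are a simplified bitmask, Deny entries are not modelled, and the DATA folder's ACLs are constructed to match the outcomes the scenarios describe.

```python
from enum import IntFlag

class Right(IntFlag):
    """Simplified rights; real Windows access masks carry many more bits."""
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMISSIONS = 8

NONE = Right(0)
READ = Right.READ
MODIFY = READ | Right.WRITE | Right.DELETE   # NTFS Modify
CHANGE = MODIFY                              # share-level Change, same rights here
FULL = MODIFY | Right.CHANGE_PERMISSIONS     # Full Control

def granted(acl, groups):
    """Union of the allow entries that match the user's groups."""
    mask = NONE
    for group, rights in acl.items():
        if group in groups:
            mask |= rights
    return mask

def effective(ntfs_acl, share_acl, groups, over_network):
    """Local access uses NTFS only; over a share a right must be in both ACLs."""
    ntfs = granted(ntfs_acl, groups)
    return ntfs & granted(share_acl, groups) if over_network else ntfs

def level(mask):
    """Name the highest permission level fully contained in the mask."""
    for name, lvl in (("Full Control", FULL), ("Modify", MODIFY), ("Read", READ)):
        if mask & lvl == lvl:
            return name
    return "No Access"

def wide_open(ntfs_acl, share_acl):
    """True for the default the text warns about: Everyone-Full Control on both."""
    return ntfs_acl.get("Everyone") == FULL and share_acl.get("Everyone") == FULL

# Constructed ACLs for the DATA folder (assumption: the original figure is not on the page).
DATA_NTFS = {"Sales": MODIFY, "Managers": FULL}
DATA_SHARE = {"Sales": READ, "Everyone": READ, "Managers": CHANGE}
LARS = {"Sales"}
PETER = {"Everyone", "Managers"}

if __name__ == "__main__":
    for who, groups in (("Lars", LARS), ("Peter", PETER)):
        local = level(effective(DATA_NTFS, DATA_SHARE, groups, False))
        remote = level(effective(DATA_NTFS, DATA_SHARE, groups, True))
        print(f"{who}: local={local}, over share={remote}")
```

In the output, "Modify" over the share corresponds to the share-level Change permission.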




MCSA. MCSE 2003 JumpStart. Computer and Network Basics
ISBN: 078214277X
Year: 2003
Pages: 203
Authors: Lisa Donald
