Share-Level Security

Shares give domain users access to areas of the server disk across the network. SBS system administrators are familiar with a number of these shares, including the Users Shared Folders share. These network shares have their own security permissions that determine whether and how a user account will access the share. Table 9.5 describes the different share permissions available.

Table 9.5. Share Permissions
Permission	Description
Read	Allows objects to see file and folder names, open files and programs, and see file and folder attributes for objects stored within the share
Change	Allows objects to create new files and folders, modify contents, delete files and folders, and modify file attributes in addition to the actions allowed by the Read permission
Full Control	In addition to the actions allowed by the Read and Change permissions, allows objects to change permissions on files and take ownership of files

These share permissions work in conjunction with the NTFS permissions that have been assigned to the file path on the server. This is possibly the single most confusing aspect of Windows system administration for new and experienced admins alike. When dealing with share and NTFS permissions in combination, the more restrictive permission is the one that wins out. Table 9.6 shows the effective permissions for various combinations of share and NTFS permissions.

Table 9.6. Share and NTFS Permissions in Combination
Share Permission	NTFS Permission	Effective Permission
Read	Modify	Read
Change	Full Control	Modify
Read	Full Control	Read
Full Control	Read	Read
Full Control	Full Control	Full Control

Share permissions are accessed in the Sharing tab of a folder's Properties dialog box by clicking on the Permissions button. This brings up the Share Permissions dialog, shown in Figure 9.7, which shows the default share permissions for the Users Shared Folders folder.

Figure 9.7. Share Permissions for the Users share.

Of the three groups listed in the dialog box, two should be familiar to most Windows administratorsDomain Admins and Domain Users. By default, the Domain Users group is given Full Control permission for the share because the user needs Full Control access to her folder inside the Users share. The Domain Admins group is also given Full Control over the share so that the administrators can manage access to resources through the share and not just from the server console.

The third group may not be as familiarthe Folder Operators group, which is also given Full Control permissions by default. This group is created by the SBS installation, and members of the group are able to manage shared folders on the server and in Active Directory. This group contains the Domain Power Users group by default, so any account created as a Power User will be able to manage shared folders on the SBS network.

Like the NTFS permissions dialog, the individual permissions can be set to Allow or Deny. Just like with NTFS permissions, the Deny permission overrides the Allow permission, so care must be taken when setting the Deny permission on a shared folder.

Best Practice: Setting Shared Folder Permissions

In general, the Domain Users group should be given Full Control permissions on a share where user data is stored. This allows you to restrict access to areas within the share with NTFS permissions, if needed.

When you create a new share using the Share a Folder Wizard, you are given several options for setting share permissions. You can choose from the following options:

All users have read-only access.
Administrators and Folder Operators have full access; other users have read-only access.
Administrators and Folder Operators have full access; other users have read and write access.
Use custom share and folder permissions.

To give the Domain Users group Full Control, you must select the last option and enter the permissions manually.

Remember that setting share permissions affects how users access data through the share. If the Domain Admins group is given only Read permission on the share, a member of the group will be unable to modify any settings on files and folders when accessed through the share. When a member of the Domain Admins group accesses the files from the server console, only the NTFS permissions will apply.

Table 9.5. Share Permissions

Table 9.6. Share and NTFS Permissions in Combination

Figure 9.7. Share Permissions for the Users share.

Best Practice: Setting Shared Folder Permissions