
File Server Permissions - Best Practices

Posted by Marka on August 10, 2006, 4:56 am
I have just set up a new domain file server and am now configuring the share
and NTFS permissions on my Raid5 Data drive.

I have set up all Share Permissions to Everyone-Full Control so all I have to
configure are the NTFS perms.

My question is, When you create a new shared data folder, do you have to add
ntfs permissions for either Domain Admins or Domain Users?
The new folder has the default groups applied, Administrators-Creator
Owner-System-Users
On the Local Machine, by default (when you join it to a domain), Domain
Users group is added to Local Users Group and Domain Admins group is added
to Administrators group.

So am I correct in thinking that leaving the default ntfs perms on a folder
is the best practice when wanting to give domain users access to this
folder??

What is the correct best practice when applying domain groups to folders??

Any help/comments are greatly appreciated.

Thanks

Mark




Posted by Anthony on August 10, 2006, 5:49 am
I don't think you will find one correct best practice. The combination of
share permissions and ntfs permissions, local groups and domain groups is to
give you the flexibility you need for a thousand different situations.
From where you are starting, the defaults are good until you are explicitly
trying to achieve something else. You don't need to add domain groups where
these are default members of local groups. The next steps for you to think
about would be:
In terms of Share permissions for access over the network, do you really
want "Everyone" to be able to do everything unless the ntfs prevents them,
or do you want to restrict it a bit more? Look up Everyone to find the
definition and how it differs from Authenticated Users, for example. Also,
Full Control adds the rights to take ownership and change permissions,
whereas Change allows the user to modify. Do you really want Everyone to be
able to take ownership?
In terms of ntfs permissions, you just need to apply the permissions you
require. Start with leaving the defaults but changing the Users to be more
explicitly what you want.
Anthony



> I have just set up a new domain file server and am now configuring the
> share and NTFS permissions on my Raid5 Data drive.
>
> I have set up all Share Permissions to Everyone-Full Control so all I have
> to configure are the NTFS perms.
>
> My question is, When you create a new shared data folder, do you have to
> add ntfs permissions for either Domain Admins or Domain Users?
> The new folder has the default groups applied, Administrators-Creator
> Owner-System-Users
> On the Local Machine, by default (when you join it to a domain), Domain
> Users group is added to Local Users Group and Domain Admins group is added
> to Administrators group.
>
> So am I correct in thinking that leaving the default ntfs perms on a
> folder is the best practice when wanting to give domain users access to
> this folder??
>
> What is the correct best practice when applying domain groups to folders??
>
> Any help/comments are greatly appreciated.
>
> Thanks
>
> Mark
>
>
>



Posted by Roger Abell [MVP] on August 10, 2006, 4:29 pm
You will find opinions differ widely on this.
I have inlined some responses in your post.

> I have just set up a new domain file server and am now configuring the
> share and NTFS permissions on my Raid5 Data drive.
>
> I have set up all Share Permissions to Everyone-Full Control so all I have
> to configure are the NTFS perms.
>

Some feel that is how to go. I strongly disagree.
If a delegated admin makes a mistake setting the NTFS permissions, or forgets
the effect of a move within a partition, or does not understand how Deny
actually works when it gets inherited, etc., then use of the no-op approach
to Share level permissions has allowed the mistake to be remotely useful
whereas they potentially could have throttled the mistake into something
less hazardous.

> My question is, When you create a new shared data folder, do you have to
> add ntfs permissions for either Domain Admins or Domain Users?

No. In light of what you say later, if you want DA and DU to have the grants
provided to the machine local Administrators and Users, and you are
comfortable with DAs and DUs having memberships in these machine local
groups, then no, they already have the NTFS grants you are after.


> The new folder has the default groups applied, Administrators-Creator
> Owner-System-Users
> On the Local Machine, by default (when you join it to a domain), Domain
> Users group is added to Local Users Group and Domain Admins group is added
> to Administrators group.
>
Yes, those are currently the defaults

> So am I correct in thinking that leaving the default ntfs perms on a
> folder is the best practice when wanting to give domain users access to
> this folder??
>

No, you are not correct in so thinking.
You could be correct in thinking that these are all OK if that is what you
need.
However, the defaults were chosen as a best guess of what would work
most of the time especially for those that did not do much in the way of
being effective hands-on admins. Something needed to be chosen, so what was
set as the defaults was what would be most likely needed but also sufficient
to make sure it virtually always worked.

> What is the correct best practice when applying domain groups to folders??
>

Here is some of my opinion. First I will speak to NTFS vs Share, and then
come back to this question.

Set NTFS and Share permissions.
Set NTFS so that there is no over allocation, and try like crazy to avoid
using any Deny ACEs. Set Share level to a reasonably minimized closure
that encompasses what NTFS grants but not too much more. For example,
suppose in the NTFS some account groups only have read, and some others
have modify. You could at the Share level just grant Change to Users and be
done with it, or you could define such as ShareChangers and ShareReaders
local groups and use these, with them being populated by the appropriate
groups as used in the NTFS grants. There is some balance point you should
aim for where Share is close to minimally sufficient without the reduction
from a massively excess grant becoming overly complex and cumbersome.

As far as using machine local groups or domain groups for the granting,
which I assume you mean by asking
> What is the correct best practice when applying domain groups to folders??
I would just ask you, if you defined a machine local group, would it have
multiple domain groups in it? Would it have more machine local users in it?
If the answer is no, especially to the last of these, then using the domain
groups directly on the resources is not losing capability. It is counter to
the old wisdom of global in local etc. but IMO that was NT4 era wisdom,
before we could nest at the domain level (heck, I even questioned the
"wisdom" of it back then).
If you can provision a storage for example, a fileserver for your users,
where all ACLing on the store is with domain groups, that hardware can be
moved to a different server, or have the server rebuilt around it, and it
would be good to go.
If you used machine local you would be looking at a lot of reACLing.
2 cents I guess.

> Any help/comments are greatly appreciated.
>
> Thanks
>
> Mark
>

Hopefully that did not confuse more than assist.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
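
One way to apply the layering Roger describes, as an added example that is not part of the thread: NTFS grants go directly to domain groups, and the share grants are the smallest set that still covers them. The domain `CONTOSO`, both group names, the folder path and the share name are assumptions; the SmbShare cmdlets ship with Windows Server 2012 and later, so they postdate the thread.

```powershell
# Assumed names (not from the thread): CONTOSO domain, both domain groups,
# the D:\Data\Projects folder and the Projects share.
$Path     = 'D:\Data\Projects'
$Share    = 'Projects'
$Readers  = 'CONTOSO\Projects-Readers'
$Changers = 'CONTOSO\Projects-Changers'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS layer: stop inheriting the drive defaults (which include the local
# Users group) and grant only what each group needs. Allow ACEs only, no Deny.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protected, inherited ACEs dropped
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($Changers,                'Modify'),
    @($Readers,                 'ReadAndExecute')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share layer: the same domain groups, capped at Change and Read, so an NTFS
# mistake further down the tree cannot be used over the network beyond that.
# Only Administrators get Full (take ownership, change permissions).
New-SmbShare -Name $Share -Path $Path `
    -FullAccess   'BUILTIN\Administrators' `
    -ChangeAccess $Changers `
    -ReadAccess   $Readers | Out-Null

# Audit: list shares still using the no-op "Everyone - Full Control" grant.
Get-SmbShare -Special $false | Get-SmbShareAccess | Where-Object {
    $_.AccountName -eq 'Everyone' -and
    $_.AccessRight -eq 'Full' -and
    $_.AccessControlType -eq 'Allow'
} | Select-Object Name, AccountName, AccessRight
```

Because every ACE outside the built-in principals names a domain group, the volume can be attached to a rebuilt or different server without re-ACLing; only the share itself has to be recreated.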


