
Looking for best practices for setting up secure user home directory file structure

microsoft.public.windows.server.security
Looking for best practices for setting up secure user home directory file structure Rob Gordon 10-06-2006
Posted by Rob Gordon on October 9, 2006, 10:26 pm
Thank you, Roger. This more flows with my original concept for how to lay
out user folders.

Regards,

Rob Gordon

> If you were to isolate private folders at \host\private\username then
> as you would be sharing the \host\private the "temptation" for user1
> to poke at user2 would still be there.
> Since the amount of differencing in NTFS permissions would be about
> the same if one did or did not separate the private from the public there
> seems no real gain in management simplicity one way or the other.
>
> So, I would consider going with
> \host\users
> \host\users\username1 the public area
> \host\users\username1\private username1's private area
>
> This is more convenient for username1 as they work in one area,
> published to others "up there" else shared with no one in "private".
>
> This quite possibly also minimizes the number of NTFS inheritance
> points that are set up compared to other designs.
>
> I would strongly recommend that you share \host\users with Change,
> NOT with Full in order to prevent their changing the NTFS permissions
> on what they create from your intended constraints.
>
> I would also think about using Access Based Enumeration, so in effect
> each username1 would be able to see only one (their own) "private"
>
>
> Roger
>
>>I am in the process of trying to set up a secure home directory structure that
>>would allow users to have two repositories each. One for keeping their
>>confidential information in, and the other as a publicly available share,
>>for anything they wanted to allow other users to be able to view. Domain
>>Admins would of course have Full Control Access over all directories.
>>
>> The initial file structure that I'm considering is the following:
>>
>> Top Level = Users (i.e. \Users)
>> Second Level = Home Directories for all corporate users (i.e.
>> \Users\fred)
>> Third Level = Private folder and Public folder for each individual user
>> (i.e. \Users\Fred\Private would be accessible only to user Fred and
>> \Users\Fred\Public as a publicly R/O share accessible by all users, but
>> still allowing user Fred Full access to be able to post data to this
>> directory)
>>
>> Is it possible to set up this folder structure securely (both with file
>> and share level security), or is it more logical to set up two directory
>> structures (i.e. \Users\Public and \Users\Private) that each contain a
>> directory dedicated to each corporate user (i.e. \Users\Public\Fred and
>> \Users\Private\Fred)? This of course assumes that the permissions on
>> the \Public directories will be R/O by all, and Full Control by the
>> directory's owner, and permissions on the Private directory would be Full
>> Control for the directory's owner only.
>>
>> All feedback is greatly appreciated. :)
>>
>
>



Posted by Rob Gordon on October 11, 2006, 4:24 pm
One last question:

What would the file level permissions look like, versus the Share level
permissions?




Posted by Roger Abell [MVP] on October 11, 2006, 7:18 pm
The share level needs to "encompass" the highest grants given in NTFS
that you do want them to be able to use via a remote share access.
Probably Users Change (that would disallow their changing permissions
or giving away ownership, if NTFS allows) but would not inhibit any read,
write, copy, move, delete type of actions (where NTFS allows).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

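The layout and the share-versus-NTFS split discussed in this thread, sketched as an added PowerShell example that was not posted by any participant. The local path, the domain name `CONTOSO`, the user names and the choice of Modify as each user's NTFS grant are assumptions; `New-SmbShare` requires Windows Server 2012 or later.

```powershell
# Added example: placeholder path, domain and users. Run elevated on the file server.
$Root   = 'D:\Shares\Users'          # assumed local folder behind \\host\users
$Domain = 'CONTOSO'                  # placeholder domain name
$Users  = 'username1', 'username2'   # placeholder accounts
$Admins = "${Domain}\Domain Admins"

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Root: one inheritance point. Admins and SYSTEM get Full, everyone else reads.
icacls $Root /inheritance:r `
    /grant:r "${Admins}:(OI)(CI)F" `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant:r 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX'

foreach ($User in $Users) {
    $Public  = Join-Path $Root $User        # \host\users\username1, the public area
    $Private = Join-Path $Public 'private'  # \host\users\username1\private
    New-Item -ItemType Directory -Path $Private -Force | Out-Null

    # Public area: keeps the inherited read-only ACE for others,
    # and adds Modify (not Full) for the folder's user.
    icacls $Public /grant:r "${Domain}\${User}:(OI)(CI)M"

    # Private area: second inheritance point. Dropping inherited ACEs
    # removes the read grant for other users.
    icacls $Private /inheritance:r `
        /grant:r "${Admins}:(OI)(CI)F" `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        /grant:r "${Domain}\${User}:(OI)(CI)M"
}

# Share: Change, not Full, so permissions cannot be rewritten through the share.
# Access Based Enumeration hides folders the caller cannot read.
New-SmbShare -Name 'users' -Path $Root `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess $Admins `
    -FolderEnumerationMode AccessBased | Out-Null

# Review the result: share-level grants, then the NTFS ACL on one private folder.
Get-SmbShareAccess -Name 'users'
icacls (Join-Path $Root 'username1\private')
```

Effective remote access is the more restrictive of the share grant and the NTFS grant, so the share's Change entry is the ceiling and the NTFS entries do the per-folder differentiation.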


