Click here to get back home

Share Permission vs NTFS
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Share Permission vs NTFS Bad Beagle 07-18-2006
Posted by Bad Beagle on July 18, 2006, 2:02 pm
Please log in for more thread options
 I have some remote work stations that have currently been added to our
domain. We cannot host their data on our servers so the remote work
stations have a data they share with other workstations in the office. It
is currently only locked down by share permissions. I have two issues:

1. NOw users on our lan can browse to these computers and see their data
2. Is there any advantage to go through the work of locking down with ntfs



Posted by Karl Levinson, on July 18, 2006, 6:46 pm
Please log in for more thread options
"Bad Beagle" wrote:

> I have some remote work stations that have currently been added to our
> domain. We cannot host their data on our servers so the remote work
> stations have a data they share with other workstations in the office. It
> is currently only locked down by share permissions. I have two issues:
>
> 1. NOw users on our lan can browse to these computers and see their data

If they are using Windows 2000 or XP workstations, it should be possible to
prevent users on your LAN from accessing that data if you want. How and
where was the sharing / password configured so that your users can access
those computers? What version of Windows is on those computers?

> 2. Is there any advantage to go through the work of locking down with ntfs

Well, with NTFS file permissions, you can get more granular and determine
what files in that share they can access.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info


Posted by Steven L Umbach on July 19, 2006, 12:01 am
Please log in for more thread options
Check the share permissions to make sure that only authorized users/groups
have permissions to the share rather than users/everyone/authenticated
users. For XP Pro computers if simple file sharing is enabled you want to
disable that but it should be disable when a computer is joined to the
domain. You can check by using Windows Explorer tools/folder options/view
and make sure that the last option for use simple file sharing is unchecked.
Also verify that the guest account is disabled on those computers. NTFS
permissions allow much more granular assignment of permissions than share
permissions and should be using along with share permissions. Note that it
may be possible for other users to see the computer and shares in My Network
Places but with proper share permissions they should not be able to
access/open any files that they do not have permissions to.

Steve

http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml ---
using NTFS and share permissions

>I have some remote work stations that have currently been added to our
>domain. We cannot host their data on our servers so the remote work
>stations have a data they share with other workstations in the office. It
>is currently only locked down by share permissions. I have two issues:
>
> 1. NOw users on our lan can browse to these computers and see their data
> 2. Is there any advantage to go through the work of locking down with
> ntfs
>



Posted by Roger Abell [MVP] on July 19, 2006, 2:04 am
Please log in for more thread options
Opinions differ on this, and the answer to your item 2 can either fall out
from your use requirements, or your philosophy on things, or both.

Note that there are really three choices:
1. make the share permissions excessive and exert all control with
NTFS permissions only
2. make the NTFS permissions excessive and exert all control with
share permissions only
3. use both (effectively), whether necessary or not

There are many access control patterns that cannot be effected if one
uses only the share permissions with a sufficiently loose NTFS setting.
If the use cases do not force you to use of the NTFS permissions
then choices 1 and 2 could work.

I sort of see this like your having a car with an alarm system that you
can turn on and you also have one of those "club" steering-wheel locks.
So, do you use only the igition lock? or do you use the added protection?

The answer probably depends on the value of the car and how badly
you want to protect it, and also the difficulty of effecting the protection.
I see using both effectively (that is, to make minimally sufficient grants)
akin to turning on the car alarm - that is, it is simple (compare to using
the "club" which can be cumbersome).

So I guess you see where I stand, item 3, since it is a one-time action to
set up and results in your using what exists (as compared to voluntarily
disabling some of the available protection).


>I have some remote work stations that have currently been added to our
>domain. We cannot host their data on our servers so the remote work
>stations have a data they share with other workstations in the office. It
>is currently only locked down by share permissions. I have two issues:
>
> 1. NOw users on our lan can browse to these computers and see their data
> 2. Is there any advantage to go through the work of locking down with
> ntfs
>



Similar ThreadsPosted
Share folder and NTFS permission April 10, 2008, 6:47 pm
How to reset the permission on the "USERS" share June 5, 2008, 2:56 pm
NTFS Permission April 21, 2006, 10:04 am
possible to change Default Share Permission for Group "Everyone"? June 6, 2005, 1:26 pm
Fastest way to refresh security and share permission July 4, 2006, 7:53 pm
NTFS permission problem March 31, 2006, 11:36 am
NTFS permission problem November 30, 2006, 3:57 pm
ntfs special permission question September 1, 2006, 1:50 pm
NTFS Rname VS. Delete Permission April 23, 2008, 1:36 am
NTFS Permissions for public share October 5, 2006, 2:08 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap