Which of the following is true on how share permissions and NTFS permissions work together on the same folder?
SymptomsArticle Summary: This article discusses NTFS permissions and share permissions in Windows and how they work together to regulate access to files and folders. Show
Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.
The most important thing to remember about NTFS permissions and share permissions is the manner in which they combine to regulate access.
I shouldn’t be surprised that some folks are still confused about the best way to handle share and NTFS permissions. But the best practices for setting permissions on Window Server are pretty simple, and following them can keep your permissions from getting messy and overly complicated while ensuring security. A Short History of Windows Server PermissionsLet’s start with where share permissions came from. At the beginning of Windows networking and creating shares, there were no NTFS permissions available. The file systems were FAT16. Since the file system had no underlying permissions available, the only way to secure access to the content was to have permissions on the entry point to the file system, which is the share. NTFS permissions came with the introduction of the NTFS file system, beginning with Windows NT 3.1. Not everyone adopted NTFS right away though, instead opting for the more backward-compatible FAT and HPFS file systems. By the time Windows NT 4.0 came around in 1996, NTFS was finally taking root. What are NTFS Permissions?NTFS permissions allow for granular control for Microsoft Windows NT and later operating systems files; they allow users access to data at several levels. They allow access to individual users at the Windows logon on, regardless of their location or the network they are using. NTFS permissions can be set for:
Limitations of Share PermissionsThe share permission structure is hindered by many limitations. It has only three levels of control.
Share permissions also lack granular control. Once permissions are granted at the share, those permissions apply files, folders, and sub-folders below that point. There is no way to be more granular and a lower level without creating yet another share. What About the Authenticated Users Group?Another issue is that of the "Everyone" account. Beginning with Windows NT 3.1, up through Windows NT 4.0, the Guest account was automatically enabled. As part of the Everyone group, even Guests were granted the same access as authenticated users wherever Everyone is found on an ACL. In Windows 2000, the Guest account was disabled by default, but the Internet Guest account came into play and was enabled out of the box on Windows 2000 Servers and Windows 2000 Clients. The Internet Guest is also a member of Everyone. To address this problem, Microsoft introduced the Authenticated Users group to differentiate between Guest and Non-Guest users. This is the reason why you find so many people using Authenticated Users on share permissions instead of Everyone. Fortunately, in modern versions of Windows Client and Server (beginning with Windows Server 2008), the Internet Guest account is no longer an issue, and the Guest account is still disabled by default. This means that the default Everyone account we find on a share does not need to be replaced with Authenticated Users everywhere we see it. And the short answer is you can just ignore Authenticated Users in the share. How Share & NTFS Can Allow Specific Access to Each IndividualI can sum up the approach in one sentence: Set Everyone – Full Control on the share, and focus on granular permissions through NTFS. (See, that was easy!) But, wait…how is it that Everyone is OK at the share? Isn’t that a security hazard? Not at all. Share as Primary Access, NTFS as Secondary AccessEven though Guests are no longer involved, it is true that Everyone includes all authenticated users from the entire forest (just like Authenticated Users, by the way). However, we can think of the share as the door to a vestibule or lobby area. In many organizations with a large corporate facility, you will have a door to get into the lobby area. Anyone can enter that door, but inside that door is a security person or key card gate/turnstile/door that only authorized users can go beyond. Well, that second layer is just like the NTFS permissions we use in a file system. Just imagine that we said only salespeople can come into the lobby even though the building has offices for the engineering, IT, and management folks as well. That’s what a share does. If a share is more restrictive than the NTFS permissions, even if lower-level folders and files allow access, the share would take precedence. So, in the office scenario, your keycard would let you in the door if you are part of sales, but you couldn’t enter the lobby as a non-sales individual even if the inner security would let you pass. The Problem with Adding Multiple ACLs to the ShareTo address these sharing shortcomings, Microsoft originally told people to add multiple ACLs to the share, mirroring what is set on the NTFS folders. This can create a complex and confusing assortment of permissions. The algorithm for calculating those permission interactions is:
Take the following scenario, for instance. There is a folder called E:\SalesData on a server that is shared as SalesData. Joe is a member of Sales and Management. On the NTFS folder, Joe has Read as a user, Modify from Sales, and Full Control from Management. On the share, the only entry is Sales with Read. When Joe attempts access to the folder, he can only Read the data because the share permissions are more restrictive. (Now you see where I’m getting the "under sharing" concept from!) The suggested best practice from Microsoft is to leave the share at Everyone – Full Control and diligently set your permissions on the NTFS folder. So, in our previous scenario, if we change the share permissions to Everyone – Full Control, Joe will now have full control of the folder as he should, since he is a manager. However, if Jane accesses the folder and is only a member of Sales, she will only get Read permissions since her NTFS permissions compute to Read and are more restrictive than the Everyone – Full Control from the share. If Bob comes along and is not a member of either group, he gets nothing. Nada. Zilch. Very simple, very easy to manage, and very secure, if you do your homework on the NTFS permissions. Does Granting Full Control at the Share Also Grant Permission to Manage the Share?The answer is no. Giving someone Full Control of the share does not give them permission to manage or do anything to the share. You can only control a share if you are an Administrator or Server Operator on the server where the share exists. What’s the Last Word on Best Practices?So, the bottom line is, go ahead and overshare on your share permissions. It’s OK. Nobody will think any worse of you for it. In fact, it may simplify your life as an Administrator to the point where you actually have time to do some of that oversharing on your social media for a change! How do NTFS and share permissions work?If the share permissions are “Read”, NTFS permissions are “Full control”, when a user accesses the file on the share, they will be given “Read” permission. If the share permissions are “Full Control”, NTFS permissions are “Read”, when a user accesses the file on the share, they will still be given a “Read” permission.
Which of the following best describes what happens when share and NTFS permissions combine?When using share permissions and NTFS permissions together, if there is a conflict in the configuration, the most restrictive permission prevails. For example, if a user has NTFS full access to a specific file in a folder that is not shared, the user cannot access the file from the network.
What is the correct statement about share permissions and NTFS permissions?NTFS permissions apply to users who are logged on to the server locally; share permissions don't. Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder. Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings.
In which of the following ways do the NTFS permissions differ from share permissions?What are the differences between share and NTFS permissions? Shared folder permissions apply only to users connected to the share through the network; NTFS permissions apply to both local and network access.
|