UEU-co logo


Previous Page Next Page

Hour 13. Understanding Share and NTFS Permissions

What You’ll Learn in This Hour:

In Hour 12, “Working with Network Shares and the Distributed File System,” you saw how to configure a file server and share drives and folders on the network. This hour looks at how you secure network shares. First, we examine share permissions. Then we cover the additional security from using NTFS permissions on your file server volumes. We also take a look at some of the options for encrypting files and drives on your server.

Understanding Share Permissions

When you use the Provision a Share Wizard to share a volume or folder on the network, the default share permission assigned to the newly created share is Read Only for all users and groups. A share permission is the access level that you give to a particular user or group of users in relation to a particular share on your file server (or other server on the network). Setting the share permission for a folder or volume also sets the share permission level for the files and folders contained in the share.

By the Way

Although Read Only was the default permission for a share created with the Provision a Share Wizard, the wizard supplied you with other options in terms of the level of access for administrators and users during the share-creation process. See Hour 12 for more information about creating a new share with the wizard.

When you have added the File Services role to a server, the “one-stop” tool for working with shares and volumes is the Share and Storage Management snap-in. You can run this snap-in in the Server Manager or in the MMC (Start, Administrative Tools, Share and Storage Management).

When you select the Share and Storage Management node (again in the Server Manager or the MMC), a list of all the shares on the server is provided in the Details pane. You can access a particular share in the Details pane and then view the share permissions for that share.

To view the permissions for a share, follow these steps:

1. With the Share and Storage Management node selected, right-click a share in the Details pane and then select Properties.

2. Click the Permissions tab on the Properties dialog box (see Figure 13.1).

Figure 13.1. The Permissions tab provides access to the share’s share and NTFS permissions.

3. To view the share permissions, click the Share Permissions button. The Permissions dialog box opens. This dialog box shows users and groups that have been assigned permissions. To view the specific permissions for a user or group (related to that share), select the user or group in the Group or User Names box (see Figure 13.2).

Figure 13.2. Select a user or a group to view the share permissions.

Share permissions can be set at three different levels: Full Control, Change, and Read. A description of each share permission level follows:

You have the option of either allowing each permission level (using the Allow check box) or denying a particular permission (using the Deny check box). Typically, you assign a permission level, such as a change to a user or group, by selecting the Allow check box to the right of the permission (in this case, Read).

The Deny setting is used to fine-tune permission levels. Typically, you will want to assign share access levels by domain groups. (It makes sense to create groups for users and then assign share permissions to the groups.) The Deny permission always overrides any granted permissions for the object.

You might run into a case, however, in which most of the users in a group need a higher permission level, such as the Full Control permission for a share. But you might not want to assign that level of access to a few other users in the group (perhaps they could destroy important files in the share).

Here’s what you do: You assign the Full Control permission to the group in the Allow check box. You then add the users from the group who do not need this level of access, and you change their Full Control permission from Allow to Deny. Denying the permission level at the user level overrides the higher level of permission that you provided to the group.

In some cases, you might want to assign a group or user the No Access permission level. This permission level allows a connection to the shared folder (the folder can be seen on the network), but access to the folder and its contents are denied. To assign No Access, clear all the Allow check boxes for a particular group or user.

This permission level is useful when fine-tuning individual user access in a group that has been assigned an access permission level. For example, you might want the Accounting group to see the database, with the exception of the support people in the group, such as administrative assistants. You can allow the group access but use the No Access permission for those users you don’t want to see this highly sensitive data.

You should now see that you need to plan the level of permissions that you will supply to your domain groups (and individual users, if necessary) for the shares on the network. You should analyze what users will be doing with the files in each share and plan access levels accordingly.

By the Way

You can also view (and edit) the Share permissions for a share via the Computer folder. Locate the share using the Computer folder; right-click the folder and select Properties. Select the Security tab to view the share’s current permissions.

Previous Page Next Page

Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.


apply_now Pepperstone Group Limited