NTFS and Shared Permissions

Archived from groups: microsoft.public.win2000.security

I have a few questions about NTFS permissions and share that I hope
someone can help me with. I know that NTFS permissions are applied to
both remote and local users and that shared permissions are only
applied to remote users. When and why would you apply NTFS permissions
to a share or file?? With the shared vs NTFS permissions the most
restrictive permission will take effect but which should you lock down
the shared or the NTFS permissions?? Can you give an example?

With NTFS permissions on a file what is the difference with the
"read" and "read & execute" permissions? And what is the
difference between "modify" and "write" permissions? And the
"list folder content" and "transverse folders"?

With the share permission I was also reading that there is no
difference between the "modify" and "full control" is this
true??

What does the auditing tab do on the advanced tab and what is effective
permissions and how are they different from the permissions that are
assigned? I didn't see a difference and was confused by it???
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Comments are inline.

    <matthewpascucci@yahoo.com> wrote in message
    news:1112843232.719853.159450@o13g2000cwo.googlegroups.com...
    >I have a few questions about NTFS permissions and share that I hope
    > someone can help me with. I know that NTFS permissions are applied to
    > both remote and local users and that shared permissions are only
    > applied to remote users. When and why would you apply NTFS permissions
    > to a share or file?? With the shared vs NTFS permissions the most
    > restrictive permission will take effect but which should you lock down
    > the shared or the NTFS permissions?? Can you give an example?

    You should use the principle of least privilege for each type of permission.
    That way, for network users, if one of the permission types is misconfigured
    you still have limited access. It would not make sense to give a group full
    control share permission to a folder where they have only read permissions
    or vice versa.

    > With NTFS permissions on a file what is the difference with the
    > "read" and "read & execute" permissions? And what is the
    > difference between "modify" and "write" permissions? And the
    > "list folder content" and "transverse folders"?

    Read allows you to read text, doc, etc type files. Execute allows you to
    start applications or an executable file. Modify also allows deletion -
    write does not. List folder allows you to only see the files/folders in a
    folder. Traverse folder allows you to access a file/folder through folders
    that you have no permission to. This is also a default user right for all
    users and the traverse folder permission is usually not needed but no harm
    if allowed otherwise.
    >
    > With the share permission I was also reading that there is no
    > difference between the "modify" and "full control" is this
    > true??
    >
    There is no modify share permission - only read/change/full and there is a
    difference. A user who has full control ntfs permissions will not be able to
    use all of them [change permissions/take ownership] if only change share
    permission is used. Change allows a user to write/delete to a shared folder
    assuming they have the necessary ntfs permissions.

    > What does the auditing tab do on the advanced tab and what is effective
    > permissions and how are they different from the permissions that are
    > assigned? I didn't see a difference and was confused by it???

    When auditing of object access is enabled on a computer you can then audit
    access to a folder/file for the users and permissions you want to monitor
    and then you will find related object access events in the security log that
    however are not user friendly to interpret. Effective permissions is what
    the operating system calculates as the ntfs permission for a user/group based
    on permissions applied via all the groups that a user/group belongs to with
    some exceptions as noted below with creator owner being of note in that it
    by default is included in advanced permissions. An owner of an object will
    receive owner creator permissions if owner creator is present. Authenticated
    users are also often included in ntfs permissions. The links below may be
    helpful. --- Steve

    The calculation does not take these Security Identifiers into account: the
    Anonymous Logon, Authenticated Users, Batch, Creator Group, Creator Owner,
    Dialup, Enterprise Domain Controllers, Interactive, Network, Proxy,
    Restricted, Self, Service, System, and Terminal Server User. An example
    would be if a user were to access a file remotely.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419
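
The share/NTFS combination discussed in the reply above, as an added example that is not part of any post in this thread: it intersects a share permission with an NTFS permission using the standard Windows access-mask bit values. It assumes one allow entry per layer (no deny entries, no multiple group memberships), and the function names are illustrative.

```python
# Added example: how share and NTFS permissions combine for a network user.
# Bit values are the standard Windows ACCESS_MASK constants (winnt.h).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x40, 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x10000, 0x20000, 0x40000, 0x80000, 0x100000)

READ = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
        | READ_CONTROL | SYNCHRONIZE)                      # 0x120089
READ_EXECUTE = READ | FILE_EXECUTE                         # 0x1200A9
WRITE = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
         | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE)            # 0x100116
MODIFY = READ_EXECUTE | WRITE | DELETE                     # 0x1301BF
FULL_CONTROL = MODIFY | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER  # 0x1F01FF

NTFS = {"Read": READ, "Read & Execute": READ_EXECUTE, "Write": WRITE,
        "Modify": MODIFY, "Full Control": FULL_CONTROL}
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}

RIGHT_NAMES = {"read data": FILE_READ_DATA, "write data": FILE_WRITE_DATA,
               "execute": FILE_EXECUTE, "delete": DELETE,
               "change permissions": WRITE_DAC, "take ownership": WRITE_OWNER}


def effective(ntfs_level, share_level=None):
    """Return the access mask a user ends up with.

    share_level=None models local access, where the share ACL is not
    consulted; otherwise only rights granted by BOTH layers survive.
    """
    mask = NTFS[ntfs_level]
    if share_level is not None:
        mask &= SHARE[share_level]
    return mask


def can(mask, *rights):
    """True if every requested right is present in the mask."""
    return all(mask & r == r for r in rights)


def describe(mask):
    """List the headline rights present in a mask."""
    return [name for name, bit in RIGHT_NAMES.items() if mask & bit]


if __name__ == "__main__":
    for ntfs, share in [("Full Control", "Change"), ("Full Control", None),
                        ("Read", "Full Control"), ("Write", "Change")]:
        where = f"via share ({share})" if share else "locally"
        print(f"NTFS {ntfs:<12} {where:<26} -> {describe(effective(ntfs, share))}")
```
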


  2. Archived from groups: microsoft.public.win2000.security (More info?)

    The NTFS permissions and the shared permissions are complementary and must
    be enabled in order to work together in a secured network.
    First of all, in all cases you must configure the NTFS permissions; this
    will guarantee you secured access to the servers, and at least configure it
    on the data folders of your servers.

    Secondly, there is no war between NTFS permissions and shared permissions,
    because the Windows OS first applies the shared permissions to the user who
    is trying to browse and traverse the folder, and afterwards the Windows OS
    checks the NTFS permissions in order to let the user use the folder and
    files or not. So usually you must configure your share permissions with more
    permissive rights than NTFS permissions.
    So do not waste your time configuring the shared permissions and lose a
    lot of time with NTFS permissions, which are more important.

    Definitions:
    "read": you can read the resource; it means that you can open it with a hex
    editor, for example
    "read & execute": you can read it and also execute the file if it is an
    executable file
    "modify": you are able to read, write, execute and change the NTFS
    permissions
    "write": you are only able to write the file or folder, for example if
    you want to copy a new file into the folder
    "list content": you can see the content of a folder
    "traverse": you are able to enter into this folder

    The auditing tab gives you the power to control, with the event log, who is
    using the folders or files; this is a trace and audit tool.
    The audit tab does not modify the behaviour of your NTFS permissions.

    For more details, I invite you to read the Microsoft site:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_rights_and_access_masks.asp
    which gives you all "access_mask" details


    WinSysBee Support
    Sécurité et Expertise Informatique
    http://www.winsysbee.com


  3. Archived from groups: microsoft.public.win2000.security (More info?)

    "WinSysBee Support" <support.nospam@winsysbee.com> wrote in message
    news:42558f7f$0$27764$626a14ce@news.free.fr...
    > The NTFS permissions and the shared permissions are complementary and must
    > be enabled in order to work together in a secured network.
    > First of all, in all cases you must configure the NTFS permissions; this
    > will guarantee you secured access to the servers, and at least configure it
    > on the data folders of your servers.
    >
    > Secondly, there is no war between NTFS permissions and shared permissions,
    > because the Windows OS first applies the shared permissions to the user who
    > is trying to browse and traverse the folder,

    - - - only when that is done over the network

    > and afterwards the Windows OS checks
    > the NTFS permissions in order to let the user use the folder and
    > files or not. So usually you must configure your share permissions with more
    > permissive rights than NTFS permissions.
    > So do not waste your time configuring the shared permissions and lose a
    > lot of time with NTFS permissions, which are more important.
    >
    > Definitions:
    > "read": you can read the resource; it means that you can open it with a hex
    > editor, for example
    > "read & execute": you can read it and also execute the file if it is an
    > executable file
    > "modify": you are able to read, write, execute and change the NTFS
    > permissions

    modify does NOT include permission to alter permissions
    also, delete is part of modify but not mentioned here

    > "write": you are only able to write the file or folder, for example if
    > you want to copy a new file into the folder
    > "list content": you can see the content of a folder
    > "traverse": you are able to enter into this folder
    >
    > The auditing tab gives you the power to control, with the event log, who is
    > using the folders or files; this is a trace and audit tool.
    > The audit tab does not modify the behaviour of your NTFS permissions.
    >
    > For more details, I invite you to read the Microsoft site:
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_rights_and_access_masks.asp
    > which gives you all "access_mask" details
    >
    >
    > WinSysBee Support
    > Sécurité et Expertise Informatique
    > http://www.winsysbee.com