I’m almost embarrassed to blog about this. Every admin should know how this works, most think they do, some might, but many don’t really! What I am talking about is how the permissions work when you create a shared folder on a Windows-based system. For the purposes of this discussion I am only referring to OS versions based on NT (NT4, 2000, XP, Vista, 2003). Hopefully I get it right and make it clear.

If I had to summarize right here at the beginning, I would just say that when creating a share you should probably just set the share permissions to "Everyone", "Full Control". That might sound like a security super no-no, but what many don’t realize is that in the NT-based OS versions the NTFS or "Security" permissions are the real gateway to access. Ultimately, unless you grant "Security" or NTFS permissions for the folder, most users will not be able to access ANYTHING.

One consideration that you need to know right off the bat is that this whole discussion is null and void if you have not formatted your drive using NTFS. If your drive is formatted FAT or FAT32 then all bets are off. I can’t think of any reason anyone would intentionally be using FAT, but I’ve seen it a lot. It is easy to upgrade, but that isn’t what this is about…
Share Permissions - From Technet:
So, in simple terms…
Example:
Directory: c:\MyShare
Share Name: MyShare
Computer Name: MyComputer
User | Share Permissions Set (MyShare) | NTFS Permissions Set (MyShare) | Effective Remote Access through \\MyComputer\MyShare | Effective Local Access through C:\MyShare |
User1 | None | Full Control | None | Full Control |
User2 | Read | Full Control | Read | Full Control |
User3 | Full Control | Full Control | Full Control | Full Control |
User4 | None | None | None | None |
User5 | Read | None | None | None |
User6 | Full Control | None | None | None |
User7 | None | Read | None | Read |
User8 | Read | Read | Read | Read |
User9 | Full Control | Read | Read | Read |
This is by no means an exhaustive list of permission combinations! There are many variations in between as well as explicit ‘Deny’ permissions, but this should give you the idea.
Managing permissions on a file server can be painful, but it is doubly so if you have to duplicate all your permissions at the share level AND the NTFS level. My experience says that the easiest (and just as secure) way, given the above information, is to set the Share permissions to Full Control for EVERYONE. Then you can set your actual permissions at the NTFS level.
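
The rule behind the table, as an added example that is not part of the original post: remote access is whatever both the share ACL and the NTFS ACL grant, while local access is decided by NTFS alone. It goes beyond the table by adding group membership and an explicit Deny; the group names, users and ACLs are constructed, and the model is a simplification that ignores inheritance and ACE ordering and assumes any matching Deny overrides an Allow.

```python
# Rights as bit masks (simplified assumption: three cumulative levels).
READ, CHANGE, FULL = 0b001, 0b011, 0b111
NAMES = {0: "None", READ: "Read", CHANGE: "Change", FULL: "Full Control"}


def granted(acl, principals):
    """Union of matching allow ACEs minus any matching deny ACEs."""
    allow = deny = 0
    for who, kind, rights in acl:
        if who in principals:
            if kind == "deny":
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny


def effective(user, groups, share_acl, ntfs_acl):
    """Remote access is capped by both ACLs; local access sees only NTFS."""
    principals = {user, "Everyone", *groups}
    ntfs = granted(ntfs_acl, principals)
    share = granted(share_acl, principals)
    return {"remote": NAMES.get(share & ntfs, "Custom"),
            "local": NAMES.get(ntfs, "Custom")}


# Constructed sample ACLs: (principal, "allow" or "deny", rights).
# The share is set the way the post recommends; NTFS does the gatekeeping.
SHARE_ACL = [("Everyone", "allow", FULL)]
NTFS_ACL = [
    ("Staff", "allow", CHANGE),
    ("Auditors", "allow", READ),
    ("Contractors", "deny", FULL),
    ("Admins", "allow", FULL),
]

if __name__ == "__main__":
    for user, groups in [("alice", ["Staff"]), ("bob", ["Staff", "Contractors"]),
                         ("carol", ["Auditors"]), ("dave", [])]:
        print(user, effective(user, groups, SHARE_ACL, NTFS_ACL))
```

With the share left at Everyone / Full Control, a user with no NTFS entry (dave) still gets nothing, and the Deny on Contractors removes the access bob would otherwise inherit from Staff.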