Guy's Random Support

I’m almost embarrased to blog about this. Every admin should know how this works, most think they do, some might, but many don’t really! What I am talking about is how the permissions work when you create a shared folder on a Windows based system. For the purposes of this discussion I am only referring to OS versions based on NT (NT4, 2000, XP, Vista, 2003). Hopefully I get it right and make it clear. If I had to summarize right here at the beginning I would just say that when creating a share you should probably just set the share permissions to "Everyone", "Full Control". That might sound like a security super no-no, but what many don’t realize is that in the NT based OS versions the NTFS or "Security" permissions are the real gateway to access. Ultimately, unless you grant "Security" or NTFS permissions for the folder, most users will not be able to access ANYTHING. One consideration that you need to know right off the bat is that this whole discussion is null and void if you have not formatted your drive using NTFS. If your drive is formatted FAT or FAT32 then all bets are off. I can’t think of any reason anyone would intentionally be using FAT, but I’ve seen it a lot. It is easy to upgrade, but that isn’t what this is about…

Share Permissions - From Technet:

• Apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.
• Apply to all files and folders in the shared resource. If you want to provide a more detailed level of security to the subfolders or objects in a shared folder, use access control on NTFS.
• Are the only way to secure network resources on FAT and FAT32 volumes, because NTFS permissions are not available on FAT or FAT32 volumes.
• Specify the maximum number of users who are allowed to access the shared resource over the network. This is in addition to the security provided by NTFS.

So, in simple terms…

• Share access permissions apply ONLY to network access to a folder and ALL of it’s subfolders and files. NTFS permissions apply to ALL access (network and local) to a folder, it’s subfolders, and files.
• Share access permissions apply to a folder and ALL of it’s subfolders and files. NTFS permissions apply to ALL access (network and local) to a folder and these permissions are inherited by default (passed to all subfolders and files), BUT the NTFS permissions can be completely granular. Individual subfolders or even individual files can have completely different permissions.
• Share access permissions are limited to READ and/or WRITE. NTFS permissions can consist of a combination of up to 14 different attributes READ, WRITE, DELTE, CREATE, etc, each of which can be granted or denied. Of course there is also FULL CONTROL available.
• When accessing files locally Share permissions are NOT in effect. NTFS permissions are ALWAYS in effect regardless of access method.
• When accessing files over the network, share and NTFS permissions are in effect and your resultant access is based upon the most restrictive of the two. So, if you have Full Control at the share level, but read only at the NTFS level then you end up with read only.

Example:
Directory:  c:\MyShare
Share Name:  MyShare
Computer Name:  MyComputer

This is by no means an exhaustive list of permission combinations!  There are many variations in between as well as explicit ‘Deny’ permissions, but this should give you the idea.

Managing permissions on a file server can be painfull, but it is doubly so if you have to duplicate all your permissions at the share level AND the NTFS level.  My experience says that the easiest (and just as secure) way given the above information is to set the Share permissions to Full Control for EVERYONE.  Then, you can set your actual permissions at the NTFS level.