I thought this was a really good post on permission/ACL design on Windows file servers.
Following repost is from reference: https://social.technet.microsoft.com/Forums/ie/en-US/c6242159-d15d-417e-91f8-eb19c0da3a35/best-practices-for-basic-ntfs-permissions-on-a-share?forum=winserverfiles
Suggested Reading
Axioms of Permissions Administration
http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx
The Golden Rules of Permissions Administration
http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx
Differences between Authenticated Users, Domain Users, and Everyone groups
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx
Recommended NTFS Permissions for New Drives
http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx
Creator Owner Explained
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx
Doing security is about creating an developing a philosophy, there are many out there. The one below is mine and works for most situations, this is just a simplified explanation of the Axioms and Golden Rules listed above.
For shares you should do the following
1) Everyone - Read (optional not really needed but a nice just in case)
2) Authenticated Users - Change
3) Local Administators - Full Control
4) File Strucutre Administrators - Full Control
For Shares note the following:
Alway limit Authenticated Users to Change at the Share to pervent non-admin users from accidently being given Full Control to the file structure.
You should always configure Local Adminsitrators Full Control at the Share so they can administrate it remotely
You should always create and use a Files Strucutre Adminsitrators groups and assign them full control to every share. This allows them to remotely administrater shares without being local administartors.
For your high level directories NTFS Permsisions where no files reside and only read access to folders is needed to get to the data in lower directories.
1) Authenticated Users - Read
2) Local Administators - Full Control
3) File Strucutre Administrators - Full Control
4) SYSTEM - Full Control
For NTFS in this situation note:
Alway limited Authenticated Users to Read to pervent non-admin users chaning folders and creating files here.
You should always configure Local Adminsitrators Full Control at the folder so they can administrate it remotely
You should always create and use a Files Strucutre Adminsitrators groups and assign them full control to every folder. This allows them to remotely administrater shares without being local administartors.
For NTFS permissions where users need to write data, stop inheritance, copy permissions and replace Authenticated users to two different groups
1) Directory group - Read Only
2) Directory group - Read and Write
3) Local Administators - Full Control
4) File Strucutre Administrators - Full Control
5) SYSTEM - Full Control
For NTFS in this situation note:
Alway remove Authenticated Users so the appropriate group limite access
You should always configure Local Adminsitrators Full Control at the folder so they can administrate it remotely
You should always create and use a Files Strucutre Adminsitrators groups and assign them full control to every folder. This allows them to remotely administrater shares without being local administartors.
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/68748d3a-575f-4ffa-bd98-c6b7fcb3a901
Thursday, October 26, 2017
Subscribe to:
Posts (Atom)
