Best Practice in Using NTFS Permissions and Share Permissions

What is the best practice in combining NTFS Permissions and Share Permissions? – This is a common question asked even by Administrators. Read here for an answer!

In this blog post we talk about the best practice in combining NTFS Permissions and Share Permissions. This question comes up often, and I’d like to give you an answer.

In fact, searching for this topic online yields quite a handful of results. You will also notice that some people have their own “best practice” that differs from what Microsoft says. I believe the confusion stems from how Share Permissions were handled in the past and from the changes made in modern operating systems.

If we take a quick look back, the Guest account was automatically enabled in older operating systems, and it was part of the “Everyone” group. This created a problem because whatever access was given to “Everyone”, Guests inherited it. This is why, even today, Administrators still use the Authenticated Users group to separate Guest and non-Guest users. Fortunately, this has changed in the modern OS.

So, are you ready to know the best approach? Here we go!

Give “Everyone” Full Control on the Share permission and define specific permissions on the NTFS level

This is the best way, and to better understand it, let’s have a quick comparison between Share Permissions and NTFS Permissions. Put simply, a Share permission is what you set on a folder when you share it. Share permissions determine the type of access others have to the shared folder across the network.

This is done by going to the folder’s Properties, clicking the Sharing tab, then Advanced Sharing, and finally Permissions.

NTFS permissions, on the other hand, determine who can access the files and folders, and at what level, both across the network and locally. They can be viewed by going to the folder’s Properties and clicking the Security tab.

The most restrictive wins!

The most restrictive permission applies when there is a conflict between Share and NTFS permissions. Whichever of the two is more restrictive is applied as the effective permission – what the user can actually do to the files and folders.

To illustrate, suppose a user has Share Permission – Read and NTFS Permission – Full Control. Applying what we’ve learned, we can conclude that the effective permission given to the user is only Read.

For the sake of fun, let’s reverse that order. Now we have Share Permission – Full Control and NTFS Permission – Read. Does that change the effective permissions? Absolutely not! Again, the most restrictive permission applies.
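
Because the share permission is left wide open in this approach, the NTFS ACL is the only thing restricting access, so it is worth checking that it really does. The script below is an added example, not part of the original post: it lists each non-administrative share, reports whether “Everyone” has Full Control on the share, and flags shares whose root folder also grants write-level NTFS rights to a broad group. It assumes an elevated PowerShell session on the file server, English account names, and a list of “broad” groups that you should adjust.

```powershell
# Added example: find shares where neither layer is restrictive.
# Assumption: these are the principals you consider "too broad" for write access.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# NTFS rights that let a user change data or the ACL itself.
# The two hex values are GENERIC_WRITE and GENERIC_ALL, which can appear
# in ACEs that were written with generic access bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Skip administrative shares (C$, ADMIN$, IPC$) and shares without a folder path.
$shares = Get-SmbShare -Special $false | Where-Object Path

$report = foreach ($share in $shares) {
    # Share level: is "Everyone" allowed Full Control?
    $openShare = [bool](Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    })

    # NTFS level: which broad principals hold write-level rights on the share root?
    $broadWriters = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0
    }

    [pscustomobject]@{
        Share               = $share.Name
        Path                = $share.Path
        EveryoneFullOnShare = $openShare
        BroadNtfsWriters    = ($broadWriters.IdentityReference.Value | Sort-Object -Unique) -join ', '
        # Open share + broad NTFS write = the most restrictive permission is still "write".
        NeedsReview         = $openShare -and [bool]$broadWriters
    }
}

$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

The check only looks at the ACL on the share’s root folder; subfolders with inheritance disabled need their own review.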

Wrapping up!

We can liken this approach to the security system of a large company. In one of the offices where I used to work, we had a lobby that everyone could enter. From the lobby, there were doors that led to Operations, HR, and the IT Room. Each employee was given a badge, a proximity card that we swiped to authorize our access. IT people could use their badge to enter the Operations area and the IT Room. HR people had access to the HR and Operations areas. Since I was from Operations, I was only given access to the Operations area. You see the point here?

The access to the lobby is the Share permission and the access programmed on each card to open specific doors is the NTFS permission.

I hope this clears things up. To learn more about NTFS Permissions, Share Permissions, and how to use them, get your free course HERE!


