I just wanted to add a few points:

1. Although Windows combines the two sets of permissions, you should always be most specific with the NTFS permissions, because they control access to files no matter how the user accesses them (i.e., locally or via terminal services) whereas the share permissions only control access via the shared folder.

2. Share permissions don't use inheritance so you need to be extra careful with nested shared folders.

3. Yes, share permissions on NTFS volumes are redundant and really not necessary, but in other cases you do need them, such as when you want to share a CD-ROM, USB drive, a FAT drive, a non-Windows drive, or any volume that does not support NTFS permissions.

Mark
http://xato.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, December 26, 2006 4:52 PM
To: dubaisans dubai; Focus-MS
Subject: Re: Share and NTFS permissions

I don't know that I would use "best way," but many people consider it the "easiest way."

When combining share+NTFS (file) permissions, the most restrictive policy always "wins." IOW, if you create a share, and give it READ only rights, anyone accessing files through that share point will have READ only access even if your NTFS permissions allow for WRITE or FULL control. If your share has FULL permissions, but NTFS permissions only allow for READ, then users accessing the file through the share point will have only READ permissions.

The recommended concept is based on giving the share point FULL permissions and using actual NTFS file permissions to limit access so that it is just easier to administer. If you have multiple shares that you have different permissions on from a share standpoint, it may be difficult to troubleshoot access issues unless you really have things documented well. Giving the share FULL permissions basically takes share permissions out of the equation when troubleshooting.

The "duality" is provided just in case you really want to limit overall access globally from a share - as in if you know that all access is going to be READ only, then it would be more secure to make the share READ only. Share permissions are also used for non-NTFS volumes (not that anyone really does that anymore, but you never know).

It's basically there just so you can do it however you want to.

HTH

t

On 12/23/06 2:46 AM, "dubaisans dubai" <[EMAIL PROTECTED]> spoketh to all:

> I have read that the best way to allocate permissions for shared
> folders is - Share the folder. Give Share-Permissions as "Everyone
> Full Control" and give the specific Allow/Deny permissions in the NTFS
> tab.
>
> Is there any insecurity in giving Share-permissions as Full control
> and only specifying the NTFS permissions accurately?
>
> If no insecurities, why is Windows giving us the facility to give
> permissions in 2 places and making it confusing?
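
The following audit sketch is an added example and is not part of the original thread. It lists each file share next to the NTFS ACL on its root folder and applies the "most restrictive wins" rule described above for three broad principals; the helper names `ConvertTo-AccessLevel` and `Get-BroadLevel` are hypothetical, and it assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later), which postdate this thread.

```powershell
# Added example, not from the thread. Assumes the SmbShare module,
# an elevated session on the file server, and English principal names.
# Deny entries and group nesting are not evaluated.

# Hypothetical helper: collapse a share or NTFS right to a coarse level.
function ConvertTo-AccessLevel([string]$Rights) {
    if ($Rights -match 'Full')                { return 3 }
    if ($Rights -match 'Change|Modify|Write') { return 2 }
    if ($Rights -match 'Read')                { return 1 }
    return 0
}

# Hypothetical helper: highest level that Allow entries give a broad principal.
function Get-BroadLevel($Entries, [string]$NameProperty, [string]$RightProperty) {
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $max = 0
    foreach ($e in $Entries) {
        if ("$($e.AccessControlType)" -ne 'Allow') { continue }
        if ("$($e.$NameProperty)" -notin $broad)   { continue }
        $max = [Math]::Max($max, (ConvertTo-AccessLevel "$($e.$RightProperty)"))
    }
    return $max
}

$label = 'None', 'Read', 'Write', 'Full'

Get-SmbShare -Special $false |
    Where-Object { $_.Path -and (Test-Path $_.Path) } |
    ForEach-Object {
        $shareLevel = Get-BroadLevel (Get-SmbShareAccess -Name $_.Name) 'AccountName' 'AccessRight'
        $ntfsLevel  = Get-BroadLevel (Get-Acl -Path $_.Path).Access 'IdentityReference' 'FileSystemRights'
        [pscustomobject]@{
            Share    = $_.Name
            Path     = $_.Path
            ShareAcl = $label[$shareLevel]
            NtfsAcl  = $label[$ntfsLevel]
            # Over the network, the more restrictive of the two applies.
            ViaShare = $label[[Math]::Min($shareLevel, $ntfsLevel)]
            # Share ACL is wide open, so NTFS is the only control left.
            NtfsOnly = ($shareLevel -eq 3)
        }
    } | Format-Table -AutoSize
```

Rows where `NtfsOnly` is true and `NtfsAcl` is `Write` or `Full` are the ones to review first, since nothing at the share level narrows access for those principals.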
