Yes, you can manage share permission as well as NTFS permissions. There is nothing logically wrong with that. It has the extra bit of security in case someone forgot to lock down the NTFS portion of the shared environment. But if you are sloppy with your NTFS permissions then I suspect you will also be sloppy with shared permissions. So the NET-NET is sloppy security, and trying to manage both share and NTFS gives one a false sense of security...
For LARGE environments, the TCO would be much higher if the administration staff needs to track both Shared and NTFS permissions. In actuality, the probability of mistakes increases when you try to manage both share and NTFS permissions. Setting a Share to Everyone-FULL and locking down the NTFS portion is much easier to troubleshoot than the other combination. It's a no-brainer the shared permission is not the one that is denying the access...

The only time you need to worry about setting the appropriate shared permissions is when you are securing a shared FAT or FAT32 file system.

The Best Practice is not mine...it's from the Millions of customers that Microsoft and Compaq have had to secure over the past decade. I've applied it to large banking companies that used to have problems with Shares/NTFS permission problems...and auto-magically the problems went away when I applied the theory...Wow....I guess best-practices do work sometimes...

Lastly, on the other hand, if one ABSOLUTELY needs to remove Everyone from Share and lock down both Share/NTFS...so be it. If the environment is well administered and proper controls are in place, then the amount of security would amount to the same as having the Open Share/locked down NTFS. If the environment is small and not complicated the cost of doing more work is ok, but when you look at what the BIG guys are doing...because they have scaling issues...they don't practice making more work when it's not necessary.

Regards,
Leonard Lee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: April 17, 2002 9:48 AM
> To: NT 2000 Discussions
> Subject: RE: Share/Default Permissions
>
> As a general rule I always remove Everyone from a share.
> The settings you're using are a good general method, but you may consider
> replacing "Domain Admins" with "Administrators" since Domain Admins is a
> member of Administrators by default and this allows you to extend
> administrator privileges on the server.
>
> I've read recommendations that suggest you open up the share to Everyone
> and use NTFS to lock down the folders/files. I prefer to keep the share
> permissions as tight as possible and use NTFS permissions to fine-tune the
> access. It's more work for the administrator, but I don't want the door any
> wider than it needs to be.
>
> _VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT
>
> Todd Pukanecz MCSE, GCWN
> Virginia Tech, AHNR IT
> Blacksburg, Virginia
> ---
> It is hard to imagine a more stupid or more dangerous way of making
> decisions than by putting those decisions in the hands of people who pay no
> price for being wrong.
> - Thomas Sowell
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, April 17, 2002 5:39 AM
> > To: NT 2000 Discussions
> > Subject: Share/Default Permissions
> >
> > Hello,
> >
> > This is just a basic question.... While rambling in the mess which I call
> > a 'brain'
> >
> > When you create a share - which permissions do you set? There are so many
> > conflicts.... at current I just set :-
> >
> > Domain Admin - Full Control
> > Authenticated Users - Change
> >
> > Robert Rutherford
> > MIS Department - DEK International GmbH
> > +44 (0)1305 208232
> > +44 (0)7970 122362
------
You are subscribed as [email protected]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
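An audit for the open-share model debated in this thread, where the NTFS ACL is the only effective control. This is an added example, not code from any poster; it assumes Windows Server 2012 or later (the SmbShare module, newer than the NT/2000 systems discussed) and an elevated session.

```powershell
# Added example: find shares that are open to broad principals at the share level
# AND whose NTFS root also grants those principals write-type access.
# Well-known SIDs are used so the check does not depend on the OS language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$SidType = [System.Security.Principal.SecurityIdentifier]

# NTFS rights that allow changing data or the ACL, plus GENERIC_ALL / GENERIC_WRITE,
# which can appear unmapped in stored ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Test-BroadAccount([string]$AccountName) {
    # Resolve the share ACE's account name to a SID; unresolvable names are not broad.
    try   { $sid = ([System.Security.Principal.NTAccount]$AccountName).Translate($SidType).Value }
    catch { return $false }
    return $BroadSids.ContainsKey($sid)
}

Get-SmbShare -Special $false | Where-Object Path | ForEach-Object {
    $share = $_

    # Share-level ACEs that let a broad principal write (Full or Change).
    $open = Get-SmbShareAccess -Name $share.Name | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.AccessRight)" -in 'Full', 'Change' -and
        (Test-BroadAccount $_.AccountName)
    }
    if (-not $open) { return }   # share ACL is already restrictive; skip

    # With the share open, NTFS decides access: report broad write-type ACEs on the root.
    (Get-Acl -LiteralPath $share.Path).GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadSids.ContainsKey($_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    } | ForEach-Object {
        [pscustomobject]@{
            Share      = $share.Name
            Path       = $share.Path
            Principal  = $BroadSids[$_.IdentityReference.Value]
            NtfsRights = $_.FileSystemRights
            Inherited  = $_.IsInherited
        }
    }
}
```

An empty result means no share relies on an NTFS root ACL that is itself open for writing; ACLs on subfolders with broken inheritance are not inspected.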
