Ken, If they don't have at least read on the directory, they aren't getting access to it, which means they aren't going to have write, unless you explicitly add that accordingly, which I believe also adds read.
I agree the NTFS permissions need to be correct, and you should lay down auditing, ( by Group, user or per-user auditing) to ensure that your permissions are working as needed. And TEST TEST TEST. Been using ABE for quite a while and it's a nice way to streamline things. Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:[email protected] Cell:401-639-3505 -----Original Message----- From: Ken Schaefer [mailto:[email protected]] Sent: Tuesday, August 10, 2010 7:48 AM To: NT System Admin Issues Subject: RE: File server structure and perms -----Original Message----- From: Ziots, Edward [mailto:[email protected]] Sent: Tuesday, 10 August 2010 9:34 PM To: NT System Admin Issues Subject: RE: File server structure and perms > Have you had experience is Access Based Enumeration? You can setup one master share, and unless you have NTFS permissions of read to the directory underneath, the user doesn't even see the directory, which means they wouldn't be able to read/write from it, and should solve the problem. Just because someone can't see a directory doesn't mean they can't read/write from it - they just need to know that the folder is there. Only appropriate NTFS permissions stop this, which means that ABE or no, the NTFS permissions have to be setup correctly. This is one reason why Microsoft didn't introduce ABE for a long time - it adds next to nothing from a security perspective. It just stops inquisitive users attempting to poke around. Cheers Ken ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
