Sharing a folder in a Windows Domain environment
Posted by freddy91761@reddit | sysadmin | 57 comments
One of our server engineers shared a folder for the users. When the users tried to open or save anything it would open in read-only. I told him it was the sharing permission. They spent about 3 hours trying to troubleshoot. It was almost time for me to go home and I said just reshare the folder. They finally found the problem. It was a sharing permission issue.
They said that it should not be shared with everyone and given full control. I told them that you should share it as everyone - full control and let NTFS do the heavy lifting. They said no, we should add the groups at the share level and not at the NTFS level.
Who is correct?
zer04ll@reddit
You use groups, that's what AD was invented for and the proper way. GPO, group policy object, is the whole point of a domain controller and nothing comes close to what it can do based on groups.
Call_Me_Papa_Bill@reddit
You are correct. Trying to layer share and NTFS permissions is a nightmare. It has always been recommended to use NTFS only to control access. That said, it’s a minor (but important) improvement to use Authenticated Users instead of Everyone in order to block anonymous access.
Source: I used to teach Microsoft certification courses.
man__i__love__frogs@reddit
"Trying to layer share and NTFS permissions is a nightmare"
What? It's not at all. CIFS is the highest possible permission allowed over the share, NTFS is the actual permission.
If CIFS is lower than NTFS it masks/limits.
Microsoft modern practice is Domain Admins - Full Control, Domain Users - Change. Everything else is done with NTFS. https://learn.microsoft.com/bs-latn-ba/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions
BatemansChainsaw@reddit
this and documenting every share properly helps a ton.
cyberman0@reddit
Ok, so your way is not wrong, but unless everyone needs access it's a very bad idea security-wise. There are 2 places for security, on the share itself and in the folder; those need to be set correctly. When adjusting permissions I usually set to authenticated users, the OU for the group who need access and of course the domain admins. Typically I set this at the folder share. You do need to check the folder perms because where that folder actually is can do some ...odd... things because of the whole inheritance for permissions. Setting it to everyone is just bad security.
JustinVerstijnen@reddit
In the MCSA 2016 course back in the day it was told that it is indeed best practice to set the share permissions as "Everyone -> Full Control" and to decide access on NTFS based on groups. The least restrictive of the two will be the effective permissions.
So yeah, I agree with you.
xendr0me@reddit
It should be "Authenticated Users" not "Everyone"
Frothyleet@reddit
I don't have a problem with this, but I am skeptical whether there is a real benefit in attack surface reduction.
Like, what's the scenario where an attacker is stymied by this specific thing?
r00g@reddit
I can confirm the MCSA stuff suggests using 'everyone' on the share permissions and uses NTFS to apply further restrictions... at least as far back as the early oughts. Things just didn't work right trying to apply permissions to both ends.
I don't know what the functional difference is when the most restrictive of either permission set is used. I don't even think you can get a directory listing if you leave the share permissions at 'everyone' because the NTFS permissions also apply to the directory you're sharing, not just the files shared. I'll have to try and set up that experiment sometime though.
GremlinNZ@reddit
So much this, absolutely not everyone.
Knyghtlorde@reddit
This.
8bit_dr1fter@reddit
20 years I’ve been doing this and never have I seen it acceptable to give Everyone permission on a share let alone give Everyone the Full Control permission. Not a chance in hell I’d ever do that.
Hamburgerundcola@reddit
Why not? Sure, not everyone. You should use at least Authenticated Users. But why not use Full Control on share level?
8bit_dr1fter@reddit
Full Control allows for other users to add/edit/remove share permissions. Do you want your users to be able to do that? Additionally, you’re losing out on the ability to leverage access based enumeration on your share. Sure it’s a little bit old-school “security through obscurity”, but aside from the security benefit if you have a lot of shares on a server it keeps things tidy so that users aren’t being confused/overwhelmed by all of the available shares.
Frothyleet@reddit
This is incorrect, you are conflating NTFS "full control" with share permission functionality.
man__i__love__frogs@reddit
Share permissions are CIFS, they are masked by NTFS permissions.
Users can't get full control on a share unless they have full control in NTFS permissions.
That being said I still wouldn't use everyone, nor full control, I typically do Domain Users with modify. If IT admins need full control access, they can request PIM and log in locally on the share to do it.
Hamburgerundcola@reddit
Afaik you can hide the share tab from normal users. Although maybe they could edit it via PowerShell. I'm not deep enough in this to be confident about how it should be done.
raip@reddit
20 years you've been doing this and you've never seen this setup? I've been doing this for 25-ish years and it's the typical setup. It's basically required for a Folder Redirection user share.
Frothyleet@reddit
Everyone else has properly discussed your actual question, but I feel compelled to pipe in here - how did it take 3 hours? This would have been discovered in 5 minutes with someone opening the "effective access" tool, which should be your first stop with any sharing/permissions issue.
alexwhit80@reddit
This is what I do. Everyone full control on the share and then restrict it with NTFS
Knyghtlorde@reddit
Authenticated users, never everyone.
korewarp@reddit
Go on then. Explain the difference. And I don't mean difference between "Everyone" and "Authenticated Users" groups.
If you start regulating with Share perms, then why not go all the way? Oh that's right M$ says it's best practice to use "Everyone".
If we agree internally to regulate rights with NTFS security, and I see someone free styled with the Share perms, I'm going to lose it. 🫠🦧🐒👁️👄👁️
redtollman@reddit
Here is Microsoft modern guidance. Old school is everyone full at share, let ntfs do the rest. Modern is more aligned with ZT principles
https://learn.microsoft.com/bs-latn-ba/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions
purplemonkeymad@reddit
I don't think they were talking about websites though.
redtollman@reddit
The article isn’t about websites, it’s about share permissions in the cloud. Same exact process for on-premises permissions.
Nexzus_@reddit
Best practice, I believe right now, is to give Authenticated Users full access on the share itself, and then use NTFS on the folders underneath.
Used to be that you normally gave "Everyone" full control on the share, but I remember reading somewhere that that's outdated.
autogyrophilia@reddit
The difference is that Everyone means users outside the domain can access the SMB endpoint, they should be rejected by NTFS permissions. But it is better to reject them outright.
Minor security enhancement.
raip@reddit
Unauthenticated users haven't been part of the "Everyone" group since Server 2003/XP days.
The difference between Everyone and Authenticated Users are Guests and Virtual Service Accounts. I personally push for Everyone/Full Control on the Sharing Permissions because auditing two places for permissions is a pain. I'm dubious on the "security enhancement" if the rejection ends up on the SMB Stack or the NTFS Stack - but as long as service accounts don't need access to the share, Authenticated Users + Full Control is fine.
Ph03n1X1@reddit
I've been doing Authenticated Users with Modify and controlling actual permissions at the folder level for years and it's worked perfectly. Picked it up from an MS certification class a long time ago.
The only difference between Full Control and Modify is the ability to set permissions and that is (generally) not needed. The only exception I know of off the top of my head is Folder Redirection.
paleologus@reddit
I’ve been doing it this way since NT4. Set NTFS permissions for groups and add people to the group. That way when a person quits their replacement gets the same permissions.
pressure_13@reddit
I’ve been doing this sort of stuff for longer than I can but I was always of the book share everybody - full control and NTFS permissions for the granularity. MS least privileges always wins so if share is read only for everyone guess what permissions everyone will get.
Unique-Path4099@reddit
same and same and it works just fine so @freddy91761 you are correct imo
grumpyolddude@reddit
I'm a retired architect/admin/mcse/mct/IT Manager/etc. The "correct" way depends on the needs of the organization and these permissions are flexible on purpose. I'll share what worked for me and why, but I'll stop short of prescribing it for everyone as a best practice because a single standalone file server is different than a large domain with DFS and of course the needs and expectations of the organization using it.
First thing I believe is that setting up file shares is a one-time operation and if done correctly it's a 5 minute task and doesn't ever need to be touched again. All share and top level shared folder permissions are set using custom groups. I never use built-in groups (authenticated users, everyone, domain admins) for shares or permissions. In small installations this might never be an issue, but in my experience eventually a user, service account or something needs to be created that is part of one of the built in groups but should not have access to the share.
Once your shares and root permissions are set up correctly, all future granting and removing of access is putting users into groups, and removing users from groups. This can be easily delegated to service desk or junior admins without them needing to know NTFS or Share permissions. It's easy to look at a user and see what groups they are in (and determine what they have access to) and it's easy to look at a group and see what users have access.
I find that the fewer shared folders the better. Often it's easier to create one generic file share, and then create subfolders for different departments in the root folder. Often when a department requests a share they really just need their own folder with their own access on an existing share. Everyone uses the same unc path to get to the root and once there they only have access to what they need, and access based enumeration does a good job of making sure they see the stuff they have access to.
When creating a new share, I create one new group for user access (xxx share access). xxx always matches the name of the share (\\server\xxx). Users get modify, never full control. I also usually already have a "share admins" group I've created which has full control, and in some cases a "share audit" group that has read only at the share level.
For the NTFS root folder of the share I disable permissions inheritance and then set appropriate NTFS permissions for the xxx share access group, admins, and audit/read only. I usually prefer admins to create and manage all the top level folders so the xxx share access group gets read only on the root folder and that permission is for the root folder only and doesn't get inherited.
xxx share access is a group that should never contain any users. Only groups. At this point the share is done and probably will never need to be looked at or touched again. Next is creating actual working folders in the root of the share.
Say the sales department needs a shared folder. Create a new folder in the root of the share called "Sales", create a new group called "Sales folder Access" and add the "Sales Folder Access" group to the "xxx share access" group. Set Sales folder Access Modify NTFS permissions to their folder.
In organizations with existing and managed "sales users" groups you can just add that group into the sales folder access group. Otherwise if you do things manually you tell the helpdesk about the "sales folder access" group and tell them to add any users that need access. Or you can delegate control and let the sales manager or whomever manage the membership of that group.
When future tickets come in for "new shares" just create a new folder instead.
You can easily use the groups to track or enforce quota if needed.
Another rule I like to enforce is that NTFS permissions on the Sales folder and everything created below are all the same. If someone needs a different set of permissions or users on a group of files then create a new top level folder for that. For example if sales managers wanted their own private folder I wouldn't create that under the sales folder, I'd create a new "Sales Manager Folder access" group and top level folder for them. It makes it much easier to reset NTFS permissions on a hierarchy of files if it gets messed up. It's also much easier from an auditing standpoint to be able to tell who has access to specific things.
Clearly this isn't perfect, and it won't work for all needs, but it's worked very well in a number of organizations.
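The layout grumpyolddude describes above, as an added PowerShell example that is not part of the original comment. The share name Data, the path D:\Shares\Data, the CONTOSO domain and the OU are placeholder assumptions; it is meant to be run elevated on the file server with the ActiveDirectory module installed.

```powershell
#Requires -RunAsAdministrator
# Added example: every name, path, domain and OU below is a placeholder.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'
$GroupOU   = 'OU=File Share Groups,DC=contoso,DC=example'
$ShareName = 'Data'                        # users reach it as \\server\Data
$RootPath  = 'D:\Shares\Data'

$ShareAccess = "$ShareName share access"   # contains groups only, never users
$ShareAdmins = 'Share admins'
$ShareAudit  = 'Share audit'
$SalesGroup  = 'Sales folder access'       # helpdesk adds and removes users here

# 1. Custom groups only, no Everyone / Authenticated Users / Domain Admins.
foreach ($g in $ShareAccess, $ShareAdmins, $ShareAudit, $SalesGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -Path $GroupOU `
            -GroupScope DomainLocal -GroupCategory Security
    }
}

# 2. Share permissions: users get Change (modify), admins Full, audit Read.
#    Access-based enumeration hides folders a user cannot read.
New-Item -ItemType Directory -Path $RootPath -Force | Out-Null
New-SmbShare -Name $ShareName -Path $RootPath `
    -ChangeAccess "$Domain\$ShareAccess" `
    -FullAccess   "$Domain\$ShareAdmins" `
    -ReadAccess   "$Domain\$ShareAudit" `
    -FolderEnumerationMode AccessBased | Out-Null

# 3. NTFS on the share root: add explicit entries first, then drop inheritance.
#    Admin and audit entries inherit downward (OI)(CI); the access group
#    gets read on the root folder only, so users cannot create top-level folders.
icacls $RootPath /grant `
    "${Domain}\${ShareAdmins}:(OI)(CI)F" `
    "${Domain}\${ShareAudit}:(OI)(CI)RX" `
    "${Domain}\${ShareAccess}:RX"
icacls $RootPath /inheritance:r

# 4. A department "share" is just a folder plus a group nested in the access group.
Add-ADGroupMember -Identity $ShareAccess -Members $SalesGroup
$SalesPath = Join-Path $RootPath 'Sales'
New-Item -ItemType Directory -Path $SalesPath -Force | Out-Null
icacls $SalesPath /grant "${Domain}\${SalesGroup}:(OI)(CI)M"

# 5. Review the result: share ACL, then NTFS ACLs on root and department folder.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
icacls $RootPath
icacls $SalesPath
```

Step 5 should list only the three custom groups on the share; an Everyone entry there means the share existed before the script ran.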
PianistWhich1665@reddit
You're not wrong, but from a security aspect/locked down environment, never use the Everyone group on share permissions. Either use "Authenticated users", or the specific groups. Guest is part of the Everyone group so avoid using that. In your scenario NTFS of course will win. But your share root is open to be listed, unless you remove the List/traverse permissions.
From my seat, we are dealing with big storage for multiple customers; we are using strict groups for each customer. Using the Everyone group on all shares would open it up so everybody can browse and see. We are also using $ hidden shares.
byronnnn@reddit
But if guest is disabled (as it should be), isn’t everyone the same as Authenticated users? I’m with you not using everyone, this instance has just always been different it seemed. I would only use specific groups at share level if I only want those groups of people to know it exists.
PianistWhich1665@reddit
It's pretty clear from the names. Authenticated Users is based on users who gain access based on an access given and validated their connection with a username and password. While Everyone is basically everybody who managed to browse themselves to the share, validated or not. Basically letting unauthorised users stumble on a share and list its content is an invitation to start looking at how to gain access.
So it all depends on what layer of security and policy you need to follow, and the systems in use. As I wrote, we deal with many customers, lots of shares, Citrix Environment, now Office 365 and Hybrid On-Prem AD. For us it is documented in our ISO documentation to use least privilege, so we follow strict rules on the type of groups used on Share and NTFS permissions. No AD wide groups are used on any customer. Each customer with their respective groups. Simple and strict.
In a small environment, this is no issue. They work on the trust principle and do not need to think about it. That's why this is not a question of who's wrong, it's more a question of the type of security you need.
byronnnn@reddit
I agree with avoiding Everyone as a best practice, but I was referring specifically to SMB share permissions, not NTFS ACLs.
If Guest/anonymous access is disabled, Everyone and Authenticated Users are usually functionally very similar at the share layer. “Everyone” doesn’t automatically mean unauthenticated users can browse the share. Actual listing/access still depends on the NTFS permissions underneath.
So I agree Authenticated Users or specific groups are cleaner, but I don’t think Everyone necessarily implies anonymous users can stumble into the share.
PianistWhich1665@reddit
Totally agree with you. Best practice is to disable the guest account. From a company's own infrastructure point of view, where only their company data is present, then it's a case of what type of security and exposure you feel is acceptable.
As I stated, it depends a bit on what kind of network you're working with. Our environment is a big network of Citrix platforms mainly. Lots of app servers with sql +++. It's a multi customer platform. We dedicate network subnets for each customer. Their app servers and Citrix servers are all on dedicated subnets, all controlled through a firewall. Access to their shares is based on network control and access groups.
Although, we want to limit any opportunity of exposure of what's inside the folders. That's why we rely on hidden shares, not that it's the most secure, and also we make sure each customer has its own access groups and no domain wide groups to be used. Also access only comes from the Citrix environment, where there are other measures and lockdowns that make it harder for users to browse the network.
Cheers!
brokensyntax@reddit
Even Authenticated users is too broad for most scenarios.
Domain Users is often plenty.
BrentNewland@reddit
Only if the computer's System account doesn't need to access the share.
PianistWhich1665@reddit
For us, only customer dedicated groups on each hidden share. No domain users, no Everyone group.
Call_Me_Papa_Bill@reddit
You’re doing it wrong. And it’s not any more secure.
PianistWhich1665@reddit
To a certain degree it is safer to hide and use dedicated groups rather than open shares and Everyone, so you're wrong.
justaguyonthebus@reddit
It's more that you should always use NTFS for the proper permissions. Hard stop.
What you do with share permissions is less important. If NTFS is already doing access consider the share authorization.
So tell him it's fine to be granular at the share as long as he is granular at the NTFS. It's just easier to troubleshoot if you only really have to look at NTFS knowing the share is more open.
Jawshee_pdx@reddit
We lock down share permissions. It ain't that hard and helps prevent permissions creep.
scytob@reddit
It depends on what you want to achieve and where you want your point of audit. But never use the everyone group.
esfirmistwind@reddit
Set auth users access then restrict with NTFS and some light obscurity with enumerated access (makes share not visible from root if no NTFS permission).
More proper way is to have resource groups on NTFS giving permissions (R, RW, manage) and usergroups members of that gr in AD. It's called AGDLP.
byronnnn@reddit
NTFS permissions are different than the legacy Share permissions that existed before ACLs. Giving full access at the share level was (and might still be) Microsoft’s recommended method since ACLs were introduced. I still do Everyone at the share and then restrict at the NTFS level, unless the share is something only people with access should know exists.
xXFl1ppyXx@reddit
What's the reason for full control?
The only benefit I can come up with is that you really wanted to change permissions through the share and not from the server itself like any sane person would do
So I share with r/w and can call it a day
Muh least privilege permission structure aside from shares because someone on the Internet told me to go all out with full control
There are cases where you would actually need full control, but from the top of my head that's just redirected folders, roaming profiles and Rds user disks
PianistWhich1665@reddit
I was about to give you an example before I read the last lines. Yes, in an RDS/Citrix environment, with redirected folders for users' home folders and/or profile folders, a minimum of Modify is required for the folders to work properly. Users' redirected folders require special permissions. Even in this scenario, we try to avoid using Full Control, and Modify is enough.
Longjumping_Law133@reddit
This is a question for Helpdesk
danekan@reddit
Gosh I hope help desk isn’t making these kinds of architectural security decisions.
AxisNL@reddit
MCSE2000 here. I remember being taught to set share permissions to everyone, and use NTFS ACLs to limit access.
RedShift9@reddit
I've always handled permissions at the NTFS level. I set share permissions to authenticated users to full control.
Managing permissions at two levels is just making it complicated for yourself.
Sometimes you just have to let people make mistakes, they don't learn from advice.
Shot-Document-2904@reddit
The everyone group alone is a terrible idea. Everyone full-control is a stupid irresponsible idea. A lazy way to permission. Like making a domain admin that manages workstations.
No_Wear295@reddit
Why is a user messing with sharing and permissions?
niamh-k@reddit
I've always known it to be: set the share to the least restrictive permissions, then let the NTFS permissions deal with the actual granular control.
Doesn't mean we always set the share to the "Everyone" group, but generally we'd always grant full control at the share to whatever groups needed access... then lock it down in NTFS.