Information regarding NTFS perms vs Share perms and what takes precedence
Posted by Rich_Shame9806@reddit | sysadmin | 8 comments
Hey folks, been a loooong time since I've had to untangle a permissions issue and I had a difference of opinion about how it should work. Previously, I feel like most of the time unless something is super restricted, the Share permissions are Everyone getting Full Control, and then the root folder and the subfolders all have their (NTFS) permissions more locked down, so that in theory anyone can get to the share and subfolders, until they hit those NTFS perms and get blocked. It appears that at some point, someone in our org configured everything that way, and I never really thought anything of it, but someone else on my team is now adamant that this is wrong and leaves a gaping security hole in the file perms, and the SHARE perm should be read only (or less, depending on what it is), with the NTFS perms on all the folders allowing MORE access as needed.
Again, it's been a minute, I know stuff changes all the time, so I was just wondering if anyone had a current best practice guide or explanation on how all the pros are doing standard file share permissions nowadays.
BWMerlin@reddit
Ideally you set the share and NTFS permissions the same with only the people who require access being granted share and NTFS permissions.
Your method is fine and stops shares becoming a nightmare to manage.
Have the other person provide evidence to support their claim.
EViLTeW@reddit
On a NetApp, "share permissions" are checked first, and if access should be granted, NTFS permissions are checked. So neither "takes precedence" because they are checked independently, but the share is checked first.
FarmboyJustice@reddit
Precedence is from the word precede, meaning to come before.
xendr0me@reddit
Set your shares to "Authenticated Users" - Full and use NTFS permissions to control the granular user/group access.
Master-IT-All@reddit
The least permissions always applies. So if Share is Modify, and NTFS is Full Control, your user has Modify.
It is recommended to set Share permissions to Authenticated Users: Modify and then use group entries on NTFS for actual scoping and control.
So all the shares at customer X are set that way, but for example on the Finance share, the NTFS permissions list only the Finance group.
justaguyonthebus@reddit
The most restricted permission wins.
Instead of everyone on the share, use authenticated users. Then set specific permissions at the NTFS layer.
The reason why is that you need to be server admin to see and set share permissions, whereas you just need Full Control on the NTFS side to change them, but the user can still see them. It's a lot easier to troubleshoot when you can just check the NTFS permissions as the user, knowing the share is more open.
mixduptransistor@reddit
The more restrictive permission takes precedence. So a full access share, with zero NTFS permissions = no access. Full access share with read only NTFS permissions = read only. Read only share with full access NTFS permissions = read only.
appmapper@reddit
I've got a bit of a headache, and the lack of formatting isn't helping.
It will use the least permissive of the two.
Both Read = Read
One Write, one Read = Read
Both Write = Write
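The rule the replies above keep stating (share checked first, then NTFS, effective access = the intersection, explicit Deny wins) as a small added model written for this thread, not Windows' actual implementation; the `Ace` class, the bit-flag rights table and the Finance/alice/bob sample ACLs are all constructed here for illustration:

```python
from dataclasses import dataclass

# Rights as bit flags so a share entry and an NTFS entry can be intersected.
# Share vocabulary (Read / Change / Full) and NTFS vocabulary (Read / Write /
# Modify / FullControl) are mapped onto one scale for this toy model.
READ, WRITE, EXTRA = 1, 2, 4                     # EXTRA: change permissions / take ownership
RIGHTS = {
    "Read": READ, "Write": WRITE,
    "Change": READ | WRITE, "Modify": READ | WRITE,
    "Full": READ | WRITE | EXTRA, "FullControl": READ | WRITE | EXTRA,
}
NAMES = {0: "None", READ: "Read", WRITE: "Write", READ | WRITE: "Modify",
         READ | WRITE | EXTRA: "Full"}

@dataclass(frozen=True)
class Ace:                  # one access control entry (constructed type)
    principal: str          # user or group: "Everyone", "Authenticated Users", "Finance", ...
    right: str              # a key of RIGHTS
    allow: bool = True      # False models an explicit Deny entry

def evaluate(acl, user, groups):
    """Allowed bits minus denied bits over every ACE naming the user or one of their groups."""
    allowed = denied = 0
    for ace in acl:
        if ace.principal != user and ace.principal not in groups:
            continue
        if ace.allow:
            allowed |= RIGHTS[ace.right]
        else:
            denied |= RIGHTS[ace.right]      # Deny always wins over Allow
    return allowed & ~denied

def effective(share_acl, ntfs_acl, user, groups):
    """Share ACL is checked first; if it grants nothing, NTFS is never consulted."""
    share_bits = evaluate(share_acl, user, groups)
    if share_bits == 0:
        return "None"
    ntfs_bits = evaluate(ntfs_acl, user, groups)
    return NAMES.get(share_bits & ntfs_bits, f"bits={share_bits & ntfs_bits}")

# Constructed example of the layout recommended above: share open to
# Authenticated Users at Modify, NTFS scoped to the Finance group only.
FINANCE_SHARE = [Ace("Authenticated Users", "Modify")]
FINANCE_NTFS = [Ace("Finance", "Modify"), Ace("Domain Admins", "FullControl")]
GROUPS = {"alice": {"Authenticated Users", "Finance"},
          "bob": {"Authenticated Users", "Sales"}}

def demo():
    """Effective access per user on the Finance share."""
    return {u: effective(FINANCE_SHARE, FINANCE_NTFS, u, g) for u, g in GROUPS.items()}
```

Running `demo()` shows bob gets no access even though the share lets every authenticated user through, because the NTFS ACL never names one of his groups.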