In an Active Directory networking environment, there are two forms of permissions: share and NTFS (NT file system). In this article, we will discuss the share permissions that are available for all Windows shared folders.
Before Windows XP SP1, network computers by default allowed full control access to the share with share permissions. Full-control access is not as bad a configuration as you might think, considering the fact that the NTFS permissions can be used to control access to the resource as well as to the share permission.
Still, when an administrator configured complex share permissions for a shared folder, problems with user access to the resource generally followed. For example, since setting share permissions was not a standard practice, it could take a long time to track down why users were not gaining access to resources behind the shared folder. In many cases, the administrator would add the user to an "admin" group to try to rectify the problem, which wouldn't work because of the share permissions. When the share permissions were finally corrected, administrators often forgot that they had previously added a user to an elevated group. This caused a security issue.
Post-Windows XP SP1 -- and including Windows Server 2003 -- Microsoft embedded a new perspective and default setting for share permissions. The new share permission -- Everyone: Read -- was not well documented and initially caused severe problems. This default configuration almost always requires a change to allow a realistic permission set, like Change or Full Control. Very few resources on a production network can suffice with only Read access.
To reduce administrative troubleshooting time and increase security for all shared resources, all share permissions should be configured to allow Authenticated Users: Full Control. Then, NTFS permissions for the shared folder and subsequent folders and files behind the shared folder can be configured with the necessary detailed access control. When share permissions and NTFS permissions are combined, it creates the most restrictive access, which are the permissions established by the NTFS permissions.
Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training is also available which coincides with the books, which you can find at http://www.auditlearning.org. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at email@example.com.