Best practices for Active Directory and share permissions

In an Active Directory networking environment, there are two forms of permissions: share and NTFS (NT file system). In this article, we will discuss the share permissions that are available for all Windows shared folders.

Before Windows XP SP1, Windows computers by default granted full control access on the share through the share permissions. Full control at the share level is not as bad a configuration as you might think, because NTFS permissions can control access to the resource independently of the share permission.

Still, when an administrator configured complex share permissions for a shared folder, problems with user access to the resource generally followed. For example, since setting share permissions was not a standard practice, it could take a long time to track down why users were not gaining access to resources behind the shared folder. In many cases, the administrator would add the user to an "admin" group to try to rectify the problem, which wouldn't work because of the share permissions. When the share permissions were finally corrected, administrators often forgot that they had previously added a user to an elevated group. This caused a security issue.

Starting with Windows XP SP1 -- and including Windows Server 2003 -- Microsoft introduced a new perspective and a new default setting for share permissions. The new default share permission -- Everyone: Read -- was not well documented and initially caused severe problems. This default configuration almost always requires a change to allow a realistic permission set, such as Change or Full Control. Very few resources on a production network can suffice with only Read access.

To reduce administrative troubleshooting time and increase security for all shared resources, all share permissions should be configured to allow Authenticated Users: Full Control. Then, NTFS permissions on the shared folder and on the folders and files beneath it can be configured with the necessary detailed access control. When share permissions and NTFS permissions are combined, the effective access is the more restrictive of the two; with the share permission set to Full Control, the effective access is therefore exactly what the NTFS permissions establish.
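The recommended split, applied to one share and then audited across the host, as an added PowerShell example that is not from the article. It assumes Windows Server 2012 or later (SmbShare module) and an elevated session; the path, share name and domain group are placeholders.

```powershell
# Added example (not from the article). Placeholders: path, share name, domain group.
$SharePath = 'D:\Shares\Projects'     # placeholder folder
$ShareName = 'Projects'               # placeholder share name
$DataGroup = 'CONTOSO\Projects-RW'    # placeholder domain group that gets Modify via NTFS

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# 1. Share permission: Authenticated Users: Full Control and nothing else.
#    Effective access is then decided entirely by the NTFS ACL underneath.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# 2. NTFS permission: stop inheriting from the volume root, then grant only what is needed.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($pair in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($DataGroup,               'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $pair[0], $pair[1], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 3. Audit: list shares whose share-level ACL is not exactly "Authenticated Users: Full"
#    (for example a leftover Everyone: Read or Everyone: Full Control default).
#    Administrative shares such as C$ and IPC$ are skipped; their ACLs are fixed.
function Get-NonStandardShareAcl {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $aces = @(Get-SmbShareAccess -Name $_.Name)
        $ok = ($aces.Count -eq 1) -and
              ($aces[0].AccountName -eq 'NT AUTHORITY\Authenticated Users') -and
              ($aces[0].AccessControlType -eq 'Allow') -and
              ($aces[0].AccessRight -eq 'Full')
        if (-not $ok) {
            [pscustomobject]@{
                Share    = $_.Name
                Path     = $_.Path
                ShareAcl = ($aces | ForEach-Object {
                    "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }) -join '; '
            }
        }
    }
}
Get-NonStandardShareAcl | Format-Table -AutoSize
```

Shares reported by the audit function are the ones where the share-level ACL, rather than the NTFS ACL, is still deciding access and should be reviewed.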

Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training is also available which coincides with the books, which you can find at http://www.auditlearning.org. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at derekm@braincore.net.

This was first published in May 2005
