The problem with this is that NTFS permissions are stored against the
file, but the share permissions are stored in the OS. So, for example,
if the drive was removed, and stuck in another machine, then the share
permissions would be gone. Granted, if this happens, then NTFS
permissions are still fairly easy to bypass, but it is still one more
layer of security.

The other issue is that NTFS permissions are less prone to
misconfigurations. For example, let us imagine that you have a folder
called Documents, which contains another folder called Excel. If you
share Excel Documents with Read Only access, but share Documents with
Full Access, then everybody will get Full Access to the excel folder by
simply connecting to the documents share, and going into the excel
folder.

In the same example, but using NTFS permissions, even this sort of
configuration would disallow write access to the excel folder, as the
NTFS permissions are applied however you access a file, whether through a
share, or by console access, SMB, terminal services etc. Share
permissions are only applied when accessing the files through that
particular share.

Benjamin Meade
System Administrator
LanWest Pty Ltd
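
Added example, not part of the original message: a small Python model of the Documents/Excel scenario described above, showing how access through each share is limited by both the share and the NTFS permission, and how a broader parent share defeats a restrictive nested share. The share table, drive paths, file name and the single linear permission scale for one principal are constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Simplified linear scale for one principal (assumption of this example).
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full": 3}

# Constructed sample data: share name -> (local path, share permission).
SHARES = {
    "Documents": (r"D:\Documents", "Full"),
    "Excel": (r"D:\Documents\Excel", "Read"),
}

def routes(target, shares):
    """Yield (share name, share permission) for every share exposing target."""
    t = PureWindowsPath(target)
    for name, (root, perm) in shares.items():
        r = PureWindowsPath(root)
        if t == r or r in t.parents:
            yield name, perm

def effective(target, shares, ntfs_perm):
    """Per share: the more restrictive of share and NTFS permission applies."""
    return {name: min(perm, ntfs_perm, key=LEVELS.get)
            for name, perm in routes(target, shares)}

def best_network_access(target, shares, ntfs_perm):
    """A user can pick any share, so the most permissive route wins."""
    eff = effective(target, shares, ntfs_perm)
    return max(eff.values(), key=LEVELS.get, default="None")

def nested_share_overrides(shares):
    """Flag shares whose restriction is bypassed via a broader parent share."""
    findings = []
    for child, (cpath, cperm) in shares.items():
        for parent, pperm in routes(cpath, shares):
            if parent != child and LEVELS[pperm] > LEVELS[cperm]:
                findings.append((child, cperm, parent, pperm))
    return findings

if __name__ == "__main__":
    target = r"D:\Documents\Excel\budget.xls"  # constructed file name
    # NTFS wide open: the read-only Excel share is bypassed via Documents.
    print(effective(target, SHARES, "Full"), best_network_access(target, SHARES, "Full"))
    # NTFS set to Read: every route is capped, whichever share is used.
    print(effective(target, SHARES, "Read"), best_network_access(target, SHARES, "Read"))
    print(nested_share_overrides(SHARES))
```
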

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 25 June 2003 4:04 AM
To: [EMAIL PROTECTED]
Subject: RE: NTFS Permissions (was Share Permissions)

This is interesting because our system (NT 4.0) has been set up exactly
opposite this - ntfs permissions allow full control access to everyone
and share permissions are used to allow/restrict access to the share.
This seems to work pretty well, but are there hidden pitfalls?  

I inherited this system and questioned the apparent inconsistency, but
was told that it was what MS recommends.  My own research couldn't
confirm/deny this and I hadn't seen any issues raised anywhere until
now.

Thanks in Advance,

Sharon Joyner, CISSP
IS Security Administrator
Warner Publisher Services
9210 King Palm Drive
Tampa, FL  33619
Tel: 813-664-8147 Fax: 813-664-8195
 


-----Original Message-----
From: Benjamin Meade [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 3:10 AM
To: 'Security-Basics'
Subject: Share Permissions



Hey all,

Just wondering in Win2K server, when I share a folder, I set the share
permissions to full access for everybody, and then control access using
the file permissions. (Basically cos it cuts down on administration, and
I'm lazy.) Are there any security issues running this way, or is it much
of a muchness?

Thanks,

Benjamin Meade
System Administrator
LanWest Pty Ltd
Ph:  (08) 9440 3033
Fax: (08) 9440 3370



------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts! The Gartner Group just put Neoteris in the top of its Magic
Quadrant, while InStat has confirmed Neoteris as the leader in
marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access
in about an hour, with no client, server changes, or ongoing
maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----


-----------------------------------------------------------------------

This message is the property of Time Inc. or its affiliates. It may be
legally privileged and/or confidential and is intended only for the use
of the addressee(s). No addressee should forward, print, copy, or
otherwise reproduce this message in any manner that would allow it to be
viewed by any individual not originally listed as a recipient. If the
reader of this message is not the intended recipient, you are hereby
notified that any unauthorized disclosure, dissemination, distribution,
copying or the taking of any action in reliance on the information
herein is strictly prohibited. If you have received this communication
in error, please immediately notify the sender and delete this message.
Thank you.

