Security Basics mailing list archives
Re: Windows Fileserver Pemissions
From: Kurt Buff <kurt.buff () gmail com>
Date: Mon, 15 Jun 2009 11:36:28 -0700
On Fri, Jun 12, 2009 at 09:00, Robert McIntyre <1tgeye () surewest net> wrote:
> You do not have to partition your hard drive in order to isolate the HR folder. What you do need to do is prevent the folder from inheriting permissions from the parent (root in this case.)
IMNSHO - This is absolutely the wrong way to go about it. Blocking inheritance complicates things unnecessarily and is very human-error prone, and it's much better to fix the problem from the top (in both senses of that term - that is, from the top of the directory tree, and at the beginning of the implementation).

Two related rules should be used.

1) Permissions at the top of a directory tree are very liberal, but granted to only very few accounts or groups.
2) Permissions lower down the directory tree are more restricted as they are granted to more accounts or groups.

In line with this, permissions at the root should be Full, but granted only to System and the local machine Administrators - remove all permissions for the local machine Users group and any others that you find there.

Then a set of groups should be created for each of the top-level directories, granting Modify permissions to the owner(s) of those directories, and Read-Only permissions to those who should have them, on each directory.

Thus, for instance, if there's an Engineering directory, in Active Directory (assuming that's the environment in which you're working), and assuming that your fileserver's name is FILESERVER you could create a group called FsEngineering-RW, indicating to which server the group is applied, and that its members have Read-Write (Modify) permissions for the entire directory. There would similarly be a group called FsEngineering-RO, which would have only Read-Only permissions for the directory.

If permissions need to be managed further down the tree than that, use of the special "Creator Owner" permission is indicated, as well as the Advanced button on the Security tab.

I'd also become familiar with one or more of several tools available to manage permissions on files and directories. My personal favorite is fileacl.exe, but dumpsec, xcacls, icacls and several others are out there for the finding.
Kurt
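
[Added example, not part of Kurt's message: the layout described above expressed with icacls (one of the tools the post names) from PowerShell, followed by an audit for directories where inheritance has been blocked. The data volume E:\, the domain CORP, the choice of "other" principals to strip from the root, and the prior existence of both AD groups are assumptions.]

```powershell
# Assumptions (not from the original post): data volume E:\, domain CORP,
# and the AD groups FsEngineering-RW / FsEngineering-RO already exist.
$Root   = 'E:\'
$Domain = 'CORP'
$Dept   = 'Engineering'
$Dir    = Join-Path $Root $Dept

# Rule 1: Full control at the root, but only for SYSTEM (S-1-5-18)
# and the local Administrators group (S-1-5-32-544).
# (OI)(CI) makes the ACE inherit to files and subdirectories.
icacls $Root /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'

# Strip the local Users group (S-1-5-32-545) from the root. Everyone
# (S-1-1-0) and Authenticated Users (S-1-5-11) are assumed examples of
# "any others that you find there"; review the root ACL before removing.
icacls $Root /remove:g '*S-1-5-32-545' '*S-1-1-0' '*S-1-5-11'

# Rule 2: one RW and one RO group per top-level directory.
# M = Modify, RX = Read and execute. Inheritance from the root stays on,
# so SYSTEM and Administrators keep Full control without extra ACEs.
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
icacls $Dir /grant "${Domain}\Fs${Dept}-RW:(OI)(CI)M" "${Domain}\Fs${Dept}-RO:(OI)(CI)RX"

# Show the resulting ACL for review.
icacls $Dir

# Audit: list directories whose ACL is protected (inheritance blocked).
# Under this scheme the list should be empty; each hit is a hand-made
# exception that needs an owner and a documented reason.
Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```

Run from an elevated prompt on the file server, and capture the existing ACLs first (icacls has a /save option) so the change can be rolled back.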