laker network services
How to Secure Shared Data on a Windows Computer
There are three sets of rules that govern file-level security on Windows.
Rule 1: Share-level security is additive unless there's a "Deny".
A user's permissions for a file share are the Most Permissive possible.
If the Everyone Group has the Read permission on a Share, and the
Dialup Users Group has Full Control, and I'm a member of Dialup Users,
I inherit Read and Full Control.
There are 3 share-level permissions. Share Permissions are only set at
the Folder Level:
- Read: Which, go figure, lets you read the contents of folders, read
files inside, and run programs.
- Change: Adds the ability to modify files, and to create and delete
files and folders.
- Full Control: Adds the ability to modify Share permissions.
Obviously, Denies shouldn't be set unless you REALLY mean it.
Rule 2: NTFS-level security is additive unless there's a "Deny".
A user's NTFS permissions for a file are the Most Permissive possible.
There are six File/Folder Permissions for NTFS:
- List Folder Contents
- Read
- Read and Execute
- Write - Allows creation of new files and appends to existing files
- Modify - Allows deletion of files
- Full Control - Allows "Take Ownership" and permission modification
Deny permission still exists, and should only be used to absolutely
prevent a behavior.
Rule 3: The combination of NTFS and Share permission is Subtractive,
always resulting in the most restrictive combination of permissions.
If I'm a member of Dialup Users, and as such I have Full Control
Share permission, but Dialup Users have only Read, Read and Execute and
Write NTFS permissions on the folder that's being shared, the net
effect is that I cannot delete anything, as I do not have the NTFS
Modify right. I can still write to files that already exist.
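
The three rules can be checked mechanically. The following is an added example, not part of the original page: a simplified Python model that applies Rules 1 and 2 per layer and Rule 3 across layers, using the Dialup Users case above. The capability names, function names and sample entries are assumptions made for illustration, and the model ignores ACE ordering and inheritance.

```python
# Simplified model of the three rules; capability names are illustrative
# labels, not Windows access-mask bits.
READ = {"list", "read", "execute"}
MODIFY = READ | {"write", "delete"}
SHARE_RIGHTS = {
    "Read": READ,
    "Change": MODIFY,
    "Full Control": MODIFY | {"change_perms"},
}
NTFS_RIGHTS = {
    "List Folder Contents": {"list"},
    "Read": {"list", "read"},
    "Read and Execute": READ,
    "Write": {"write"},
    "Modify": MODIFY,
    "Full Control": MODIFY | {"change_perms", "take_ownership"},
}


def layer_access(aces, groups, rights):
    """Rules 1 and 2: union every Allow that applies, then remove every Deny."""
    allowed, denied = set(), set()
    for group, kind, right in aces:
        if group in groups:
            (allowed if kind == "Allow" else denied).update(rights[right])
    return allowed - denied


def effective_access(groups, share_aces, ntfs_aces):
    """Rule 3: through the share, only what both layers grant survives."""
    share = layer_access(share_aces, groups, SHARE_RIGHTS)
    ntfs = layer_access(ntfs_aces, groups, NTFS_RIGHTS)
    return share & ntfs


# Constructed sample data mirroring the Dialup Users example in the text.
MY_GROUPS = {"Everyone", "Dialup Users"}
SHARE_ACES = [("Everyone", "Allow", "Read"),
              ("Dialup Users", "Allow", "Full Control")]
NTFS_ACES = [("Dialup Users", "Allow", "Read"),
             ("Dialup Users", "Allow", "Read and Execute"),
             ("Dialup Users", "Allow", "Write")]
# Same folder, but Everyone gains Modify and is denied Write.
NTFS_WITH_DENY = NTFS_ACES + [("Everyone", "Allow", "Modify"),
                              ("Everyone", "Deny", "Write")]

if __name__ == "__main__":
    print(sorted(effective_access(MY_GROUPS, SHARE_ACES, NTFS_ACES)))
    print(sorted(effective_access(MY_GROUPS, SHARE_ACES, NTFS_WITH_DENY)))
```

In the first case "delete" is missing even though the share grants Full Control; in the second, the Deny on Everyone removes "write" despite the Allow entries on Dialup Users.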