Security Basics mailing list archives

Re: Windows Fileserver Permissions


From: Kurt Buff <kurt.buff () gmail com>
Date: Mon, 15 Jun 2009 11:36:28 -0700

On Fri, Jun 12, 2009 at 09:00, Robert McIntyre<1tgeye () surewest net> wrote:
You do not have to partition your hard drive in order to isolate the HR folder.  What you do need to do is prevent 
the folder from inheriting permissions from the parent (root in this case.)


IMNSHO - This is absolutely the wrong way to go about it. Blocking
inheritance complicates things unnecessarily and is very human-error
prone, and it's much better to fix the problem from the top (in both
senses of that term - that is, from the top of the directory tree, and
at the beginning of the implementation).

Two related rules should be used.

1) Permissions at the top of a directory tree are very liberal, but
granted to only very few accounts or groups.

2) Permissions lower down the directory tree are more restricted as
they are granted to more accounts or groups.

In line with this, permissions at the root should be Full, but granted
only to System and the local machine Administrators - remove all
permissions for the local machine Users group and any others that you
find there. Then a set of groups should be created for each of
the top-level directories, granting Modify permissions to the owner(s)
of those directories, and Read-Only permissions to those who should
have them, on each directory. Thus, for instance, if there's an
Engineering directory, in Active Directory (assuming that's the
environment in which you're working), and assuming that your
fileserver's name is FILESERVER you could create a group called
FsEngineering-RW, indicating to which server the group is applied, and
that its members have Read-Write (Modify) permissions for the entire
directory. There would similarly be a group called FsEngineering-RO,
which would have only Read-Only permissions for the directory.

If permissions need to be managed further down the tree than that, use
of the special "Creator Owner" permission is indicated, as well as the
Advanced button on the Security tab. I'd also become familiar with one
or more of several tools available to manage permissions on files and
directories. My personal favorite is fileacl.exe, but dumpsec, xcacls,
icacls and several others are out there for the finding.

Kurt
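As an added illustration of the two rules in the message above (this is not Kurt's or the list's own code), the following PowerShell applies them to a dedicated data volume. The drive letter D:, the domain CONTOSO, the Engineering directory and the FsEngineering-RW / FsEngineering-RO group names are assumptions, and the groups are assumed to already exist in Active Directory.

```powershell
# Added example, not from the original post. Assumptions: D:\ is a dedicated
# data volume used as the top of the tree, CONTOSO is the domain, and the
# per-directory groups already exist in AD. Run from an elevated prompt.
$Root    = 'D:\'
$Domain  = 'CONTOSO'
$TopDirs = @{ 'Engineering' = 'FsEngineering' }   # directory -> group name prefix

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Builds an ACE that applies to the folder and is inherited by all children.
function New-Rule([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Prop, $Allow)
}

# Rule 1: at the root, Full Control for SYSTEM and local Administrators only.
# Every existing explicit ACE (including the default BUILTIN\Users entries) is
# removed; inheritance is not blocked anywhere, so lower levels still receive
# these two entries automatically.
$acl = Get-Acl -Path $Root
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
Set-Acl -Path $Root -AclObject $acl

# Rule 2: each top-level directory adds more principals with narrower rights:
# Modify for the -RW group, Read-only (read and execute) for the -RO group.
foreach ($dir in $TopDirs.Keys) {
    $path = Join-Path $Root $dir
    if (-not (Test-Path $path)) { $null = New-Item -Path $path -ItemType Directory }
    $acl = Get-Acl -Path $path          # already carries SYSTEM/Administrators via inheritance
    $acl.AddAccessRule((New-Rule "$Domain\$($TopDirs[$dir])-RW" 'Modify'))
    $acl.AddAccessRule((New-Rule "$Domain\$($TopDirs[$dir])-RO" 'ReadAndExecute'))
    Set-Acl -Path $path -AclObject $acl
}

# Check: show the effective ACEs per directory; nothing for Users should remain,
# and the two root entries should appear as inherited.
foreach ($dir in $TopDirs.Keys) {
    (Get-Acl -Path (Join-Path $Root $dir)).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```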
