Security Basics mailing list archives
RE: share permissions
From: Steve Anderson <steve.anderson () bipsolutions com>
Date: Thu, 30 Sep 2010 17:45:53 +0100
It's an OR with the groups, not an AND, with NTFS permissions. When you add in share permissions, it's a most restrictive combination.

OR the NTFS permissions, OR the share permissions. Then AND the resultant set. If you have NTFS write, but not share write, you can't write.

However, 1 Deny overrides any number of Allows. (Three settings. Deny, Allow, nothing set)

Steve Anderson

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Wright
Sent: 29 September 2010 11:42
To: 'Ansgar Wiechers'; security-basics () securityfocus com
Subject: RE: share permissions

----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar Wiechers
Sent: Tuesday, September 28, 2010 1:25 PM
To: security-basics () securityfocus com
Subject: Re: share permissions

On 2010-09-28 W W wrote:
Are there any best practices for setting permissions on shared folders? We have a discussion on whether we should be setting the access on the share itself or controlling it more at the NTFS level. I lean more to setting permissions on the share and at the NTFS level. Thoughts?
Common practice is to grant full access to everyone on the share level, and restrict access on the NTFS level. If you are super mega hyper paranoid, you can restrict share level permissions as well, but IMHO that has more disadvantages than advantages. For one, troubleshooting permissions becomes a pain when you have to deal with two sets of ACLs. Also, share level permissions apply only to the share, while NTFS permissions apply to the shared folder and all files and subfolders. Not to mention that NTFS permissions are far more fine-grained than share level permissions.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq

I myself favor the super mega paranoid practice, but as an alternative to setting smb permissions to everyone/full-access, you could give full access to Authenticated Users, per the best practice suggestion in this article:

http://www.windowsecurity.com/articles/Share-Permissions.html

Incidentally, can anyone confirm that effective SMB permissions are an AND operation (e.g. effective write permission only results when every group specified in the ACL of which the user is a member has write permission)?
I know that the user should be a member of only one group specified in the ACL for a share but, for curiosity's sake, I was hoping to find a definitive reference confirming that this is exactly how SMB permissions are calculated. The dusty book on NTFS security that I've consulted is less specific on the subject than I'd like.

Thanks for any help.

John
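The rule in Steve Anderson's reply at the top of this message (OR across groups within each ACL, Deny overriding Allow, then AND of the share and NTFS results), worked through as a small Python model. This is an added example, not part of the original thread; the group names and the three-bit rights set are constructed, and the model follows the rule as stated in the reply, without ACE ordering or inheritance.

```python
from enum import Flag
from typing import NamedTuple

class Right(Flag):
    NONE = 0
    READ = 1
    WRITE = 2
    CHANGE_PERMS = 4
    FULL = 7  # READ | WRITE | CHANGE_PERMS

class Ace(NamedTuple):
    principal: str  # user or group the entry names
    allow: bool     # True = Allow, False = Deny
    rights: Right

def acl_rights(acl, token):
    """One ACL: OR the Allows over every matching principal, then drop anything Denied."""
    allowed = denied = 0
    for ace in acl:
        if ace.principal not in token:
            continue  # "nothing set" for this user: contributes nothing
        if ace.allow:
            allowed |= ace.rights.value
        else:
            denied |= ace.rights.value
    return Right(allowed & ~denied)

def effective(share_acl, ntfs_acl, token):
    """Access through the share: AND of the share result and the NTFS result."""
    return acl_rights(share_acl, token) & acl_rights(ntfs_acl, token)

# Constructed sample data (group and user names are hypothetical).
SHARE_OPEN = [Ace("Everyone", True, Right.FULL)]
SHARE_READ = [Ace("Authenticated Users", True, Right.READ)]
NTFS = [
    Ace("Staff", True, Right.READ),
    Ace("Editors", True, Right.READ | Right.WRITE),
    Ace("Contractors", False, Right.WRITE),
]
EDITOR = {"alice", "Everyone", "Authenticated Users", "Staff", "Editors"}
CONTRACTOR = EDITOR | {"Contractors"}

if __name__ == "__main__":
    print(effective(SHARE_OPEN, NTFS, EDITOR))      # groups are ORed
    print(effective(SHARE_READ, NTFS, EDITOR))      # share result caps NTFS
    print(effective(SHARE_OPEN, NTFS, CONTRACTOR))  # one Deny beats the Allows
```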
Current thread:
- share permissions W W (Sep 28)
- RE: share permissions Steve Anderson (Sep 28)
- Re: share permissions Ansgar Wiechers (Sep 28)
- Re: share permissions John Morrison (Sep 28)
- RE: share permissions John Wright (Sep 30)
- Re: share permissions Ansgar Wiechers (Sep 30)
- RE: share permissions Steve Anderson (Sep 30)
- Re: share permissions Jeffrey Walton (Sep 30)