Security Basics mailing list archives

RE: share permissions


From: Steve Anderson <steve.anderson () bipsolutions com>
Date: Thu, 30 Sep 2010 17:45:53 +0100

It's an OR with the groups, not an AND, with NTFS permissions.

When you add in share permissions, it's a most restrictive combination. OR the NTFS permissions, OR the share 
permissions. Then AND the resultant set.

If you have NTFS write, but not share write, you can't write.

However, 1 Deny overrides any number of Allows.

(Three settings. Deny, Allow, nothing set)


Steve Anderson

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Wright
Sent: 29 September 2010 11:42
To: 'Ansgar Wiechers'; security-basics () securityfocus com
Subject: RE: share permissions

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar Wiechers
Sent: Tuesday, September 28, 2010 1:25 PM
To: security-basics () securityfocus com
Subject: Re: share permissions

On 2010-09-28 W W wrote:
Are there any best practices for setting permissions on shared folders?
We have a discussion on whether we should be setting the access on the
share itself or controlling it more at the NTFS level.  I lean more to
setting permissions on the share and at the NTFS level. Thoughts?

Common practice is to grant full access to everyone on the share level, and restrict access on the NTFS level. If you 
are super mega hyper paranoid, you can restrict share level permissions as well, but IMHO that has more disadvantages 
than advantages. For one, troubleshooting permissions becomes a pain when you have to deal with two sets of ACLs.
Also, share level permissions apply only to the share, while NTFS permissions apply to the shared folder and all files 
and subfolders. Not to mention that NTFS permissions are far more fine-grained than share level permissions.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq



I myself favor the super mega paranoid practice, but as an alternative to setting smb permissions to 
everyone/full-access, you could give full access to Authenticated Users, per the best practice suggestion in this 
article:
http://www.windowsecurity.com/articles/Share-Permissions.html


Incidentally, can anyone confirm that effective SMB permissions are an AND operation (e.g. effective write permission 
only results when every group specified in the ACL of which the user is a member has write permission)?

I know that the user should be a member of only one group specified in the ACL for a share but, for curiosity's sake, I 
was hoping to find a definitive reference confirming that this is exactly how SMB permissions are calculated.
The dusty book on NTFS security that I've consulted is less specific on the subject than I'd like.  Thanks for any help.

John







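Added example, not part of the original thread: a simplified Python model of the evaluation Steve Anderson's reply describes (OR the entries within each ACL, let Deny override Allow, then AND the share and NTFS results), plus a helper that names the layer withholding a right. The ACL entries, group names and the two-right model are constructed assumptions, and ACE ordering and inheritance are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str        # user or group the entry applies to
    kind: str             # "allow" or "deny"; no entry at all means "nothing set"
    rights: frozenset     # simplified rights: "read", "write"

def layer_rights(acl, principals):
    """Evaluate one layer (share or NTFS): OR all Allows, then remove every Deny."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return allowed - denied

def effective_rights(share_acl, ntfs_acl, principals):
    """AND the layers: a right must be granted by both the share and NTFS."""
    return layer_rights(share_acl, principals) & layer_rights(ntfs_acl, principals)

def blocking_layers(right, share_acl, ntfs_acl, principals):
    """Name the layer(s) that withhold a right, for troubleshooting."""
    layers = {"share": share_acl, "ntfs": ntfs_acl}
    return [name for name, acl in layers.items()
            if right not in layer_rights(acl, principals)]

def ace(principal, kind, *rights):
    return Ace(principal, kind, frozenset(rights))

# Constructed sample data (hypothetical user and groups, not from the thread).
ALICE = {"alice", "Authenticated Users", "Staff", "Editors"}
NTFS = [ace("Staff", "allow", "read"), ace("Editors", "allow", "read", "write")]
SHARE_FULL = [ace("Authenticated Users", "allow", "read", "write")]
SHARE_READ = [ace("Authenticated Users", "allow", "read")]
NTFS_DENY = NTFS + [ace("Contractors", "deny", "write")]

if __name__ == "__main__":
    # Groups are ORed: Editors grants write even though Staff does not.
    print(sorted(effective_rights(SHARE_FULL, NTFS, ALICE)))
    # NTFS write without share write: no write.
    print(sorted(effective_rights(SHARE_READ, NTFS, ALICE)))
    print(blocking_layers("write", SHARE_READ, NTFS, ALICE))
    # One Deny removes write regardless of how many Allows grant it.
    print(sorted(effective_rights(SHARE_FULL, NTFS_DENY, ALICE | {"Contractors"})))
```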

