Q

Best practices for setting NTFS/share permissions for each %USERNAME% on a file server

I'm seeking "best practice" advice for the reasonable setting of NTFS and share permissions for the home catalogs of each %USERNAME% on the common file server within AD. Is the following scheme good?
  1. The catalog, containing all home users' catalogs does not inherit from the parent volume, but in its turn permits for all child objects full access for the local admin group of this server (to allow further administering in critical conditions).

  2. In addition to that, each inner home catalog has Modify rights only for the corresponding %USERNAME% and Full Control for the Creator Owner.

  3. Each home catalog is shared separately as %USERNAME%$ with Change or Full Control for only the user himself.
Does this scheme allow for the "sufficient minimum" of rights/security/manageability?
I'm not sure what you are using as your definition ?- what is the home catalog? The home folder? The location of the user profile? The redirected documents folders? The place on the file server where the user can save files? A folder required by some application software?

I cannot comment if I don't know what you actually are looking for; however, I do wonder at statement number 2. Only the user has modify rights? But Creator Owner has full control? This seems to tell me that there may be files placed there for them to use, that you want to protect their change permissions on them, or delete subfolders and files, if this is a folder. If my assumption is correct, then in any circumstance where you want to control security on files within a folder, this is a very good move, as the Creator Owner group can help do just that.

It is also a very good idea to prevent permission inheritance when you develop permission for files that might be overwritten from above. It is also a good idea, most agree, to maintain some administrative control over user files and folders, although (truth be told) an administrator can, of course, take ownership and get back control if it is necessary for administration. So when needs for security are higher (i.e., avoiding casual access to files), you can remove those administrative rights.

This was first published in June 2003

Dig deeper on Network intrusion detection and prevention and malware removal

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close