Permissions Question - Flaw or Feature?

Status
Not open for further replies.

MagnumVP

IS-IT--Management
Jul 9, 2002
109
US
Here is how I understand it:

Share = R
NTFS = FC
Accessing over the Network = R
Accessing local = FC

Then I came across this issue. Has anyone else had this issue? I've tried it on 3 different servers in three different domains with the same answer.

Share Name = Data
Share Permissions = Everyone FC
NTFS Permissions = Everyone FC

Inside the folder there is a file called "File1.doc". I Rt Click on the file and remove the inherited NTFS permissions. Then assign Everyone = R. That is all the permissions for the file.

The issue is that anybody accessing the file over the network can DELETE. WHY?

MOST RESTRICTIVE:
SHARE = FC
NTFS = R
Access over network = R

Am I missing something?
 
What do the effective permissions display as in the Advanced properties? It doesn't sound right to me, it seems the NTFS folder permission is allowing them to delete the file but the explicit file permission should take precedence.
 
To answer your questions the Advanced Properties are;

Read Data
Read Attributes
Read Extended Attributes
Read Permissions

I figured out what the problem is. Ever heard of File Delete Child (FDC)?

Here is what it is. If a group has FC of a folder and the file permissions are more restrictive (such as read) that file still inherits the Delete Child Objects.

Check out this article at Microsoft that further explains it. It is a product of NTFS from NT days and MS has no plans to fix it.
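
The behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of the delete decision (allow ACEs only, no deny or ownership handling) run against the thread's own Data share and File1.doc setup. The access-mask values are the standard winnt.h constants; the function names and the single-principal ACL lists are assumptions made for illustration.

```python
# Simplified model of the Windows delete decision (added example; allow ACEs only).
# Access-mask bit values are the standard ones from winnt.h.
DELETE = 0x00010000
FILE_DELETE_CHILD = 0x00000040      # only meaningful on a directory
FILE_GENERIC_READ = 0x00120089      # "Read"
FILE_ALL_ACCESS = 0x001F01FF        # "Full Control", includes both bits above

def granted(acl, principals):
    """OR together the masks of every allow ACE that matches the caller."""
    mask = 0
    for who, rights in acl:
        if who in principals:
            mask |= rights
    return mask

def can_read(share_acl, file_acl, principals, over_network=True):
    """Read follows the 'most restrictive' rule: the share ACL caps NTFS."""
    mask = granted(file_acl, principals)
    if over_network:
        mask &= granted(share_acl, principals)
    return (mask & FILE_GENERIC_READ) == FILE_GENERIC_READ

def can_delete(share_acl, folder_acl, file_acl, principals, over_network=True):
    """Delete needs DELETE on the file OR FILE_DELETE_CHILD on its parent."""
    if over_network and not (granted(share_acl, principals) & DELETE):
        return False                # share ACL still caps network access
    on_file = granted(file_acl, principals) & DELETE
    on_parent = granted(folder_acl, principals) & FILE_DELETE_CHILD
    return bool(on_file or on_parent)

# Constructed ACLs matching the thread: share FC, folder FC, File1.doc R.
WHO = {"Everyone"}
SHARE_FC = [("Everyone", FILE_ALL_ACCESS)]
SHARE_R = [("Everyone", FILE_GENERIC_READ)]
FOLDER_FC = [("Everyone", FILE_ALL_ACCESS)]
FILE_R = [("Everyone", FILE_GENERIC_READ)]
# Folder ACE with "Delete subfolders and files" removed.
FOLDER_NO_FDC = [("Everyone", FILE_ALL_ACCESS & ~FILE_DELETE_CHILD)]

def thread_scenario():
    return {
        "read_file": can_read(SHARE_FC, FILE_R, WHO),
        "delete_file": can_delete(SHARE_FC, FOLDER_FC, FILE_R, WHO),
        "delete_without_fdc": can_delete(SHARE_FC, FOLDER_NO_FDC, FILE_R, WHO),
        "delete_via_read_share": can_delete(SHARE_R, FOLDER_FC, FILE_R, WHO),
    }

if __name__ == "__main__":
    for check, result in thread_scenario().items():
        print(f"{check}: {result}")
```

In this model the read-only file stops being deletable once the folder ACE no longer carries FILE_DELETE_CHILD, or once the share itself is read-only.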

 
Share permissions are for backward compatibility with FAT.
Share: Everyone full control.
NTFS permissions set at the folder level.
File permissions set only in special circumstances (to deny access to that file).
Deny always overrides allow.
It is pointless to use share permissions on an NTFS volume.
 
you have to use share permission in win2k3
shared permission- read only
NTFS permission - Full Control

effective permissions - read


Hi!
 
Why......do "you have to use share permission in w2k3"???
Donnie
 
donnie4564 said:
Why......do "you have to use share permission in w2k3"???

Well, share permissions apply to access to files/folders via the network. Assuming that you are using Windows 2003 server as a server, and not as a workstation operating system, the chances are quite considerable that the vast majority of users will be connecting via the network rather than accessing the files/folders locally so share permissions do matter.
In addition, share permissions are the only restrictions that can be applied to FAT or FAT32 volumes, so in the very rare circumstances where NTFS is not used, these are the only way to apply restrictions there.

John
 
Donnie is right it just reads weirdly :p Basically, assuming the server has NTFS volumes, you should leave share permissions open and use NTFS permissions to do the restrictions. If you use both share permissions and NTFS permissions to do restrictions you just double the admin workload. You do of course still need share permissions to allow clients to access the folder from the network, you just don't use them to restrict access.

Microsoft changing the default share permission to everyone read is just a security enhancement in case the admin neglects to apply NTFS permissions.
 