Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Proper way to secure a new file server 1

Status
Not open for further replies.
sbertram

sbertram

MIS
Joined
Aug 30, 2007
Messages
25
Location
US
Hi i am resetting up our file server and i have to parations one for Windows which is the c drive. One for data which is the F drive. I want every one at my work to have access to the files and folder, but i want to stop every one from deleting them. What permissions do i need to set on the root of the F drive so it propagates to all the subfolders and files so i never hear the pharse, my stuff is gone.
Thnaks
 
Sort by date Sort by votes
If you don't want people to be able to delete anything, then you'll want read-only rights on the shared folders. Of course, then they wouldn't be able to create new files or edit existing files, which would probably prevent them from doing their jobs (at least at most places).

So rather than trying to find a one-size fits all strategy for all folders, you're going to have to create multiple shares with different permissions for different people/groups. That way the appropriate parties will be able to read/write/modify/delete only the files that they are responsible for, and nobody else will have access to them (or read only).

Of course, that won't stop people from accidentally deleting their own files, but nothing will prevent that. You just have to assume that people are smart enough to not delete something that they need, much like you have to assume that most kindergarten students are smart enough to not eat paste.
 
Upvote 0 Downvote
My suggestion would be:

1. Set Everyone with full control in share permissions
2. In security permissions, go to advanced then edit and deselect delete subfolders and files, and delete.

Its probably not the best practice but its what I would do for my company. The one thing to remember about share vs NTFS is that share permissions are the entry point to the the resource and NTFS permissions take it to a more granular security level. Just because you grant everyone the full control share permission doesnt always mean the resource is accessible to everyone. This is where ACL's come into play.
 
Upvote 0 Downvote
Hi 702geek i just did as yout told me and i am able to delete folders a few levels deep that i made. Put if i make them from the windows server i can not. Is there a way to stop users from deleting their own files and folders?
You also said that there is a way with ACLs how do i use them in Server 2000?
thanks
 
Upvote 0 Downvote
It depends on the ACL. Are the users in a specific group that grants them full control NTFS permissions? Are the permissions inherited? Start from the root and work your way up. As you can already tell, permissions can be a nightmare.

But to answer your question, remove both delete permissions from the OWNER ace (access control entry).
 
Upvote 0 Downvote
Hi 702geek thanks for the pdf. We have no groups here. I only started he at the beging of the year and my boss did things the easy way. We have no GPO's, no groups, etc always done the easy way. Would it be better to make groups and then assgin them to folders then do the permissions or can i get this whole stopping deleting folder thing to work with the built in every one group? When you setup a new server what are the steps you take to share the drive that the files live on?
thanks
Steve
 
Upvote 0 Downvote
Is there a way to stop users from deleting their own files and folders?"
Not really, but to protect files and folders from user destruction and to be worshiped as a hero, look into Executive softwares Undelete, far superior to MS shadow copy mechanism...
This is a great product, a few hundred dollars but worth every buck; beats going to tape restore, provides for restoration of file revisions in seconds, unlike shadow copy, deleted or revisioned files are save in real time.

Personally on server setups I setup the shares with full access, then in the root of the volume I remove ALL rights, then create folders with the needed rights for groups/users. This way users can not create files/folders in the root, and can only see/access/delete, files/folders which they have been given rights to. Avoid giving specific rights to individual users (as much as possible), use groups or you will have nightmares which increase exponentially. Properly done the normal user will have fewer folders visible, and sensitive folders and file names will not be visible.




........................................
Chernobyl disaster..a must see pictorial
 
Upvote 0 Downvote
We have no groups here. I only started he at the beging of the year and my boss did things the easy way. We have no GPO's, no groups, etc always done the easy way.
Click to expand...

No groups, no GPOs, etc is not "the easy way". It might be "the lazy way" or the "I can't be bothered to try and figure it out way", but it's definitely not the easy way.

Security groups allow you to create collections of users that have similar security rights. For example, let's say that there is an Accounting shared folder, and you want all 10 people in the Accounting department to have access to it. You can either a) manually add each of the 10 users individually to the security tab of the share, and set them with the rights that you want the accounting department to have, or b) create an Accounting group and put your users into it, then manually assign permissions to that group once. Would you rather assign permissions 10 times or 1 time? Which is easier?

OK, now lets say that John in the Accounting department is moving to some other department. You need to take away his rights to access the Accounting data and get him permissions for the correct shares for his new group. Would you rather a) remove John from the Accounting group and add him to a new group, or b) manually inspect every share on all of the servers, find which ones John has access to, determine which of those he no longer needs access to, remove him from those shares, then determine what shares he doesn't have access to that he does need access to, then add him to those shares?

I know it seems strange to think it, but Microsoft doesn't generally make add features to their products to make things more complicated. They add features to make our jobs easier.
 
Upvote 0 Downvote
Hi technome after reading what you said there is no way to stop people from delting the files or folders right? If so why are those options there?
thanks
 
Upvote 0 Downvote
Hi kmcferrin thanks for the insite i guess we have to start doing this
thanks
 
Upvote 0 Downvote
No groups, no GPOs, etc is not "the easy way". It might be "the lazy way" or the "I can't be bothered to try and figure it out way", but it's definitely not the easy way.
Click to expand...

Agreed 100%. Groups make permissions so much easier to manage. It easy to set full access at the top level and then use granular ntfs permissions at the root resource. And for the record, it is possible to prevent users from deleting items that even they have created.

You should do more research on permissions, they are very powerful tools.
 
Upvote 0 Downvote
Hi 702geek what are the odd of me paying you for some phone help?
thanks
 
Upvote 0 Downvote
Hi technome after reading what you said there is no way to stop people from deleting the files or folders right?"

Yes you can stop users from deleting files/folders (and even seeing) them, but to be practical, for a user to use Word ,Excel (and most other programs), to be able to create a document, edit it, and save it with the original name, most programs need to be able to read, write and delete, this is the dilemma. Many programs create config files, log files, temp files, for users, which adds to the complexity
You can have folders which you users can not delete, but if the users need to modify the files within it, they need the file permissions as stated above on those files.
Novell has "delete inhibit", which Ms should have, maybe one day (in my dreams).
For one of the best books on server setups...
Mark Minasi's "Mastering Windows server 200x" Sybex

........................................
Chernobyl disaster..a must see pictorial
 
Upvote 0 Downvote
Hi technome from the playing around i have done that seems to be the case that i can not get server to allow every thing but stop people from deleting folders. In your server set ups have you been able to get this done? Is easier in Server 2003?
thanks
Steve
 
Upvote 0 Downvote
Your best bet is read the book as recommended above.

Do not worry excessively about users having the ability to delete/move data folders and contents(especially if it is their own data)... with the understanding you have Executive softwares "Undelete" installed..with this you can recover folders or files within seconds including multiple revisons...that is until you thoroughly understand folder/file permissions. System restore has limitations, especially as it does not save deleted items in real time. Win 2003 is not much different than 2000, except for the system restore. Also "Undelete" maintains a log of the person deleting or moving items.

When it comes to program folders, the folder and files for the most part can be read only, but there is usually a few files which need modify rights...this gets tricky. Again "undelete" will protect the folder and contents.

As to the personel with critical/sensitive data...normal users should not be given any permissions to files and folders involved with these groups or users, a normal user should not be able read, write or list folder to the folders/files...in other words they should not know they exist or have any means to there access, either by accident or on purpose.


........................................
Chernobyl disaster..a must see pictorial
 
Upvote 0 Downvote
Hi technome, thanks for the answers. On your servers do have you had luck setting up permissions so users can not delete folders or files? Or do you use the undelete software and not bother with these permissions. I guess i like you to give me a yes or no answer is it posablle with Windows server 2000 to allow users to do every thing but stop them from deleting files and folders
thanks
Steve
 
Upvote 0 Downvote
I know it sounds like we're talking in a circle here, but one more time for clarity:

Yes, it is possible to give people rights to do just about everything but delete a file. No, it is not practical or recommended to do so, especially for a file server/shared files.

Applications are written to assume that certain basic permissions are being used, those are usually Read, Write, Change, and Full Control (which is everything). Beneath that you can get more granular, down to Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, and Take Ownership. These more granular components are the "building blocks" that are used to create the higher-level file permissions. If you grant users permissions at the most granular level, then applications may assume that they have the entire set of permissions for that higher-level permission, which could cause issues or unusual behavior.

So basically, don't do it. Give people read/write access to the files that they need to be able to read/write to, give them read access to the files that they need to read, and make sure that they have no access to files that they don't need. Don't worry about trying to keep people from deleting files that they have write access to. It happens sometimes, but your people are just going to have to learn not to delete things that they need. If they were dealing with paper documents and files, they wouldn't shred documents that they might need later, would they? So why would they delete files on a computer that they might need. The answer is education (for yourself and your users), not trying to come up with a technological silver bullet that prevents people from doing something stupid.
 
Upvote 0 Downvote
Hi the whole reason for us to try to get users to stop them from deleting the folders is becuase people have done it by mistake including my self. So it is not that they are not trained it is just to stop mistakes. Train all you want we are all human and all make mistakes
 
Upvote 0 Downvote
kmcferrin would you be able to help me over the phone get this done? I be happy to pay you.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MaioMaio
  • Locked
  • Question Question
Server Remote Desktop License
Replies
0
Views
706
MaioMaio
MaioMaio
Aquiles Vidal
  • Locked
  • Question Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
895
Aquiles Vidal
Aquiles Vidal
rzammit82
  • Locked
  • Question Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
1K
suncit
suncit
DrB0b
  • Locked
  • Question Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
1K
DrB0b
DrB0b
microsGuy16
  • Locked
  • Question Question
Can not copy files to Mapped drive
Replies
0
Views
980
microsGuy16
microsGuy16

Part and Inventory Search

Sponsor

Back
Top