How are the simple share permissions different from the advanced share permissions?
Organizations rely on share permissions and NTFS permissions to manage access to local resources. Both permission types serve the purpose of protecting sensitive data and preventing unauthorized access. But what is the proper way to combine them, and how do NTFS and share permissions interact? In this guide, we’ll take a closer look at the differences between share permissions and NTFS permissions and illustrate some best practice examples for using both methods in Microsoft Windows environments.

What Are NTFS Permissions?

NTFS (New Technology File System) is the standardized file system for Microsoft Windows NT and newer versions of Microsoft’s operating system. NTFS permissions govern access to folders and files on Windows drives. What’s special about NTFS permissions is that they apply both when access is made locally on a computer and when it is made via the network. That’s the main difference between NTFS permissions and share permissions: the latter only apply when access is made via the network. They do not apply to direct access on a machine, i.e. locally.

Setting NTFS Permissions

Setting NTFS permissions is not overly complicated, though there are a couple of things you should be aware of. Our article Setting NTFS Permissions covers the 4 most common mistakes and outlines the best practices for dealing with NTFS permissions.

To set an NTFS permission, right-click on a folder or file and select “Properties”, then navigate to the “Security” tab to edit permission levels for different groups. For maintenance and security reasons, you should not apply permissions to individual users.

While share permissions only allow the three options (Full access, Modify and Read), NTFS permissions allow you to set access at a more granular level, both for individuals and groups. The level of access you choose to set can be passed on to subordinate files or folders due to the NTFS permissions’ inheritance properties. The following NTFS permission levels are the most important ones:

How Do Share Permissions Work?

Share permissions are used to control access to shared folders (and their subfolders and files) when they are accessed over a network. This means that if access is made locally on a PC, the share permission has no influence.

To set share permissions, right-click on the folder, go to “Properties”, click on the “Sharing” tab, then “Advanced Sharing” and, finally, click on “Permissions”.

Unlike NTFS permissions, share permission levels are limited to “Read”, “Modify” and “Full access”.

The Issue With Share Permissions

The last thing you need in your company is a complicated, messy and convoluted access structure. But if you decide to use share permissions only, that’s probably what you’re going to be dealing with. One reason is that share permissions allow you to have different levels of permission within the same folder hierarchy, which can be very confusing and misleading. Users might unintentionally end up receiving more rights to a folder than intended because the share permission at the lower-level folder allows more access than the folder higher up in the hierarchy.

Is It Possible to Use NTFS and Share Permissions Simultaneously?

The short answer is, yes, it is. But you need to know exactly which permission has priority over the other. Otherwise, you might end up giving your employees too many or not enough rights.

When accessing a folder or file via network, share permissions always have priority over NTFS permissions. If access is made locally on the file server, however, NTFS permissions rank first. Even if access is made via network, the share permission cannot be used as a means of extending the NTFS permission. It can only be used to further restrict the NTFS permission.

Note: If share permissions and NTFS permissions are used together, the more restrictive permission overrules the other.

Examples of Mixing Share and NTFS Permissions

Let’s examine how share and NTFS permissions behave when they are used together in the following example: Assume that access to our folder “\\srv\Department\Sales” is made via network share and not locally.

Example 1

If the share permission is set to “Read” and the NTFS permission is set to “Full Control”, the user will only get “Read” access to the file because the share permission prohibits “Full Control” access via network.

Example 2

If the share permission is set to “Full Control” and the NTFS permission is set to “Read & Execute”, the user will still only have “Read & Execute” access to the file. While the share permission would permit “full” access, the NTFS permission locally restricts access to “Read & Execute”.

Best Practices for Sharing and NTFS Permissions

As you can tell, with only 3 permission levels, the security options for folder shares are very limited. It is definitely more flexible to rely on NTFS permissions to control access and then to ensure that your share permissions do not block access at the network level.

We therefore recommend setting share permissions to “Full Control” for admins and to “Change” for regular domain users. Do not set any other share permissions. This way, it is guaranteed that the NTFS permissions you set take effect and will not be restricted when access is made via network.

Using NTFS to control access on file servers brings the following advantages:

About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.

What are the different share permissions?

There are three types of share permissions: Full Control, Change, and Read.
Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files.
Change: Change means that users can read/execute/write/delete folders/files within the share.

What is the difference between share permissions and NTFS permissions?

Unlike share permissions, NTFS permissions apply to users who are logged on to the server locally. Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder. Share and NTFS permissions are configured in different locations.

What is an advanced permission?

The advanced permissions are:
Traverse Folder/Execute File: For folders, Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.)

What are the 3 share permissions?

Basically, share permissions apply more generally to files and folders and have three different levels of sharing: Full Control, Change, and Read. Each of these can either be allowed or denied when you share a folder and are defined as:
Read: This is much like the NTFS permission above.
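
The interaction shown in Examples 1 and 2 and the share-permission baseline recommended under best practices, as an added PowerShell example that is not part of the original article. The function names `Get-EffectiveRights` and `Test-ShareBaseline`, the `CORP\...` group names and the sample entries are assumptions made for illustration; the share levels are mapped to the NTFS rights they correspond to (Read to Read & Execute, Change to Modify, Full to Full Control).

```powershell
using namespace System.Security.AccessControl
# Added example: group names and sample entries are constructed; function names are hypothetical.

# Ceiling that each share permission level places on NTFS rights for network access.
$ShareCeiling = @{
    Read   = [FileSystemRights]::ReadAndExecute
    Change = [FileSystemRights]::Modify
    Full   = [FileSystemRights]::FullControl
}

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full')][string]$ShareRight,
        [Parameter(Mandatory)][FileSystemRights]$NtfsRights,
        [switch]$Local
    )
    # Local access never evaluates the share permission; NTFS alone decides.
    if ($Local) { return $NtfsRights }
    # Over the network only rights granted by both remain: the more restrictive wins.
    [FileSystemRights]([int]$NtfsRights -band [int]($ShareCeiling[$ShareRight]))
}

function Test-ShareBaseline {
    # Checks objects shaped like Get-SmbShareAccess output against the article's baseline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [string]$AdminGroup = 'CORP\Domain Admins',  # assumed group name
        [string]$UserGroup  = 'CORP\Domain Users'    # assumed group name
    )
    process {
        # Baseline: Full Control for admins, Change for domain users, nothing else.
        $expected = @{ $AdminGroup = 'Full'; $UserGroup = 'Change' }[$Entry.AccountName]
        [pscustomobject]@{
            Share     = $Entry.Name
            Account   = $Entry.AccountName
            Right     = "$($Entry.AccessControlType) $($Entry.AccessRight)"
            Compliant = ("$($Entry.AccessControlType)" -eq 'Allow' -and $expected -eq "$($Entry.AccessRight)")
        }
    }
}

# Constructed entries; on a file server pipe in: Get-SmbShare -Special $false | Get-SmbShareAccess
$sample = @(
    [pscustomobject]@{ Name = 'Sales'; AccountName = 'CORP\Domain Admins'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Sales'; AccountName = 'CORP\Domain Users'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Sales'; AccountName = 'Everyone'; AccessControlType = 'Allow'; AccessRight = 'Full' }
)
$sample | Test-ShareBaseline | Format-Table -AutoSize
Get-EffectiveRights -ShareRight Read -NtfsRights FullControl         # Example 1, via network
Get-EffectiveRights -ShareRight Full -NtfsRights ReadAndExecute      # Example 2, via network
Get-EffectiveRights -ShareRight Read -NtfsRights FullControl -Local  # same ACLs, local logon
```

Entries reported as non-compliant are the ones that either cap NTFS rights over the network (such as the Read entry) or grant share-level access outside the two recommended groups.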