I don't know that I would use "best way," but many people consider it the
"easiest way."
When combining share+NTFS (file) permissions, the most restrictive policy
always "wins." IOW, if you create a share, and give it READ only rights,
anyone accessing files through that share point will have READ only access
even if your NTFS permissions allow for WRITE or FULL control. If your
share has FULL permissions, but NTFS permissions only allow for READ, then
users accessing the file through the share point will have only READ
permissions.
The recommended concept is based on giving the share point FULL permissions
and using actual NTFS file permissions to limit access so that is it just
easier to administer. If you have multiple shares that you have different
permissions on from a share standpoint, it may be difficult to troubleshoot
access issues unless you really have things documented well. Giving the
share FULL permissions basically takes share permissions out of the equation
when troubleshooting.
The "duality" is provided just in case you really want to limit overall
access globally from a share - as in if you know that all access is going to
be READ only, then it would be more secure to make the share READ only.
Share permissions are also used for non-NTFS volumes (not that anyone really
does that anymore, but you never know). It's basically there just so you
can do it however you want to.
HTH
t
On 12/23/06 2:46 AM, "dubaisans dubai" <dubaisans@gmail.com> spoketh to all:
I have read that the best way to allocate permissions for shared
folders is - Share the folder . Give Share-Permissions as " Everyone
Full Control" and give the specific Allow/Deny permissions in the NTFS
tab.
Is there any insecurity in giving Share-permissions as Full control
and only specifying the NTFS permissions accurately ?
If no insecurities , why is Windows giving us the facility to give
permissions in 2 places and making it confusing?
