What Permissions Do You Give ‘Everyone’?
Best Practice (Litmus Test)
Amateurs: Add users to NTFS permission list.
Professionals: Create a security group and add it to the permission list and then add users to that group.
David H Kendrick
Professionals: Remove the default permission ‘Everyone’ – Full Control.
Amateurs: Don’t mind ‘Everyone’ having full control of all shares.
Permissions – Everyone Full Control
Share permissions are like giving users a key to the office door. NTFS permissions are like giving them the key to the safe. Too many organisations leave the safe unlocked!
Make it your best practice to remove the group Everyone because they have full control, and substitute users and only give them read. It usually makes sense to also add the Administrators and give them full control.
right-click a shared folder, check the permissions under both Share and NTFS Tabs.
Note that there are two tabs to control permissions on any folder – Sharing (Key of the door) and Security (NTFS lock on the safe).
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
Windows Server 2003 – Best Practice
The default permissions in Windows Server 2003 has been changed to give users only Read permission. This is but one of numerous improvements to security in Windows Server 2003. It as if Microsoft has put security first ahead of ‘easy to use’ or ‘cool feature’. This is what people want, more security less flashy bells and whistles.
The biggest change compared with NT 4.0 is that you now have the Deny permission. In NT 4.0 the No Access was rather a blunt tool, it meant you could not read documents or list files. The new Deny means that you can explicitly Deny Write. That means that if a user is a member of another group that is give Change permission, they still only end up with Read.
Windows Server 2003 has a little know snap-in called Shared Folders, I use it to check and set share permissions.
Over 40 of Guy’s litmus tests. Have fun while you learn about aspects of computing. Stacks of ideas to check your servers, networks and security.
Your eBook has printer friendly pages and lots more screen shots.
Guy’s Litmus test is a concept that you can apply anywhere. Each test gives you an instant answer to the simple question:- ‘Are you dealing with a professional, or are they an amateur? Is this the real deal, or is it a turkey?’ The Litmus Test concept is rather like Best Practice, but it reduces a 27 page report to one sentence.