Combining Shared Folder Permissions and NTFS Permissions

This section will be of interest to an administrator who is familiar with security settings on a FAT32 volume where permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

When share permissions and NTFS permissions are used together and their settings conflict, the most restrictive permission prevails. For example, if a user has NTFS full access to a specific file in a folder that is not shared, the user cannot access the file from the network. The user can still sit down at the computer that contains the file, log in, and access the file, because shared folder permissions do not affect local access.

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access to shared folders by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

  • You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder that a shared folder contains.

  • In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders.

  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
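The rules above can be checked against a planning table before any folder is shared. The following Python sketch is an added example, not part of the original page: it models each permission level as a set of rights, takes the intersection for network access, and uses the NTFS rights alone for local access. The right names, the extra permission columns, and the folder and group names are assumptions made for illustration.

```python
# Assumption: each permission level is reduced to a small set of rights.
# Real ACLs also carry deny entries, inheritance and group membership.
R, W, D, P = "read", "write", "delete", "change_permissions"
SHARE_RIGHTS = {
    None: frozenset(),                       # folder is not shared
    "Read": frozenset({R}),
    "Change": frozenset({R, W, D}),
    "Full Control": frozenset({R, W, D, P}),
}
NTFS_RIGHTS = {
    None: frozenset(),                       # no NTFS permission assigned
    "Read": frozenset({R}),
    "Modify": frozenset({R, W, D}),
    "Full Control": frozenset({R, W, D, P}),
}

def effective_rights(share_perm, ntfs_perm, over_network):
    """Rights a group ends up with on one folder."""
    ntfs = NTFS_RIGHTS[ntfs_perm]
    if not over_network:
        return ntfs                          # share permissions do not affect local access
    return SHARE_RIGHTS[share_perm] & ntfs   # the more restrictive side wins

def limiting_side(share_perm, ntfs_perm):
    """Name the permission set that restricts network access."""
    if share_perm is None:
        return "not shared"
    share, ntfs = SHARE_RIGHTS[share_perm], NTFS_RIGHTS[ntfs_perm]
    if share == ntfs:
        return "equal"
    return "share" if share < ntfs else "ntfs"

def review(plan):
    """plan rows: (folder, share name, group, share permission, NTFS permission)."""
    return [{"folder": f, "group": g,
             "network": sorted(effective_rights(sp, np_, True)),
             "local": sorted(effective_rights(sp, np_, False)),
             "limited_by": limiting_side(sp, np_)}
            for f, _share, g, sp, np_ in plan]

# Constructed planning table (folder, share and group names are made up).
PLAN = [
    (r"D:\Data\Employee", "Employee", "Managers", "Full Control", "Modify"),
    (r"D:\Data\Customer", "Customer", "Sales Reps", "Read", "Modify"),
    (r"D:\Data\Guidelines", None, "Managers", None, "Full Control"),
]

if __name__ == "__main__":
    print(*review(PLAN), sep="\n")
```

Rows reported as limited by "share" are the ones that depart from the strategy of controlling access through NTFS permissions.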

Planning

The first step is planning how folders will be shared. To do this, make a list of what data will be stored and what user groups will require access. For example, types of data may be employee data, customer account status data, customer service data, management guideline data, and so on. Groups of users may be managers, administrators, sales reps, customer service reps, and so on.

Create a table with three columns:

  • Column 1 displays each data folder by name and location
  • Column 2 displays the shared folder name
  • Column 3 displays the name of the user group with assigned folder permissions

File and Printer Sharing for Microsoft Networks

To share any folders or other network objects, you must have "File and Printer Sharing for Microsoft Networks" as a networking component in your local area connection.

To add this component:

  1. In the Windows System Tray, right-click the Local Area Connection icon and choose Status from the context menu. The Local Area Connection Status dialog box appears.

  2. Click Properties. The Local Area Connection Properties dialog box appears.

  3. If the File and Printer Sharing for Microsoft Networks check box is not listed, click Install… and choose it from the Services category to add it.

  4. Select the File and Printer Sharing for Microsoft Networks check box and click OK.