Filestore Best Practices #1: Don’t give full permissions unless you really need to!

A large proportion of the calls to the helpdesk relating to the Shared Filestore Service (Turrets) concern broken permissions, with the Share Administrator and often the Server Administrator permissions having been removed. This can interfere with day-to-day operations and backup procedures, and becomes a real problem when it is necessary to copy data.

Even more worryingly, there have been occurrences where users have removed folders so that the Share Administrator cannot even see that the folder exists!

Looking over some random shares it seems that nearly all of the folders assigned to users are set with ‘Full Control’. This is not necessary for users to have read\write access.

Let’s have a look at each type of permission and what it really means:

Full Control

Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Modify

Modify and delete the file plus perform the actions permitted by the Write permission and the Read & Execute permission

Read & Execute

Run applications plus perform the actions permitted by the Read permission

Read

Read the file, and view file attributes, ownership, and permissions

Write

Overwrite the file, change file attributes, and view file ownership and permissions

The problems we see often stem from a poor understanding of permissions, but they are usually caused by end-users with ‘Full Control’ who try to set permissions themselves. In 99% of cases this is not required, and users who need to work with and change files in a folder can accomplish this with ‘Modify’ access.

SUMMARY: Look at your folders. Do the assigned users need to have rights to change permissions? If not, take them away by changing ‘Full Control’ to ‘Modify’.
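
One way to carry out the check in the summary, as an added PowerShell example (not part of the original post): it lists every folder under a share where a non-administrative identity holds an explicit ‘Full Control’ entry, and with `-Fix` swaps that entry for ‘Modify’. The share path and the `EXAMPLE\Share-Admins` group are placeholders, and the allow-list of administrative identities is an assumption to adjust for your own share.

```powershell
# Added example: find explicit 'Full Control' grants held by non-administrative identities.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ShareRoot       = '\\fileserver.example\share',          # placeholder path
    [string[]] $AdminIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                    'EXAMPLE\Share-Admins'),              # placeholder group
    [switch]   $Fix                                                       # downgrade to Modify
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$FullControl = [int]($Rights::FullControl)
$GenericAll  = 0x10000000   # raw GENERIC_ALL bit, which can appear on inherit-only entries

$folders = @(Get-Item -LiteralPath $ShareRoot) +
           @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    $acl   = Get-Acl -LiteralPath $folder.FullName
    $dirty = $false
    foreach ($ace in $acl.Access) {
        $bits = [int]($ace.FileSystemRights)
        $full = (($bits -band $FullControl) -eq $FullControl) -or (($bits -band $GenericAll) -ne 0)
        # Only explicit Allow entries: inherited ones are corrected on the parent folder.
        if (-not $full -or $ace.IsInherited -or $ace.AccessControlType -ne $Allow) { continue }
        if ($AdminIdentities -contains $ace.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Owner    = $acl.Owner   # an owner can still change permissions without Full Control
        }

        if ($Fix) {
            # Same identity and inheritance settings, but Modify instead of Full Control.
            $modify = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $ace.IdentityReference, $Rights::Modify,
                $ace.InheritanceFlags, $ace.PropagationFlags, $Allow)
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($modify)
            $dirty = $true
        }
    }
    if ($dirty -and $PSCmdlet.ShouldProcess($folder.FullName, 'Replace Full Control with Modify')) {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Run it without `-Fix` first to review the report; adding `-WhatIf` alongside `-Fix` shows which folders would be changed without writing anything.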

This entry was posted in FileStore, Security by James.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup). http://twitter.com/JamesAPocock
