Are NTFS and Share Permissions a bit too complicated?

Most Windows Administrators know that NTFS permissions combine with Shared Folder permissions when it comes to working out effective permissions.

What I’ve generally found though is that while this is understood in theory, in practice effective permissions are implemented incorrectly. Users are granted write access to files that they should only have read access to and users have read access to files to which they are supposed to have write access.

The problem with NTFS permissions is that when combined with Share permissions, it takes a few minutes of head scratching for Administrators to figure out what access a person actually has, especially if the user is a member of multiple groups. It isn’t that these permissions don’t work when properly applied, it is just that they are complex and the more complex something is, the less likely it is to be used properly.

Anyone who has worked on a helpdesk can tell you about untangling permissions. When a user rings up and says that they should have access to a certain file that they do not have access to, a merry chase ensues with the person in question having to figure out if the permissions are indeed set correctly and the person calling should not have access to the file or whether the permissions have been set incorrectly and the permissions need to be changed.

NTFS permissions also aren’t entirely effective as a security mechanism. Although a person may only have read access to a file on a file server, they can copy that file away from the file server and change the permissions when the file is stored in another location. Similarly NTFS permissions can't stop you from emailing a file that you have read access to to someone outside your organization.

In the long term the best way of setting file access rights is probably going to be through Active Directory Rights Management Services, where the same read/write permissions apply to the file independently of where it is stored. With AD RMS, a user who has permissions that limit them to opening a file and making changes to it has those same permissions whether they’ve received the file in email, accessed it from a file share or downloaded it from a SharePoint site.

At the moment AD RMS is more complicated to configure than NTFS permissions and most administrators haven’t really played with it and are not aware of its capabilities. In the long run it will probably replace NTFS permissions as organizations move to platforms that support AD RMS’s capabilities
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish