Network and Storage Protocols
For a pure NTFS qtree CIFS share, what is the best configuration? Hence I share our way of sharing CIFS.
Filer:
ABC/Admin - Full Control
Everyone - Read Only
ABC/Engr - Change
ABC/User - Change
Windows NTFS SACL
ABC/Admin - Full Control
Everyone - Read Only
ABC/Engr - Change
ABC/User - Change
Also, there are some engineers proposing to grant Everyone Full Control at the Filer and control whatever permissions are set at the Windows NTFS file level.
Would it be a better option to grant Everyone Full Control? Is there any drawback or overhead in terms of performance?
Thx
Everyone ~ Full Control at the share level isn't always a bad idea as long as you put proper controls on your files at the NTFS level. It avoids the issue of clashing permissions. But it really depends on what you are trying to accomplish. Share permissions can serve a good purpose if they accomplish what you want.
Just an opinion here.
Everyone ~ Full control. Not on my box!
I remove the everyone group from each CIFS share once I have correctly configured the groups and permissions as required. Less is more when it comes to access control...
It's always like Chevy vs. Ford when I have this conversation with customers. Whatever the customer is comfortable with ... we'll let you do what you want.. share vs. file ... I tend to see more everyone shares than not though in several years of working with NetApp at customers... and agree completely it is harder to troubleshoot when share and file permissions are fighting... One reason I can see locking down at the share is if Access Based Enumeration is or is going to be implemented.
This is a perfect question for a poll.
All our shares are full control. All the security is set on NTFS. Works great, is easy to maintain and very easy for troubleshooting. But indeed, you must choose the model that fits your company (and your administrators).
Thanks, guys, for sharing your thoughts with me; indeed it helps me to understand more about how the industry is handling CIFS.
Btw, ABE is not yet enabled for our filer.
And most likely it will not be approved by L3.
I myself prefer file-level locking to share-level, as it gives more control and is easy to troubleshoot.
My recommendation is to avoid, or please don't put, Everyone full CIFS/NetApp-level permission on your filers, especially when your filer is in a heterogeneous environment with NFS & CIFS or is a multiprotocol filer (uses CIFS and NFS). You can read more at http://media.netapp.com/documents/wp_3014.pdf (chapters 3 & 4).
For me, the better way to replace the Everyone full permission is with NT AUTHORITY\Authenticated Users, probably with Change permission, not with Full. Then implement an Active Directory domain user grouping, add the group in the CIFS-level permission, and create another group for the security-level permission.
example,
CIFS/NetApp level permission
Filer01> cifs shares Test
Test /vol/v_vol01/test
ADDomain\test_ms / Change
ADDomain\test_rs / Read
In security-level permission
Test
-- ADDomain\test_ms -- with modify permission
-- ADDomain\test_ms -- with read & execute permission
This will make sure that only the users who are members of the group can access the share drive Test. This is also good when you have a security audit.
Regards,
tons
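
The trade-off debated in this thread, as an added example that is not part of any post and not NetApp or Windows code: a simplified model in which access over a CIFS share is the more restrictive of the share-level and NTFS-level grants, applied to the ACLs from the original question. Assumptions: allow-only entries (no deny ACEs or inheritance), one ordered permission scale, and constructed group memberships and a constructed mismatched share ACL.

```python
# Simplified model for illustration; real ACL evaluation also handles
# deny ACEs, inheritance and fine-grained NTFS rights.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
NAMES = {value: name for name, value in LEVELS.items()}

def granted(acl, groups):
    """Allow entries are cumulative: a user gets the highest level granted
    to any group they belong to. Everyone applies to every user."""
    member_of = set(groups) | {"Everyone"}
    return max((LEVELS[lvl] for grp, lvl in acl.items() if grp in member_of),
               default=0)

def effective(share_acl, ntfs_acl, groups):
    """Return (effective level, limiting layer) for access through the share."""
    share, ntfs = granted(share_acl, groups), granted(ntfs_acl, groups)
    if share == ntfs:
        limiting = "both"
    else:
        limiting = "share" if share < ntfs else "ntfs"
    return NAMES[min(share, ntfs)], limiting

# ACL from the original question, used at both the share and NTFS level.
QUESTION_ACL = {
    "ABC/Admin": "Full Control",
    "Everyone": "Read",
    "ABC/Engr": "Change",
    "ABC/User": "Change",
}
# The proposal: open share, all control done on NTFS.
OPEN_SHARE = {"Everyone": "Full Control"}
# Constructed mismatch: the ABC/Engr entry was never added on the share.
MISMATCHED_SHARE = {"ABC/Admin": "Full Control", "Everyone": "Read"}
# Constructed users and memberships.
USERS = {"admin1": ["ABC/Admin"], "engr1": ["ABC/Engr"], "guest1": []}

if __name__ == "__main__":
    for name, groups in USERS.items():
        for label, share in (("matched", QUESTION_ACL),
                             ("open", OPEN_SHARE),
                             ("mismatched", MISMATCHED_SHARE)):
            level, layer = effective(share, QUESTION_ACL, groups)
            print(f"{name:7} share={label:10} -> {level:12} limited by {layer}")
```

With the open share every user ends up with exactly what the NTFS ACL grants, so that ACL becomes the only control; with the mismatched share, engr1 is silently reduced to Read even though NTFS allows Change, which is the clash the replies describe troubleshooting.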