Access-based Enumeration - file permissions
  • Access-based Enumeration - file permissions

    Hey guys,

    I'm trying to set up a test 2008 server with the file server role and enable Access-based Enumeration. I have followed these instructions to create a share:

    http://blog.vmpros.nl/2009/03/17/mic...d-enumeration/

    I'm not sure what file or NTFS file permissions I should be giving each AD group that has or doesn't have access...

    Do I have to give any special permission on the root folder (share)?

    Sorry if this is confusing.

    Thanks!

  • #2
    Re: Access-based Enumeration - file permissions

    What permissions? Wouldn't that just depend on what they are doing with them? I mean, if it's an Accounting share, I would think only the accounting group should have read/modify. Maybe not even modify, who knows.

    As far as giving permission on the root share, you could, and then let the inheritance feature trickle down the permissions (unless you specifically deny). Depending on the time frame, the best advice I can give you (I'm a nub) is trial and error. You can always use the Effective Permissions tool on your share to check your work.
    Here is a link about inheritance with ABE:

    http://technet.microsoft.com/en-us/l.../dd834874.aspx

    Here is a MS whitepaper on ABE namespace:

    http://technet.microsoft.com/en-us/l.../dd759150.aspx

    Hope that helps. Yell at me if I'm wrong!


    • #3
      Re: Access-based Enumeration - file permissions

      According to 'the books', the way to do this is to create a group for each share. Something like ACL_Accounting_Read for your Accounting namespace share that has Read access. Just a side pointer though; it doesn't really help you move along with the project. (Or ACL_Accounting_Deny if you wanted a specific group with deny properties. You then have to go and set that group to deny.)


      • #4
        Re: Access-based Enumeration - file permissions

        MS best practice is to use AGULP:

        Accounts go into
        Global groups, which go into
        Universal groups (if you have multiple domains, otherwise skip), which go into
        Local (Domain Local) groups, which have
        Permissions applied to them

        Global groups should be functional, e.g. Accounts Dept.
        DL groups should be resource based, e.g. Sales_R or Sales_RW.
        If you do this properly, you only have to set permissions once for a new resource and can do everything by manipulating group memberships.

        (And yes, I know everyone who's taken the Server 2008 courses will be falling over themselves to tell me it's now "IGUDLP", but I'm old school and AGULP (especially of ) always sounds so much better.)
        Last edited by Ossian; 1st April 2010, 16:14.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Access-based Enumeration - file permissions

          Well, all I have is:

          root share

          accounts (only accounts have access to this)

          finance (finance has access to this)

          IT (IT only has access to this)

          What permissions do I give each group (Accounts, Finance, IT) so that they have read and write permissions but don't have any access to see the other groups?

          Do I have to set any security permissions on the root folder?

          Do you have to set inheritable permissions from the parent folder?

          Thanks again, guys.


          • #6
            Re: Access-based Enumeration - file permissions

            For the Accounts share (do similar for the others):
            Create an AccountsRW domain local group.
            Share the Accounts folder with (IMHO) Domain Admins Full Control, Authenticated Users Change.
            Go to NTFS permissions.
            Remove inherited permissions.
            Add AccountsRW with Modify permissions.
            Add Domain Admins with FC permission.
            Remove everything else except System and Creator Owner.

            To assign permissions, create another global group, "AccountsUsers".
            Add this to AccountsRW.
            Add users to AccountsUsers.
            Tom Jones
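The post #6 recipe scripted for the layout krayzie describes (one share, \\server\data, with Accounts, Finance and IT subfolders), as an added example that is not from the thread or from Ossian. It assumes PowerShell 2.0 or later with the ActiveDirectory module (RSAT) on the file server, run as a Domain Admin; 'CONTOSO' and 'D:\data' are placeholders, and the root-folder Read entry is my addition for the ABE case (post #6 shares each folder on its own).

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+, the ActiveDirectory module and a
# Domain Admin session. 'CONTOSO' and 'D:\data' are placeholders; group names follow the thread.
Import-Module ActiveDirectory
$Domain = 'CONTOSO'
$Root   = 'D:\data'
$Depts  = 'Accounts', 'Finance', 'IT'

# Build an NTFS Allow rule; the strings are coerced to the FileSystemRights/InheritanceFlags enums.
function New-Rule($Identity, $Rights, $Inherit, $Propagate = 'None') {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}
$Full = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

foreach ($Dept in $Depts) {
    # AGULP: people go in the global group, the global group goes in the domain local group,
    # and only the domain local group appears in the ACL.
    $RW = "${Dept}RW"; $Users = "${Dept}Users"
    New-ADGroup -Name $RW    -GroupScope DomainLocal -GroupCategory Security
    New-ADGroup -Name $Users -GroupScope Global      -GroupCategory Security
    Add-ADGroupMember -Identity $RW -Members $Users

    $Path = Join-Path $Root $Dept
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $Acl = Get-Acl $Path
    # "Remove inherited permissions": protect the DACL and discard inherited ACEs, then drop
    # any remaining explicit ACEs so only the four entries added below survive.
    $Acl.SetAccessRuleProtection($true, $false)
    $Acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $Acl.RemoveAccessRule($_) | Out-Null }
    $Acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'  'FullControl' $Full))
    $Acl.AddAccessRule((New-Rule "$Domain\Domain Admins" 'FullControl' $Full))
    $Acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'FullControl' $Full 'InheritOnly'))  # subfolders and files only
    $Acl.AddAccessRule((New-Rule "$Domain\$RW"           'Modify'      $Full))
    Set-Acl -Path $Path -AclObject $Acl
}

# Root folder (my addition): a user needs Read on 'data' itself to list it; ABE then hides the
# department folders the user has no Read on. 'None' inheritance keeps this ACE off the subfolders.
$RootAcl = Get-Acl $Root
$RootAcl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $RootAcl

# Share permissions (post #8's question). Effective access is the more restrictive of share and
# NTFS, so a share left at the default Everyone Read gives "can see files, access denied on create".
# net share /GRANT exists on Server 2008; ABE itself is switched on in Share and Storage Management.
net share "data=$Root" "/GRANT:Authenticated Users,CHANGE" "/GRANT:$Domain\Domain Admins,FULL"
```

Check the result with the Effective Permissions tab mentioned in post #2, once as a member of AccountsUsers and once as a non-member, before pointing real users at the share.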


            • #7
              Re: Access-based Enumeration - file permissions

              I can see the folders and files, but I get an access denied when I try to create a new document or new folder.

              What do I have to put on the root share?

              \\server\data\accounts

              The data folder is the shared folder.
              Last edited by krayzie; 7th April 2010, 06:49.



              • #8
                Re: Access-based Enumeration - file permissions

                Have you changed the SHARE permissions as well as the SECURITY ones?
                Tom Jones