Windows Server 2003 and Share Permissions - What’s New?

Share permissions haven’t changed with the times. Although it might be easier for the average test-goer if the share permissions were the same as NTFS permissions, this is not the case. Unfortunately, they do use some of the same names, which just serves to confuse the issue.

  • Full Control: Allows a user to create, delete, modify, and grant share permissions.
  • Read: Allows a user to read the contents of a folder, but not modify any contents. Users cannot create files either.
  • Change: Allows a user to create, delete, and modify the contents of a folder. This includes creating documents and subfolders.

There has been one fairly major change with Windows Server 2003: the default share permissions are now Everyone|Read (Everyone being the group). Windows NT and 2000 are notorious for security issues because their default share permissions are Everyone|Full Control. Realistically, this didn’t cause problems on systems where NTFS permissions were the primary method of security; there’s nothing wrong with relying on NTFS permissions to stave off any problems. Newbie admins, however, often confuse Share permissions with NTFS permissions and end up creating a jumble of permissions that is not only impossible to track and document, but frequently leaves security holes wide open for bad guys to get at the data.

One hole in particular involves the Guest account. Anonymous users who don’t have a local or domain account on the server are automatically mapped to the Guest account and allowed access to any resources that the Guest account can access. This is a pretty big hole, if you think about it. The solution, of course, is to disable the Guest account and create specialized accounts for any real guests who need access to the network data.

Another solution is to rely on NTFS permissions to stop any transgressions from occurring. Microsoft spent many years attempting to educate the population on how best to configure NTFS permissions in conjunction with Share permissions, but eventually they gave in and shipped Windows Server 2003 with default share permissions of Everyone|Read. While this may be okay for ‘younger’ administrators, veteran admins who rely on NTFS permissions as the be-all and end-all of file and folder security need to take this new default into account when integrating Windows Server 2003 shares into the rest of the network, since a share permission of Read caps network access at read-only regardless of what NTFS grants.
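An added example, not from the original article: a PowerShell audit that lists every share-level ACL entry through WMI, flags shares that still grant Everyone Full Control, and checks whether the built-in Guest account is enabled. The function names `Get-ShareAce` and `Test-GuestEnabled` are hypothetical, and the script assumes PowerShell with administrative WMI access to the server being checked.

```powershell
# Added example: audit share permissions and the Guest account via WMI.
function Get-ShareAce {
    param([string]$ComputerName = '.')
    # Only shares that carry an explicit share-level ACL appear in this class.
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($setting in $settings) {
        $sd = $setting.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) {
            Write-Warning "Could not read ACL for share '$($setting.Name)' (code $($sd.ReturnValue))"
            continue
        }
        # Skip empty entries so a missing DACL does not produce a bogus row.
        foreach ($ace in @($sd.Descriptor.DACL | Where-Object { $_ })) {
            # Standard share-level access masks.
            $rights = switch ([long]$ace.AccessMask) {
                2032127 { 'Full Control' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { 'Special (0x{0:X})' -f $_ }
            }
            $aceType    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            $isEveryone = $ace.Trustee.SIDString -eq 'S-1-1-0'   # well-known SID of Everyone
            New-Object PSObject -Property @{
                Share   = $setting.Name
                Trustee = $ace.Trustee.Name
                Type    = $aceType
                Rights  = $rights
                # Everyone + Allow + Full Control is the NT/2000-style default.
                Flagged = ($isEveryone -and $aceType -eq 'Allow' -and $rights -eq 'Full Control')
            }
        }
    }
}

function Test-GuestEnabled {
    param([string]$ComputerName = '.')
    # The built-in Guest account keeps RID 501 even if it has been renamed.
    $guest = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    return [bool]($guest -and -not $guest.Disabled)
}

Get-ShareAce | Sort-Object Share |
    Format-Table Share, Trustee, Type, Rights, Flagged -AutoSize
if (Test-GuestEnabled) {
    Write-Warning 'The built-in Guest account is enabled on this server.'
}
```

Shares flagged here depend entirely on NTFS permissions for protection, so review the NTFS ACL on the shared folder before changing the share-level entry.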
