I'd also add that these are file servers only. They are not terminal servers, where someone other than a "Domain Admin" would be able to TS into the server.

--- Original Message ---
From: "Arthur Reyes" <ARTADMIN@xxxxxxxxxxxxx>
To: thin@xxxxxxxxxxxxx
Subject: [THIN] [OT] NTFS Share/File Security

>I have a client that is in the process of adopting best practices
>for File sharing on their MS 2003 File Servers. They have been
>informed that ACLs need to be set both on the Share and on the
>Folder itself, i.e.
>
>Share$ = ShareUsers:Full
>D:\Share = ShareUsers:Full
>
>For the life of me, I can't understand why anyone would do this.
>I've reviewed groups and share permissions, and I see no
>scenario where the more liberal share permission vs. the more
>restrictive NTFS permission would somehow grant a group of users
>more or less access than is intended. Nor do I know of a
>vulnerability or exploit where one type of permission can be
>hacked while preserving the other kind of permission. All I do
>see is a convoluted security practice and administrative
>overhead, with no net gain.
>
>Age and experience have taught me that I can't possibly know
>everything, so I present to you, the illustrious masters, this
>question. Can anyone think of a reason
>(exploit/vulnerability/whatever) why you would set Share
>permissions and NTFS permissions when using one or the other
>would not result in more or less permissions than intended?
>
>I'm baffled.
>
>************************************************
>For Archives, RSS, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>//www.freelists.org/list/thin
>************************************************