NTFS permissions best practices
m***@gmail.com
2007-03-02 21:31:41 UTC
Are there any best practices out there for applying group policy to
NTFS permissions? I've found all kinds of stuff for setting up said
groups but nothing about applying them. I'm looking for things like
managing inheritance.
Herb Martin
2007-03-02 21:41:30 UTC
Post by m***@gmail.com
Are there any best practices out there for applying group policy to
NTFS permissions? I've found all kinds of stuff for setting up said
groups but nothing about applying them. I'm looking for things like
managing inheritance.
Very few people do it. Very few people are comfortable and
experienced enough with NTFS to actually do this, is my guess.

First get the permissions correct on a test (lab, prototype etc)
machine and then add them to the GPO for application to sets
of machines (domain, OU, or perhaps site).

Generally only those people who do their NTFS permission from
a command script ever maintain custom permissions carefully over
time -- but once you can move them to the GPOs successfully this
might work as well or even better.

Have you used SecEdit or Security Configuration and Analysis to
export/import/configure/analyze a systems security policies? This
can be a big help and those policies you export can be imported
into a GPO.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
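The export/analyze/configure cycle Herb describes, as an added PowerShell example (not code from the thread or from either poster): it writes a minimal security template with one [File Security] entry, runs secedit /analyze to report where the machine drifts from the template, and only runs secedit /configure when -Apply is given. The store path C:\Data\Finance and the group CONTOSO\Finance-Readers are assumptions; the match on the word "Mismatch" in the analysis log is also an assumption about secedit's log wording. Run it from an elevated prompt on the test machine first, as the post advises.

```powershell
# Added example, not code from the thread. Writes a security template with a
# [File Security] entry, analyzes the machine against it, and applies it only
# when -Apply is passed. Store path and reader group are assumptions.
param(
    [string]$Store       = 'C:\Data\Finance',           # assumed store
    [string]$ReaderGroup = 'CONTOSO\Finance-Readers',   # assumed domain group
    [switch]$Apply                                      # omit to analyze only
)

$Template = Join-Path $env:TEMP 'finance-fs.inf'
$Db       = Join-Path $env:TEMP 'finance-fs.sdb'
$Log      = Join-Path $env:TEMP 'finance-fs.log'

# Translate the group to a SID so the template does not depend on a display name.
$ReaderSid = ([System.Security.Principal.NTAccount]$ReaderGroup).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# SDDL: protected DACL (P) so nothing inherits from the parent. Administrators
# (BA) and SYSTEM (SY) get Full Control; the reader group gets Read & Execute
# (0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE). OICI = inheritable.
$Sddl = "D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;$ReaderSid)"

# Mode 0 = configure this folder, then propagate inheritable permissions to
# subfolders and files. 1 would replace every child's ACL; 2 = do not allow
# the permissions on this folder to be replaced.
$Mode = 0

# Single-quoted here-string so $CHICAGO$ stays literal.
$Header = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
'@
$Entry = ('"{0}",{1},"{2}"' -f $Store, $Mode, $Sddl)
Set-Content -Path $Template -Value ($Header + "`r`n" + $Entry) -Encoding Unicode

# Analyze first: the log records each template item as a match or a mismatch
# (assumption: mismatches are logged with the word "Mismatch").
secedit /analyze /db $Db /cfg $Template /log $Log /quiet | Out-Null
$Drift = Select-String -Path $Log -Pattern 'Mismatch' -SimpleMatch
if ($Drift) {
    "Drift detected against $Template :"
    $Drift | ForEach-Object { $_.Line }
} else {
    "No file security drift found."
}

# Apply only on request, restricted to the FILESTORE area so nothing else
# that might later be added to the template is pushed by accident.
if ($Apply) {
    secedit /configure /db $Db /cfg $Template /areas FILESTORE /log $Log /quiet
    "Applied $Template; review $Log."
}
```

The same .inf is what you import into a GPO under Computer Configuration, Windows Settings, Security Settings (right-click, Import Policy), so keeping the template as a file rather than editing ACLs in the GPO by hand gives you one artifact that serves the lab test, the analysis run and the GPO.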
Roger Abell [MVP]
2007-03-03 07:26:08 UTC
Post by m***@gmail.com
Are there any best practices out there for applying group policy to
NTFS permissions? I've found all kinds of stuff for setting up said
groups but nothing about applying them. I'm looking for things like
managing inheritance.
Taking your words at their face value, i.e. applying filesystem
permissions via GPOs, I have over time come to some decided
beliefs. The main one is that one should not use the filesystem
section in a GPO used for other policy settings that one changes.
This is because of how GPO client processing is done, namely
when a GPO is seen as changed it gets reapplied. Large stores
getting their ACLing set via GPO application can be lengthy.
Isolating filesystem sections into unchanged GPOs keeps this
most frequently unneeded work from being repeated.

As a side effect of the GPO client processing rules (upon
change of GPO), one does not really end up with the effect
one is after (i.e. state how it should be and get guaranteed
that it is so), but then that is true of GPO usage in general.
Because of this I tend to define filesystem settings in templates
first, rather than directly in GPOs. The templates can be applied
one-off on particular machines, but more importantly they may be
used for analysis for differences from the prescribed.

So much for usage of the filesystem section. I feel it to be a very
important capability but that it is very little used.

What you may be also indicating is group strategy design for use
in ACLing resources. That is another entire, larger topic.

Roger
Herb Martin
2007-03-03 09:24:51 UTC
Post by Roger Abell [MVP]
Post by m***@gmail.com
Are there any best practices out there for applying group policy to
NTFS permissions? I've found all kinds of stuff for setting up said
groups but nothing about applying them. I'm looking for things like
managing inheritance.
Taking your words at their face value, i.e. applying filesystem
permissions via GPOs, I have over time come to some decided
beliefs. The main one is that one should not use the filesystem
section in a GPO used for other policy settings that one changes.
This is because of how GPO client processing is done, namely
when a GPO is seen as changed it gets reapplied. Large stores
getting their ACLing set via GPO application can be lengthy.
Isolating filesystem sections into unchanged GPOs keeps this
most frequently unneeded work from being repeated.
Good point.
Post by Roger Abell [MVP]
As a side effect of the GPO client processing rules (upon
change of GPO), one does not really end up with the effect
one is after (i.e. state how it should be and get guaranteed
that it is so), but then that is true of GPO usage in general.
Because of this I tend to define filesystem settings in templates
first, rather than directly in GPOs. The templates can be applied
one-off on particular machines, but more importantly they may be
used for analysis for differences from the prescribed.
This is about "Security Templates" with SecEdit and Security
Configuration and Analysis MMC for those who don't use or know
these tools (well.)
Post by Roger Abell [MVP]
So much for usage of the filesystem section. I feel it to be a very
important capability but that it is very little used.
There is another issue with such ACL settings (File and Registry) in
that they are permanent even if the GPO is removed, or even if it is
just this section that is removed, unless another "counter" GPO is applied.

Since the NTFS permissions are actually applied to the file system
this will NOT go away just by removing the GPO.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Roger Abell [MVP]
2007-03-03 17:47:45 UTC
Post by Herb Martin
Post by Roger Abell [MVP]
Post by m***@gmail.com
Are there any best practices out there for applying group policy to
NTFS permissions? I've found all kinds of stuff for setting up said
groups but nothing about applying them. I'm looking for things like
managing inheritance.
Taking your words at their face value, i.e. applying filesystem
permissions via GPOs, I have over time come to some decided
beliefs. The main one is that one should not use the filesystem
section in a GPO used for other policy settings that one changes.
This is because of how GPO client processing is done, namely
when a GPO is seen as changed it gets reapplied. Large stores
getting their ACLing set via GPO application can be lengthy.
Isolating filesystem sections into unchanged GPOs keeps this
most frequently unneeded work from being repeated.
Good point.
Post by Roger Abell [MVP]
As a side effect of the GPO client processing rules (upon
change of GPO), one does not really end up with the effect
one is after (i.e. state how it should be and get guaranteed
that it is so), but then that is true of GPO usage in general.
Because of this I tend to define filesystem settings in templates
first, rather than directly in GPOs. The templates can be applied
one-off on particular machines, but more importantly they may be
used for analysis for differences from the prescribed.
This is about "Security Templates" with SecEdit and Security
Configuration and Analysis MMC for those who don't use or know
these tools (well.)
Post by Roger Abell [MVP]
So much for usage of the filesystem section. I feel it to be a very
important capability but that it is very little used.
There is another issue with such ACL settings (File and Registry) in
that they are permanent even if the GPO is removed, or even if it is
just this section that is removed, unless another "counter" GPO is applied.
Since the NTFS permissions are actually applied to the file system
this will NOT go away just by removing the GPO.
Yep, and a very significant point Herb.
I generally have two cases. One, where I have prescribed how
a store should be structured and ACL'd, organized to maximize
use of inheritance, avoid all Deny, etc. For that case I just define
a template of what should be. The other is a much more difficult
case, taking control of an existing hodge podge store but not
restructuring it. For that I attempt to get a template that matches
the existing. This then is copied and the copy (or copies) morphed
into a best match to the apparent use cases. In the end I have a
template for what is believed should be, and one to revert the
store to what was. This case is tedious if the store has a long,
unplanned history.

Roger
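Roger's second case (capturing an existing store's ACLs into a template that can revert it) and Herb's point that GPO-applied ACLs persist after the GPO is gone both come down to the same artifact: a template of what the store looks like now. The following is an added PowerShell example, not code from either poster. It walks a store, records every folder's DACL as SDDL into a [File Security] revert template, and reports the two things Roger's planned design avoids, explicit Deny ACEs and folders with inheritance switched off. The store it audits is a constructed throw-away tree under %TEMP% so the script runs stand-alone; the function names and the template path are my own.

```powershell
# Added example, not code from the thread. Captures a store's current DACLs
# into a revert template and flags Deny ACEs and broken inheritance.

function Get-StoreAudit {
    param([Parameter(Mandatory)][string]$Store)
    # One record per folder: whether inheritance is off, how many explicit
    # (non-inherited) Deny ACEs it carries, and its full DACL as SDDL.
    Get-ChildItem -Path $Store -Directory -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Protected = $acl.AreAccessRulesProtected
            DenyAces  = @($acl.Access | Where-Object {
                            $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }).Count
            Sddl      = $acl.Sddl
        }
    }
}

function Export-RevertTemplate {
    param([Parameter(Mandatory)][object[]]$Audit,
          [Parameter(Mandatory)][string]$Path)
    # Mode 0 re-applies the captured DACL and propagates inheritable ACEs;
    # that is what "put it back the way it was" needs.
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]',
               'signature="$CHICAGO$"', 'Revision=1', '[File Security]')
    $lines += $Audit | ForEach-Object { '"{0}",0,"{1}"' -f $_.Path, $_.Sddl }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

# --- constructed sample store under %TEMP% (not a real share) ---
$Store = Join-Path $env:TEMP ('acl-audit-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path "$Store\Projects\Archive" -Force
$null = New-Item -ItemType Directory -Path "$Store\Shared" -Force

# Make Archive look like part of an unplanned history: inheritance switched
# off and an explicit Deny (Delete for BUILTIN\Guests, S-1-5-32-546, which
# does not affect the current user so cleanup still works).
$acl = Get-Acl -Path "$Store\Projects\Archive"
$acl.SetAccessRuleProtection($true, $true)   # protect, keep copies of inherited ACEs
$guests = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                     -ArgumentList 'S-1-5-32-546'
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $guests, 'Delete', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path "$Store\Projects\Archive" -AclObject $acl

# Audit: the report should list Projects\Archive as Protected with one Deny ACE.
$audit = Get-StoreAudit -Store $Store
$audit | Where-Object { $_.Protected -or $_.DenyAces -gt 0 } |
    Format-Table Path, Protected, DenyAces -AutoSize

# Revert template: import into Security Configuration and Analysis, or feed to
# secedit /configure, to put the store back to this captured state.
$revert = Join-Path $env:TEMP 'store-revert.inf'
Export-RevertTemplate -Audit $audit -Path $revert
"Revert template written to $revert"

Remove-Item -Path $Store -Recurse -Force
```

Keep the revert template alongside the prescribed one from the start: because the ACLs written by a GPO or template stay on disk after the policy is removed, the captured "what was" template is the only clean way back.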
