
We're in the process of migrating from Novell Netware to a Windows 2K8 R2 infrastructure (AD, file server, print server, etc.).

My question is about ACLs. While Netware and Windows are totally different, I want to be sure my thinking is good before screwing everything up!

Here is the scenario:

F:
|
+-- DATA <= Shared as DATA with Access based enumeration
     |
     +-- Folder 1
     +-- Team 1's Folder
     +-- Team 2's Folder
     ...

In that case, by default, rights are inherited from F: down to the deepest folders.

What we want :

  • The Administrators group has Full Control top-down.
  • From DATA, ABE lists only the folders that users have access to (e.g. I'm in group Team 2, so I see Team 2's Folder).

From what I understand, at DATA I remove all inherited NTFS ACLs (e.g. the Users group), making sure to keep the Administrators group and the SYSTEM user.

After that, grant Full Control (or whatever rights are needed) on each folder to the groups or users that need access.

Am I wrong? Is there anything I should take care of?

Any help with my understanding will be very much appreciated.

Regards.

2 Answers


Correct.

I tend not to grant users Full Control, though, because I've had too many of them mess up the permissions. So I grant them all permissions except the Take Ownership and Change Permissions permissions.

And I'd probably advise setting up two groups for each folder you're granting access to: one for read-only access and one for modify access, since that tends to come up a lot in my experience, and the fewer people who can accidentally delete all the files, the less often I have to do restores from backup.

HopelessN00b
  • Is there a reason why (or maybe I'm doing something wrong) ABE works with a specific user and not with groups? I tested some folders with my user and ABE works, but if I replace my user with a group I'm in, the folder is hidden! – Patrick Pellegrino Nov 21 '12 at 19:53
  • I found something weird (for me!!)... if I navigate to \\server\share from a non-domain computer (authenticated with a domain account) I see no folders. If I log in on a domain computer with my account, ABE is in action and I only see the folders I have access to (rights given by groups I'm in). Normal? – Patrick Pellegrino Nov 21 '12 at 20:17
  • @PatrickPellegrino I honestly don't know. Would make an interesting question, I'd think, as a quick Googleshoot is also silent on the topic of ABE behavior on a domain machine accessed from a workgroup computer. – HopelessN00b Nov 21 '12 at 20:21
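The scheme from the question and this answer, as an added PowerShell example that is not part of the original thread. It assumes the share root is F:\DATA, a domain called CONTOSO, and that the per-folder groups CONTOSO\TeamN-RO and CONTOSO\TeamN-RW already exist in AD (all of these names are assumptions). It also grants CONTOSO\Domain Users read access to DATA itself with "this folder only" scope, which the question does not mention: without some readable entry on the share root, users cannot open \\server\DATA at all, and ABE only filters a listing the user is allowed to request. Enabling ABE on the share is a separate step (Share and Storage Management on 2008 R2).

```powershell
# Added example, not from the original question or answer. Run elevated on the file server.
# Assumed names: F:\DATA, domain CONTOSO, groups CONTOSO\TeamN-RO / CONTOSO\TeamN-RW.
$dataRoot = 'F:\DATA'

# One read-only and one modify group per folder, as the answer suggests.
$teamFolders = @{
    'Team 1''s Folder' = @{ RO = 'CONTOSO\Team1-RO'; RW = 'CONTOSO\Team1-RW' }
    'Team 2''s Folder' = @{ RO = 'CONTOSO\Team2-RO'; RW = 'CONTOSO\Team2-RW' }
}

# "All permissions except Take Ownership and Change Permissions":
# FullControl with the WRITE_OWNER and WRITE_DAC bits cleared (0x1301FF).
$rights       = [System.Security.AccessControl.FileSystemRights]
$keepFromUser = [int]$rights::TakeOwnership -bor [int]$rights::ChangePermissions
$modifyRights = [int]$rights::FullControl -band (-bnot $keepFromUser)
$readRights   = $rights::ReadAndExecute

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    # Allow ACE; by default it applies to this folder, subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    if ($ThisFolderOnly) { $inherit = [System.Security.AccessControl.InheritanceFlags]::None }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

# Step 1: at DATA, stop inheriting from F:\ and discard the inherited entries
# (this is where BUILTIN\Users from the question disappears). Re-grant SYSTEM and
# Administrators Full Control explicitly so they still reach every folder below,
# and give domain users just enough on DATA itself to open the share root.
$acl = Get-Acl -Path $dataRoot
$acl.SetAccessRuleProtection($true, $false)      # $false: do not copy the inherited ACEs
foreach ($rule in $acl.Access) { $acl.RemoveAccessRuleAll($rule) }   # drop explicit leftovers too
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'CONTOSO\Domain Users' $readRights -ThisFolderOnly))
Set-Acl -Path $dataRoot -AclObject $acl

# Step 2: each team folder inherits only SYSTEM/Administrators from DATA and gets
# its own two groups. With no entry for anyone else, ABE hides it from everyone else.
foreach ($name in $teamFolders.Keys) {
    $path   = Join-Path $dataRoot $name
    $groups = $teamFolders[$name]
    if (-not (Test-Path -Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-Ace $groups.RO $readRights))
    $acl.AddAccessRule((New-Ace $groups.RW $modifyRights))
    Set-Acl -Path $path -AclObject $acl
}

# Step 3: review. On a team folder the only inherited entries should be the two
# Full Control ACEs from DATA; everything else should be that folder's own groups.
foreach ($name in $teamFolders.Keys) {
    $path = Join-Path $dataRoot $name
    (Get-Acl -Path $path).Access |
        Select-Object @{n='Folder';e={$name}}, IdentityReference, FileSystemRights, IsInherited
}
```

All changes are made on the in-memory security descriptor and written once per folder by Set-Acl, so an error before that line leaves the folder untouched. The modify rights are computed rather than typed as a name because there is no built-in FileSystemRights value for "Full Control minus Take Ownership and Change Permissions"; the result shows up in the GUI as Special permissions.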

One thing I would definitely do is enable the limit on the folder depth to which ABE applies. Without this limit, serious performance issues may occur. The appropriate limit can only be determined by you; an example for a depth of 3 is below. This requires srv2.sys file version 6.1.7601.22055 or higher.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]  
"ABELevel"=dword:00000003  

More information:

High CPU usage on Windows Server 2008 R2 with ABE enabled
http://support.microsoft.com/kb/2732618

[...]
The value of the above mentioned key is set as follows:
Value = 0 : ABE is enabled for all levels (default behavior without key as well)
Value = 1 : ABE enabled for depth of 1 (\\server\share)
Value = 2 : ABE enabled for depth of 2 (\\server\share\folder)
And so on for multiple levels.

Greg Askew
  • In your experience, how deep do you let ABE go to get a good "security" vs. performance trade-off? – Patrick Pellegrino Nov 21 '12 at 14:54
  • That can only be determined by you. If the share could potentially have thousands of folders that are very deep, it could be a serious problem. If you don't expect a lot of folders, it may not be a problem. ABE is not the security mechanism; that is the Access Control Lists. ABE is a cosmetic feature intended to replicate functionality that previously existed in Novell. If a system doesn't have ABE enabled, that doesn't mean the data isn't secure. If someone can see a folder, that doesn't mean they can access the data within it or list its contents. – Greg Askew Nov 21 '12 at 16:30
  • You're right about the security thing. I shouldn't have used that word. – Patrick Pellegrino Nov 21 '12 at 18:27
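The ABELevel setting from this answer, applied with a version check, as an added PowerShell example that is not part of the original thread. The depth of 3 is the answer's own example value and is an assumption for your tree; the srv2.sys minimum version is the one the answer cites from KB2732618. Run it in an elevated 64-bit PowerShell on the file server.

```powershell
# Added example, not from the original answer: set ABELevel only when the
# installed srv2.sys is new enough to honour it (6.1.7601.22055+, per KB2732618).
$params     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$minVersion = [Version]'6.1.7601.22055'
$depth      = 3    # assumed: \\server\share\folder\subfolder; tune to your tree

# Build the driver version from the numeric fields. The FileVersion string on
# Windows binaries often carries a trailing build tag that [Version] cannot parse.
$vi = (Get-Item -Path "$env:SystemRoot\System32\drivers\srv2.sys").VersionInfo
$installed = New-Object Version -ArgumentList @(
    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

if ($installed -lt $minVersion) {
    Write-Warning "srv2.sys is $installed; ABELevel needs $minVersion or later (KB2732618). Not setting it."
    return
}

# Create or overwrite the DWORD. A missing key or a value of 0 means ABE walks every level.
if (-not (Test-Path -Path $params)) { New-Item -Path $params -Force | Out-Null }
New-ItemProperty -Path $params -Name 'ABELevel' -PropertyType DWord -Value $depth -Force | Out-Null

# Show what is now stored.
Get-ItemProperty -Path $params -Name 'ABELevel' | Select-Object ABELevel
```

LanmanServer parameters are generally read when the Server service starts, so to be sure the new value is in effect restart it (Restart-Service LanmanServer -Force, which drops current SMB sessions) or reboot; the KB linked in the answer is the authority on the exact requirement for this value.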