  1. #1

    NTFS Security Question

    I'm writing up a FAQ series of documents for the other region IT departments for our company, and one of the subjects I'm writing on is how to setup AD groups. I'm also including a troubleshooting area for common problems.

    Thinking about this brought up a question I'm not sure on -- I know that typically, if you have a Deny permission set for an individual user, it will override any Allow permissions given elsewhere for the same directory. However, what about in a scenario where, say, a user is a member of two AD groups -- we'll call them Group1 and Group2 -- where Group1 has Allow permission set to a directory while Group2 has Deny permission set. Is the user, being a member of both groups, therefore denied access?

    Basically, whereas Deny permissions override Allow permissions for ONE user, what about a user in MULTIPLE groups, where one group has Allow and the other Deny?

    My guess is Deny still overrides, but just wanted to confirm...
    Last edited by AngelicKnight; January 16th, 2008 at 10:56 PM.

  2. #2
    Senior Member
    Join Date
    Nov 2007
    Phoenix, Arizona
    Permissions are almost the same from Windows NT’s NTFS 4.0 to Windows 2000/XP/2003’s NTFS 5.0. One of the main differences is the way that permissions inherit down through the structure with inherited and explicit permissions. It used to be that, if there was a Deny permission on the ACL, it was always evaluated first, then the Allow permissions would follow. Now, the permission hierarchy must be evaluated considering not only the Deny vs. Allow, but whether the permission is explicitly set or inherited down from a parent resource.
    This is the summary from the end of the document HERE; it looks like inheritance has something to do with whether the individual would be allowed or denied access. Hope that helps.
    LOGIN: yes
    PASSWORD: I dont have one
    "Login Failed"

  3. #3
    Senior Member
    Join Date
    Dec 2007
    If a user is in multiple groups, and one of the groups has deny permissions to an object, the user will also be denied no matter what permissions the other groups have. The only way a user can access the object is if they have been explicitly allowed.

  4. #4
    Junior Member
    Join Date
    Dec 2006
    Gretna, LA
    "Groups are a great way to get increased complexity without increasing the administrative burden on network administrators, because all network operating systems combine permissions. When a user is a member of more than one group, which permissions does he have with respect to any particular resource? In all network operating systems the permissions of the groups are combined, and the result is what we call the effective permissions the user has to access the resource. Let's use an example from Windows 2000. If Timmy is a member of the Sales group, which has List Folder Contents permission to a folder, and he is also a member of the Managers group, which has Read and Execute permissions to the same folder, Timmy will have both List Folder Contents and Read and Execute permissions to that folder."

    -All-In-One Network+ Certification Exam Guide Third Edition, by Mike Meyers


    "In our scenario, we are going to look at a folder, C:\Data\HR, which contains both public and private files. We have allowed the C:\Data\HR folder to inherit the permissions from C:\Data, which includes just basic permissions from the root folder. We have also included the HR group on the ACL, giving the group Allow-Read & Execute permissions. The final explicit entry on the ACL is for the non-HR group, which is given Deny-Full Control.
    Below the HR folder are two files: Public.doc and Private.doc. The Public folder just allows for normal permission inheritance, so there are no special permissions added to the ACL. However, the private file has some explicit permissions added to the ACL. Since the Executive group needs to be able to read the contents of the private folder, this group is added explicitly with the Allow-Read & Execute permission. The result of this configuration is shown in Figure 5, which clearly shows that the Allow permission for the Executive group has a higher precedence than the Deny permission associated with the non-HR group. Since every executive is included in both groups, you can see that here is a case where Allow permissions have precedence over Deny permissions.

    Figure 5: Allow permissions can have precedence over Deny permissions
    The scenario proves that there is a hierarchy of permissions for NTFS 5.0 resources. The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:
    Explicit Deny
    Explicit Allow
    Inherited Deny
    Inherited Allow"

    Author: Derek Melber

  5. #5
    Crazy NTFS permissions -- I find that every time I start to think I have it figured out, someone proves me wrong.

    Thanks guys, this is just the kinda info I needed!

    I'm going to say that generally Deny overrides Allow...the exceptions seem to be in very unique situations like that described above...

  6. #6
    Apologies for double posting -- a final thought I wanted to add. Here's how I have it written so far:

    · Subdirectories created inside the shared directory by default are configured with the same permissions as the parent, unless manually specified otherwise.
    · Deny permissions usually override any Allow permissions specified elsewhere.
    · If a user is a member of multiple Active Directory groups, and any one of those groups has permission to the drive, the user will likewise have access.
    · Likewise, if a user is a member of multiple Active Directory groups, and any one of those groups has Deny permission to the drive, the user will usually be denied access, even if the user is a member of another group with “Allow” permission.
    · Always consider that in subdirectories of network shares, explicit Allow permissions may in certain cases override inherited Deny permissions set for a user or group.

    Does that sound more or less accurate, as far as general troubleshooting tips go?

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Most, Most, Least applies here.

  8. #8
    > Most, Most, Least
    Afraid I don't follow...

    I have the feeling I'm missing something obvious?

  9. #9
    They call me the Hunted (foxyloxley)
    Join Date
    Nov 2003
    3rd Rock from Sun
    permissions should be part of the planning process, but you must consider the GROUP set up as well. If you get the groups wrong, then no amount of tweaking permissions will help

    when setting up group strategy remember AGULP

    (A)ccounts can be members of-
    (G)lobal Groups can be members of-
    (U)niversal groups can be members of -
    (L)ocal or Domain Local Groups have -
    (P)ermissions assigned to them

    you can nest groups to ease administration, but only in one way, Universal can NEVER go into a Global Group

    Global groups would be the choice for people with the same job function, such as HR / Sales [MAX of 5000 per group; if more, create additional groups].

    Universal Groups are used to combine similar Global groups from different domains.

    Use Group Policy to restrict users, apply these permissions to the local / domain local groups

    RSoP = Resultant Set of Policy
    Tool to quickly determine the outcome of your applied permissions and group policies

    Now, permissions

    NTFS – set against groups, add all permissions, LEAST restrictive is what you get

    File permissions override Folder permissions :-
    Normally folder permissions will propagate down to child objects, if this is NOT true, file permissions will override

    Permissions are cumulative :-
    If a user is in a group with read permission and a group with write permission, they will have read AND write.

    Deny permissions take precedence over Allow permissions :-
    Explicit deny permission will always ‘beat’ any other permission [explicit, as in that specific user has a deny access to a particular folder; that’s the end of the permission for him]. If a group he is in has a deny set against them, then again he will lose all permissions given via other groups; should the deny be set higher, then an explicit allow will override that.

    Effective Permissions
    Quick check on effective NTFS permissions for user / group on a particular resource, by clicking on the effective permissions tab :doh:

    Share Permissions
    Set against a resource, again cumulative, add them up, LEAST restrictive is set

    When you have GROUPS accessing SHARED resources the following is used

    Add all NTFS permissions – least restrictive is set
    Add all share permissions – least restrictive is set
    Then take the most restrictive of the two sets

    Deny access overrides all (unless explicit access is granted)

    And AK grab books on MCSA exams 70-290 and 70-291
    also 70-270 for XP
    read em well, it's all in there
    and my head still hurts from the MCSE 2k3 exams
    Last edited by foxyloxley; January 18th, 2008 at 12:24 AM.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
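The evaluation rules spread across posts #4, #6 and #9 (explicit Deny before explicit Allow before inherited Deny before inherited Allow, cumulative Allow across a user's groups, and share permissions combined with NTFS by taking the more restrictive set) can be checked against a small model. The code below is an added example written for this thread, not taken from any post, book or Microsoft documentation; it models rights as plain string sets rather than real access masks, and every user, group, folder and file name in it is constructed for illustration. It reproduces the C:\Data\HR scenario from post #4, Timmy's cumulative permissions, and AngelicKnight's original Group1/Group2 question.

```python
"""Hypothetical, simplified model of how Windows evaluates an NTFS DACL."""
from dataclasses import dataclass, replace

# Rights modelled as string sets (constructed simplification; real NTFS uses bit masks).
FULL_CONTROL = frozenset({"read", "write", "execute", "list", "delete"})
SHARE_READ = frozenset({"read", "execute", "list"})        # share-level "Read"
SHARE_CHANGE = SHARE_READ | {"write", "delete"}            # share-level "Change"


@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group the entry applies to
    allow: bool             # True = Allow ACE, False = Deny ACE
    rights: frozenset       # rights this entry grants or denies
    inherited: bool = False # False = explicit on this object, True = propagated from a parent


def canonical_order(aces):
    """Windows canonical DACL order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. sorted() is stable, so inherited entries
    keep nearest-parent-first order."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def inherit(parent_aces, own_explicit=()):
    """Child DACL with propagation on: its own explicit entries plus a copy of
    every parent entry flagged as inherited."""
    from_parent = [replace(a, inherited=True) for a in canonical_order(parent_aces)]
    return list(own_explicit) + from_parent


def effective_rights(aces, principals):
    """Per-right effective access for a user, where 'principals' is the user's
    own name plus every group it belongs to. Walking in canonical order, the
    first matching entry decides each right: Allow entries accumulate (so
    permissions from several groups are cumulative) and a Deny met earlier
    wins for any right it covers."""
    granted, denied = set(), set()
    for ace in canonical_order(aces):
        if ace.trustee not in principals:
            continue
        undecided = ace.rights - granted - denied
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return frozenset(granted)


def effective_over_share(share_aces, ntfs_aces, principals):
    """Access through a network share: least restrictive within each set
    (cumulative Allow), then the most restrictive of the two sets."""
    return effective_rights(share_aces, principals) & effective_rights(ntfs_aces, principals)


# --- Constructed scenario after post #4 (all names illustrative) ---
DATA = [Ace("Users", True, SHARE_READ)]                    # C:\Data: basic permissions from root
HR = inherit(DATA, [
    Ace("HR", True, SHARE_READ),                           # explicit Allow-Read & Execute for HR
    Ace("non-HR", False, FULL_CONTROL),                    # explicit Deny-Full Control for non-HR
])                                                         # C:\Data\HR
PUBLIC_DOC = inherit(HR)                                   # Public.doc: inheritance only
PRIVATE_DOC = inherit(HR, [Ace("Executives", True, frozenset({"read", "execute"}))])

EXEC_USER = {"alice", "Everyone", "Users", "Executives", "non-HR"}   # an executive, also non-HR
HR_USER = {"bob", "Everyone", "Users", "HR"}

# Timmy from the Network+ quote: two groups, cumulative result
TIMMY = {"timmy", "Sales", "Managers"}
TIMMY_FOLDER = [Ace("Sales", True, frozenset({"list"})),
                Ace("Managers", True, frozenset({"read", "execute"}))]

# AngelicKnight's question: Group1 Allow and Group2 Deny on the same directory
BOTH_GROUPS = {"carol", "Group1", "Group2"}
EXPLICIT_DENY_DIR = [Ace("Group1", True, SHARE_READ), Ace("Group2", False, FULL_CONTROL)]
INHERITED_DENY_DIR = [Ace("Group1", True, SHARE_READ),
                      Ace("Group2", False, FULL_CONTROL, inherited=True)]

if __name__ == "__main__":
    print("executive on HR folder :", sorted(effective_rights(HR, EXEC_USER)))
    print("executive on Private.doc:", sorted(effective_rights(PRIVATE_DOC, EXEC_USER)))
    print("HR member on HR folder  :", sorted(effective_rights(HR, HR_USER)))
    print("Timmy                   :", sorted(effective_rights(TIMMY_FOLDER, TIMMY)))
    print("explicit Allow vs Deny  :", sorted(effective_rights(EXPLICIT_DENY_DIR, BOTH_GROUPS)))
    print("explicit Allow vs inh. Deny:", sorted(effective_rights(INHERITED_DENY_DIR, BOTH_GROUPS)))
    print("HR member via Read share:", sorted(effective_over_share(
        [Ace("Everyone", True, SHARE_READ)], [Ace("HR", True, FULL_CONTROL)], HR_USER)))
```

Running it shows the executive denied on the HR folder and Public.doc but granted read and execute on Private.doc (explicit Allow outranking the inherited Deny), Timmy holding list, read and execute together, Carol denied when both entries are explicit but allowed when the Deny is inherited, and the HR member capped at Read through a Read-only share despite Full Control in NTFS. One caveat worth adding to a FAQ: the explicit-over-inherited rule only holds because Windows keeps the DACL in canonical order; an ACL written out of order by a script or third-party tool is evaluated in whatever order the entries sit, and the Effective Permissions tab is the quickest way to confirm what a user actually gets.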
