In this article I cover Sharing Permissions in Windows Server 2019 and show how to assign permissions to users on a shared folder.
Permissions are a set of authorizations that determine the access level assigned to a user or group on resources such as folders and files. For example, one user can be given Read permission on a shared folder while another user is given both Read and Write permission on a shared folder.
In short, Permissions let you decide which users or groups are given permissions on a shared folder and arrange what those users or groups are authorized to do in it.
Permission types on file servers are divided into two:
1- Sharing Permissions (Sharing & Shared Folder Permissions)
2- Security & NTFS permissions (Security & NTFS Permissions)
NOTE: This series consists of 2 parts; Part 1, which you are reading right now, covers Sharing Permissions.
1- Sharing Permissions (Sharing & Shared Folder Permissions)
Before sharing permissions can be given on a folder over the network, that folder must first be shared. Without sharing, resources cannot be accessed over the network.
Sample Scenario-1
I have a folder named COMPANY on my server. I will share this folder and assign the necessary permissions to the users I have created, but before we start, a few points are worth mentioning:
• Sharing permissions can only be applied to folders.
• Sharing Permissions can be applied to folders on both FAT and NTFS formatted volumes.
• Sharing Permissions apply only when the shared folder is accessed via its UNC (Universal Naming Convention) path, that is, through \\Host Name or \\IP Address.
With these points in mind, I share my folder named COMPANY:
1- I click the Advanced Sharing... button on the Sharing tab of the Folder Properties window.

2- I select the Share this folder check box in the Advanced Sharing window.

3- Once the Share this folder check box is selected, the Permissions button, where permissions are assigned, becomes active.

Sharing permissions are defined in the Permissions window. There are 3 sharing permissions, and each can be set under 2 basic groups, Allow and Deny:
• Read,
• Change,
• Full Control.
ALLOW
● Read: The permission assigned by default to the Everyone group on folders. This permission provides:
• The ability to view the files and subfolders in the folder.

● Change: In addition to everything in the Read permission, it also includes the following:
• Viewing the files and subfolders in the folder,
• Making changes to the files in the folder,
• Deleting subfolders and files.
NOTE: If nothing is selected, that is, even if the Read permission is not active, selecting the Change option selects both Change and Read at the same time. In the opposite direction, clearing the Read option while both are selected clears both Change and Read at the same time.
However, when both are selected, clearing only the Change option removes only the Change permission.

● Full Control: It includes everything in the Read and Change permissions, as well as the right to change the permission assignments on the folders.
NOTE: If nothing is selected, that is, even if the Read and Change permissions are not active, selecting the Full Control option selects Full Control, Change and Read at the same time. In the opposite direction, clearing the Read option while all three are selected also clears the Change and Full Control options at the same time. However, when all three are selected, clearing only the Change option removes only the Full Control and Change options.

DENY
● Read: When this permission is selected, users and/or groups cannot access the folders in the share. Since they cannot gain access, they cannot do anything in the folder.

● Change: Since it also contains everything in the Read permission, nothing can be done in the folder.

● Full Control: Since it includes everything in the Read and Change permissions, it fully restricts the users and/or groups.

4- The field under Group or user names is the ACL (Access Control List). Users and/or groups are defined for Sharing Permissions by adding them to this ACL, and separate permissions can be defined for each user and/or group added to it.

5- I click the Add... button to add a user and/or group.

6- In the Select Users, Computers, Service Account or Groups window that appears, you can type the full user and/or group name in the Enter the object names to select field, or type part of the name and have the system find and complete it automatically by clicking the Check Names button on the right. I add the user Fırat Boyan.




6.1- My advice is to remove the Everyone group unless it is necessary, and to add to the ACL only the users and/or groups you want to assign permissions to.

7- I give Full Control ALLOW permission to the user Fırat Boyan on the folder named COMPANY.


8- After these steps, my folder named "COMPANY" is shared and the necessary permission has been given to the user Fırat Boyan.
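The same result as steps 1-8 can be scripted with the SmbShare cmdlets. This is an added example, not part of the original article; the folder path C:\COMPANY and the account name EXAMPLE\firat are assumptions, and the function name Set-CompanyShare is hypothetical.

```powershell
# Added example (not from the article): scripted equivalent of steps 1-8.
# Run in an elevated PowerShell session on the file server.
# Assumed values: the folder path and the account name below.
$ShareName = 'COMPANY'
$Path      = 'C:\COMPANY'       # assumed location of the COMPANY folder
$Account   = 'EXAMPLE\firat'    # assumed DOMAIN\user for Fırat Boyan

function Set-CompanyShare {
    param([string]$Name, [string]$FolderPath, [string]$FullAccessAccount)

    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) {
        # Already shared: add the Allow Full Control entry (steps 5-7).
        Grant-SmbShareAccess -Name $Name -AccountName $FullAccessAccount `
            -AccessRight Full -Force | Out-Null
    }
    else {
        # Steps 1-7 in one call: share the folder with the account in the ACL.
        New-SmbShare -Name $Name -Path $FolderPath `
            -FullAccess $FullAccessAccount | Out-Null
    }

    # Step 6.1: remove Everyone. Resolve the name from its well-known SID so
    # the comparison also works on non-English systems.
    $sid      = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if (Get-SmbShareAccess -Name $Name | Where-Object AccountName -eq $everyone) {
        Revoke-SmbShareAccess -Name $Name -AccountName $everyone -Force | Out-Null
    }

    # Return the resulting share ACL so it can be reviewed.
    Get-SmbShareAccess -Name $Name |
        Select-Object Name, AccountName, AccessControlType, AccessRight
}

Set-CompanyShare -Name $ShareName -FolderPath $Path -FullAccessAccount $Account
```

The share ACL alone does not grant access: the account also needs a Security (NTFS) permission on the folder itself.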

9- Logged in as the user Fırat Boyan on the computer with the host name PC01, I can reach the share through \\Host Name or \\IP Address.

10- When I clicked on my shared folder named "COMPANY", I got an error stating that I did not have the necessary permission to access it, even though I had defined Full Control ALLOW for the user Fırat Boyan.
This is because I did NOT assign the folder's own Security (Security-NTFS) permission.

Info: Whether a resource is accessed over the network or from the computer where the share was created, Security (Security-NTFS) permissions must always be assigned.
However, there is a distinction at this point:
• If the shared folder is accessed over the network, the Sharing Permission and the Security Permission are compared, and the most restrictive of the two is applied.
• If the shared folder is accessed from the computer on which it is shared, the Sharing Permission does not apply. Only the Security Permission is valid, and no comparison is made between them.
11- In line with the information above, I will now define a Security Permission (Security-NTFS Permission) for the user Fırat Boyan on the shared folder named "COMPANY" on the server.
11.1- I click the Edit... button.

12- In the window that appears, I click the Add... button to add the user Fırat Boyan to the ACL (Access Control List).

13- To add the user Fırat Boyan, I type firat and click the Check Names button. Once the name has been completed, I click the OK button to add it.

14- After my user is added, the Read permission is assigned by default.


15- When I access the share through \\Host Name or \\IP Address as the user Fırat Boyan on the computer with the host name PC01, I can now view the contents of the folder without any issues.

16- I try to create a New Folder in my shared folder.

16.1- As can be clearly seen, I cannot create a new folder even though I have defined Full Control ALLOW permission for the user Fırat Boyan.

The reason is that, for a shared folder accessed over the network, the Sharing Permission and the Security Permission are compared with each other.
Since the permission defined on the Security Permission side is Read, which is the most restrictive, it is the one applied even though the Sharing Permission is Full Control ALLOW.
NOTE: This matters because Security Permissions (Security-NTFS Permissions) also apply when a shared folder is accessed over the network; I will deal with them in more detail in my next article, titled Security & NTFS permissions (Security & NTFS Permissions).
Sample Scenario-2 (Continuation of Sample Scenario-1)
17- I also add the user Fırat Boyan to the Security Group named IT, which I created in Active Directory Users and Computers.

17.1- I assign Full Control ALLOW to the Security Group named IT.

17.2- This time I assign Full Control DENY to the user Fırat Boyan.

17.3- I accessed the share again through \\Host Name or \\IP Address as the user Fırat Boyan on the computer with the host name PC01. Although my user has Full Control ALLOW permission through the Security Group named IT, I got the error stating that I did not have the necessary permission.

This is because:
Even if a user is given ALLOW permission through a group, DENY always takes precedence over ALLOW.
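The two rules from both scenarios (over the network the most restrictive of the Sharing and Security permissions applies, and DENY overrides ALLOW) can be expressed as a small model. This is an added example, not from the original article: NTFS rights are simplified to the same levels as share rights, the ACLs are constructed to mirror the scenarios, the function names are hypothetical, and the Scenario 2 entries are assumed to be set on the share.

```powershell
# Added example: simplified model of the rules described in this article.
# Assumption: NTFS rights are reduced to the same levels as share rights.
$Rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }

function New-Ace {
    param([string]$Account, [string]$Type, [string]$Right)
    [pscustomobject]@{ Account = $Account; Type = $Type; Right = $Right }
}

function Get-AclLevel {
    # Result of one ACL for a user plus the groups the user belongs to.
    param([object[]]$Acl, [string[]]$Principals)
    $matching = @($Acl | Where-Object { $Principals -contains $_.Account })
    # A matching Deny entry overrides every Allow entry.
    if ($matching | Where-Object { $_.Type -eq 'Deny' }) { return 'None' }
    $best = 'None'
    foreach ($ace in $matching) {
        if ($Rank[$ace.Right] -gt $Rank[$best]) { $best = $ace.Right }
    }
    return $best
}

function Get-EffectiveAccess {
    param([object[]]$ShareAcl, [object[]]$NtfsAcl, [string[]]$Principals, [switch]$LocalAccess)
    $ntfs = Get-AclLevel -Acl $NtfsAcl -Principals $Principals
    # Access from the server itself: share permissions are not evaluated.
    if ($LocalAccess) { return $ntfs }
    $share = Get-AclLevel -Acl $ShareAcl -Principals $Principals
    # Access through the UNC path: the more restrictive side applies.
    if ($Rank[$share] -lt $Rank[$ntfs]) { return $share }
    return $ntfs
}

# Constructed ACLs mirroring the article; 'firat' is an assumed logon name.
$who       = 'firat', 'IT'                      # user plus group membership
$shareFull = @(New-Ace firat Allow Full)        # step 7
$ntfsRead  = @(New-Ace firat Allow Read)        # step 14
$shareDeny = @((New-Ace IT Allow Full), (New-Ace firat Deny Full))  # steps 17.1-17.2

[ordered]@{
    'Step 10 (no NTFS entry yet)' = Get-EffectiveAccess $shareFull @() $who
    'Scenario 1 over the network' = Get-EffectiveAccess $shareFull $ntfsRead $who
    'Scenario 2 over the network' = Get-EffectiveAccess $shareDeny $ntfsRead $who
    'Scenario 2 on the server'    = Get-EffectiveAccess $shareDeny $ntfsRead $who -LocalAccess
}
```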
This concludes the first part of this series, on Sharing Permissions.
I also recommend reading the second part of the series, NTFS (Security Permissions) and Sharing Permissions Part-2 in Windows Server 2019.
I hope you find it useful.
You can share any opinions and suggestions, and ask any questions you have, using the comment form below.