Access-based enumeration displays only the files and folders that a user has permissions to access. Make sure access-based enumeration is enabled. Then give Read permissions to the parent folder, rather than sharing each individual application folder separately. For example, if users require the Read permission for several application folders, store those folders in the same parent folder.
Organize your resources so that objects with the same security requirements are located in the same folder. Departments can organize their folders how they want, but don't allow junk folders. If you don't lock down the root-level hierarchy, your neat folder structure will quickly be destroyed. Don't even let managers or executive create folders at the top 1 or 2 levels. Create sub-folders in it to segregate and organize data according to job roles and security requirements.Įnsure that only IT can create root-level folders.
This approach centralizes the administration of share permissions.Īll permissions changes should be audited as they occur, and the permissions hierarchy should be audited at least once a year.Ĭreate a top-level folder that will serve as the root storage folder for all user-created data (for example, C:\Data). Have users log on using domain user accounts rather than local accounts. For example, if a you need to give someone Read/Write permissions for all of the \Finance folder but not \Finance\Budget, you're gonna have a bad time later.
If something would break inheritance, then it either needs to move up a level or you need to reassess who's got what permissions on the parent folder. There will be a few folders where this may be necessary, but generally avoid it. Remove the Everyone permission from every resource except the global folder designated for file exchanges.Ĭreate a Global Deny group so that when employees leave the company, you can quickly remove all their file server access by making them members of that group.Īvoid breaking permissions inheritance as much as possible. For example, if users need only to read information in a folder and not to change, delete or create files, assign the Read permission only. Modify rights should be all that's necessary for most users.Īssign the most restrictive permissions that still allow users to perform their jobs. Full Control enables users to change NTFS permissions, which average users should not need to do. Avoid giving users the Full Control permission.
0 kommentar(er)
