Opinions differ on this, and the answer to your item 2 can either fall out
from your use requirements, or your philosophy on things, or both.
Note that there are really three choices:
1. make the share permissions excessive and exert all control with
NTFS permissions only
2. make the NTFS permissions excessive and exert all control with
share permissions only
3. use both (effectively), whether necessary or not
There are many access control patterns that cannot be effected if one
uses only the share permissions with a sufficiently loose NTFS setting.
If the use cases do not force you to use of the NTFS permissions
then choices 1 and 2 could work.
I sort of see this like your having a car with an alarm system that you
can turn on and you also have one of those "club" steering-wheel locks.
So, do you use only the igition lock? or do you use the added protection?
The answer probably depends on the value of the car and how badly
you want to protect it, and also the difficulty of effecting the protection.
I see using both effectively (that is, to make minimally sufficient grants)
akin to turning on the car alarm - that is, it is simple (compare to using
the "club" which can be cumbersome).
So I guess you see where I stand, item 3, since it is a one-time action to
set up and results in your using what exists (as compared to voluntarily
disabling some of the available protection).
"Bad Beagle" wrote in message
>I have some remote work stations that have currently been added to our
>domain. We cannot host their data on our servers so the remote work
>stations have a data they share with other workstations in the office. It
>is currently only locked down by share permissions. I have two issues:
>
> 1. NOw users on our lan can browse to these computers and see their data
> 2. Is there any advantage to go through the work of locking down with
> ntfs
>
FAQ
Search
Profile
Private Messages
Log in
