Channel: File Services and Storage Forum

Best Practices for DFS Structure and NTFS Permissions


We have a brand new DFS namespace (called "Data") which is currently hosted on a Windows Server 2008 R2 DC with no replication enabled at the moment.

"\\domain.local\Data"

Within this, we need to create other directories such as:

 - "Users" containing subdirectories for each user home directory, e.g. "\\domain.local\Users\John.Smith". Only the user in question and admin team (defined by a security group) must be able to access each home directory folder.
 - "Management" containing confidential company data. Only the admin team and the directors (again, defined by a security group) are allowed to access this.
 - "Departments" containing subdirectories for each department, e.g. "\\domain.local\Departments\Sales". Only users in the appropriate department must be able to access their department's folder and not those belonging to other departments.
 - "Shared" which will be an area that all users can read and write to (Domain Users).

Previously, we have taken a least-privilege approach, whereby only the System account, Administrator account and built-in Domain Admins group have Full Access to the root of the folder structure. All subdirectories inherit their NTFS permissions from the parent and additional permissions are granted where necessary down the directory structure. This approach seemed to work well for basic file shares, but not so well when we used domain-based namespaces in DFS.

As an example, we have seen that if a user does not have at least "List Folder Contents" privileges to the directories above their DFS-based home directory, Microsoft Office applications seem to hang when using the File > Open method to open files. Word/Excel/PowerPoint simply waits on "Trying to connect to \\domain.local\Users\John.Sm..." for about 20 mins, times out and then carries on as normal without any issues when browsing through folders. This is then fine until the application is restarted, at which point the same thing happens again.
Simply granting "List Folder Contents" NTFS permissions to all users on the "Users" directory or root namespace folder seems to correct this. However, with inheritance enabled, this will then allow all users to view the contents of all other home directories unless the inheritance is removed and the permissions manually set on each home directory.

I have found a lot of articles suggesting different approaches to securing DFS roots and folders, but was hoping to clarify the recommendations and best practices for assigning NTFS permissions to DFS namespaces and directories.

Also, I have read that it is recommended to apply any permission changes to the local data path (e.g. D:\Data\Departments and not \\domain.local\Data\Departments). Is this correct?

Finally, I was also interested to know if there is any benefit to creating new folders through DFS Management or if it is best to simply create them as normal through Explorer?

Thanks for any comments.
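The folder layout described in the post, as an added example that is not part of the original post: a PowerShell script that applies the NTFS ACLs with icacls on the local data path of the folder-target server. The point it illustrates is the inheritance problem raised above: the "browse through" right for Domain Users is granted on the container folders as a this-folder-only entry (no (OI)/(CI) flags), so it never inherits into the sibling home or department folders, while the Full Control entries for SYSTEM and the admin accounts still flow down from the root. Every concrete name below is an assumption for the illustration: the data path D:\Data, the admin team group DOMAIN\FileAdmins, the directors group DOMAIN\Directors, home folders named after each user's sAMAccountName, and department folders named after a matching security group.

```powershell
# Added example, not from the original post. Assumed names: D:\Data, DOMAIN\FileAdmins,
# DOMAIN\Directors, home folders named after sAMAccountNames, department folders named
# after matching groups. Run from an elevated prompt on the server holding the folder targets.
$Root      = 'D:\Data'
$Domain    = 'DOMAIN'
$Admins    = "${Domain}\FileAdmins"
$Directors = "${Domain}\Directors"
$AllUsers  = "${Domain}\Domain Users"

# Principals that get Full Control on the whole tree. (OI)(CI) = inherit to files and folders.
$FullControl = @(
    'NT AUTHORITY\SYSTEM:(OI)(CI)F',
    'BUILTIN\Administrators:(OI)(CI)F',
    "${Domain}\Domain Admins:(OI)(CI)F",
    "${Admins}:(OI)(CI)F"
)

# 1. Root: remove inherited entries and replace the DACL with the Full Control set in one
#    call, so the folder is never left without an explicit administrative entry.
icacls $Root /inheritance:r /grant:r $FullControl

# 2. Containers everyone has to browse through: Read & Execute on THIS FOLDER ONLY.
#    Without (OI)/(CI) the entry does not inherit, so a user can list "Users" and step
#    into their own home folder but gets nothing on the other home folders.
$usersPath = Join-Path $Root 'Users'
$deptPath  = Join-Path $Root 'Departments'
foreach ($container in $Root, $usersPath, $deptPath) {
    New-Item -ItemType Directory -Path $container -Force | Out-Null
    icacls $container /grant "${AllUsers}:(RX)"
}

# 3. Home directories: inheritance stays enabled (SYSTEM/admins still arrive from the root,
#    the this-folder-only entry from step 2 does not); add Modify for the owning user only.
Get-ChildItem -Path $usersPath -Directory | ForEach-Object {
    icacls $_.FullName /grant "${Domain}\$($_.Name):(OI)(CI)M"
}

# 4. Departments: Modify for the department's own group (assumed to share the folder name).
Get-ChildItem -Path $deptPath -Directory | ForEach-Object {
    icacls $_.FullName /grant "${Domain}\$($_.Name):(OI)(CI)M"
}

# 5. Management: directors only, on top of the inherited administrative entries.
$mgmt = Join-Path $Root 'Management'
New-Item -ItemType Directory -Path $mgmt -Force | Out-Null
icacls $mgmt /grant "${Directors}:(OI)(CI)M"

# 6. Shared: all users can read and write.
$shared = Join-Path $Root 'Shared'
New-Item -ItemType Directory -Path $shared -Force | Out-Null
icacls $shared /grant "${AllUsers}:(OI)(CI)M"

# 7. Verify. The Users container should list "Domain Users:(RX)" with no inheritance flags;
#    a home folder should show only SYSTEM, the administrative principals and its own user.
icacls $usersPath
Get-ChildItem -Path $usersPath -Directory | Select-Object -First 1 | ForEach-Object { icacls $_.FullName }
```

The script deliberately edits the local path (D:\Data\...) rather than the namespace path, so the ACL lands on the folder target itself; if the namespace root share is a different directory from D:\Data, the same this-folder-only Read & Execute entry for Domain Users is needed on that root directory as well, since that is the listing users hit first. To audit the result later, `icacls <path>` on each container should show exactly one non-administrative entry, with `(RX)` and no `(OI)` or `(CI)`.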

