I am sure this topic has been beaten to death, but in all of the searching I have done, I have yet to be able to find a post or article to explain what I am looking to accomplish. Instead, I am finding "this is how you set it up" -- regardless of what you want to do.
My company has 2 main file servers. There are a handful of shares off of each. Each share contains most of the data that we use on a day to day basis (Excel files / Access databases / Word docs / etc.). These file servers have been in place longer than I have been here - and they are 98% set up so that everyone can access everything, full control.
As I am sure you can imagine, this has grown completely out of control and is just a complete mess at the moment. To make things even better, a few days ago we got hit with a virus that modified attributes on every top level directory in our shares - except for the folders that users didn't have access to modify. So now the push is on to "secure" our file servers.
I understand the difference between share permissions and NTFS permissions - the small percentage of folders on our server that have some sort of security on them, I was the one that set it up. For these I have followed the AGDLP model.
My goals are:
a) We want to make it so that users cannot modify top level folders or create new ones. So if the share is \\server\share - none of our users should be able to create or delete a folder under the share folder. I would also love to make it so that exe / scripts in the share root would not run as well, if possible.
b) Given how historically we have been so wide open with our data - we have databases and macros and all sorts of things that pull from "anywhere" on the share - so we are not interested (right now) in getting too sophisticated, for example, only marketing people can access the marketing folder, same for accounting, same for distribution, etc. So if we had a \\server\share\accounting - authenticated users can do what they want in here. Create files, create folders, modify folders etc. It would be sweet if the end users could not modify permissions or attributes.
c) Once I know how to set this up - I will be looking for advice on how to implement it into our current shares. I already know that if I go to the top level folder that is shared and try to modify things (I have had to do this before, as domain admin) - there are some folders that I do not have access to.
Is there some sort of doc / book / TechNet article out there that can give me some sort of direction on this? I have been searching for "windows file share permissions best practices" or "ntfs best practices". I seem to keep coming back to NTFS vs Share permissions and how to apply them.
Thanks in advance.
sb
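The NTFS layout that goals (a) and (b) describe, as an added example that is not part of the original post and not taken from any Microsoft document: the share root gets a "this folder only" read ACE so nobody but admins can add, rename or delete top-level folders, and each top-level folder gets Modify rather than Full Control so users cannot change ACLs or ownership. The path D:\Share and the group names are placeholders; the attribute-blocking switch is an assumption about what is tolerable in this environment and defaults to off.

```powershell
# Added example (not from the original post or any Microsoft doc): NTFS ACLs for goals (a) and (b).
# Placeholder: D:\Share is the local path behind \\server\share.  Run elevated on the file server and
# rehearse on a copy of the tree; Set-Acl on a folder re-propagates inherited ACEs down its subtree.
$ShareRoot  = 'D:\Share'
$Users      = 'NT AUTHORITY\Authenticated Users'
$WriteGroup = $Users          # swap for an AGDLP domain-local group when access is narrowed later
$FSR  = [System.Security.AccessControl.FileSystemRights]
$IF   = [System.Security.AccessControl.InheritanceFlags]
$PF   = [System.Security.AccessControl.PropagationFlags]
$Both = $IF::ContainerInherit -bor $IF::ObjectInherit     # "this folder, subfolders and files"

function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, [System.Security.AccessControl.AccessControlType]::Allow)
}
# Replace a folder's DACL with exactly these ACEs: break inheritance and drop the old explicit entries.
function Set-ExplicitAcl($Path, $Aces) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}
$adminAces = @(
    (New-Ace 'BUILTIN\Administrators' $FSR::FullControl $Both $PF::None),
    (New-Ace 'NT AUTHORITY\SYSTEM'    $FSR::FullControl $Both $PF::None)
)

# (a) Share root: ReadAndExecute on "this folder only" lets users list the root and step into subfolders
# but not create, rename or delete top-level folders.  Files left in the root stay readable (old links
# and macros keep working) but lose Execute, so an .exe there cannot be launched.  Interpreted scripts
# (.bat/.vbs) are only *read* by their interpreter; AppLocker or Software Restriction Policies stop those.
Set-ExplicitAcl -Path $ShareRoot -Aces ($adminAces + @(
    (New-Ace $Users $FSR::ReadAndExecute $IF::None $PF::None),
    (New-Ace $Users $FSR::Read $IF::ObjectInherit $PF::InheritOnly)
))

# (b) Each top-level folder: Modify, not Full Control.  Modify omits ChangePermissions and TakeOwnership,
# so users cannot rewrite the ACLs.  Removing WriteAttributes too is possible but breaks tools that set
# timestamps or the archive bit, so it is an opt-in here.
$BlockAttributeChanges = $false
$subRights = $FSR::Modify
if ($BlockAttributeChanges) {
    $subRights = [System.Security.AccessControl.FileSystemRights](
        [int]$FSR::Modify -band -bnot ([int]$FSR::WriteAttributes -bor [int]$FSR::WriteExtendedAttributes))
}
foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
    Set-ExplicitAcl -Path $dir.FullName -Aces ($adminAces + @(New-Ace $WriteGroup $subRights $Both $PF::None))
}
```

Folders deeper in the tree that carry their own explicit ACEs (the ones that block even a domain admin today) are left untouched by this, so list them with `icacls D:\Share /T` before applying and decide on each one separately.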