Avoiding Permissions Problems
It's no big secret that the most significant feature in Windows 2000 is security. Microsoft gives you lots of methods for securing your system. These methods include everything from digital certificates to encryption to simple file permissions.
In spite of all of the new features, you still have to use permissions effectively to get any security at all. Don't get me wrong--I'm not saying that all the new security features aren't important, because they are. However, if you don't take care of business at the lower levels first, then higher-level security features won't do you much good.
Because there are many ways to assign permissions, you may wonder which is the right way. There's really no right or wrong way to assign permissions--you should just be consistent with the methods you use. Jumping back and forth between security methods can lead to confusion and dramatically increases the potential for overlapping permissions.
When permissions overlap, Windows 2000 combines them and assigns the user the resulting combination. Normally, the result isn't too bad: If a user belongs to one group that has read access to a folder and to another group that has read and write access to the same folder, the combined permissions are read and write, which you wanted the user to have. However, if a user belongs to one group that has read access to a folder and to another group that denies access to the same folder, the denial always takes precedence--and thus the user will be locked out of the folder.
Fortunately, you can use some techniques to decrease the chances of overlapping permissions. The following methods offer the most security with the fewest potential problems:
- Always use file permissions at the resource level. This is a good practice because file permissions protect shared resources both locally and across the network. You'll still have to use network shares to make the resources available to users, but I recommend setting the share points to allow everyone to have full control. By doing so, you won't have the problems caused by double permissions. Anyone will be able to access the share point, but the permissions you assign at the file level will determine what they can do with the files and directories within the share.
- Never assign file-level permissions directly to users--only assign them to groups. This way, if a user has too many permissions or too few permissions to a shared resource, you won't have to chase down a million individual permissions. Instead, you can simply look at the user's group memberships to determine where the problem lies.
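The combination rules described above, as an added example that is not part of the original article: a simplified Python model in which allows from all of a user's groups add up, any deny wins, and network access needs both the share and the file permissions to allow a right. All group names, users and ACL entries are constructed sample data, and details of real ACL evaluation such as inheritance and entry order are not modeled.

```python
# Simplified model of the permission-combination rules in the article.
# Every name and ACL entry below is constructed sample data.
READ = {"read"}
WRITE = {"read", "write"}
FULL = {"read", "write", "full_control"}

# File-level ACL for one folder: (trustee, kind, rights)
NTFS_ACL = [
    ("Staff", "allow", READ),
    ("Editors", "allow", WRITE),
    ("Contractors", "deny", FULL),
    ("jsmith", "allow", FULL),  # granted directly to a user, not a group
]
SHARE_ACL = [("Everyone", "allow", FULL)]  # open share, as the article recommends
GROUPS = {"Staff", "Editors", "Contractors", "Everyone"}
MEMBERS = {
    "alice": {"Staff", "Editors", "Everyone"},
    "bob": {"Staff", "Contractors", "Everyone"},
}

def effective(acl, user):
    """Union of matching allows minus union of matching denies."""
    trustees = MEMBERS.get(user, set()) | {user}
    allowed, denied, deny_sources = set(), set(), []
    for trustee, kind, rights in acl:
        if trustee not in trustees:
            continue
        if kind == "deny":
            denied |= rights
            deny_sources.append(trustee)  # remember which group locks the user out
        else:
            allowed |= rights
    return allowed - denied, deny_sources

def network_access(user):
    """Over the network a right must pass both the share ACL and the file ACL."""
    share_rights, _ = effective(SHARE_ACL, user)
    ntfs_rights, deny_sources = effective(NTFS_ACL, user)
    return share_rights & ntfs_rights, deny_sources

def direct_user_aces(acl):
    """Entries whose trustee is not a group: the pattern the article says to avoid."""
    return [trustee for trustee, _, _ in acl if trustee not in GROUPS]

if __name__ == "__main__":
    for user in sorted(MEMBERS):
        rights, blocked_by = network_access(user)
        print(user, sorted(rights), "denied via", blocked_by)
    print("direct user entries:", direct_user_aces(NTFS_ACL))
```

Because the share grants Everyone full control, the file-level ACL alone decides the outcome, and the returned deny source points at the group membership to check when a user is locked out.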
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.