Are NTFS and Share Permissions a bit too complicated?
Most administrators know that NTFS permissions combine with Share Permissions. A surprising number of them still get things tangled up when working out effective permissions.
April 26, 2010
Most Windows Administrators know that NTFS permissions combine with Shared Folder permissions when it comes to working out effective permissions.
What I’ve generally found though is that while this is understood in theory, in practice effective permissions are implemented incorrectly. Users are granted write access to files that they should only have read access to, and users have read access to files to which they are supposed to have write access.
The problem with NTFS permissions is that, once they are combined with Share permissions, it takes an administrator a few minutes of head scratching to figure out what access a person actually has, especially if the user is a member of multiple groups. It isn’t that these permissions don’t work when properly applied; it is just that they are complex, and the more complex something is, the less likely it is to be used properly.
Anyone who has worked on a helpdesk can tell you about untangling permissions. When a user rings up and says that they should have access to a certain file that they cannot access, a merry chase ensues: the person taking the call has to figure out whether the permissions are indeed set correctly and the caller should not have access to the file, or whether the permissions have been set incorrectly and need to be changed.
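To make the combination rule concrete, here is an added model (not part of the original post) of how the cumulative NTFS permissions for a user and all of their groups are intersected with the cumulative Share permissions when the file is reached over the network; the user and group names and the simplified rights sets are constructed for illustration.

```python
from dataclasses import dataclass

# Atomic rights used by this model (a simplification of the NTFS access mask)
READ = frozenset({"read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership"}

# Labels from the NTFS and Share permission dialogs, mapped to atomic rights
LEVELS = {"Read": READ, "Modify": CHANGE, "Change": CHANGE, "Full Control": FULL}

@dataclass(frozen=True)
class Ace:
    principal: str    # user or group name
    level: str        # key of LEVELS
    deny: bool = False

def cumulative(acl, user, groups):
    """Rights accumulate across the user and every group they belong to;
    an explicit deny on any of them removes those rights again."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(LEVELS[ace.level])
    return frozenset(allowed - denied)

def effective(ntfs_acl, share_acl, user, groups, via_share=True):
    """Over the network the result is the most restrictive of the cumulative
    NTFS and cumulative Share sets; local (console/RDP) access is NTFS only."""
    rights = cumulative(ntfs_acl, user, groups)
    if via_share:
        rights &= cumulative(share_acl, user, groups)
    return rights

# Constructed sample (hypothetical names): Alice is in Finance and Staff.
# NTFS grants Finance Modify and Staff Read; the share grants Everyone Read.
NTFS_ACL = [Ace("Finance", "Modify"), Ace("Staff", "Read")]
SHARE_ACL = [Ace("Everyone", "Read")]
ALICE_GROUPS = {"Finance", "Staff", "Everyone"}

if __name__ == "__main__":
    # Via the share Alice is read-only; logged on locally she can modify.
    print(sorted(effective(NTFS_ACL, SHARE_ACL, "alice", ALICE_GROUPS)))
    print(sorted(effective(NTFS_ACL, SHARE_ACL, "alice", ALICE_GROUPS, via_share=False)))
```

The share-level Read is why a user who "should be able to edit" a file from their desk often can: the NTFS ACL was fixed, but the share was never widened beyond Read.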
NTFS permissions also aren’t entirely effective as a security mechanism. Although a person may only have read access to a file on a file server, they can copy that file away from the file server and change the permissions once the file is stored in another location. Similarly, NTFS permissions can’t stop you from emailing a file that you can read to someone outside your organization.
In the long term the best way of setting file access rights is probably going to be through Active Directory Rights Management Services, where the same read/write permissions apply to the file independently of where it is stored. With AD RMS, a user who has permissions that limit them to opening a file and making changes to it has those same permissions whether they’ve received the file in email, accessed it from a file share or downloaded it from a SharePoint site.
At the moment AD RMS is more complicated to configure than NTFS permissions, and most administrators haven’t really played with it and are not aware of its capabilities. In the long run it will probably replace NTFS permissions as organizations move to platforms that support AD RMS’s capabilities.