My Share level permissions catharsis
So, I had a run-in once, a little while back, with a file migration from several Windows servers to a NetApp CIFS share. Super trivial stuff. Sys admin 101.
During this migration, I assigned permissions as I always had: Share-level permissions very loose, Full Control to Everyone or Authenticated Users (since no users are local Administrators, they cannot access Share permissions); NTFS permissions very tight.
This specific item was cited by HR when I was severely reprimanded later, with my manager (a MSFT wizard) present.
Today, I faced a situation that caused a real, tangible catharsis of that experience and wanted to mention the details.
Where I am now, the SMB shares were “exposed”: Everyone had Full Control SMB permissions. So, the other night, since I had previously been so severely punished, I scaled back permissions as follows: removed Everyone, and added Domain Users with Change SMB permissions. NTFS permissions are very secure, of course.
Today, I walk in to find out that some of my co-worker’s software can no longer create files anywhere on one of the shares. “But why?” I ask myself, knowing and proving full well that the user’s ACE has Full Control on the folder.
Knowing my novice programming skills, the co-worker sends over the function call that is erroring with “Access Denied”:
// dwDesiredAccess = GENERIC_ALL: asks for every right on the file, including WRITE_DAC and WRITE_OWNER
CreateFile(Pchar(filename), GENERIC_ALL, 0, nil, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
To confuse everything even more, a native file I/O API (Stream) is able to create the file without a problem.
This being interesting, I tested the function with and without Full Control SMB access. Sure enough, without access the function failed (“Access denied”), with access the function succeeded.
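Why a GENERIC_ALL open fails under Change while a plain read/write open succeeds comes down to how the server evaluates the requested access mask. The model below is an added illustration (not code from the original post, and not Windows source): the generic bits in dwDesiredAccess are widened to file-specific rights using the documented file GENERIC_MAPPING, and the result must be a subset of the share permission AND the NTFS ACE. The constants are the winnt.h values; the three share levels are the masks the Share Permissions dialog grants. The NTFS mask is set to Full Control, as on the page, to show that a generous NTFS ACE does not rescue a request the share level cannot satisfy.

```python
# Added model of the SMB share-level access check (illustration, not Windows code).
# The requested access mask is checked as a whole: ask for more rights than the
# share grants and the open is denied even if the work itself only needed read/write.

GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL     = 0x10000000

# GENERIC_MAPPING for file objects: what the generic bits expand to
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_WRITE   = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_ALL_ACCESS      = 0x001F01FF

# Names for the specific and standard rights, used to report what is missing
RIGHT_NAMES = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Access masks granted by the three share-permission levels
SHARE_LEVELS = {
    "Read":         0x001200A9,       # read data/EA/attrs, execute, READ_CONTROL, SYNCHRONIZE
    "Change":       0x001301BF,       # Read + write data/EA/attrs, append, DELETE
    "Full Control": FILE_ALL_ACCESS,  # Change + FILE_DELETE_CHILD, WRITE_DAC, WRITE_OWNER
}


def map_generic(desired):
    """Replace GENERIC_* bits with the file-specific rights they stand for."""
    specific = desired & 0x0FFFFFFF          # keep any specific bits already present
    if desired & GENERIC_READ:
        specific |= FILE_GENERIC_READ
    if desired & GENERIC_WRITE:
        specific |= FILE_GENERIC_WRITE
    if desired & GENERIC_EXECUTE:
        specific |= FILE_GENERIC_EXECUTE
    if desired & GENERIC_ALL:
        specific |= FILE_ALL_ACCESS
    return specific


def names(mask):
    """Human-readable list of the rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


def open_check(desired, share_level, ntfs_mask):
    """Return (granted, rights requested but not granted).

    Effective access is the intersection of the share permission and the NTFS ACE;
    every bit the caller asked for must be inside it or the open fails.
    """
    wanted = map_generic(desired)
    allowed = SHARE_LEVELS[share_level] & ntfs_mask
    missing = wanted & ~allowed
    return missing == 0, names(missing)


if __name__ == "__main__":
    ntfs = FILE_ALL_ACCESS   # the user's NTFS ACE: Full Control on the folder
    for level in ("Change", "Full Control"):
        # the co-worker's call: CreateFile(..., GENERIC_ALL, ...)
        print(level, "GENERIC_ALL         ->", open_check(GENERIC_ALL, level, ntfs))
        # what a stream-style open typically asks for
        print(level, "GENERIC_READ|WRITE  ->", open_check(GENERIC_READ | GENERIC_WRITE, level, ntfs))
```

Under Change, the GENERIC_ALL open is short three rights the share never grants (FILE_DELETE_CHILD, WRITE_DAC, WRITE_OWNER), so the server answers ACCESS_DENIED before NTFS is even consulted; the same user opening with GENERIC_READ | GENERIC_WRITE gets through. The caller-side fix is to request only the rights actually needed (or MAXIMUM_ALLOWED); the server-side fix is the one the TechNet guidance gives, leaving share permissions at Full Control and doing the real access control in NTFS.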
Tonight, I will be rolling back my over-securing of the SMB permissions… because, after all, as we all already know:
“If you want to manage folder access by using NTFS permissions exclusively, set Share permissions to Full Control for Everyone. This frees you from having to think about Share permissions, but NTFS permissions are more complex than Share permissions.” – http://technet.microsoft.com/en-us/library/cc754178(WS.10).aspx
So, there you have it.
I guess I could argue (against myself) that I didn’t have the will or the want to bother doing this research when the issue arose. I suppose I had a feeling when I immediately “on-boarded” at the company that I was an unwanted risk. In fact, I didn’t even have warning or time to counteract the reprimanding, and a letter offering me severance after three months of employment was hard to pass up. Five days before I joined, a new director had joined the company to lead my team and a few others, and my team was to take a journey down a pathway where my skill sets didn’t fit, exactly.
After all was said and done, I did get asked “Did you feel overwhelmed?” My answer was a wholehearted “No, I didn’t… Stressed trying to adjust to a new job, with a different corporate culture than I was used to [including days that started at 10AM, unheard of for production support in Finance]; yes. Overwhelmed; no.”
It has been hard to “come back” from such an event, attempting to put in perspective what happened and why everything worked out the way it did. Luckily for me, the entire situation was resolved within a single fiscal quarter, and I learned a great lesson. My professional year 2010 showed me who I was professionally, how I can be better and where to improve my professional self, and what I should be wary of, and it motivated me to do these things.