Microsoft KB Archive/254219

= Security considerations when implementing clustered file shares =

Article ID: 254219

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0 Enterprise Edition

-



This article was previously published under Q254219



SUMMARY
This article describes how to administer file share security in Microsoft Windows Server 2003 and Microsoft Windows 2000 clustering, and to a limited extent Microsoft Windows NT 4.0 Enterprise Server.



MORE INFORMATION
This article assumes basic knowledge of the difference between share level and filesystem level security.

186496 Securing a common folder

You can also search for permissions, security, and share in Windows NT 4.0 Help.

General Information

 * In all cases, Microsoft recommends you keep security simple. The standards team or appropriate IT division should determine which type of security to use, and lock down at that level. If you mix share level and filesystem level permissions, you can create significant administrative difficulties. In most scenarios, filesystem permissions are preferred.
 * Regardless of the operating system, rights should not be granted to a local group for a directory hosted on the shared drive. Windows 2000 and Windows NT 4.0 Member Servers each have their own unique local user database. Access Control Entries that reference a local SID have no meaning after the storage resource and share are failed over to another node. In theory, it is possible to duplicate local resources across the cluster nodes; in practice, however, it involves far too much overhead, is more prone to error, and is unsupported.
 * The cluster service account requires at least NTFS read privileges to the directory to properly create the share.

Normal Share
Normal Shares are the most flexible and easily understood in terms of security. The only real difference is that you administer share level security using the cluster user interface instead of Windows Explorer. You administer NTFS level security using Windows Explorer.

For more information about creating cluster file shares, click the following article number to view the article in the Microsoft Knowledge Base:

224967 How to create file shares on a cluster

Share Subdirectories
Subdirectory shares are available in versions of Windows NT later than Windows NT 4.0 Service Pack 4. Windows NT 4.0 Service Pack 5 or later automatically creates and deletes the shares. This share allows administrators to rapidly create directories to host large numbers of shares. A root share is specified, and all subdirectories one level below the specified root are created as regular shares. These shares inherit the same share level permissions as the root share. Unless this is the desired behavior, share-level permissions should be left to Everyone, and security implemented on the file system level.

For more information about subdirectory shares, click the following article number to view the article in the Microsoft Knowledge Base:

194831 SP4 Cluster shares must be reset to recognize added subdirectories
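As an added example (not part of this KB article), the following PowerShell script implements the check behind the note in General Information about local SIDs on a clustered disk: it walks a share root and its first-level subdirectories (the layout that subdirectory shares use) and reports NTFS access control entries that reference this node's own accounts, or SIDs that no longer resolve to a name. It assumes PowerShell 3.0 or later on the node that currently owns the disk; the path S:\ClusterShares and the function name are placeholders.

```powershell
# Added example, not from the KB article. Reports NTFS ACEs on a clustered directory
# that reference node-local principals, which stop meaning anything after failover.
# Assumes PowerShell 3.0+ on the node that currently owns the disk; paths are placeholders.
function Find-NodeLocalAces {
    param([Parameter(Mandatory = $true)][string]$Path)

    $node = $env:COMPUTERNAME
    $acl  = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $reason = $null

        # "NODE1\Name": a user or group from this node's own SAM database.
        if ($id -like "$node\*") {
            $reason = 'local account or group on this node'
        }
        # A raw S-1-5-21-... that Windows could not translate to a name is usually
        # an orphaned SID from another node's local SAM, left behind by a failover.
        elseif ($id -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $reason = 'unresolvable SID (likely another node''s local principal)'
        }
        # BUILTIN\, NT AUTHORITY\, Everyone and DOMAIN\ principals resolve on every
        # node, so they are not reported (BUILTIN group membership is still per node).

        if ($reason) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Reason    = $reason
            }
        }
    }
}

# Walk the share root and its first-level subdirectories, the layout that
# subdirectory shares use, and list every offending entry.
$root = 'S:\ClusterShares'   # placeholder: root directory of the clustered share
@($root) + @(Get-ChildItem -LiteralPath $root -Directory | ForEach-Object FullName) |
    ForEach-Object { Find-NodeLocalAces -Path $_ } |
    Format-Table -AutoSize
```

Run it on the node that currently owns the disk resource; entries reported as unresolvable SIDs are the ones that were granted on a different node and silently stopped applying after failover.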

DFS Root
DFS root is only available in Windows 2000. You can administer stand-alone DFS roots within a cluster. You can use share level permissions for the root through the cluster administrator user interface and you can administer each link through file share permissions on the appropriate server. However, this method of controlling access can be difficult for DFS trees spanning a large number of servers and links. We recommend you administer DFS trees by leaving file share level permissions open and use NTFS filesystem permissions to restrict access. Note that filesystem security is not possible on links that point to FAT or FAT32 volumes.

For more information about DFS Roots in Cluster Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

220819 How to configure DFS root on a Windows 2000 Server cluster

241452 How to install Distributed File System (DFS) on Windows 2000

Additional query words: mscs

Keywords: kbclustering kbenv kbhowto kbnetwork KB254219


© Microsoft Corporation. All rights reserved.