Monday, November 4, 2013

Full Control v Modify - Why you should be using modify in most cases

Full control is a set of permissions that I see granted quite a bit, perhaps more frequently than it needs to be. For example, I see quite a large number of customers with the full control NTFS permission set for each user on their network home folders, or a group with full control to their departmental network shares. I'm a firm believer in using the modify permission instead of full control in these situations, and this is why:

When a user has full control, they are able to modify the permissions and owner of items that they have full control to. This is because the full control item in the permissions dialog grants Change Permissions and Take Ownership rights.

 
Modify contains every right that full control does, except for Change Permissions and Take Ownership.

By granting modify instead of full control, the user can still create, delete, change, and move files within their folders, but they cannot change the permissions or the owner of these files. This ensures that the permissions you as the administrator have set on these shares remain uniform.

Even if users are not malicious or mischievous enough to change these settings, many (poorly written) applications will break inheritance when saving files, and you end up with individual files and folders that do not follow your designated permission model. By giving users modify instead of full control, these applications cannot misbehave, since the files must be saved with the permissions and inheritance rules set on the parent folder.

In a typical scenario, say a payroll departmental share, I may use the following NTFS permissions. Consider using something like this as a base for the NTFS permissions on shares in your organization.

NTFS Permissions

Full Control:
SYSTEM
Administrators

Modify:
Payroll_Share_Users
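
The baseline above, applied with PowerShell and followed by an audit for the drift described earlier (broken inheritance, or a non-admin principal holding Change Permissions or Take Ownership). This is an added example, not the author's own script; the share path `D:\Shares\Payroll` and the `CONTOSO` domain are assumptions.

```powershell
# Added example. Assumed values: the share path and CONTOSO domain are hypothetical.
$Path  = 'D:\Shares\Payroll'
$Group = 'CONTOSO\Payroll_Share_Users'

# ACEs apply to this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule($Identity, $Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $prop, $allow
}

# 1. Apply the baseline to the share root.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting from the parent; drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear remaining explicit ACEs
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule $Group                   'Modify'))
Set-Acl -Path $Path -AclObject $acl

# 2. Audit everything below the root for drift from that model.
#    ACEs expressed as generic rights (e.g. on CREATOR OWNER) are not decoded here.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$danger  = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
    $a = Get-Acl -LiteralPath $_.FullName
    # Allow ACEs that let a non-admin principal rewrite the ACL or take ownership.
    $over = $a.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $danger) -ne 0
    }
    if ($a.AreAccessRulesProtected -or $over) {
        [pscustomobject]@{
            Path              = $_.FullName
            InheritanceBroken = $a.AreAccessRulesProtected
            CanChangeAcl      = ($over.IdentityReference.Value -join ', ')
            Owner             = $a.Owner
        }
    }
}
```

Run the audit half on its own against an existing share first; any row it returns is a file or folder that no longer follows the parent's permissions.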


3 comments:

  1. Excellent post. Same reason I use Modify on users' home folders as well. They can still do everything they need to and it's one less thing to worry about causing a potential problem down the road.

  2. Also, Cryptowall. Want to spread Cryptowall throughout your network? Giving all users full control to their folders is a good way to start.
