The case to limit share permissions

12th December 2019

I have been recommending that all of my clients limit share permissions. Recently a client wanted to allow access to a business partner via TsWeb. Because they wanted to view files, they had Explorer published to them. I added them to Domain Guests (not Domain Users), but it immediately became apparent that share security was wide open, as they could see every server and browse through the shares, even creating and changing files.

Thus I finally got approval to replace the Everyone group on share permissions with the Domain Users group.

I still need to test out restrictions to the Domain Controller SYSVOL and NETLOGON shares. A quick search suggests it's safe to replace Everyone with Authenticated Users, but really I want that to be Domain Users.

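NTFS permissions use the least restrictive group membership: when a user belongs to several groups, the most permissive of the NTFS entries is the one that counts. Share permissions act like a filter on top of that, but are only applied at the top-most level, the share itself. (Search for the "least-restrictive / most-restrictive" rule.)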
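
One way to find and replace the Everyone entries described above, as an added example that is not part of the original post. The domain name `CONTOSO` is a placeholder and the `-Apply` switch is a parameter of this example script; SYSVOL and NETLOGON are skipped because the post leaves them untested. Run it elevated on the file server.

```powershell
# Added example: report SMB shares that allow "Everyone", and optionally
# swap that entry for Domain Users at the same access level.
param(
    [string]   $Replacement = 'CONTOSO\Domain Users',  # placeholder domain name (assumption)
    [string[]] $Skip        = @('SYSVOL', 'NETLOGON'), # not yet tested, so left alone
    [switch]   $Apply                                  # without this, the script only reports
)

# Resolve the well-known SID S-1-1-0 so the check also works on localized systems.
$everyone = ([System.Security.Principal.SecurityIdentifier]'S-1-1-0').
    Translate([System.Security.Principal.NTAccount]).Value

# -Special $false leaves out the administrative shares (C$, ADMIN$, IPC$).
$shares = Get-SmbShare -Special $false | Where-Object Name -NotIn $Skip

foreach ($share in $shares) {
    $aces = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow'
    }

    foreach ($ace in $aces) {
        $right   = "$($ace.AccessRight)"
        $changed = $false

        if ($Apply -and $right -in 'Full', 'Change', 'Read') {
            # Grant first, then revoke, so Domain Users never lose access mid-change.
            Grant-SmbShareAccess -Name $share.Name -AccountName $Replacement `
                -AccessRight $right -Force | Out-Null
            Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone `
                -Force | Out-Null
            $changed = $true
        }
        elseif ($Apply) {
            Write-Warning "$($share.Name): '$right' access for $everyone needs manual review."
        }

        # One row per Everyone entry found, whether or not it was changed.
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Right    = $right
            Replaced = $changed
        }
    }
}
```

Run it once without `-Apply` to review the list of affected shares, then again with `-Apply` once the NTFS permissions underneath each share have been checked.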