NTFS\Share Permissions - Best Practice

Newbie Jones 1,306 Reputation points
2022-05-26T16:03:26.913+00:00

I can still see lots of resources on the web that state it's best practice to set "Everyone\Full Control" at the share level and restrict access using NTFS permissions.

I can remember this being taught in the training courses back in the day, but I thought in the last decade, this was no longer the recommendation.

I've always mirrored the NTFS permissions on the share. I never use "Everyone" permissions on the Share or folder unless it's specifically needed and the data isn't important (which has been never until this point in my life).

Can anyone point me in the direction of official Microsoft documentation that supports either scenario? Happy to be proven wrong.

I've always based this on the premise of least privilege. It's not least privilege if you give "Everyone" rights.

It also offers a level of protection if you do then set the NTFS permissions incorrectly which is why this question is being asked.
Too many instances of the NTFS permissions being set incorrectly, being compounded by the Everyone permissions on the share.

Windows Server
Active Directory

Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2022-05-26T21:34:14.953+00:00

    I'm not sure there is an official best practice anymore. As with most permissions/security-based questions, it depends.

    Least privilege on the share works if you only have a few permissions assigned to the share and directories. However, if you have a complex permissions structure on a large folder structure, then the management of the share permissions can become a significant overhead. So using everyone on share permissions simplifies the management, requiring changes to be made in only one place.

    The other advantage of using the everyone permission on the share is that directory traversal is easier to implement.

    The option to set the permissions on either the share or the files, or both, provides flexibility to deliver your use cases, based on your security, risk, trust, and management requirements.

    Gary.

    1 person found this answer helpful.
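
The failure mode raised in the question (a broad share grant compounding a mis-set NTFS ACL) can be checked for directly. The following is an added example, not part of the original thread: it lists shares where a broad principal holds Change or Full at the share level and reports whether the NTFS ACL on the share root also grants that kind of principal write access. The `$broad` list is an assumption to adjust for your environment, and the script assumes an elevated session on the file server with English account names.

```powershell
# Added example (not from the thread): find shares where a broad share-level
# grant is NOT backed by a restrictive NTFS ACL on the share root.

# Principals treated as "broad". Assumption: adjust for your domain/locale.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# NTFS rights that let a principal change or remove data.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor [int]$fsr::Delete

Get-SmbShare -Special $false | Where-Object { $_.Path } | ForEach-Object {
    $share = $_

    # Share-level ACEs that allow Change or Full to a broad principal.
    $shareBroad = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
        [string]$_.AccessControlType -eq 'Allow' -and
        $_.AccountName -in $broad -and
        [string]$_.AccessRight -in 'Full', 'Change'
    })
    if ($shareBroad.Count -eq 0) { return }   # share ACL is already narrow

    # NTFS ACEs on the share root that allow write-type rights to a broad principal.
    # Only the root is checked; subfolders with broken inheritance need a recursive pass.
    $ntfsBroad = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        [string]$_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $broad -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    })

    [pscustomobject]@{
        Share          = $share.Name
        Path           = $share.Path
        ShareGrant     = ($shareBroad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsBroadWrite = ($ntfsBroad | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        # Both layers open: nothing restricts write access over the network.
        Exposed        = ($ntfsBroad.Count -gt 0)
    }
} | Sort-Object Exposed -Descending | Format-Table -AutoSize -Wrap
```

Rows with `Exposed` set to `True` are the shares where neither layer restricts write access; rows with `False` rely entirely on the NTFS ACL staying correct.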
