This article describes how to administer file share
security in Microsoft Windows Server 2003 and Microsoft Windows 2000
clustering, and to a limited extent Microsoft Windows NT 4.0 Enterprise Server.
This article assumes basic knowledge of the difference
between share level and filesystem level security.
Securing a common folder
You can also search for permissions, security, and
share in Windows NT 4.0 Help.
- In all cases, Microsoft recommends you keep security
simple. The standards team, or appropriate IT division should determine which
type of security to use, and lock down at that level. If you mix share level
and filesystem level permissions, you can create signficant administrative
difficulties. In most scenarios, filesytem permissions are
- Regardless of the operating system, rights should not be
granted to a local group for a directory hosted on the shared drive. Windows
2000 and Windows NT 4.0 Member Servers have their own unique user databases.
Access Control Entries that reference a local SID have no meaning after the
storage resource and share are failed over to another node. In theory, it is
possible to duplicate local resources across the cluster nodes, however, in
practice it involves entirely too much overhead, is more prone to error and is
- The cluster service account requires at least NTFS read
privileges to the directory to properly create the share.
File Shares By Type
Normal Shares are the most flexible and easily understood in
terms of security. The only real difference is that you administer share level
security using the cluster user interface instead of Windows Explorer. You
administer NTFS level security using Windows Explorer.
For more information about creating cluster file shares,
click the following article number to view the article in the Microsoft
How to create file shares on a cluster
Subdirectory shares are available in versions of Windows NT later
than Windows NT 4.0 Service Pack 4. Windows NT 4.0 Service Pack 5 or later
automatically creates and deletes the shares. This share allows administrators
to rapidly create directories to host large numbers of shares. A root share is
specified, and all subdirectories one level below the specified root are
created as regular shares. These shares inherit the same share level
permissions as the root share. Unless this is the desired behavior, share-level
permissions should be left to Everyone, and security implemented on the file
For more information about subirectory shares, click
the following article numbers to view the articles in the Microsoft Knowledge
SP4 Cluster shares must be reset to recognize added subdirectories
DFS root is only available in Windows 2000. You can administer
stand-alone DFS roots within a cluster. You can use share level permissions for
the root through the cluster administrator user interface and you can
administer each link through file share permissions on the appropriate server.
However, this method of controlling access can be difficult for DFS trees
spanning a large number of servers and links. We recommend you administer DFS
trees by leaving file share level permissions open and use NTFS filesystem
permissions to restrict access. Note that filesystem security is not possible
on links that point to FAT or FAT32 volumes.
For more information about DFS Roots in
Cluster Server, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
How to configure DFS root on a Windows 2000 Server cluster
How to install Distributed File System (DFS) on Windows 2000