– Only allow Admins write access to root folders
– NTFS permissions at root directory for the “Everyone” group: Traverse Folder, List Folder
– Enable access-based enumeration on the share so users see only the folders they have access to
– Create and apply security domain local groups with explicit permission semantics such as:
— FILESERVER1_Global_Accounting_ReadOnly or SHAREPOINT_Accounting_ReadOnly
— FILESERVER1_Global_Accounting_Modify
— FILESERVER1_Global_Accounting_FullControl
– Create a Global Deny group and add every disabled account to it
– Apply the Global Deny group to the root directory with a Deny Full Control permission
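The steps above carried out end to end in PowerShell, as an added example that is not code from the original post. It uses the ActiveDirectory and SmbShare modules and the `FileSystemAccessRule` class. The server name FILESERVER1 and the Accounting group names come from the post; the domain `CORP`, the group OU, the share path `D:\Shares\Global`, the share name, the Deny group's name `FILESERVER1_Global_Deny`, the share-level permission and the SYSTEM entry on the root are assumptions for illustration.

```powershell
# Added example: applies the post's file server steps. Everything marked
# "assumed" is a placeholder, not a value from the post.
#Requires -Modules ActiveDirectory, SmbShare

$ShareRoot = 'D:\Shares\Global'                        # assumed root folder
$ShareName = 'Global'                                  # assumed share name
$GroupOU   = 'OU=FileServerGroups,DC=corp,DC=example'  # assumed OU for the groups
$Domain    = 'CORP'                                    # assumed NetBIOS domain name
$DenyGroup = 'FILESERVER1_Global_Deny'                 # assumed name of the Global Deny group

# 1. Domain local security groups whose names state the permission they grant.
$DeptGroups = @{
    'FILESERVER1_Global_Accounting_ReadOnly'    = 'ReadAndExecute'
    'FILESERVER1_Global_Accounting_Modify'      = 'Modify'
    'FILESERVER1_Global_Accounting_FullControl' = 'FullControl'
}
foreach ($name in (@($DeptGroups.Keys) + $DenyGroup)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# 2. Every disabled user account goes into the Deny group. Re-run this on a
#    schedule, and remove accounts from the group when they are re-enabled.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly
if ($disabled) { Add-ADGroupMember -Identity $DenyGroup -Members $disabled }

# Helper: build one ACE. Default flags make the entry inherit to subfolders and files.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
function New-Ace($Identity, $Rights, $Type, $Flags = $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Flags, $NoProp, $Type)
}

# 3. Root folder: stop inheriting from the drive, then set exactly the ACEs we want.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)                    # drop inherited ACEs
foreach ($rule in $acl.Access) { $acl.RemoveAccessRule($rule) | Out-Null }  # drop leftovers
# Admins are the only principals allowed to write at the root.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
# SYSTEM is not in the post's list; it is kept (assumed) so backup and VSS keep working.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
# Everyone: Traverse Folder + List Folder on "this folder only" (no inheritance).
$acl.AddAccessRule((New-Ace 'Everyone' 'Traverse, ListDirectory' 'Allow' ([System.Security.AccessControl.InheritanceFlags]::None)))
# Global Deny group: Deny Full Control, inherited by every subfolder and file.
# Deny ACEs are evaluated before Allow ACEs, so this overrides any Allow below.
$acl.AddAccessRule((New-Ace "$Domain\$DenyGroup" 'FullControl' 'Deny'))
Set-Acl -Path $ShareRoot -AclObject $acl

# 4. A department folder gets only its three groups; Admins, SYSTEM and the Deny
#    entry arrive by inheritance, the Everyone entry does not (this-folder-only).
$dept = Join-Path $ShareRoot 'Accounting'
New-Item -ItemType Directory -Path $dept -Force | Out-Null
$deptAcl = Get-Acl -Path $dept
foreach ($g in $DeptGroups.GetEnumerator()) {
    $deptAcl.AddAccessRule((New-Ace "$Domain\$($g.Key)" $g.Value 'Allow'))
}
Set-Acl -Path $dept -AclObject $deptAcl

# 5. Share the root with access-based enumeration so users only see folders
#    their NTFS permissions let them open. Share-level permission (assumed) is
#    Full for Authenticated Users; NTFS does the real restriction.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -FullAccess 'Authenticated Users' | Out-Null
}
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# Check: the root should show exactly the four ACEs above, and the share should
# report FolderEnumerationMode = AccessBased.
(Get-Acl -Path $ShareRoot).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags |
    Format-Table -AutoSize
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
```

Run it in an elevated PowerShell session on the file server with RSAT installed. Because the Deny entry at the root inherits everywhere and wins over any Allow, a stale Deny group membership will lock out a re-enabled user until the account is removed from the group and logs on again to refresh its token.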