Should or shouldn't I remove the 'Everyone' group from my shared folders?
Solution 1
Normally it's perfectly fine to grant full access to Everyone
on a share, because you'll actually control access via file ACLs anyway. Share permissions only apply to the share itself, while file ACLs apply to anything below. Also file ACLs allow far more fine-grained control than share permissions. Enable Access-based Enumeration
and users won't even be able to see files and folders they don't have permission to access.
Solution 2
Yes i you want only for you to have access to the share you can remove the everyone group, but you will have to add yourself to the share permissions, if you remove everyone and don't add yourself to permissions then you have blocked yourself also from accessing it from network.
Also even if you leave everyone group, you can still allow/disallow access to others by NTFS permissions on security tab.
You have Network share permissions which control who can access the network shares and what they can do on the network, and then you have NTFS permissions which actually control who can read/write/modify the files.
If you allow somebody full access on NTFS but don't allow access on network share then you have only given them rights to the files when they are working on it directly from a machine.
For somebody to be able to read or modify the files over network he has to have network and NTFS permissions
Related videos on Youtube
WeDoTDD.com
Updated on September 18, 2022Comments
-
WeDoTDD.com over 1 year
I'm wondering whether to completely remove the Everyone group from my shared folders. I remember one time I did and it screwed up the machine meaning not even the Administrator account could access anything.
I just want to ensure only my login has access to whatever shared folder I setup. Normally I just add my login but I am just curious about the everyone group...should I remove that to ensure 100% I'm safe on our network?
-
Canadian Luke over 11 yearsWhat is the server OS? Are you on a domain network? Are you on the domain controller? Do you want anonymous user access?
-
WeDoTDD.com over 11 yearsOS is Windows 8
-
WeDoTDD.com over 11 yearsdomain network, and now sure what you mean by anonymous access...
-
WeDoTDD.com over 11 yearsdo I simply uncheck the read access on everyone and not remove the group?
-
Ansgar Wiechers over 11 yearsNo. If you want to remove access for the group: remove the group and add the groups/users you actually want to grant access to.
-
WeDoTDD.com over 11 yearsyea I know that Ansgar, I know how to add users and groups and share a folder. My main concern here surrounds the Everyone group. I want to focus the conversation on that.
-
-
WeDoTDD.com over 11 yearsso are you saying that when you initially share out a folder on your C Drive or whatever, The Everyone group is automatically there obviously in the shared permissions. But that not everyone can read the files within the folder you are sharing out?
-
WeDoTDD.com over 11 yearsI do not want the everyone group to be able to even read the files or see them in whatever folder I share out. So I just unchecked read for the everyone group but left the everyone group on the share with no boxes checked for perimissions (read write, etc. are unchecked).
-
WeDoTDD.com over 11 yearsso I guess yea there are 2 layers, share (network) permissions and the yea security tab for ACL...correct. Yea duh.
-
Ansgar Wiechers over 11 yearsCorrect. Access depends on the actual file/folder permissions. With access-based enumeration disabled they'll be able to see the files, but won't be able to access them unless the file ACLs grant them permission. With access-based enumeration enabled they won't even see files they cannot access.
-
WeDoTDD.com over 11 yearsforgive me but what is access-based enumeration enabled
-
Ansgar Wiechers over 11 yearsSee the link in my answer.