Security

Configure Advanced Security Scenarios in Windows Server 2012

What is an advanced security scenario in Windows Server 2012?

Windows Server 2012 introduces several improvements to the Advanced Security settings dialog when configuring NTFS access controls and auditing. In this Ask the Admin, I’ll look at how permissions configuration has been simplified for advanced security scenarios.

An example of an advanced security scenario is preventing users from accidentally deleting, moving, or renaming entire file structures. Administrators often configure NTFS permissions so that users can create, delete, and rename files, but not delete folders. While this doesn’t provide fool-proof protection, it does give a certain degree of damage limitation when simple finger trouble is the source of the problem.

Configure an Advanced Security Scenario in Windows Server 2012

Let’s configure the permissions set on a folder in Windows Server 2012, to see how the process is easier than in previous versions of Windows Server. Log on to a file server that’s joined to a domain with an account that has local administrator privileges.

  • On the desktop, press the Windows key + E to open File Explorer.
  • In File Explorer, right-click the folder you want to modify and select Properties from the menu.
  • In the Properties dialog, switch to the Security tab.
  • Click Advanced in the security tab.
  • In the Advanced Security Settings dialog, click Disable inheritance.
  • In the Block Inheritance dialog, click Convert inherited permissions into explicit permissions on this object.

In this example, I’m going to grant specific permissions for the Domain Users group. Before doing this, you should remove any existing permission entries for Domain Users.

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

  • Click Add.
  • In the Permission Entry dialog, click Select a principal.
  • Type domain users in the Enter the object name to select box and click OK.
  • Select Files only from the Applies to drop-down menu.
  • Click Show advanced permissions.
  • Under Advanced permissions, check all permissions apart from Full control, Change permissions and Take ownership.

Configuring an advanced security scenario in Windows Server 2012

  • Click OK.
  • In the Advanced Security Settings dialog, click Add again.
  • In the Permission Entry dialog, click Select a principal.
  • Type domain users in the Enter the object name to select box and click OK.
  • Select This folder and subfolders from the Applies to drop-down menu.
  • Under Advanced permissions, select: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create files/write data, and Read permissions.

Configure an advanced security scenario in Windows Server 2012

  • Click OK.
  • Now you should see two entries for the Domain Users group in the Advanced Security Settings dialog. Click OK.
  • Click OK in the Properties dialog.

That’s it! You’re done.

Related Topics:

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: