New episode!

Latest Episode: 5 GPO MDM Mistakes

In this week’s episode, Stephen talks to Jeremy Moskowitz about the top 5 mistakes IT Pros make when transferring Group Policy to MDM.
Happening now!

Unlock Secure Remote Working!

Dive into the latest Microsoft management technologies at our free 1-day GET-IT virtual conference. Sign up now!
On-demand!

Inside Access: Why Privileged Accounts Could Be Your Biggest Security Gap

What if your biggest vulnerability wasn't a misconfigured firewall? Don't miss our webinar on the hidden risks of standing privileges.

Configure Advanced Security Scenarios in Windows Server 2012

What is an advanced security scenario in Windows Server 2012?

Windows Server 2012 introduces several improvements to the Advanced Security settings dialog when configuring NTFS access controls and auditing. In this Ask the Admin, I’ll look at how permissions configuration has been simplified for advanced security scenarios.

An example of an advanced security scenario is preventing users from accidentally deleting, moving, or renaming entire file structures. Administrators often configure NTFS permissions so that users can create, delete, and rename files, but not delete folders. While this doesn’t provide fool-proof protection, it does give a certain degree of damage limitation when simple finger trouble is the source of the problem.

Configure an Advanced Security Scenario in Windows Server 2012

Let’s configure the permissions set on a folder in Windows Server 2012, to see how the process is easier than in previous versions of Windows Server. Log on to a file server that’s joined to a domain with an account that has local administrator privileges.

On the desktop, press the Windows key + E to open File Explorer.
In File Explorer, right-click the folder you want to modify and select Properties from the menu.
In the Properties dialog, switch to the Security tab.
Click Advanced in the security tab.
In the Advanced Security Settings dialog, click Disable inheritance.
In the Block Inheritance dialog, click Convert inherited permissions into explicit permissions on this object.

In this example, I’m going to grant specific permissions for the Domain Users group. Before doing this, you should remove any existing permission entries for Domain Users.

Click Add.
In the Permission Entry dialog, click Select a principal.
Type domain users in the Enter the object name to select box and click OK.
Select Files only from the Applies to drop-down menu.
Click Show advanced permissions.
Under Advanced permissions, check all permissions apart from Full control, Change permissions and Take ownership.

Click OK.
In the Advanced Security Settings dialog, click Add again.
In the Permission Entry dialog, click Select a principal.
Type domain users in the Enter the object name to select box and click OK.
Select This folder and subfolders from the Applies to drop-down menu.
Under Advanced permissions, select: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create files/write data, and Read permissions.

Click OK.
Now you should see two entries for the Domain Users group in the Advanced Security Settings dialog. Click OK.
Click OK in the Properties dialog.

That’s it! You’re done.