Microsoft Windows graphic

Best practices

Assign permissions to groups, not user accounts.

Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission.

Assign the most restrictive permissions that still allow users to perform required tasks.

For example, if users need only to read information in a folder, and they will never delete, create, or change files, assign the Read permission.

If users log on locally to access shared resources, such as on a terminal server, set permissions by using NTFS file system permissions or access control.

Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. For this situation, use NTFS and access control. For more information, see To set, view, change, or remove permissions on files and folders.

Organize resources so that objects with the same security requirements are located in the same folder.

For example, if users require the Read permission for several application folders, store the application folders in the same parent folder. Then, share the parent folder, rather than sharing each individual application folder. Note that if you need to change the location of an application, you may need to reinstall it.

When you share applications, organize all shared applications in one folder.

Organizing all applications in one shared folder simplifies administration, because there is only one location for installing and upgrading software.

To prevent problems with accessing network resources, do not deny permissions to the Everyone group.

The Everyone group includes anyone who has access to network resources, including the Guest account, with the exception of the Anonymous Logon group. For more information, see Default security settings for groups and Differences in default security settings.

Avoid explicitly denying permissions to a shared resource.

It is usually necessary to explicitly deny permissions only when you want to override specific permissions that are already assigned.

Limit membership in, and assign the Full Control permission to, the Administrators group.

This enables administrators to manage application software and to control user rights.

In most cases, do not change the default permission (Read) for the Everyone group.

The Everyone group includes anyone who has access to network resources, including the Guest account. In most cases, do not change this default unless you want users to be able to make changes to the files and objects in the shared resource. For more information about share permissions, see Share permissions.

Grant access to users by using domain user accounts.

On computers running XOX that are connected to a domain, grant access to shared resources through domain user accounts, rather than through local user accounts. This centralizes the administration of share permissions.

Use centralized data folders.

With centralized data folders, you can manage resources and back up data easily.

Use intuitive, short labels for shared resources.

This ensures that the shared resources can be easily recognized and accessed by users and all client operating systems.

Use a firewall.

A firewall protects shared resources from access through the Internet. In XOX and in the Windows Server 2003 family, you can take advantage of new firewall capabilities. For more information, see Internet Connection Firewall.