David,
I hate to be blunt here, but I am. I don't understand why you continue to say there is a huge security gap.
Sandeep, who I consider the smartest computer expert on here by far, just laid it out. And, as Wilford Brimley said in the classic Paul Newman movie, Absence of Malice, "I'm pretty smart myself."
I think the entire computer network setup and all of the IT jobs would be dead if it weren't for permissions. With sharing and permissions, you can sit down and take hours to give as few or as many permissions as you want. Here is a table for permissions of XP Pro SP3 on a domain. WIN 7 has more default sharing. By using the security tab as Sandeep has clearly shown along with sharing of the folder itself, you can do anything you want with sharing.
Basically make another folder on the server with some files and folders and play around with it. When you get where you like the permissions, just use the same ones with AC. Don't make permissions for each individual user, make them for a group. Here, we just call them Domain Users. Don't use "Everyone." The classic test is browsing to the folder and doing the following:
Create a text file
Open the text file
Write to the text file
Save the text file
Copy the text file to the desktop
Delete the text file
That user would have full permissions. You really want them to see it and write to it only. Read/Write. If they can delete it or copy it, that's not good. It is actually very easy. It only gets difficult if you want users to have different properties.
The AC folder needs to be shared. You with admin privileges can access anything with proper sharing and pretty much anything in the permissions. For the users, they only need modify and not full, but it doesn't matter if they have full because your permissions will control them. Anything inside the folder including the child folders will import the same sharing.
Once that is set up, you can do your permissions. Just start by clicking on the top left column with your "user group" highlighted and see what they can do. They should be able to do everything. Then uncheck the top box. Always remember that Deny always trumps Allow. Even if a user were in another group (say MAs) that had allow permissions for Full, if they are denied as "user group," they will still be denied.
One way to look at it is this. Shares are for across the network. If a folder is shared, a user can access the folder. It has to be shared out to everyone for them to use it.
Permissions under the security tab as Sandeep has outlined, can be looked at like what permissions a user would have if they were sitting at that computer. This is just for understanding purposes.
Just for fun, share the folder with full privileges. Then highlight the users and uncheck every box. Then go to any computer and become that user and browse to that folder and see what you can do. You won't be able to do anything.
Remember, though, this is virtual or computer permissions. I assume your users or most of them have keys. All of the permissions, or lack thereof, won't stop a user from coming in at 5 am on a Saturday, opening the server, removing the hard drive and walking off into the sunset.
That's where we start to talk about encryption, which is an entirely different subject. And, think about paper. Every user in the place had access to every chart.
And, there are way too many hackers out there for encryption to stop them.
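As an added example (my own illustration, not the poster's instructions or anything else from this thread), here is the same model the post describes, done in PowerShell on a Windows 8 / Server 2012 or later box rather than through the XP dialogs: the share grants network access, the NTFS entries on the security tab decide what the user can actually do, a group (not individual users) gets Modify rather than Full Control, the entries flow down to child folders and files, and an explicit Deny wins over an Allow from another group. The folder path, share name and group names are placeholders you must replace with ones that resolve in your domain, and Test-EffectiveRight is a simplified evaluator written for this example, not a Windows API; Windows' own "Effective Access" tab is the authoritative check.

```powershell
# Added example; placeholders below are assumptions, not values from the post.
# Run elevated on a test machine, against a scratch folder, never a live data folder.
$Folder    = 'C:\Shares\AC-test'       # scratch folder standing in for the AC folder
$ShareName = 'AC-test'
$UserGroup = 'DOMAIN\Domain Users'     # the post's "user group" (must resolve in your domain)
$MAGroup   = 'DOMAIN\MAs'              # the second group from the post's Deny example

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Every entry is written so it also applies to child folders and files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Type
}

# Start from the folder's current descriptor, stop inheriting from the parent and
# drop the inherited entries, so the entries added here are the whole story.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)

$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' FullControl))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    FullControl))
# Users get Modify, not Full Control: read, write, create, but no ownership or ACL changes.
$acl.AddAccessRule((New-Ace $UserGroup Modify))
$acl.AddAccessRule((New-Ace $MAGroup   FullControl))
# Modify still includes Delete. Denying Delete (and DeleteSubdirectoriesAndFiles, which
# lets a parent folder's right delete children) turns Modify into read/write-only.
$acl.AddAccessRule((New-Ace $UserGroup 'Delete, DeleteSubdirectoriesAndFiles' Deny))

Set-Acl -Path $Folder -AclObject $acl

# The share is what lets the folder be reached over the network; the NTFS entries above
# still decide what each user can do once there. Change = the share-level Modify.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder -ChangeAccess $UserGroup | Out-Null
}

function Test-EffectiveRight {
    param(
        [string]$Path,
        [string[]]$MemberOf,   # groups the user belongs to
        [System.Security.AccessControl.FileSystemRights]$Right
    )
    # Simplified model of how explicit NTFS entries are evaluated: a Deny that
    # touches any bit of the requested right wins; otherwise the Allow entries'
    # bits are added up and must cover the whole right. (Windows walks the ACL in
    # canonical order with explicit Denies first, so the answer matches for the
    # explicit entries written above.)
    $acl = Get-Acl -Path $Path
    $want = [int]$Right
    $granted = 0
    foreach ($ace in $acl.Access) {
        if ($MemberOf -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny' -and ($bits -band $want) -ne 0) { return $false }
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bits }
    }
    return (($granted -band $want) -eq $want)
}

# The post's scenario: a user who is in MAs (Full) and in the user group (Deny).
$both = @($UserGroup, $MAGroup)
Test-EffectiveRight -Path $Folder -MemberOf $both -Right Delete          # False: Deny trumps Allow
Test-EffectiveRight -Path $Folder -MemberOf $both -Right WriteData       # True: still read/write
Test-EffectiveRight -Path $Folder -MemberOf @($UserGroup) -Right FullControl   # False: Modify only

# What the security tab would show, for comparison with the dialogs in the post.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The post's classic test (create, open, write, save, copy, delete as the user) is still the right final check: copy-to-desktop is a read, so the NTFS entries above cannot stop it, which is the limit the post is pointing at when it turns to physical access and encryption.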