[SOLVED] Newbie needs help with NTFS security

speed2001

Honorable
Mar 6, 2014
4
0
10,510
I'm a newbie IT person handling a small business (14 users) network. They have a file server running Windows Server Essentials - I was informed to avoid hitting the 20 max allowed connections - as part of a workgroup (no domain) that runs their HR System. They have all files (programs and files) in a public directory with no security at all (???).

What I want to do is create a directory out of the public area and allow the HR program to run (execute, update, create and delete files) while preventing the users to move or delete files by themselves. How should I configure the security for this directory to have it done?

Sorry, newbie here, still trying to understand how rights work and are related. Read a lot but can't find how to achieve what I'm looking for.

Thanks for any help.
 

USAFRet

Titan
Moderator
"allow the HR program to run (execute, update, create and delete files) while preventing the users to move or delete files by themselves"

"update, create and delete files" is the same as "move or delete files"

From out here, it looks like this whole enterprise needs a full reconstruction.


As an initial thought concept, each User needs his/her own space on the server, for their specific files.
Applications really need to live on the client systems and not the server.
 
Yeah, it seems like each 'user' has access to the storage and the program using the same credentials. You won't be able to restrict anything on a particular 'user' since the user's access is all or nothing.

An easy way to separate this out though is to move the program to its own share--either on the server or, since they are just treating the server as a file server, on a NAS unit. NAS units have gotten really good at 'just serving up files'.
 

speed2001

> "allow the HR program to run (execute, update, create and delete files) while preventing the users to move or delete files by themselves"
>
> "update, create and delete files" is the same as "move or delete files"
>
> From out here, it looks like this whole enterprise needs a full reconstruction.
>
> As an initial thought concept, each User needs his/her own space on the server, for their specific files.
> Applications really need to live on the client systems and not the server.

You're right, I forgot to mention that the software is an old client/server and it has a workstation application directory that communicates with the server. To access the server, users map the network drive using a server login credential.

What I want is to define this server login to be able to execute the program - and the program creates and deletes files - but not giving the users access to do it manually as they have today...

Will read execute do the trick? I.e., the user would have read/execute locally (workstation) and would connect using a credential (hidden from the user) that has read/execute on the server. Will this allow the application to create and delete files on the server?

Thanks
 

USAFRet

> You're right, I forgot to mention that the software is an old client/server and it has a workstation application directory that communicates with the server. To access the server, users map the network drive using a server login credential.
>
> What I want is to define this server login to be able to execute the program - and the program creates and deletes files - but not giving the users access to do it manually as they have today...
>
> Will read execute do the trick? I.e., the user would have read/execute locally (workstation) and would connect using a credential (hidden from the user) that has read/execute on the server. Will this allow the application to create and delete files on the server?
>
> Thanks
Unknown to all.

This whole thing was added on to a single PC and "server" (actually just another PC hosting the application).
Over the years, more users, etc.
And all the faults that come with that.
I've seen this exact thing many many times.

If you want it "right" and a good way forward, it needs to be redone from the ground up.
Which will take planning, and almost certainly $$.

The network is sort of working currently. Not optimal, but it is what they are used to and does not affect day to day business.
Change nothing until you have a documented plan to "fix it".
Little changes you make now could easily bork up the whole thing.
 
Solution

speed2001

It is a wise suggestion and for sure it will be followed... I love my head over my neck...kkkk
But anyway, one question I would like to have answered, since I couldn't find the answer anywhere: Does Read/Execute permission allow an application to create and delete files? The HR app generates and also deletes a lot of PDF files....

Thanks for all the help
Cheers
 

USAFRet

> It is a wise suggestion and for sure it will be followed... I love my head over my neck...kkkk
> But anyway, one question I would like to have answered, since I couldn't find the answer anywhere: Does Read/Execute permission allow an application to create and delete files? The HR app generates and also deletes a lot of PDF files....
>
> Thanks for all the help
> Cheers
Read/Execute should only do that.

But if the HR application can currently "delete" things....do not change that.
Its inner workings are completely unknown. Possibly that 'delete' is a needed function.
 
> What I want is to define this server login to be able to execute the program - and the program creates and deletes files - but not giving the users access to do it manually as they have today...
>
> Will read execute do the trick? I.e., the user would have read/execute locally (workstation) and would connect using a credential (hidden from the user) that has read/execute on the server. Will this allow the application to create and delete files on the server?
>
> Thanks
You might be able to do this, but it is a tangled mess of permissions that will inevitably break.

What's the problem with the users accessing files directly? The program does it, so why not the users?
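
An added example, not part of the thread: a simplified Python model of how Windows evaluates a folder's DACL, covering the Read/Execute question and the shared-login setup discussed above. The account name `SERVER\hrshare` and the three ACL scenarios are constructed for illustration; owner rights, privileges and inheritance flags are left out.

```python
# Added example: simplified model of the Windows DACL access check.
# It ignores owner rights, privileges and ACE inheritance flags.
FILE_READ_DATA = 0x000001     # read a file / list a directory
FILE_ADD_FILE = 0x000002      # on a directory: create a file in it
FILE_EXECUTE = 0x000020       # run a file / traverse a directory
FILE_DELETE_CHILD = 0x000040  # on a directory: delete any child
DELETE = 0x010000             # delete the object itself

READ_EXECUTE = 0x1200A9       # what icacls shows as (RX)
MODIFY = 0x1301BF             # what icacls shows as (M)

ACCOUNT = "SERVER\\hrshare"   # hypothetical shared login, not from the thread

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order. Only the token is an input, never the program."""
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & desired & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask
        if desired & ~granted == 0:
            return True
    return False

def allowed_ops(token_sids, dacl):
    """Rights on a folder and on a file inside it that carries the same ACEs."""
    def ok(bits):
        return access_check(token_sids, dacl, bits)
    return {
        "read": ok(FILE_READ_DATA),
        "execute": ok(FILE_EXECUTE),
        "create": ok(FILE_ADD_FILE),                    # checked on the folder
        "delete": ok(DELETE) or ok(FILE_DELETE_CHILD),  # file, else parent
    }

def scenario(aces):
    """The HR app and Explorer both run with this one token."""
    return allowed_ops({ACCOUNT}, aces)

RX_ONLY = scenario([("allow", ACCOUNT, READ_EXECUTE)])
MODIFY_ALL = scenario([("allow", ACCOUNT, MODIFY)])
NO_DELETE = scenario([("deny", ACCOUNT, DELETE | FILE_DELETE_CHILD),
                      ("allow", ACCOUNT, MODIFY)])
```

`RX_ONLY` comes out with create and delete denied, and `NO_DELETE` shows that a deny on delete also applies to the HR application, because it runs under the same login as the user.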