Notes on NTFS security enforcement on the storage pool

By default, the storage pool plays loose with NTFS security settings at the object level.
This choice was made in favor of usability. The recommendation is for users to secure their storage at the share level and not worry about intricate folder and file level security settings.

For one, a storage pool is allowed to have storage volumes with different file systems and therefore different security enforcement implementations.
Secondly, a folder representation could be multiple physical folders on different drives sharing only a common name.
All these variances could become sources of security access issues as Windows automatically denies access if there is any issue with interpreting or checking on the permissions.
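
An added example, not part of the original note or of the product: a read-only PowerShell check that lists the file system, owner and access rules of each physical folder behind one pooled folder and reports rules that are missing from some members. The member drive letters and the folder path are assumed placeholders, and members are assumed to be mounted as drive letters.

```powershell
# Added example (not vendor code): compare the ACLs of the physical folders that
# back one pooled folder. Read-only. The defaults below are assumed placeholders.
param(
    [string[]]$MemberRoots  = @('D:\', 'E:\'),   # assumed member drive letters
    [string]  $RelativePath = 'Media\Photos'     # assumed pooled folder
)

function Get-MemberFolderAcl {
    param([string[]]$Roots, [string]$Path)
    foreach ($root in $Roots) {
        $full = [System.IO.Path]::Combine($root, $Path)
        # The pooled folder does not have to exist on every member drive.
        if (-not (Test-Path -LiteralPath $full -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $full
        [pscustomobject]@{
            Folder     = $full
            FileSystem = (New-Object System.IO.DriveInfo $root).DriveFormat
            Owner      = $acl.Owner
            # One normalized string per access rule so the sets can be compared.
            Rules      = @($acl.Access | ForEach-Object {
                '{0}|{1}|{2}|inherited={3}' -f $_.IdentityReference, $_.AccessControlType,
                                               $_.FileSystemRights, $_.IsInherited
            } | Sort-Object -Unique)
        }
    }
}

$members = @(Get-MemberFolderAcl -Roots $MemberRoots -Path $RelativePath)
if ($members.Count -lt 2) {
    'Fewer than two physical folders found; nothing to compare.'
    return
}

# Different file systems or owners are already a sign of divergent enforcement.
$members | Select-Object Folder, FileSystem, Owner | Format-Table -AutoSize

# A rule is divergent when at least one member folder lacks it.
$allRules  = $members | ForEach-Object { $_.Rules } | Sort-Object -Unique
$divergent = foreach ($rule in $allRules) {
    $missing = @($members | Where-Object { $_.Rules -notcontains $rule } |
                 ForEach-Object { $_.Folder })
    if ($missing.Count -gt 0) {
        [pscustomobject]@{ Rule = $rule; MissingFrom = $missing -join ', ' }
    }
}

if ($divergent) { $divergent | Format-Table -Wrap }
else            { 'All member folders carry the same access rules.' }
```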

It is easy to get entangled in strict object security.
For users on a domain-based network, things get even more complicated, as communication with the domain controller and effective permission checking can hit all kinds of snags.

Furthermore, many devices (such as media streaming devices) can't deal with overly strict security settings.

For all these reasons, it is recommended that strict ACL (Access Control List) mode be left at false in the RAID options. Use the KISS approach: keep your security settings simple by applying them at the share level only, and enjoy your data without much fuss.

Nevertheless, there are many environments where strict security setting compliance is a must.
For those environments, the strict ACL mode can be enabled.

Once strict ACL mode is enabled, the following rules apply:

  • You are on your own with any access-denied security issue.
  • No support staff will help troubleshoot such issues, but you can freely post on the forum for community help.