How do I set permissions on network shares to allow SYSTEM account access in server cluster?

networking permissions windows-server-2008 active-directory

I want to share common data within a cluster of servers via network shares. There will be one share folder on each server, which all the other servers can access. The server processes that will be accessing this data are currently running as SYSTEM. I would like to restrict the permissions on these folders so that only the processes running on the other servers in the cluster can access the share. I do NOT want the network shares to be accessible to anyone else in the domain (except perhaps the admins who can remote into the servers anyway).

How do I configure the permissions on the file shares to accomplish this? Can it be done with the server processes running as SYSTEM? If there is no direct way to do this, is there a best practice work around?

We are running Windows Server 2008 R2.

Thanks, Jeff


In a terse, step-by-step fashion:

  • Create a group and make the AD computer accounts for the cluster computers members of that group.

  • Set the NTFS permissions on the folder to "SYSTEM / Full Control", "MACHINE\Administrators / Full Control", and "The Cluster Member Group / Full Control". (I always include "MACHINE\Administrators" and "SYSTEM" with "Full Control" in virtually every permission I apply. Call it force-of-habit...)

  • Share the folder and set the Share Permission to "Everyone / Full Control". This effectively nullifies this "feature". The NTFS permissions will enforce the security you're looking for.

  • You're in business.

Related

How are connections differentiated from behind NAT routers?
Problems with self-signed SSL certificate for SSTP in Windows Server Foundation 2008
How to free PHP-FPM memory?
Looking for a way to audit/monitor removable media on a Mac
SSRS report "unable to load client print control"
Determine which files a process opened (Linux)
I can run a script locally, but cannot do "ssh HOSTNAME /path/to/script.sh"
HP ProLiant ML310e Gen8 early system initialization hangs on 90%
Synchronizing time with only one NTP server
EC2 after restart can not access via ssh
Kernel upgrade CentOS 5.3 mount: could not find filesystem '/dev/root'
How to shorten DNS propagation effect