Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
1
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003
Environment, Enhanced
Chapter 5: Managing File Access
Guide to MCSE 70-290, Enhanced 2
Objectives
• Identify and understand the differences between the various file systems supported in Windows Server 2003
• Create and manage shared folders• Understand and configure the shared folder
permissions available in Windows Server 2003• Understand and configure the NTFS permissions
available in Windows Server 2003
2
Guide to MCSE 70-290, Enhanced 3
Objectives (continued)
• Determine the impact of combining shared folder and NTFS permissions
• Convert partitions and volumes from FAT to NTFS
Guide to MCSE 70-290, Enhanced 4
Windows Server 2003 File Systems
• Three main file systems• File Allocation Table (FAT)• FAT32• NTFS
• Final choice of file system depends on • How system will be used• Whether there are multiple operating systems• Security requirements
• NTFS is most highly recommended
3
Guide to MCSE 70-290, Enhanced 5
FAT
• Used by MS-DOS• Supported by all versions of Windows since• Traditionally limited to partitions up to 2 GB
• Windows Server 2003 version supports partitions up to 4 GB
• Limitations• Small partition sizes• No file system security features• Disk space usage is poor
Guide to MCSE 70-290, Enhanced 6
FAT32
• A derivative of the FAT file system• Supports partition sizes up to 2 TB• Still does not provide advanced security features
• Cannot configure permissions on file and folder resources
4
Guide to MCSE 70-290, Enhanced 7
NTFS• Introduced with Windows NT operating system• Current version (version 5)
• Windows NT 4.0• Windows 2000• Windows XP• Windows Server 2003
• Theoretically supports partition sizes of up to 16 Exabytes (EB)• Practically supports maximum partition sizes from 2
TB to 16 TB
Guide to MCSE 70-290, Enhanced 8
NTFS (continued)• Advantages of NTFS
• Greater scalability and performance on larger partitions• Support for Active Directory on systems configured as
domain controllers• Ability to configure security permissions on individual
files and folders• Built-in support for compression and encryption• Ability to configure disk quotas for individual users• Support for Remote Storage• Recovery logging of disk activities
5
Guide to MCSE 70-290, Enhanced 9
Creating and Managing Shared Folders
• Shared folder• A data resource made available over a network to
authorized network clients• Specific permissions required for creating, reading,
modifying
• Groups that can create shared folders:• Administrators• Server Operators• Power Users (only on member servers)
Guide to MCSE 70-290, Enhanced 10
Creating and Managing Shared Folders (continued)
• Several ways to create shared folders• Two important methods
• Windows Explorer Interface• Computer Management console
• Also allows shared folders to be monitored
6
Guide to MCSE 70-290, Enhanced 11
Using Windows Explorer
• Used since Windows 95 • Can create, maintain, and share folders• Folders can be on any drive connected to the
computer• Folders are shared in Windows Explorer by
accessing the Sharing tab of folder’s properties
Guide to MCSE 70-290, Enhanced 12
Activity 5-1: Creating a Shared Folder Using Windows Explorer• Objective is to create a shared folder using
Windows Explorer• Open Explorer from Start menu• Use Explorer to create and configure a new folder• Verify folder using net view command• Open Explorer from command line for alternative
verification
7
Guide to MCSE 70-290, Enhanced 13
Using Windows Explorer (summary)
• Shared name of folder does not have to be the actual folder name
• Hand icon used to indicate shared status• Shared folders can be hidden from My Network
Places and Network Neighborhood• Place dollar sign ($) after name, e.g., Salary$• Number of hidden administrative shares created
automatically at installation
Guide to MCSE 70-290, Enhanced 14
Using Computer Management
• Computer Management console is a pre-defined Microsoft Management Console (MMC)• Allows you to share and monitor folders for local and
remote computers• Allows you to stop sharing if desired
8
Guide to MCSE 70-290, Enhanced 15
Using Computer Management (continued)
• Share a Folder Wizard• Used to create folders in Shared Folders section of
Computer Management• Used to provide preconfigured or manual permissions
• All users have read-only access• Administrators have full access; others have read-
only access• Administrators have full access; others have read
and write access• Custom share and folder permissions
Guide to MCSE 70-290, Enhanced 16
Activity 5-2: Creating and Viewing Shared Folders Using
Computer Management• Objective is to create and view shared folders using
Computer Management• Open Computer Management and the Shared Folders node• Open Shares folder and note hidden files and other file
types• Open the Share a Folder Wizard• Configure the folder attributes• Configure the folder permissions• Verify folder accessibility from command line
9
Guide to MCSE 70-290, Enhanced 17
Using Command Line Utilities
• The Net Share command can also be used to share an existing folder from the command line• Syntax for sharing a folder:
• NET SHARE ShareName=FolderPath• Example: To share an existing folder from the command line and
name the share test. • NET SHARE TEST=C:\TestFolder
• The Net View command can be used to view the shares (non-hidden) on a computer.• Syntax: NET VIEW \\ComputerName• Example: To view all non-hidden shares on a computer named
SRV32• NET VIEW \\SRV32
Guide to MCSE 70-290, Enhanced 18
Monitoring Access to Shared Folders
• Monitoring involves• Who is using shared files• What shared files are open at any given time
• Other functions• Disconnect users from a share• Send network alert messages
• Primary monitoring tool is Computer Management
10
Guide to MCSE 70-290, Enhanced 19
Managing Shared Folder Permissions
• A shared folder has a discretionary access control list (DACL)• Contains a list of user or group references that have
been allowed or denied permissions• Each reference is an access control entry (ACE)• Accessed from Permissions button on Sharing tab of
folder’s properties
• Permissions only apply to network users, not those logged on directly to local machine
Guide to MCSE 70-290, Enhanced 20
Managing Shared Folder Permissions (continued)
11
Guide to MCSE 70-290, Enhanced 21
Managing Shared Folder Permissions (continued)
• Default permission is read access for Everyone group• Should be immediately addressed when a share is
created
• To deny access to a user or group• Must explicitly deny access to the user or group
• Folder permissions are inherited by all contained objects
Guide to MCSE 70-290, Enhanced 22
Managing Shared Folder Permissions (continued)
• Share permissions are cumulative• All the permissions assigned to a user, and any group of
which the user is a member, are combined and the combination of all the permissions applies.
• Deny permissions always overrides any permissions• When a user or group is denied a permission, the denied
entry always overrides any permissions that are allowed.
12
Guide to MCSE 70-290, Enhanced 23
Activity 5-3: Implementing Shared Folder Permissions
• Objective is to use shared folder permissions to control access to resources
• In this exercise, you configure permissions on a shared folder to implement specific requirements:• Domain Admins group has Full Control permission• Marketing Users group has Change permission• Other users have no access
Guide to MCSE 70-290, Enhanced 24
NTFS Permissions
• Resources located on an NTFS partition or volume can be given NTFS permissions
• An administrator must know• how permissions are applied• which Standard and special NTFS permissions
available• how effective permissions are determined
13
Guide to MCSE 70-290, Enhanced 25
NTFS Permission Concepts
• NTFS permissions are configured via the Security tab
• NTFS permissions are cumulative• Access denial always overrides permitted access• NTFS folder permissions are inherited unless
otherwise specified• NTFS permissions can be set at file or folder level
Guide to MCSE 70-290, Enhanced 26
NTFS Permission Concepts (continued)
• A new ACE has default permission • Read and Read and Execute for files• List Folder Contents for folders
• Windows Server 2003 has set of standard permissions plus special permissions
14
Guide to MCSE 70-290, Enhanced 27
NTFS Permission Concepts (continued)
Guide to MCSE 70-290, Enhanced 28
Activity 5-4: Implementing Standard NTFS Permissions
• Objective is to configure and test NTFS permissions on a local folder
• Implement standard NTFS permissions on a folder• Review default permissions • Explore behavior of permission inheritance
15
Guide to MCSE 70-290, Enhanced 29
Special NTFS Permissions
• Standard permissions are ‘made up’ of special permissions• Use to give permissions outside the boundaries of
standard permissions: Can provide more or less access than standard permissions
• Can also be used to control inheritance
• Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
Guide to MCSE 70-290, Enhanced 30
Special NTFS Permissions (continued)
• Inheritance settings• This folder only• This folder, subfolders, and files (default)• This folder and subfolders• This folder and files• Subfolders and files only• Subfolders only• Files only
16
Guide to MCSE 70-290, Enhanced 31
Special NTFS Permissions (continued)
Guide to MCSE 70-290, Enhanced 32
Special NTFS Permissions (continued)
17
Guide to MCSE 70-290, Enhanced 33
Activity 5-5: Configuring Special NTFS Permissions
• Objective is to view, configure, and test special NTFS permissions• Deny a group the ability to read the NTFS permissions
associated with a folder• Verify that access has been denied
Guide to MCSE 70-290, Enhanced 34
Determining Effective Permissions
• Permissions that actually apply to a user can be the result of membership in multiple groups
• Prior to Windows Server 2003, determining effective permissions was done manually
• In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource• Shows specific permissions for a user or group
18
Guide to MCSE 70-290, Enhanced 35
Activity 5-6: Determining Effective NTFS Permissions
• Objective is to view effective permissions for a user on an NTFS folder
• Open the Effective Permissions tab for a test folder
• Enter the name of the user• Review the permissions specifically granted to
that user for that folder• Repeat with a group
Guide to MCSE 70-290, Enhanced 36
Combining Shared Folder and NTFS Permissions
• NTFS permissions can be combined with share permissions • When accessing a share across a network, if both apply,
use most restrictive• When accessing a file locally, only NTFS permissions
apply
19
Guide to MCSE 70-290, Enhanced 37
Activity 5-7: Exploring the Impact of Combined Shared
Folder and NTFS Permissions
• Objective is to determine effective permissions when combining shared folder and NTFS permissions
• Create a folder with both permissions• Attempt to create a new folder locally and over the
network
Guide to MCSE 70-290, Enhanced 38
NTFS PermissionsPublicApps: Administrators Full Control
Users: Read and ExecuteList Folder ContentsRead
If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
Share Permissions
•Users Read
•Administrators Full Control
A Suggested Security Assignment forPUBLIC APPLICATION FOLDERS
Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders.
Share
20
39
A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS
• NTFS Permissions• PrivateApps: Administrators Full Control
• Remove Inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance make sure Administrators have full control
• Each subfolder• Administrators should already be assigned full control because of inheritance• Assign each group the following permissions to their department’s respective folder (i.e., Sales
group to the Sales folder; Marketing group to the Marketing folder, etc.) (users in each department will have to access their respective folder via the UNC path)
• Read and Execute, • List Folder Contents• Read
Permissions assigned here assume that users in each department should only have access to their department’s applications. (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.)
Share Permissions
Users Full Control
Share
Guide to MCSE 70-290, Enhanced 40
Share Permissions
•Administrators Full Control
•Users Change
A Suggested Security Assignment for PUBLIC DATA FOLDERS
NTFS Permissions• PublicData: Administrators Full Control
Users everything but Full Control
Permissions assigned here assume that all users are able to add to, delete from and change the contents of files in the shared folder area. Users should not however be able to change permissions on a file or folder nor should they be able to take ownership of a file or folder.
Share
21
Guide to MCSE 70-290, Enhanced 41
Share Permissions
•Users Full Control
A Suggested Security Assignment for PRIVATE DATA FOLDERS
NTFS Permissions• PrivateData: Administrators Full Control
• Remove Inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance make sure Administrators have full control
• Each subfolder• Administrators should already be assigned full control because of inheritance• Assign each group everything but Full Control to their respective folder (i.e., Sales group
to the Sales folder; Marketing group to the Marketing folder, etc.) (users in each department will have to access their respective folder via the UNC path)
Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from and change the contents of files in their department’s folder.
Share
Guide to MCSE 70-290, Enhanced 42
Share Permissions
•Users Full Control
A Suggested Security Assignment forPUBLIC APPLICATION FOLDERS
Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders.
• NTFS Permissions• PublicApps: Administrators Full Control
Users Read & Execute; List Folder Contents; Read
If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
NTFS
22
43
A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS
• NTFS Permissions• PrivateApps: Administrators Full Control
Users Read and Execute, List Folder Contents, Read
• If the PrivateApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
• Each subfolder• Remove Inheritance from above (do not allow inheritable permissions from the parent to propagate to this
folder). After removing the inheritance make sure Administrators have full control • Assign each group the following permissions to their department’s respective folder (i.e., Sales group to the
Sales folder; Marketing group to the Marketing folder, etc.)• Read and Execute, • List Folder Contents• Read
Permissions assigned here assume that users in each department should only have access to their department’s applications. (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.)
Share Permissions
Users Full Control
NTFS
Guide to MCSE 70-290, Enhanced 44
Share Permissions
•Users Full Control
A Suggested Security Assignment for PUBLIC DATA FOLDERS
NTFS Permissions• PublicData: Administrators Full Control
Users everything but Full Control
Permissions assigned here assume that all users are able to add to, delete from and change the contents of files in the shared folder area. Users should not however be able to change permissions on a file or folder nor should they be able to take ownership of a file or folder.
NTFS
23
45
Share Permissions
•Users Full Control
A Suggested Security Assignment for PRIVATE DATA FOLDERS
Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from and change the contents of files in their department’s folder.
NTFS
• NTFS Permissions• PrivateData: Administrators Full Control
Users Read and Execute, List Folder Contents, Read
• If the PrivateData folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
• Each subfolder• Remove Inheritance from above (do not allow inheritable permissions from the parent to
propagate to this folder). After removing the inheritance make sure Administrators have full control
• Assign each group everything but Full Control to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.)
Guide to MCSE 70-290, Enhanced 46
Mapping Network Drives
• Two Methods:• Navigate to the share using My Network Places, right-click on the
share and Click Map Network Drive • The user mapping the drive must have permissions to the
share. If the user does not have permissions to the share but does have permissions to a folder within the share, the UNC path to the share\folder can be entered at the folder entry of the Map Network Dialogue box
• Syntax: Net Use driveletter uncpath• Example: Maps the letter to to a share named Apps on
ServerA• Net Use G: \\ServerA\Apps
24
Guide to MCSE 70-290, Enhanced 47
Understanding Ownership • Ownership
• Every folder and file on an NTFS partition of a Windows 2003 server has an owner
• The person who creates the file is the owner• The owner can always access the file/folder • The owner can always change its permissions
• This is true even if They’ve been removed from the security tab. Because they own it they can simply add themselves to the security tab!
• Administrators can take ownership of any file or folder• This is useful in a situation where the file is not otherwise accessible –
i.e, user who created the file had previously removed administrators from the security tab and that user has been deleted
• Any user who has the special NTFS Change Permission or the special NTFS Take Ownership permission to a file or folder can take ownership of that file or folder
• New to windows 2003 – a user who has the right to take ownership can also give ownership to another user or group.
Guide to MCSE 70-290, Enhanced 48
Viewing and Taking Ownership• Viewing Ownership
• View file or folder ownership of a file or folder from the Owner tab in the advanced security settings of the file/folder properties
• Properties of file or folder /Security / Advanced / Owner• Taking Ownership
• Take ownership of a file or folder from the Owner tab in the advanced security settings of the file/folder properties
• Properties of file or folder / Security / Advanced / Owner• Select a new owner from the Change Owner to Box or add a new user
to the list and select that new user (add a new user or group by using the Other Users or Groups button)
• Use the Replace Owners on Subcontainers and Objects with caution. • Taking ownership does not automatically add the owner to the file/folder’s
ACL.• Example: If an administrator has no permissions to a file or folder
he/she can take ownership of the file/folder but administrators are not automatically added to the security tab of that file or folder – the new entry must be added.
25
49
Replace Owners on Subcontainers and ObjectsWhen should you use it?
Replace Owners on Subcontainers and Objects checkbox • If the user who owns the folder/file no longer needs access to the folder,
then when the administrator takes ownership of the folder, this option should be selected.
• The process:• Select the Administrators group as the new owner and select the
Replace Owners on Subcontainers and objects. • Click OK and answer yes to the prompt regarding giving full control
• This will remove all entries from the folder’s ACL and it will add Administrators with full control. The original owner will lose access to the folder and all its contents.
50
Replace Owners on Subcontainers and ObjectsWhen should you use it?
Replace Owners on Subcontainers and Objects checkbox • If the user who owns the folder/file still needs access to the folder, do not select this
option. When you don’t select this option you will be the new owner but the ACL will remain in tact; which means you still won’t have permissions to the folder but since you now own it you can give yourself permission. If the goal is for the administrator and the original owner to have access to the folder, you must reconfigure the security on the folder.
• Process:• After taking ownership of the parent folder (without replacing owners on subcontainers),
add the Administrators group to the parent folder’s ACL with full control• Write down all other entries that exist on the ACL of the folder• Go back to the Owners tab for the parent folder and this time check off the Replace Owners
on Subcontainers” check box and answer yes to the question regarding replacing directory permissions with permissions grating you full control.
• Go back to the ACL for the folder and confirm that the list matches what you wrote down above. You should also check child files/folders and note that only Administrators exist on child file/folder ACLs.
• To force the parent permissions to all child files and folders, go to the Advanced Security tab of the parent folder and check off the check box for Replace permission entries on all child objects with entries shown here…. Answer yes to the warning.
26
Guide to MCSE 70-290, Enhanced 51
Converting a FAT Partition to NTFS
• For highest security, partitions and volumes should be configured to use NTFS
• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
• All existing files and folders are retained• CONVERT cannot convert NTFS to FAT or
FAT32
Guide to MCSE 70-290, Enhanced 52
Activity 5-8: Converting a FAT32 Partition to NTFS
• Objective is to convert a FAT32 partition to NTFS file system
• Create a small FAT32 partition on server (using New Partition Wizard)
• Create new file and folder on the partition• Use CONVERT to convert the partition to NTFS• Review permissions on the converted folder
27
Guide to MCSE 70-290, Enhanced 53
Summary• Windows Server 2003 supports 3 file systems
• FAT• FAT32• NTFS (preferred)
• Two types of permissions• Shared folder (network only)
• Tools are Windows Explorer, Computer Management, and NET SHARE command
• NTFS (local and network)• NTFS partitions only
Guide to MCSE 70-290, Enhanced 54
Summary (continued)• Permissions
• Shared folders, 3 standard permissions• NTFS, 6 standard and 14 special permissions
• Permissions are cumulative• Effective permissions can be determined from
Advanced Security Settings of a resource• Shared folder and NTFS permissions can be combined
• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system