
Chapter 5: Managing File Access


Page 1: Chapter 5: Managing File Access

1

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced

Chapter 5: Managing File Access

Guide to MCSE 70-290, Enhanced 2

Objectives

• Identify and understand the differences between the various file systems supported in Windows Server 2003
• Create and manage shared folders
• Understand and configure the shared folder permissions available in Windows Server 2003
• Understand and configure the NTFS permissions available in Windows Server 2003


Objectives (continued)

• Determine the impact of combining shared folder and NTFS permissions

• Convert partitions and volumes from FAT to NTFS


Windows Server 2003 File Systems

• Three main file systems
  • File Allocation Table (FAT)
  • FAT32
  • NTFS
• Final choice of file system depends on
  • How the system will be used
  • Whether there are multiple operating systems
  • Security requirements
• NTFS is most highly recommended


FAT

• Used by MS-DOS
• Supported by all versions of Windows since
• Traditionally limited to partitions up to 2 GB
  • Windows Server 2003 version supports partitions up to 4 GB
• Limitations
  • Small partition sizes
  • No file system security features
  • Disk space usage is poor


FAT32

• A derivative of the FAT file system
• Supports partition sizes up to 2 TB
• Still does not provide advanced security features
  • Cannot configure permissions on file and folder resources


NTFS

• Introduced with the Windows NT operating system
• Current version (version 5)
  • Windows NT 4.0
  • Windows 2000
  • Windows XP
  • Windows Server 2003
• Theoretically supports partition sizes of up to 16 Exabytes (EB)
• Practically supports maximum partition sizes from 2 TB to 16 TB


NTFS (continued)

• Advantages of NTFS
  • Greater scalability and performance on larger partitions
  • Support for Active Directory on systems configured as domain controllers
  • Ability to configure security permissions on individual files and folders
  • Built-in support for compression and encryption
  • Ability to configure disk quotas for individual users
  • Support for Remote Storage
  • Recovery logging of disk activities


Creating and Managing Shared Folders

• Shared folder
  • A data resource made available over a network to authorized network clients
  • Specific permissions are required for creating, reading, and modifying
• Groups that can create shared folders:
  • Administrators
  • Server Operators
  • Power Users (only on member servers)


Creating and Managing Shared Folders (continued)

• Several ways to create shared folders
• Two important methods
  • Windows Explorer interface
  • Computer Management console
    • Also allows shared folders to be monitored


Using Windows Explorer

• Used since Windows 95
• Can create, maintain, and share folders
• Folders can be on any drive connected to the computer
• Folders are shared in Windows Explorer by accessing the Sharing tab of the folder’s properties


Activity 5-1: Creating a Shared Folder Using Windows Explorer

• Objective is to create a shared folder using Windows Explorer
• Open Explorer from the Start menu
• Use Explorer to create and configure a new folder
• Verify the folder using the net view command
• Open Explorer from the command line for alternative verification


Using Windows Explorer (summary)

• Share name of the folder does not have to be the actual folder name
• Hand icon is used to indicate shared status
• Shared folders can be hidden from My Network Places and Network Neighborhood
  • Place a dollar sign ($) after the name, e.g., Salary$
  • A number of hidden administrative shares are created automatically at installation


Using Computer Management

• Computer Management console is a pre-defined Microsoft Management Console (MMC)
• Allows you to share and monitor folders for local and remote computers
• Allows you to stop sharing if desired


Using Computer Management (continued)

• Share a Folder Wizard
  • Used to create folders in the Shared Folders section of Computer Management
  • Used to provide preconfigured or manual permissions
    • All users have read-only access
    • Administrators have full access; others have read-only access
    • Administrators have full access; others have read and write access
    • Custom share and folder permissions


Activity 5-2: Creating and Viewing Shared Folders Using Computer Management

• Objective is to create and view shared folders using Computer Management
• Open Computer Management and the Shared Folders node
• Open the Shares folder and note hidden files and other file types
• Open the Share a Folder Wizard
• Configure the folder attributes
• Configure the folder permissions
• Verify folder accessibility from the command line


Using Command Line Utilities

• The Net Share command can also be used to share an existing folder from the command line
  • Syntax for sharing a folder: NET SHARE ShareName=FolderPath
  • Example: to share an existing folder from the command line and name the share test:
    NET SHARE TEST=C:\TestFolder
• The Net View command can be used to view the (non-hidden) shares on a computer
  • Syntax: NET VIEW \\ComputerName
  • Example: to view all non-hidden shares on a computer named SRV32:
    NET VIEW \\SRV32


Monitoring Access to Shared Folders

• Monitoring involves
  • Who is using shared files
  • What shared files are open at any given time
• Other functions
  • Disconnect users from a share
  • Send network alert messages
• Primary monitoring tool is Computer Management


Managing Shared Folder Permissions

• A shared folder has a discretionary access control list (DACL)
  • Contains a list of user or group references that have been allowed or denied permissions
  • Each reference is an access control entry (ACE)
  • Accessed from the Permissions button on the Sharing tab of the folder’s properties
• Permissions only apply to network users, not those logged on directly to the local machine


Managing Shared Folder Permissions (continued)

• Default permission is Read access for the Everyone group
  • Should be immediately addressed when a share is created
• To deny access to a user or group
  • Must explicitly deny access to the user or group
• Folder permissions are inherited by all contained objects


Managing Shared Folder Permissions (continued)

• Share permissions are cumulative
  • All the permissions assigned to a user, and to any group of which the user is a member, are combined, and the combination of all the permissions applies.
• Deny permissions always override any permissions
  • When a user or group is denied a permission, the denied entry always overrides any permissions that are allowed.


Activity 5-3: Implementing Shared Folder Permissions

• Objective is to use shared folder permissions to control access to resources

• In this exercise, you configure permissions on a shared folder to implement specific requirements:
  • Domain Admins group has Full Control permission
  • Marketing Users group has Change permission
  • Other users have no access


NTFS Permissions

• Resources located on an NTFS partition or volume can be given NTFS permissions

• An administrator must know
  • How permissions are applied
  • Which standard and special NTFS permissions are available
  • How effective permissions are determined


NTFS Permission Concepts

• NTFS permissions are configured via the Security tab

• NTFS permissions are cumulative
• Access denial always overrides permitted access
• NTFS folder permissions are inherited unless otherwise specified
• NTFS permissions can be set at the file or folder level


NTFS Permission Concepts (continued)

• A new ACE has default permissions
  • Read and Read & Execute for files
  • List Folder Contents for folders
• Windows Server 2003 has a set of standard permissions plus special permissions


Activity 5-4: Implementing Standard NTFS Permissions

• Objective is to configure and test NTFS permissions on a local folder

• Implement standard NTFS permissions on a folder
• Review default permissions
• Explore the behavior of permission inheritance


Special NTFS Permissions

• Standard permissions are ‘made up’ of special permissions
• Use to give permissions outside the boundaries of standard permissions: can provide more or less access than standard permissions
• Can also be used to control inheritance
• Special permissions are accessed from the Advanced button in the Security tab of the Properties dialog box for the resource


Special NTFS Permissions (continued)

• Inheritance settings
  • This folder only
  • This folder, subfolders, and files (default)
  • This folder and subfolders
  • This folder and files
  • Subfolders and files only
  • Subfolders only
  • Files only
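As an added example (not code from the guide), the following Python models the two ideas on these slides: which special permissions each standard permission is made up of, so that an entry the Security tab can only show as "Special permissions" can be recognised, and which objects in a subtree an entry reaches under each of the seven inheritance settings. The special-permission names are those of the Windows Server 2003 Advanced Security Settings tab; the sample subtree, the `objects_reached` helper and the depth rule are constructed for the example.

```python
"""Special NTFS permissions behind the standard ones, and the inheritance
scope of an entry. Added example for this chapter, not from the MCSE guide."""

# The 14 special permissions on the Advanced Security Settings tab.
SPECIAL = (
    "Traverse Folder / Execute File", "List Folder / Read Data", "Read Attributes",
    "Read Extended Attributes", "Create Files / Write Data",
    "Create Folders / Append Data", "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete", "Read Permissions",
    "Change Permissions", "Take Ownership", "Synchronize",
)

_READ = frozenset({"List Folder / Read Data", "Read Attributes",
                   "Read Extended Attributes", "Read Permissions", "Synchronize"})
_WRITE = frozenset({"Create Files / Write Data", "Create Folders / Append Data",
                    "Write Attributes", "Write Extended Attributes",
                    "Read Permissions", "Synchronize"})
_READ_EXECUTE = _READ | {"Traverse Folder / Execute File"}

# Each standard permission is exactly a bundle of special permissions.
STANDARD = {
    "Read": _READ,
    "Write": _WRITE,
    "Read & Execute": _READ_EXECUTE,
    "List Folder Contents": _READ_EXECUTE,   # same bundle; folder-only inheritance
    "Modify": _READ_EXECUTE | _WRITE | {"Delete"},
    "Full Control": frozenset(SPECIAL),
}


def specials_for(standard):
    """Special permissions that the named standard permission is made up of."""
    return STANDARD[standard]


def standard_permissions_covered(specials):
    """Standard permissions whose whole bundle is present in `specials`.

    An entry that matches no bundle is what the Security tab shows as
    'Special permissions', e.g. Read & Execute with Read Permissions removed
    (the Activity 5-5 scenario).
    """
    specials = frozenset(specials)
    return sorted(name for name, bundle in STANDARD.items() if bundle <= specials)


# (applies to this folder, applies to subfolders, applies to files) for each
# 'Apply onto' setting listed on the slide.
SCOPES = {
    "This folder only": (True, False, False),
    "This folder, subfolders, and files": (True, True, True),
    "This folder and subfolders": (True, True, False),
    "This folder and files": (True, False, True),
    "Subfolders and files only": (False, True, True),
    "Subfolders only": (False, True, False),
    "Files only": (False, False, True),
}


def ace_applies(scope, depth, is_file):
    """Whether an entry set with `scope` on a folder applies to an object
    `depth` levels below it (0 = the folder itself). Without the 'within this
    container only' limit, the subfolder and file flags reach every level."""
    this_folder, subfolders, files = SCOPES[scope]
    if depth == 0:
        return this_folder
    return files if is_file else subfolders


def _depth(relative_path):
    return relative_path.count("\\") + 1 if relative_path else 0


def objects_reached(scope, tree):
    """Paths in `tree` (dict: relative path -> is_file; "" is the folder that
    carries the entry) that an entry with the given scope applies to."""
    return sorted(p for p, is_file in tree.items()
                  if ace_applies(scope, _depth(p), is_file))


# Constructed sample subtree below the folder carrying the entry.
SAMPLE_TREE = {"": False, "Sales": False, "Sales\\plan.doc": True,
               "readme.txt": True, "Sales\\Q1": False}

if __name__ == "__main__":
    for scope in SCOPES:
        print(f"{scope:38} -> {objects_reached(scope, SAMPLE_TREE)}")
    print("Modify covers:", standard_permissions_covered(specials_for("Modify")))
```

`standard_permissions_covered` is the useful check when auditing an ACL dump: a bundle that is almost but not quite a standard permission (Full Control minus Take Ownership, or Read & Execute minus Read Permissions) is exactly the kind of entry the deck's suggested assignments rely on, and it is invisible until the Advanced tab is opened.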


Activity 5-5: Configuring Special NTFS Permissions

• Objective is to view, configure, and test special NTFS permissions
• Deny a group the ability to read the NTFS permissions associated with a folder
• Verify that access has been denied


Determining Effective Permissions

• Permissions that actually apply to a user can be the result of membership in multiple groups

• Prior to Windows Server 2003, determining effective permissions was done manually

• In Windows Server 2003, there is an Effective Permissions tab in the Advanced Security Settings dialog box for a resource
  • Shows the specific permissions for a user or group


Activity 5-6: Determining Effective NTFS Permissions

• Objective is to view effective permissions for a user on an NTFS folder

• Open the Effective Permissions tab for a test folder

• Enter the name of the user
• Review the permissions specifically granted to that user for that folder
• Repeat with a group


Combining Shared Folder and NTFS Permissions

• NTFS permissions can be combined with share permissions
  • When accessing a share across a network, if both apply, the most restrictive is used
  • When accessing a file locally, only NTFS permissions apply
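The rules spread over the shared folder and NTFS permission slides (permissions are cumulative, Deny overrides Allow, the most restrictive of share and NTFS applies over the network, NTFS alone applies for a local logon) can be checked mechanically. The Python below is an added example, not code from the guide: it reduces the standard share and NTFS permissions to a small set of abstract rights (an assumption of the model; special permissions are left out) and evaluates the Activity 5-3 share and the PublicData assignment from the suggested-security slides. User and group names other than Everyone, Users, Administrators, Domain Admins and Marketing Users are constructed.

```python
"""Effective-access model for shared folder and NTFS permissions.

Constructed example for this chapter, not code from the MCSE guide or from
Microsoft. Each standard permission is reduced to a set of abstract rights so
the rules on the slides can be checked:
  - permissions are cumulative over the user's own entries and group entries
  - a Deny entry overrides any Allow
  - over the network the most restrictive of share and NTFS applies
  - for a local logon only NTFS permissions apply
"""
from dataclasses import dataclass

READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "execute", "write", "delete", "change permissions", "take ownership")
ALL = frozenset({READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# The three standard shared folder permissions (abstracted).
SHARE = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

# The six standard NTFS permissions (abstracted; special permissions omitted).
NTFS = {
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
    "List Folder Contents": frozenset({READ, EXECUTE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}
# "Everything but Full Control", as used on the PublicData/PrivateData slides.
EVERYTHING_BUT_FULL_CONTROL = ("Modify", "Read & Execute",
                               "List Folder Contents", "Read", "Write")


@dataclass(frozen=True)
class ACE:
    """One access control entry: trustee (user or group), permission, Allow/Deny."""
    trustee: str
    permission: str
    allow: bool = True


def resolve(acl, table, principals):
    """Combine every ACE that names the user or one of the user's groups.

    Allow entries are unioned (cumulative); Deny entries are unioned and then
    subtracted, so a Deny always overrides an Allow from any other entry.
    """
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return frozenset(allowed - denied)


def effective_rights(user, groups, ntfs_acl, share_acl=None, over_network=True):
    """Rights the user ends up with on the resource.

    Everyone is treated as a group every user belongs to, which is why the
    default 'Everyone: Read' share entry matters. A local logon ignores the
    share ACL; network access keeps only the rights both ACLs grant.
    """
    principals = {user, "Everyone", *groups}
    ntfs = resolve(ntfs_acl, NTFS, principals)
    if not over_network or share_acl is None:
        return ntfs
    return ntfs & resolve(share_acl, SHARE, principals)


def public_data_example(user, groups, over_network=True):
    """The PublicData suggested assignment: share Users=Change and
    Administrators=Full Control; NTFS Administrators=Full Control and
    Users=everything but Full Control."""
    share_acl = [ACE("Administrators", "Full Control"), ACE("Users", "Change")]
    ntfs_acl = [ACE("Administrators", "Full Control")] + [
        ACE("Users", p) for p in EVERYTHING_BUT_FULL_CONTROL]
    return effective_rights(user, groups, ntfs_acl, share_acl, over_network)


def deny_example():
    """A Deny on one of the user's groups overrides an Allow from another."""
    ntfs_acl = [ACE("Users", "Modify"), ACE("Temps", "Write", allow=False)]
    return effective_rights("dana", ["Users", "Temps"], ntfs_acl)


if __name__ == "__main__":
    print("alice over the network:", sorted(public_data_example("alice", ["Users"])))
    print("dana (Temps denied Write):", sorted(deny_example()))
```

The Activity 5-3 requirement "other users have no access" falls out of the intersection: a user who matches no share entry gets an empty share set, so whatever NTFS grants is cut to nothing over the network while a local logon on the server still sees the NTFS rights.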


Activity 5-7: Exploring the Impact of Combined Shared Folder and NTFS Permissions

• Objective is to determine effective permissions when combining shared folder and NTFS permissions

• Create a folder with both permissions
• Attempt to create a new folder locally and over the network


A Suggested Security Assignment for PUBLIC APPLICATION FOLDERS

Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders.

• Share Permissions
  • Users: Read
  • Administrators: Full Control
• NTFS Permissions
  • PublicApps: Administrators Full Control; Users Read & Execute, List Folder Contents, Read
  • If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.


A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS

Permissions assigned here assume that users in each department should only have access to their department’s applications (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.).

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PrivateApps: Administrators Full Control
    • Remove inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance, make sure Administrators have Full Control.
  • Each subfolder
    • Administrators should already be assigned Full Control because of inheritance
    • Assign each group the following permissions to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.); users in each department will have to access their respective folder via the UNC path
      • Read & Execute
      • List Folder Contents
      • Read


A Suggested Security Assignment for PUBLIC DATA FOLDERS

Permissions assigned here assume that all users are able to add to, delete from, and change the contents of files in the shared folder area. Users should not, however, be able to change permissions on a file or folder, nor should they be able to take ownership of a file or folder.

• Share Permissions
  • Administrators: Full Control
  • Users: Change
• NTFS Permissions
  • PublicData: Administrators Full Control; Users everything but Full Control


A Suggested Security Assignment for PRIVATE DATA FOLDERS

Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from, and change the contents of files in their department’s folder.

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PrivateData: Administrators Full Control
    • Remove inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance, make sure Administrators have Full Control.
  • Each subfolder
    • Administrators should already be assigned Full Control because of inheritance
    • Assign each group everything but Full Control to their respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.); users in each department will have to access their respective folder via the UNC path


A Suggested Security Assignment for PUBLIC APPLICATION FOLDERS

Permissions assigned here assume that all users in the domain should be able to run programs that exist in any of the share’s subfolders.

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PublicApps: Administrators Full Control; Users Read & Execute, List Folder Contents, Read
  • If the PublicApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.


A Suggested Security Assignment for PRIVATE APPLICATION FOLDERS

Permissions assigned here assume that users in each department should only have access to their department’s applications (i.e., Accounting can only access Accounting; Sales can only access Sales, etc.).

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PrivateApps: Administrators Full Control; Users Read & Execute, List Folder Contents, Read
  • If the PrivateApps folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
  • Each subfolder
    • Remove inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance, make sure Administrators have Full Control.
    • Assign each group the following permissions to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.)
      • Read & Execute
      • List Folder Contents
      • Read


A Suggested Security Assignment for PUBLIC DATA FOLDERS

Permissions assigned here assume that all users are able to add to, delete from, and change the contents of files in the shared folder area. Users should not, however, be able to change permissions on a file or folder, nor should they be able to take ownership of a file or folder.

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PublicData: Administrators Full Control; Users everything but Full Control


A Suggested Security Assignment for PRIVATE DATA FOLDERS

Permissions assigned here assume that users in each department should only have access to their department’s data. Users in each department should be able to add to, delete from, and change the contents of files in their department’s folder.

• Share Permissions
  • Users: Full Control
• NTFS Permissions
  • PrivateData: Administrators Full Control; Users Read & Execute, List Folder Contents, Read
  • If the PrivateData folder is created at the root of the drive and Microsoft’s default NTFS permissions haven’t been changed at the root, you can use the default NTFS permissions.
  • Each subfolder
    • Remove inheritance from above (do not allow inheritable permissions from the parent to propagate to this folder). After removing the inheritance, make sure Administrators have Full Control.
    • Assign each group everything but Full Control to their department’s respective folder (i.e., Sales group to the Sales folder; Marketing group to the Marketing folder, etc.)


Mapping Network Drives

• Two methods:
  • Navigate to the share using My Network Places, right-click on the share, and click Map Network Drive
    • The user mapping the drive must have permissions to the share. If the user does not have permissions to the share but does have permissions to a folder within the share, the UNC path to the share\folder can be entered in the Folder entry of the Map Network Drive dialog box
  • Syntax: Net Use driveletter uncpath
    • Example: maps the letter G: to a share named Apps on ServerA:
      Net Use G: \\ServerA\Apps


Understanding Ownership

• Ownership
  • Every folder and file on an NTFS partition of a Windows Server 2003 server has an owner
  • The person who creates the file is the owner
  • The owner can always access the file/folder
  • The owner can always change its permissions
    • This is true even if they have been removed from the Security tab. Because they own it, they can simply add themselves to the Security tab!
  • Administrators can take ownership of any file or folder
    • This is useful in a situation where the file is not otherwise accessible, i.e., the user who created the file had previously removed Administrators from the Security tab and that user has been deleted
  • Any user who has the special NTFS Change Permissions or the special NTFS Take Ownership permission on a file or folder can take ownership of that file or folder
  • New to Windows Server 2003: a user who has the right to take ownership can also give ownership to another user or group.


Viewing and Taking Ownership

• Viewing Ownership
  • View ownership of a file or folder from the Owner tab in the Advanced Security Settings of the file/folder properties
  • Properties of file or folder / Security / Advanced / Owner
• Taking Ownership
  • Take ownership of a file or folder from the Owner tab in the Advanced Security Settings of the file/folder properties
  • Properties of file or folder / Security / Advanced / Owner
  • Select a new owner from the Change Owner To box, or add a new user to the list and select that new user (add a new user or group by using the Other Users or Groups button)
  • Use Replace Owners on Subcontainers and Objects with caution.
  • Taking ownership does not automatically add the owner to the file/folder’s ACL.
    • Example: if an administrator has no permissions to a file or folder, he/she can take ownership of the file/folder, but Administrators are not automatically added to the Security tab of that file or folder; the new entry must be added.


Replace Owners on Subcontainers and Objects: When should you use it?

• Replace Owners on Subcontainers and Objects checkbox
  • If the user who owns the folder/file no longer needs access to the folder, then when the administrator takes ownership of the folder, this option should be selected.
• The process:
  • Select the Administrators group as the new owner and select Replace Owners on Subcontainers and Objects.
  • Click OK and answer Yes to the prompt regarding giving full control.
  • This will remove all entries from the folder’s ACL and add Administrators with Full Control. The original owner will lose access to the folder and all its contents.


Replace Owners on Subcontainers and Objects: When should you use it?

• Replace Owners on Subcontainers and Objects checkbox
  • If the user who owns the folder/file still needs access to the folder, do not select this option. When you don’t select this option you will be the new owner but the ACL will remain intact, which means you still won’t have permissions to the folder, but since you now own it you can give yourself permission. If the goal is for the administrator and the original owner to have access to the folder, you must reconfigure the security on the folder.
• Process:
  • After taking ownership of the parent folder (without replacing owners on subcontainers), add the Administrators group to the parent folder’s ACL with Full Control
  • Write down all other entries that exist on the ACL of the folder
  • Go back to the Owner tab for the parent folder and this time check the Replace Owners on Subcontainers check box and answer Yes to the question regarding replacing directory permissions with permissions granting you Full Control.
  • Go back to the ACL for the folder and confirm that the list matches what you wrote down above. You should also check child files/folders and note that only Administrators exist on child file/folder ACLs.
  • To force the parent permissions to all child files and folders, go to the Advanced Security tab of the parent folder and check the check box for Replace permission entries on all child objects with entries shown here…. Answer Yes to the warning.
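As an added example, not code from the guide, the Python below is a toy in-memory folder tree that follows the ownership rules on these slides: the owner can always edit the ACL, Administrators can always take ownership, taking ownership leaves the ACL alone (the new owner is not added to it), and Replace Owners on Subcontainers and Objects resets every ACL in the subtree to the new owner with Full Control. The tree contents, user names and helper names are constructed for the example; it is a model of the stated rules, not a real ACL editor.

```python
"""Ownership rules for files and folders on an NTFS volume, as described on
the ownership slides. Added example for this chapter, not from the MCSE guide."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    owner: str                 # user or group that owns the object
    acl: list                  # Allow entries as (trustee, permission name)
    children: list = field(default_factory=list)
    is_file: bool = False


def _principals(user, groups):
    return {user, "Everyone", *groups}


def granted(node, user, groups=()):
    """Permission names the ACL grants to the user directly or via groups."""
    p = _principals(user, groups)
    return {perm for trustee, perm in node.acl if trustee in p}


def can_change_permissions(node, user, groups=()):
    """The owner can always edit the ACL, even after being removed from it;
    anyone else needs Full Control or the Change Permissions special permission."""
    if node.owner in _principals(user, groups):
        return True
    return bool(granted(node, user, groups) & {"Full Control", "Change Permissions"})


def can_take_ownership(node, user, groups=()):
    """Administrators can take ownership of anything; other users need Full
    Control, Change Permissions or Take Ownership on the object."""
    if "Administrators" in groups:
        return True
    return bool(granted(node, user, groups)
                & {"Full Control", "Change Permissions", "Take Ownership"})


def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)


def take_ownership(node, actor, groups=(), new_owner=None, replace_on_subcontainers=False):
    """Owner tab behaviour. Without the checkbox only the owner field changes
    and the ACL is left untouched (the new owner is NOT added to it). With
    Replace Owners on Subcontainers and Objects and Yes to the prompt, every
    object in the subtree gets the new owner and an ACL holding only the new
    owner with Full Control, so all previous entries are lost."""
    if not can_take_ownership(node, actor, groups):
        raise PermissionError(f"{actor} cannot take ownership of {node.name}")
    new_owner = new_owner or actor   # Server 2003 lets the actor name another principal
    if replace_on_subcontainers:
        for n in walk(node):
            n.owner = new_owner
            n.acl = [(new_owner, "Full Control")]
    else:
        node.owner = new_owner


def add_entry(node, actor, groups, trustee, permission):
    if not can_change_permissions(node, actor, groups):
        raise PermissionError(f"{actor} cannot change permissions on {node.name}")
    node.acl.append((trustee, permission))


def build_sample_tree():
    """Constructed scenario from the slide: alice created Projects, removed
    Administrators from every ACL, and her account has since been deleted."""
    plan = Node("plan.doc", "alice", [("alice", "Full Control"), ("Sales", "Modify")],
                is_file=True)
    sales = Node("Sales", "alice", [("alice", "Full Control"), ("Sales", "Modify")], [plan])
    return Node("Projects", "alice", [("alice", "Full Control")], [sales])


def recover_without_replace():
    """Administrator bob takes ownership for the Administrators group without the
    checkbox: he still has no entry and no rights, but as owner may add one."""
    root = build_sample_tree()
    admins = ("Administrators",)
    take_ownership(root, "bob", admins, new_owner="Administrators")
    rights_right_after_taking = granted(root, "bob", admins)
    add_entry(root, "bob", admins, "Administrators", "Full Control")
    return root, rights_right_after_taking


if __name__ == "__main__":
    root, before = recover_without_replace()
    print("rights before adding an entry:", before, "after:", granted(root, "bob", ("Administrators",)))
    print("Sales subfolder still owned by:", root.children[0].owner)
```

Running the two paths side by side shows why the slide tells you to write the ACL down first: the no-checkbox path keeps the Sales group's Modify entry on the subfolder, while the checkbox path wipes it along with everything else in the subtree.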


Converting a FAT Partition to NTFS

• For highest security, partitions and volumes should be configured to use NTFS

• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS

• All existing files and folders are retained
• CONVERT cannot convert NTFS to FAT or FAT32


Activity 5-8: Converting a FAT32 Partition to NTFS

• Objective is to convert a FAT32 partition to NTFS file system

• Create a small FAT32 partition on server (using New Partition Wizard)

• Create a new file and folder on the partition
• Use CONVERT to convert the partition to NTFS
• Review permissions on the converted folder


Summary

• Windows Server 2003 supports 3 file systems
  • FAT
  • FAT32
  • NTFS (preferred)
• Two types of permissions
  • Shared folder (network only)
    • Tools are Windows Explorer, Computer Management, and the NET SHARE command
  • NTFS (local and network)
    • NTFS partitions only


Summary (continued)

• Permissions
  • Shared folders: 3 standard permissions
  • NTFS: 6 standard and 14 special permissions
• Permissions are cumulative
• Effective permissions can be determined from the Advanced Security Settings of a resource
• Shared folder and NTFS permissions can be combined
• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system