
SHARING FILE SYSTEM RESOURCES


Chapter 9


CHAPTER OVERVIEW

• Create and manage file system shares and work with share permissions

• Use NTFS file system permissions to control access to files

• Manage file sharing using Internet Information Services (IIS)


UNDERSTANDING PERMISSIONS OVERVIEW

• File system permissions

• Share permissions

• Active Directory permissions

• Registry permissions – (REGEDIT)


ACCESS CONTROL LISTS (ACL)

Lab: Properties for root of a drive

• Windows Explorer

• Right-click

• Properties

Access Control Entries

ACL has ACEs


PERMISSIONS

Permissions are keys to unlock access to resources.

Full Control permission is the master key.


INHERITANCE

• Allows permissions assigned at one folder to flow down to subsequent files and folders

• Can be overridden by explicit permission assignment or inheritance blocking

• Useful in reducing the number of permission assignments required


INHERITANCE

[Diagram: a folder tree with the columns "Folder" and "User Permissions". Folders listed: (Grand) Parent Folder, Parent Folder 1, Child Folder 1A, Child Folder 1B, Parent Folder 2, Child Folder 2A, Child Folder 2B, Parent Folder 3, Child Folder 3A. Six permission entries read "Read Write Delete Folders/Files"; three read "???? ????? ?????? Folders/Files".]


EFFECTIVE PERMISSIONS

• Allowed permissions are cumulative.

• Denied permissions override allowed permissions.

• Explicit permissions take precedence over inherited permissions.


EFFECTIVE PERMISSIONS

[Diagram: a folder tree with the columns "Folder" and "User Permissions". Folders listed: (Grand) Parent Folder, Parent Folder 1, Child Folder 1A, (Grand) Child, Child Folder 1B. Permission entries shown: "Deny All", "Read ????? ?????? Folders/Files", and three entries reading "???? ????? ?????? Folders/Files".]


SHARING FOLDERS

• Without shares, network clients cannot access folders on a server.

• Require:

  • Client for Microsoft Networks

  • File and Printer Sharing for Microsoft Networks


ADMINISTRATIVE SHARES

Administrative shares are hidden.

Appending a $ to a share name creates a hidden share.


RESTRICTIONS ON CREATING FILE SYSTEM SHARES

• On a domain controller:

  • Administrators, Server Operators, Enterprise Admins, Domain Admins groups

• On a domain member server or workstation:

  • Administrators, Server Operators, Power Users groups

• On a workgroup or standalone computer:

  • Administrators or Power Users groups


CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER

Lab: Create Share Folder

• Create “C:\ShareMe” folder

• Right-click “C:\ShareMe”

• Select “Share this folder”


SHARING A VOLUME USING WINDOWS EXPLORER

Lab: Create Share for root

• Start Windows Explorer

• Select C:\ root

• Right-click C:\ root

• Select Sharing tab

• Click “New Share…”


CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN

Lab: Create Share using MMC

• Start Computer Management Console

• Select Shared Folders

• Select Shares

• Right-click

• Click New Shares


CREATING A FILE SYSTEM SHARE USING NET.EXE

• Allows shares to be created from a command line

• Lets you configure permissions during creation

• Lets you configure offline settings for the share


MANAGING SHARED FOLDERS

Lab: Share properties

• Select “ShareMe”

• Right-click

• Properties


CONTROLLING OFFLINE STORAGE

Lab: Offline Caching

• Select “ShareMe”

• Right-click

• Caching


PUBLISHING FILE SYSTEM SHARES IN ACTIVE DIRECTORY


MANAGING SHARE PERMISSIONS


USING SHARE PERMISSIONS

• Limited scope: Can be applied only to folders and only when connecting to the share.

• Lack of flexibility: Permissions applied to the share apply to all levels below.

• No replication: Share permissions are not replicated.

• No resiliency: Share permissions cannot be backed up or restored.


USING SHARE PERMISSIONS (continued)

• Fragility: Shares (and therefore share permissions) are lost when a folder is moved or renamed.

• No auditing: Share permissions do not facilitate auditing.


SHARE PERMISSION DEFAULTS

• When a new share is created, the following permissions are granted:

  • Everyone special identity: Read

  • Administrators: Full Control


CREATING A FILE SYSTEM SHARING STRATEGY

• Create logically named shares.

• Use nesting where necessary to reduce users’ need to navigate the directory structure.

• Share removable drives from the root to keep the share available when media are removed and reconnected or changed.


NESTING SHARES

• A share can be created on any folder in the file system.

• Multiple shares on the same folder can have different permissions.

• Permissions are applied at the share entry point.


USING NTFS PERMISSIONS

• Scope: NTFS permissions apply no matter how the file is accessed.

• Flexibility: Wide range of permissions allows assignments to be tailored.

• Replication: NTFS permissions are included when a file is replicated.

• Resilience: NTFS permissions are retained when objects are backed up.

• Less fragile: NTFS permissions are not lost if a file is moved or renamed.

• Auditing: NTFS permissions support auditing.


MANAGING STANDARD PERMISSIONS


USING ADVANCED SECURITY SETTINGS


MANAGING SPECIAL PERMISSIONS


VIEWING EFFECTIVE PERMISSIONS


RESOURCE OWNERSHIP

• Each file and folder is assigned an owner.

• Ownership of a file makes the security principal a member of the Creator/Owner special identity.

• Files that are owned go toward disk quota calculations.


ADMINISTERING IIS

• Web server platform included with all editions of Windows Server 2003.

• Version 6 has improved security over previous versions.

• Allows files to be published through a browser interface.

• Supports HTTP and FTP.


INSTALLING IIS

• Not installed during operating system installation

• Installed through the Windows Components Wizard (select Add Or Remove Programs in Control Panel, and click Add/Remove Windows Components) or through the Manage Your Server wizard


MANAGING AN IIS WEB SITE


USING THE WEB SITE TAB


USING THE HOME DIRECTORY TAB


USING THE DOCUMENTS TAB


USING THE PERFORMANCE TAB


CREATING VIRTUAL DIRECTORIES

• Allows you to include a folder from anywhere on the network in your Web site

• Appears to the Web site user as if it is a sub-directory of the main Web site folder

• Allows management of Web content to be distributed between departments.


CONFIGURING IIS SECURITY


CONFIGURING IIS AUTHENTICATION


CONFIGURING IP ADDRESS AND DOMAIN NAME RESTRICTIONS


CONFIGURING SECURE COMMUNICATIONS


SUMMARY

• Windows Server 2003 controls access to resources using a number of mechanisms, including share permissions and NTFS permissions.

• Every object protected by permissions has an ACL, which is a list of ACEs assigned to that object. Each ACE contains a security principal and indicates the level of access they are permitted or denied to the object.

• File system shares enable network users to access files and folders on other computers.


SUMMARY (continued)

• Share permissions provide basic protection for file system shares, but they lack the granularity and flexibility of NTFS permissions.

• NTFS permissions can be allowed or denied, and explicit or inherited. A Deny permission takes precedence over an Allow permission, and an explicit permission takes precedence over an inherited permission.


SUMMARY (continued)

• Access granted by NTFS permissions can be restricted by share permissions and other factors, such as IIS permissions on Web sites.

• Whenever two permission types are assigned to a resource, you must evaluate each set of permissions and then determine which of the two is more restrictive.

• Every NTFS file and folder has an owner. The owner of a file or folder is always permitted to modify the file or folder’s ACL.


SUMMARY (continued)

• Any user with the Allow Take Ownership permission or the Take Ownership Of Files Or Other Objects user right can take ownership of an object.

• IIS is a Windows Server 2003 application that allows you to share files and folders using Web and FTP server services.
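
The precedence rules from the EFFECTIVE PERMISSIONS slide and the summary (Allow is cumulative, Deny overrides Allow, explicit overrides inherited, and network access is the more restrictive of share and NTFS permissions) can be modeled in a few lines. This is an added example, not part of the original slides; it is a simplified model rather than Windows' actual access check, and the user names, group names and ACEs are constructed for illustration.

```python
# Simplified model of the rules on this page; not Windows' real access-check code.
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str      # user or group name (hypothetical names below)
    allow: bool         # True = Allow ACE, False = Deny ACE
    rights: frozenset   # e.g. frozenset({"read", "write"})
    inherited: bool = False

ALL_RIGHTS = frozenset({"read", "write", "delete"})

def effective(acl, identities, wanted=ALL_RIGHTS):
    """Rights granted to a token holding `identities` (the user plus its groups)."""
    # Precedence tiers as (inherited, allow):
    # explicit deny, explicit allow, inherited deny, inherited allow.
    tiers = [(False, False), (False, True), (True, False), (True, True)]
    granted = set()
    for right in wanted:
        for inherited, allow in tiers:
            hit = any(a.inherited == inherited and a.allow == allow
                      and a.principal in identities and right in a.rights
                      for a in acl)
            if hit:               # first tier with a matching ACE decides this right
                if allow:
                    granted.add(right)
                break
    return frozenset(granted)     # no matching ACE at all means no access

def effective_over_share(share_acl, ntfs_acl, identities):
    """Network access is limited to what both the share and NTFS permit."""
    return effective(share_acl, identities) & effective(ntfs_acl, identities)

# Constructed sample data: "alice" is a member of Sales and Everyone.
ALICE = {"alice", "Sales", "Everyone"}
NTFS_ACL = [
    ACE("Everyone", True, frozenset({"read"}), inherited=True),
    ACE("Sales", True, frozenset({"write", "delete"}), inherited=True),
    ACE("Sales", False, frozenset({"delete"}), inherited=True),
    ACE("alice", True, frozenset({"delete"})),   # explicit ACE on this folder
]
# The default share permissions listed on the page.
SHARE_ACL = [
    ACE("Everyone", True, frozenset({"read"})),
    ACE("Administrators", True, ALL_RIGHTS),
]
```

With this data, alice's explicit Allow for delete wins over the inherited Deny on Sales when she works locally, while another Sales member loses delete; through the default share, both are held to Read.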