Upload
rex
View
40
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Chapter 9. SHARING FILE SYSTEM RESOURCES. CHAPTER OVERVIEW. Create and manage file system shares and work with share permissions Use NTFS file system permissions to control access to files Manage file sharing using Internet Information Services (IIS). UNDERSTANDING PERMISSIONS OVERVIEW. - PowerPoint PPT Presentation
Citation preview
11
SHARING FILE SYSTEM RESOURCES
Chapter 9
Chapter 9: SHARING FILE SYSTEM RESOURCES 2
CHAPTER OVERVIEW
• Create and manage file system shares and work with share permissions
• Use NTFS file system permissions to control access to files
• Manage file sharing using Internet Information Services (IIS)
Chapter 9: SHARING FILE SYSTEM RESOURCES 3
UNDERSTANDING PERMISSIONS OVERVIEW
• File system permissions• Share permissions• Active Directory permissions• Registry permissions – (REGEDIT)
Chapter 9: SHARING FILE SYSTEM RESOURCES 4
ACCESS CONTROL LISTS (ACL)
Lab:Properties for root of a drive• Windows Explorer• Right-click• Properties
Access Control Entries
ACL has ACEs
Chapter 9: SHARING FILE SYSTEM RESOURCES 5
PERMISSIONS
Permissions are keys to unlock access to resources.
Full Control permission is the master key.
Chapter 9: SHARING FILE SYSTEM RESOURCES 6
INHERITANCE
• Allows permissions assigned at one folder to flow down to subsequent files and folders
• Can be overridden by explicit permission assignment or inheritance blocking
• Useful in reducing the number of permission assignments required
Chapter 9: SHARING FILE SYSTEM RESOURCES 7
INHERITANCE
Folder User Permissions
(Grand) Parent Folder
Parent Folder 1
Child Folder 1A
Child Folder 1B
Parent Folder 2
Child Folder 2A
Child Folder 2B
Parent Folder 3
Child Folder 3A
Read Write Delete Folders/Files
Read Write Delete Folders/Files
Read Write Delete Folders/Files
Read Write Delete Folders/Files
Read Write Delete Folders/Files
Read Write Delete Folders/Files
???? ????? ?????? Folders/Files
???? ????? ?????? Folders/Files
???? ????? ?????? Folders/Files
Chapter 9: SHARING FILE SYSTEM RESOURCES 8
EFFECTIVE PERMISSIONS
• Allowed permissions are cumulative.• Denied permissions override allowed
permissions.• Explicit permissions take precedence over
inherited permissions.
Chapter 9: SHARING FILE SYSTEM RESOURCES 9
EFFECTIVE PERMISSIONS
Folder User Permissions(Grand) Parent Folder
Parent Folder 1
Child Folder 1A
(Grand) Child
Child Folder 1B
Deny All
???? ????? ?????? Folders/Files
Read ????? ?????? Folders/Files
???? ????? ?????? Folders/Files
???? ????? ?????? Folders/Files
Chapter 9: SHARING FILE SYSTEM RESOURCES 10
SHARING FOLDERS
• Without shares, network clients cannot access folders on a server.
• Require:• Client for Microsoft
Networks• File and Printer Sharing
for Microsoft Networks
Chapter 9: SHARING FILE SYSTEM RESOURCES 11
ADMINISTRATIVE SHARES
Administrative shares are hidden.
Appending a share with a $ creates a hidden share.
Chapter 9: SHARING FILE SYSTEM RESOURCES 12
RESTRICTIONS ON CREATING FILE SYSTEM SHARES
• On a domain controller: • Administrators, Server Operators, Enterprise
Admins, Domain Admins groups
• On a domain member server or workstation:• Administrators, Server Operators, Power Users
groups
• On a workgroup or standalone computer:• Administrators or Power Users groups
Chapter 9: SHARING FILE SYSTEM RESOURCES 13
CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER
Lab:Create Share Folder• Create “C:\ShareMe”
folder• Right-click “C:\ShareMe”• Select “Share this
folder”
Chapter 9: SHARING FILE SYSTEM RESOURCES 14
SHARING A VOLUME USING WINDOWS EXPLORER
Lab: Create Share for root• Start Windows Explorer• Select C:\ root • Right-click C:\ root• Select Sharing tab• Click “New Share…”
Chapter 9: SHARING FILE SYSTEM RESOURCES 15
CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN
Lab: Create Share using MMC• Start Computer
Management Console
• Select Shared Folders
• Select Shares• Right-click• Click New Shares
Chapter 9: SHARING FILE SYSTEM RESOURCES 16
CREATING A FILE SYSTEM SHARE USING NET.EXE
• Allows shares to be created from a command line
• Lets you configure permissions during creation
• Lets you configure offline settings for the share
Chapter 9: SHARING FILE SYSTEM RESOURCES 17
MANAGING SHARED FOLDERS
Lab:Share properties• Select “ShareMe”• Right-click• Properties
Chapter 9: SHARING FILE SYSTEM RESOURCES 18
CONTROLLING OFFLINE STORAGE
Lab: Offline Caching• Select “ShareMe”• Right-Click• Caching
Chapter 9: SHARING FILE SYSTEM RESOURCES 19
PUBLISHING FILE SYSTEM SHARES IN ACTIVE DIRECTORY
Chapter 9: SHARING FILE SYSTEM RESOURCES 20
MANAGING SHARE PERMISSIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 21
USING SHARE PERMISSIONS
• Limited scope Can be applied only to folders and only when connecting to the share.
• Lack of flexibility Permissions applied to the share apply to all levels below.
• No replication Share permissions are not replicated.
• No resiliency Share permissions cannot be backed up or restored.
Chapter 9: SHARING FILE SYSTEM RESOURCES 22
USING SHARE PERMISSIONS (continued)
• Fragility Shares (and therefore share permissions) are lost when a folder is moved or renamed.
• No auditing Share permissions do not facilitate auditing.
Chapter 9: SHARING FILE SYSTEM RESOURCES 23
SHARE PERMISSION DEFAULTS
• When a new share is created, the following permissions are granted:• Everyone special identity: Read• Administrators: Full Control
Chapter 9: SHARING FILE SYSTEM RESOURCES 24
CREATING A FILE SYSTEM SHARING STRATEGY
• Create logically named shares.• Use nesting where necessary to reduce
users’ need to navigate the directory structure.
• Share removable drives from the root to keep the share available when media are removed and reconnected or changed.
Chapter 9: SHARING FILE SYSTEM RESOURCES 25
NESTING SHARES
• A share can be created on any folder in the file system.
• Multiple shares on the same folder can have different permissions.
• Permissions are applied at the share entry point.
Chapter 9: SHARING FILE SYSTEM RESOURCES 26
USING NTFS PERMISSIONS
• Scope NTFS permissions apply no matter how the file is accessed.
• Flexibility Wide range of permissions allows assignments to be tailored.
• Replication NTFS permissions are included when a file is replicated.
• Resilience NTFS permissions are retained when objects are backed up.
• Less fragile NTFS permissions are not lost if a file is moved or renamed.
• Auditing NTFS permissions support auditing.
Chapter 9: SHARING FILE SYSTEM RESOURCES 27
MANAGING STANDARD PERMISSIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 28
USING ADVANCED SECURITY SETTINGS
Chapter 9: SHARING FILE SYSTEM RESOURCES 29
MANAGING SPECIAL PERMISSIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 30
VIEWING EFFECTIVE PERMISSIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 31
RESOURCE OWNERSHIP
• Each file and folder is assigned an owner.• Ownership of a file makes the security
principle a member of the Creator/Owner special identity.
• Files that are owned go toward disk quota calculations.
Chapter 9: SHARING FILE SYSTEM RESOURCES 32
ADMINISTERING IIS
• Web server platform included with all editions of Windows Server 2003.
• Version 6 has improved security over previous versions.
• Allows files to be published through a browser interface.
• Supports HTTP and FTP.
Chapter 9: SHARING FILE SYSTEM RESOURCES 33
INSTALLING IIS
• Not installed during operating system installation
• Installed through the Windows Components Wizard (select Add Or Remove Programs in Control Panel, and click Add/Remove Windows Components) or through the Manage Your Server wizard
Chapter 9: SHARING FILE SYSTEM RESOURCES 34
MANAGING AN IIS WEB SITE
Chapter 9: SHARING FILE SYSTEM RESOURCES 35
USING THE WEB SITE TAB
Chapter 9: SHARING FILE SYSTEM RESOURCES 36
USING THE HOME DIRECTORY TAB
Chapter 9: SHARING FILE SYSTEM RESOURCES 37
USING THE DOCUMENTS TAB
Chapter 9: SHARING FILE SYSTEM RESOURCES 38
USING THE PERFORMANCE TAB
Chapter 9: SHARING FILE SYSTEM RESOURCES 39
CREATING VIRTUAL DIRECTORIES
• Allows you to include a folder from anywhere on the network in your Web site
• Appears to the Web site user as if it is a sub-directory of the main Web site folder
• Allows management of Web content to be distributed between departments.
Chapter 9: SHARING FILE SYSTEM RESOURCES 40
CONFIGURING IIS SECURITY
Chapter 9: SHARING FILE SYSTEM RESOURCES 41
CONFIGURING IIS AUTHENTICATION
Chapter 9: SHARING FILE SYSTEM RESOURCES 42
CONFIGURING IP ADDRESS AND DOMAIN NAME RESTRICTIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 43
CONFIGURING SECURE COMMUNICATIONS
Chapter 9: SHARING FILE SYSTEM RESOURCES 44
SUMMARY
• Windows Server 2003 controls access to resources using a number of mechanisms, including share permissions and NTFS permissions.
• Every object protected by permissions has an ACL, which is a list of ACEs assigned to that object. Each ACE contains a security principal and indicates the level of access they are permitted or denied to the object.
• File system shares enable network users to access files and folders on other computers.
Chapter 9: SHARING FILE SYSTEM RESOURCES 45
SUMMARY (continued)
• Share permissions provide basic protection for file system shares, but they lack the granularity and flexibility of NTFS permissions.
• NTFS permissions can be allowed or denied, and explicit or inherited. A Deny permission takes precedence over an Allow permission, and an explicit permission takes precedence over an inherited permission.
Chapter 9: SHARING FILE SYSTEM RESOURCES 46
SUMMARY (continued)
• Access granted by NTFS permissions can be restricted by share permissions and other factors, such as IIS permissions on Web sites.
• Whenever two permission types are assigned to a resource, you must evaluate each set of permissions and then determine which of the two is more restrictive.
• Every NTFS file and folder has an owner. The owner of a file or folder is always permitted to modify the file or folder’s ACL.
Chapter 9: SHARING FILE SYSTEM RESOURCES 47
SUMMARY (continued)
• Any user with the Allow Take Ownership permission or the Take Ownership Of Files Or Other Objects user right can take ownership of an object.
• IIS is a Windows Server 2003 application that allows you to share files and folders using Web and FTP server services.