Chapter 9: SHARING FILE SYSTEM RESOURCES

CHAPTER OVERVIEW

Create and manage file system shares and work with share permissions.

Use NTFS file system permissions to control access to files.

Manage file sharing using Internet Information Services (IIS).

UNDERSTANDING PERMISSIONS

File system permissions ***

Share permissions ***

Active Directory permissions: users, groups, computers; may be delegated for more effective management

Registry permissions: may require admin permissions to modify

ACCESS CONTROL LISTS

Used to set permissions on most Windows elements such as files, shares, Active Directory objects, and registry keys. The ACL is always stored/found with the element being controlled.

You set permissions on security principals like users, groups, and computers.

You can view the STANDARD permissions given to a security principal for an object.

PERMISSIONS

The Advanced tab allows you to see the STANDARD permissions set on a security principal, as well as set SPECIAL permissions. This is a very “granular” method of setting permissions.

INHERITANCE

Allows permissions assigned at one folder to flow down to subsequent files and folders

Can be overridden by explicit permission assignment or inheritance blocking

Useful in reducing the number of permission assignments required

A DENY permission will ALWAYS override an inherited permission.

EFFECTIVE PERMISSIONS

Allowed permissions are cumulative.

Denied permissions override allowed INHERITED permissions. In other words, explicitly allowed permissions do not override inherited DENIED permissions

Explicit permissions take precedence over inherited permissions.

Remember, a security principal can receive permissions from multiple sources: individually, by inheritance, and by group membership. The combination of these cumulative permissions is known as the EFFECTIVE PERMISSIONS.

SHARING FOLDERS

WHY SHARE ???

You can access files and folders by sitting at the machine, provided you have the proper permissions.

You can make the files or folder available to users on the network by SHARING.

The Workstation service and the Server service make sharing and accessing the resources possible. The SERVER service makes the shared resource available on the network, and the WORKSTATION service enables other computers to access the shared resources. These services are implemented when you select Client for Microsoft Networks (Workstation service) and File and Printer Sharing (Server service).

ADMINISTRATIVE SHARES

ADMIN$ is the System Root folder. C:\Windows by default is shared with the name Admin$. This is a hidden share that enables members of the Administrators group to have full control over the system root folder without having to know exactly where it is.

IPC$ Used for remote administration of computers, it allows dedicated portions of one computer’s memory (named pipe) to communicate with another computer’s named pipe to pass information from one process to another.

Remember, when you use a “$” sign AFTER the share name, you will effectively hide the share from users on the network.

RESTRICTIONS ON CREATING FILE SYSTEM SHARES

On a domain controller: Administrators, Server Operators, Enterprise Admins, Domain Admins groups only

On a domain member server or workstation: Administrators, Server Operators, or Power Users groups only

On a workgroup or standalone computer: Administrators or Power Users groups only

CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER

SHARING A VOLUME USING WINDOWS EXPLORER

CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN

CREATING A FILE SYSTEM SHARE USING NET.EXE

Allows shares to be created from a command line

Lets you configure permissions during creation

Lets you configure offline settings for the share

Example:

net share documents=c:\docs /grant:users,read

where documents is the share name you want to use and docs is the name of the folder you want to share

MANAGING SHARED FOLDERS

You will see this by going to Computer Management, Shared Folders. Right click any shared folder then select the properties option for the shared folder.

Offline settings allow the Administrator to specify whether network users are permitted to cache the shared folder contents on their computers.

CONTROLLING OFFLINE STORAGE

PUBLISHING FILE SYSTEM SHARES IN ACTIVE DIRECTORY

A valuable option which creates a Shared Folder object in AD which will “POINT” to the actual location of a shared folder. Users can search for this PUBLISHED SHARED FOLDER object in Active Directory without actually having to know the exact location of a shared folder.

VIEW THIS IN COMPUTER MANAGEMENT

MANAGING SHARE PERMISSIONS

Default share permissions

Use Explorer or the Shared Folders option in the Computer Management snap-in to manage shared folders.

USING SHARE PERMISSIONS

Limited scope: Can be applied only to folders and only when connecting to the share.

Lack of flexibility: Permissions applied to the share apply to all levels below.

No replication: Share permissions are not replicated.

No resiliency: Share permissions cannot be backed up or restored.

USING SHARE PERMISSIONS (continued)

Fragility: Shares (and therefore share permissions) are lost when a folder is moved or renamed.

No auditing: Share permissions do not facilitate auditing.

SHARE PERMISSION DEFAULTS

When a new share is created, the following permissions are granted: Everyone special identity: Read

Don’t forget that the Administrator can set whatever share permissions are necessary to allow appropriate access by users over the network.

CREATING A FILE SYSTEM SHARING STRATEGY

Create logically named shares.

Use nesting where necessary to reduce users’ need to navigate the directory structure.

Share removable drives from the root to keep the share available when media are removed and reconnected or changed. For example, when you share out the CDROM drive

NESTING SHARES

A share can be created on any folder in the file system.

Multiple shares on the same folder can have different permissions.

Permissions are applied at the share entry point.

USING NTFS PERMISSIONS

Scope: NTFS permissions apply no matter how the file is accessed.

Flexibility: Wide range of permissions allows assignments to be tailored.

Replication: NTFS permissions are included when a file is replicated.

Resilience: NTFS permissions are retained when objects are backed up.

Less fragile: NTFS permissions are not lost if a file is moved (but they may change) or renamed.

Auditing: NTFS permissions support auditing.

MANAGING STANDARD PERMISSIONS

USING ADVANCED SECURITY SETTINGS

MANAGING SPECIAL PERMISSIONS

VIEWING EFFECTIVE PERMISSIONS

RESOURCE OWNERSHIP

Each file and folder is assigned an owner.

Ownership of a file makes the security principal a member of the Creator/Owner special identity.

Files that are owned go toward disk quota calculations.

Multiple NTFS Permissions

User 1 has READ for Folder A and is a member of both groups. Group B has WRITE for Folder A. Group A has been DENIED WRITE for File 2. What are User 1’s effective permissions to File 2 ??

NTFS Permissions Are Cumulative

File Permissions Override Folder Permissions

Deny Overrides Other Permissions

[Diagram: NTFS partition C:\ with FolderA containing File1 and File2; User1 (Read), GroupB (Write), GroupA (Deny Write to File2); labels: Read / Write, Read / Write, Read.]

Class Discussion: Applying NTFS Permissions

Users Group: Write to Folder1. Sales Group: Read to Folder1. User 1 to Folder1 ??

Users Group: Read to Folder1. Sales Group: Write to Folder2. User 1 to Doc2 ??

Users Group: Modify to Folder1. Doc2 should only be accessible to Sales Group, and only for Read access.

[Diagram: NTFS partition C:\ with Folder1, Folder2, Doc1 and Doc2; Users Group, Sales Group, User1.]

• Copying and Moving Files and Folders

Copying Files and Folders

Moving Files and Folders

Class Discussion: Copying and Moving Files

Copying Files and Folders

[Diagram: three copy cases, each starting from a source on NTFS partition C:\ with Permissions = Full Control. Copy within NTFS partition C:\: Permissions = Destination Folder. Copy to NTFS partition D:\: Permissions = Destination Folder. Copy to a non-NTFS partition: Lose NTFS Permissions. Label: Read, Write Permission.]

Moving Files and Folders

[Diagram: three move cases, each starting from a source on NTFS partition C:\ with Permissions = Full Control. Move within NTFS partition C:\: Permissions = Full Control. Move to NTFS partition D:\: Permissions = Destination Folder. Move to a non-NTFS partition: Lose NTFS Permissions. Label: Write, Modify Permissions.]

Class Discussion: Copying and Moving Files

[Diagram: NTFS partition (D:) with folder Data (FC) and FileA; NTFS partition (C:) with folders Users, Mary (None) and Public (M) and FileA; arrows labelled Copy, Move and Move; Group 1.]

ADMINISTERING IIS

Web server platform included with all editions of Windows Server 2003.

Version 6 has improved security over previous versions.

Allows files to be published through a browser interface.

Supports HTTP and FTP.

INSTALLING IIS

Not installed during operating system installation

Installed through the Windows Components Wizard (select Add Or Remove Programs in Control Panel, and click Add/Remove Windows Components) or through the Manage Your Server Wizard

MANAGING AN IIS WEB SITE

USING THE WEB SITE TAB

USING THE HOME DIRECTORY TAB

USING THE DOCUMENTS TAB

USING THE PERFORMANCE TAB

CREATING VIRTUAL DIRECTORIES

Allows you to include a folder from anywhere on the network in your Web site

Appears to the Web site user as if it is a subdirectory of the main Web site folder

Allows management of Web content to be distributed between departments

CONFIGURING IIS SECURITY

CONFIGURING IIS AUTHENTICATION

CONFIGURING IP ADDRESS AND DOMAIN NAME RESTRICTIONS

CONFIGURING SECURE COMMUNICATIONS

SUMMARY

Windows Server 2003 controls access to resources using a number of mechanisms, including share permissions and NTFS permissions.

Every object protected by permissions has an ACL, which is a list of ACEs assigned to that object. Each ACE contains a security principal and indicates the level of access they are permitted or denied to the object.

File system shares enable network users to access files and folders on other computers.

SUMMARY (continued)

Share permissions provide basic protection for file system shares, but they lack the granularity and flexibility of NTFS permissions.

NTFS permissions can be allowed or denied, and explicit or inherited. A Deny permission takes precedence over an Allow permission, and an Explicit permission takes precedence over an Inherited permission.

SUMMARY (continued)

Access granted by NTFS permissions can be restricted by share permissions and other factors, such as IIS permissions on Web sites.

Whenever two permission types are assigned to a resource, you must evaluate each set of permissions and then determine which of the two is more restrictive.

Every NTFS file and folder has an owner. The owner of a file or folder is always permitted to modify the file or folder’s ACL.
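
The effective-permission rules from the earlier slides (Allows are cumulative, file overrides folder, Deny overrides) and the "more restrictive of share and NTFS" rule above, worked through on the User1 / FolderA / File2 scenario. This is an added example, not part of the original slides; the two-right model, the helper names and the treatment of the Change share permission as Read plus Write are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE = "Read", "Write"   # simplified two-right model (assumption)

@dataclass(frozen=True)
class ACE:
    principal: str         # user or group the entry applies to
    allow: bool            # True = Allow entry, False = Deny entry
    rights: frozenset
    inherited: bool = False

def ace(principal, kind, *rights):
    """Build an explicit (non-inherited) entry; kind is 'allow' or 'deny'."""
    return ACE(principal, kind == "allow", frozenset(rights))

def inherit(parent_acl):
    """Copies of the parent's entries, flagged as inherited by the child."""
    return [ACE(a.principal, a.allow, a.rights, True) for a in parent_acl]

def effective(acl, token):
    """Rights held by a token (the user's name plus its group names)."""
    # Canonical ACE order: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow.
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    granted, denied = set(), set()
    for a in ordered:
        if a.principal not in token:
            continue
        if a.allow:
            granted |= a.rights - denied    # Allows accumulate across sources
        else:
            denied |= a.rights - granted    # Deny blocks rights not yet granted
    return granted

def over_network(share_acl, ntfs_acl, token):
    """Through a share, a right must pass both checks (most restrictive wins)."""
    return effective(share_acl, token) & effective(ntfs_acl, token)

# Constructed data: the User1 / FolderA / File2 scenario from the slides.
USER1 = {"User1", "GroupA", "GroupB", "Everyone"}
FOLDER_A = [ace("User1", "allow", READ), ace("GroupB", "allow", WRITE)]
FILE1 = inherit(FOLDER_A)
FILE2 = inherit(FOLDER_A) + [ace("GroupA", "deny", WRITE)]
DEFAULT_SHARE = [ace("Everyone", "allow", READ)]         # new-share default
CHANGE_SHARE = [ace("Everyone", "allow", READ, WRITE)]   # Change ~ Read + Write

if __name__ == "__main__":
    for name, acl in (("File1", FILE1), ("File2", FILE2)):
        print(name, "local:", sorted(effective(acl, USER1)))
        print(name, "via default share:",
              sorted(over_network(DEFAULT_SHARE, acl, USER1)))
        print(name, "via Change share:",
              sorted(over_network(CHANGE_SHARE, acl, USER1)))
```

Run locally, User1 gets Read and Write on File1 but only Read on File2; through a share left at the Everyone: Read default, both files are capped at Read.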

SUMMARY (continued)

Any user with the Allow Take Ownership permission or the Take Ownership Of Files Or Other Objects user right can take ownership of an object.

IIS is a Windows Server 2003 application that allows you to share files and folders using Web and FTP server services.