Managing Groups, Folders, Files and Security Local Domain local Global Universal Objects Folders...
Managing Groups, Folders, Files and Security
Topics: Local, Domain Local, Global, Universal, Objects, Folders, Permissions, Inheritance, Access Control List, NTFS Permissions, Share Permissions, Universal Naming Convention
IT:Network:Microsoft Server 1 Copyright 2010
Groups
Two kinds:
1. Security Group: granting access to resource objects
2. Distribution List: used for email and organization
Groups
Local: standalone servers that are not part of a domain. Does not go beyond the local server.
Domain Local: used when there is a single domain, or used to manage resources in a particular domain so that global and universal groups can access those resources.
Global: used to manage group accounts from the same domain so that those accounts can access resources in the same and in other domains.
Universal: used to provide access to resources in any domain within a forest.
Groups
W2K3 comes with predefined domain local, global, and universal groups, e.g. Domain Admins, Domain Users, etc.
Default Local Groups (more on p. 718):
Account Operators: administer user accounts and groups
Administrators: complete access
Backup Operators: enables members to back up folders and files on computers
Guests
Power Users
Print Operators
Remote Desktop Users
Users
Groups
Built-in Global Groups:
Domain Admins: Members can administer the home domain, workstations of the domain and any other trusted domain. Every system that is “joined” to a domain has Domain Admins automatically added to the local Administrators group.
Domain Users: Every user created in a domain is automatically made a member of the Domain Users group.
“Special” Built-in Groups
INTERACTIVE: anyone using the computer locally
Network: all users connected over the network to the computer
Everyone: all current users, including guests, and users from other domains
System: the operating system
Creator Owner: the creator/owner of subdirectories, files, and print jobs
Authenticated Users: any user who has been authenticated to the system. A more secure alternative to Everyone
Anonymous Logon: a user who has logged in anonymously, such as an anonymous FTP user
Batch: an account that has logged in as a batch job
Service: an account that has logged in as a service
Dialup: users who are accessing the system via DUN
Must have File and Printer Sharing enabled
Utilizes the SERVER service to provide access to local resources.
All Microsoft operating systems install File and Printer Sharing by default.
This means even your Windows XP, Vista, etc. come out of the box as “servers”.
The WORKSTATION service must be started in order for that client to access resources across the network.
Share Permissions
QUIZ QUESTION!!! Default Permissions for Share
Add Authenticated Users group
Add Administrators group
Delete Everyone group
Share Permissions
Read - Read files and folders and their attributes, run application files, and change folders that are contained in the shared folder.
Change - Create folders and files. Change data and attributes in files and delete files and folders. The Change permission also includes the same actions as the Read permission.
Full Control - This permission allows the same rights as Read and Change. In addition, it grants the user/group the right to modify the Access Control List (ACL). Modifying the ACL means changing permissions as well as adding or removing groups/users.
• To disable the creation of administrative shares, browse to: http://www.petri.co.il/disable_administrative_shares.htm
CREATING A FILE SYSTEM SHARE USING NET.EXE
Allows shares to be created from a command line
Lets you configure permissions during creation
Lets you configure offline settings for the share
Net.exe
Net.exe
Can map logical drives using net.exe:
net use <drive letter>: \\computername\sharename /persistent:no
net use x: \\server01\public /persistent:no
Creates a non-persistent logical X: drive to the share public on server01.
A persistent drive is similar to the Reconnect at Logon check box when mapping a network drive in Windows Explorer. A non-persistent drive is flushed from memory when the system reboots.
The Universal Naming Convention (UNC) path is represented as \\computername\sharename\folder\folder\...\...
CREATING A FILE SYSTEM SHARING STRATEGY
Create logically named shares.
Use nesting where necessary to reduce users’ need to navigate the directory structure.
Makes navigation easier for the end user
Reduces the possibility of an accidental click/drag of folders
Share removable drives from the root to keep the share available when media are removed and reconnected or changed.
What Shares can do
A share can be created within another share, which is referred to as nesting.
A share can be created on any folder in the file system.
Multiple shares on the same folder can have different permissions.
Permissions are applied at the share entry point.
SHARE PERMISSION CHARACTERISTICS
Limited scope. Can be applied only to folders and only when connecting to the share.
Lack of flexibility. Permissions applied to the share apply to all levels below.
No replication. Share permissions are not replicated.
No resiliency. Share permissions cannot be backed up or restored.
SHARE PERMISSION CHARACTERISTICS (continued)
Fragility. Shares (and therefore share permissions) are lost when a folder is moved or renamed.
No auditing. Share permissions do not facilitate auditing.
USING NTFS PERMISSIONS
Scope. NTFS permissions apply no matter how the file is accessed.
Flexibility. A wide range of permissions allows assignments to be tailored.
Replication. NTFS permissions are included when a file is replicated.
Resilience. NTFS permissions are retained when objects are backed up.
Less fragile. NTFS permissions are not lost if a file is moved or renamed.
Auditing. NTFS permissions support auditing.
Folder and File Security Best Practices
Try not to manage by file, but rather by folder if possible.
Assign permissions by group rather than by user.
If a single user needs access to ANY resource, create a group, add that user to the group and assign permissions to the group.
Reduces the possibility of “forgetting” that user assignment
Allows you to grant access to the resource by just adding future users to the group
NTFS Permissions
The drive must be formatted using NTFS to be able to use NTFS permissions (Quiz!!!).
Non-NTFS (FAT32) volumes will not have the Security tab (pictured at right).
NTFS Permissions
The permission levels in NTFS are narrower than the share permissions, with 6 levels for folders and 5 levels for files. The levels are as follows:
Read - Read the file and its ownership and attributes.
Write - In addition to the Read permissions, the user can overwrite the file and change its attributes.
Read & Execute - In addition to the Read permissions, the user can run applications. In the folder permissions, this level can also traverse folders and list the folder contents.
Modify - In addition to the Read & Execute and Write permissions, the user can delete the file or folder.
Full Control - This permission is inclusive of the previous rights. In addition, it grants the user/group the right to modify the Access Control List (ACL). This right also allows a user/group to take ownership of files/folders.
List Folder Contents (folders only) - allows the user to list the folder and subfolder contents.
RESOURCE OWNERSHIP
Each file and folder is assigned an owner.
Ownership of a file makes the security principal a member of the Creator Owner special identity.
Files/folders that are owned count toward disk quota calculations.
NTFS Permissions
INHERITANCE
Allows permissions assigned at one folder to flow down to subsequent files and folders
Can be overridden by explicit permission assignment or inheritance blocking
Useful in reducing the number of permission assignments required
A file's explicit permissions will always override its folder's inherited permissions
Inherited Permissions
Inherited Permissions
By unchecking the Inherited permissions option, you have the choice to copy or remove any inherited permissions.
EFFECTIVE PERMISSIONS
Allowed permissions are cumulative.
Denied permissions override allowed permissions.
Explicit permissions take precedence over inherited permissions.
Summary: Share v. NTFS
When applied to the same resource, the most restrictive permissions apply.
UserA has a share permission of Read.
UserA has an NTFS permission of Full Control.
UserA’s effective permission is Read, because Read is the most restrictive between Share and NTFS.
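To make the precedence rules from the Inheritance, Effective Permissions and Share v. NTFS slides concrete, here is an added Python model (not part of the original slides) that evaluates a constructed folder ACL for two users and then applies the share level; the right names, group names and ACL entries are illustrative assumptions, not Windows' own access-mask flags.

```python
from dataclasses import dataclass

# Rights in this constructed model (illustrative names, not Windows' own access-mask flags)
ALL_RIGHTS = frozenset({"read", "execute", "write", "delete", "change_permissions", "take_ownership"})
SHARE_LEVELS = {  # share permission levels from the slides, as sets of rights
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": ALL_RIGHTS,
}

@dataclass
class Ace:
    principal: str     # user or group the entry applies to
    rights: frozenset  # rights granted or denied by this entry
    allow: bool        # True = Allow entry, False = Deny entry
    inherited: bool    # False = explicit assignment on this object

def effective_ntfs(aces, principals):
    """NTFS rules from the slides: allows are cumulative, deny overrides allow,
    and explicit entries take precedence over inherited ones."""
    allowed, decided = set(), set()
    for inherited in (False, True):  # explicit entries first, then inherited
        level = [a for a in aces if a.inherited == inherited and a.principal in principals]
        level_allow = set().union(*(a.rights for a in level if a.allow))
        level_deny = set().union(*(a.rights for a in level if not a.allow))
        # within one level deny wins; rights already decided at the explicit level are final
        allowed |= (level_allow - level_deny) - decided
        decided |= level_allow | level_deny
    return allowed

def effective_over_share(share_level, aces, principals):
    """Share v. NTFS: the most restrictive applies, i.e. only rights granted by both."""
    return SHARE_LEVELS[share_level] & effective_ntfs(aces, principals)

def share_acl_warnings(share_aces):
    """Quiz slide: flag the default grant to Everyone, which should give way to Authenticated Users."""
    return [f"{a.principal} granted {sorted(a.rights)}; replace with Authenticated Users"
            for a in share_aces if a.principal == "Everyone"]

# Constructed folder ACL and group memberships used for the walkthrough
FOLDER_ACL = [
    Ace("Domain Users", frozenset({"read", "execute"}), allow=True, inherited=True),
    Ace("Staff", frozenset({"read", "execute", "write", "delete"}), allow=True, inherited=False),
    Ace("Staff", frozenset({"write"}), allow=False, inherited=True),  # inherited deny loses to explicit allow
    Ace("Contractors", frozenset({"read", "execute", "delete"}), allow=True, inherited=False),
    Ace("Contractors", frozenset({"delete"}), allow=False, inherited=False),  # same-level deny wins
    Ace("Administrators", ALL_RIGHTS, allow=True, inherited=True),
]
USER_A = {"Domain Users", "Staff"}
USER_B = {"Domain Users", "Contractors"}
```

Calling effective_over_share("Read", FOLDER_ACL, {"Administrators"}) reproduces the slide's UserA case: Full Control on NTFS collapses to Read over the share.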