Managing Groups, Folders, Files and Security Local Domain local Global Universal Objects Folders...


Page 1: Managing Groups, Folders, Files and Security (title slide)

Page 2: Managing Groups, Folders, Files and Security. Topics: Local, Domain local, Global, Universal, Objects, Folders, Permissions, Inheritance, Access Control List, NTFS Permissions, Share Permissions, Universal Naming Convention

IT:Network:Microsoft Server 1 Copyright 2010

Page 3: Groups

Two kinds:
1. Security group: used to grant access to resource objects. Its SID can be placed in an ACL and is added to the access token of every member at logon.
2. Distribution group (distribution list): used for e-mail and organization only. It is not security-enabled, so it cannot be used to grant permissions.

Page 4: Group scopes

Local: lives in a computer's own account database (standalone servers and workstations that are not part of a domain, and the local SAM of every domain member). Does not go beyond the local computer.

Domain local: used when there is a single domain, or to manage resources in a particular domain so that global and universal groups (and accounts from any trusted domain) can access those resources. Can be granted permissions only on resources in its own domain.

Global: used to manage accounts from the same domain so that those accounts can access resources in the same and in other (trusting) domains. Members must come from the group's own domain.

Universal: used to provide access to resources in any domain within a forest. Members can come from any domain in the forest; the membership list is stored in the global catalog, so every change replicates forest-wide.

Recommended nesting (AGDLP): put Accounts in Global groups, nest the Global groups in a Domain Local group in the resource's domain, and assign Permissions on the resource to that domain local group.
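As an added example (not from the course slides), the AGDLP nesting above scripted with the ActiveDirectory PowerShell module. It assumes that module is available (RSAT, or Windows Server 2008 R2 and later; it is not part of W2K3), a domain named CONTOSO with an OU called Groups, and the hypothetical user, group and folder names below.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module (RSAT /
# Windows Server 2008 R2 or later, not W2K3), a CONTOSO domain with an OU named
# Groups, an elevated session, and the hypothetical names used here.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=contoso,DC=com'
$folder = 'D:\Shares\SalesData'

# A -> G: accounts go into a Global group (members must belong to this domain).
New-ADGroup -Name 'GG-Sales' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG-Sales' -Members 'alice', 'bob'

# G -> DL: the Global group is nested in a Domain Local group in the resource's
# domain. A DL group may also hold users and global groups from trusted domains.
New-ADGroup -Name 'DL-SalesData-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-SalesData-Modify' -Members 'GG-Sales'

# DL -> P: permissions are granted once, to the Domain Local group, on the folder.
# (OI)(CI) = object/container inherit, so the ACE flows to files and subfolders;
# M = Modify.
if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }
icacls $folder /grant 'CONTOSO\DL-SalesData-Modify:(OI)(CI)M'

# A distribution group is for mail only: its SID is never placed in a logon
# token, so an ACE naming it would grant nothing. Creating it as Distribution
# keeps it from being mistaken for a security group.
New-ADGroup -Name 'Sales-Announcements' -GroupScope Universal -GroupCategory Distribution -Path $ou

# Verify that the nesting resolves down to the individual accounts
Get-ADGroupMember -Identity 'DL-SalesData-Modify' -Recursive | Select-Object Name, objectClass
icacls $folder
```

Adding a future salesperson is one Add-ADGroupMember against GG-Sales; the folder's ACL never changes. Universal groups fit the same pattern, but because their membership is held in the global catalog they are best kept for forest-wide roles whose membership changes rarely.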

Page 5: Predefined groups

W2K3 comes with predefined domain local, global, and universal groups, e.g. Domain Admins, Domain Users, etc.

Default local groups (more on p. 718):
Account Operators: administer user accounts and groups (but cannot change the Administrators group or the other operator groups)
Administrators: complete access
Backup Operators: enables members to back up and restore folders and files on the computer. The backup and restore privileges bypass NTFS permissions, so membership amounts to read access to every file on the machine; treat it as a privileged group.
Guests
Power Users
Print Operators
Remote Desktop Users
Users

Page 6: Built-in global groups

Domain Admins: members can administer the home domain, the workstations of the domain and any other trusting domain. Every system that is joined to a domain has Domain Admins automatically added to its local Administrators group.

Domain Users: every user created in a domain is automatically made a member of the Domain Users group (it is the default primary group). When a computer joins the domain, Domain Users is added to its local Users group.

Page 7: "Special" built-in groups (special identities)

These identities have no member list you can edit; the system places them in a logon token according to how the logon happened.
INTERACTIVE: anyone using the computer locally (logged on at the console or through a terminal session)
NETWORK: all users connected to the computer over the network
Everyone: all current users, including guests and users from other domains. Since Windows XP/Server 2003, Everyone no longer includes Anonymous Logon unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled.
SYSTEM: the operating system
CREATOR OWNER: the creator/owner of subdirectories, files, and print jobs
Authenticated Users: any user who has been authenticated to the system. A more secure alternative to Everyone.
ANONYMOUS LOGON: a user who has logged in anonymously, such as an anonymous FTP user
BATCH: an account that has logged in as a batch job (for example a scheduled task)
SERVICE: an account that has logged in as a service
DIALUP: users who are accessing the system via Dial-Up Networking (DUN)


Page 9: Sharing a folder

Must have File and Printer Sharing enabled.

Page 10: File and Printer Sharing

Utilizes the SERVER service (LanmanServer) to provide access to local resources.

All Microsoft operating systems install File and Printer Sharing by default. This means even your Windows XP, Vista, etc. come out of the box as "servers".

The WORKSTATION service (LanmanWorkstation) must be started in order for that client to access resources across the network.

Page 11: Share permissions (default permissions for a share; quiz question!)

On Windows Server 2003 a new share is created with Everyone: Read (Windows 2000 gave Everyone: Full Control). Harden the share permissions by:
Adding the Authenticated Users group
Adding the Administrators group
Deleting the Everyone group

Page 12: Share permissions

Read - view file and folder names, their attributes and the data in files, run application files, and navigate into subfolders of the shared folder.

Change - create folders and files, change data and attributes in files, and delete files and folders. Change also includes everything Read allows.

Full Control - includes everything Read and Change allow. In addition, it grants the user/group the right to modify the Access Control List (ACL) and to take ownership of files and folders on an NTFS volume. Modifying the ACL means changing permissions as well as adding or removing groups/users.

Page 13: Administrative shares

Windows creates hidden administrative shares automatically: the root of every fixed volume as C$, D$, ..., the system folder as ADMIN$, and IPC$ for named-pipe connections. Only administrative groups can connect to them, and the Server service re-creates them every time it starts, so deleting one by hand is not a lasting change.

To disable the creation of administrative shares, browse to: http://www.petri.co.il/disable_administrative_shares.htm
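An added example (not from the slides or the linked article) of what that page describes, done in PowerShell: enumerate the automatic administrative shares through WMI, set the LanmanServer AutoShareServer value to 0 so the Server service stops re-creating them, and remove the ones that exist now. It assumes a server SKU (workstations use the AutoShareWks value instead) and an elevated session.

```powershell
# Added example, not from the slides. Assumes a server SKU (on workstations the
# value is AutoShareWks) and an elevated PowerShell session.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_Share.Type: 0 = disk, 1 = print, 2 = device, 3 = IPC; the administrative
# variants have the high bit set (2147483648 + those values).
function Get-AdminShare {
    Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -ge 2147483648 }
}
Get-AdminShare | Format-Table Name, Path, Type -AutoSize

# AutoShareServer = 0 stops the Server service from re-creating C$, D$, ... and
# ADMIN$ when it starts. IPC$ is not governed by this value and remains.
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord

# Shares that already exist stay until the service restarts, so delete the disk
# admin shares now. net.exe prints its own status line, hence Out-Null.
Get-AdminShare | Where-Object { $_.Type -eq 2147483648 } | ForEach-Object {
    net share "$($_.Name)" /delete | Out-Null
}

# Confirm: only IPC$ (type 2147483651) should be left
Get-AdminShare | Format-Table Name, Path, Type -AutoSize

# To undo: set the value back to 1 and restart the service
# Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 1 -Type DWord
# Restart-Service -Name LanmanServer
```

Remote management depends on these shares more than it looks: remote Event Viewer, Group Policy software installation, PsExec-style remote execution and several backup agents use ADMIN$ and C$. Disabling them blocks those paths for administrators and attackers alike, so confirm what your management tooling needs first; tight membership of the local Administrators group and host-firewall rules for SMB (TCP 445) are usually the stronger control.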


Page 17: Creating a file system share using net.exe

Allows shares to be created from a command line
Lets you configure permissions during creation
Lets you configure offline settings for the share

Page 18: Net.exe

Page 19: Net.exe

Can map logical drives using net.exe:

net use <drive letter>: \\computername\sharename /persistent:no

net use x: \\server01\public /persistent:no creates a non-persistent logical X: drive to the share public on server01. A persistent drive (/persistent:yes) is similar to the Reconnect at Logon check box when mapping a network drive in Windows Explorer. A non-persistent drive exists only for the current logon session and is gone after a logoff or reboot.

The Universal Naming Convention (UNC) is represented as \\computername\sharename\folder\folder\...\... The share name is the entry point: a client sees only the part of the file system at or below the shared folder.
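An added example (not from the slides) that strings pages 10, 11, 17 and 19 together: check the two services, create the share with net.exe while replacing the default Everyone entry with Authenticated Users and Administrators, set the offline (caching) setting, then map and unmap it. It assumes Windows Server 2008 or later for the /GRANT switch (Windows Server 2003's net share has no way to set share permissions; there you use the GUI or the rmtshare.exe resource kit tool), an elevated session, and the hypothetical share and folder names below.

```powershell
# Added example, not from the slides. Assumes Windows Server 2008 or later
# (for net share /GRANT), an elevated session, and the hypothetical folder and
# share names below.
$folder = 'D:\Shares\Public'
$share  = 'Public'

# Sharing is provided by the Server service; reaching a share needs the
# Workstation service. Both should show Running.
Get-Service -Name LanmanServer, LanmanWorkstation | Format-Table Name, Status -AutoSize

if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }

# Create the share with its permissions in one step. Because /GRANT is given,
# the default "Everyone: Read" entry is never written, which is the page 11
# advice (Authenticated Users in, Administrators in, Everyone out).
# /CACHE:None is the offline-files setting for the share.
net share "$share=$folder" /GRANT:"Authenticated Users,READ" /GRANT:"Administrators,FULL" /CACHE:None /REMARK:"Public documents"

# Inspect the share. This lists share permissions only; NTFS permissions are a
# separate layer (icacls $folder shows those).
net share $share

# Map the share for this logon session only; /persistent:yes would make it
# reconnect at logon like the Explorer check box.
net use X: "\\$env:COMPUTERNAME\$share" /persistent:no
net use                                  # lists current mappings

# The UNC form works without a drive letter: \\server\share\folder\...
Get-ChildItem -Path "\\$env:COMPUTERNAME\$share"

# Tear down
net use X: /delete
net share $share /delete
```

The share-level ACL written here is deliberately coarse: Authenticated Users get Read, Administrators Full, and who may actually change which files is left to the NTFS permissions on D:\Shares\Public, which apply to local and network access alike.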


Page 21: Creating a file system sharing strategy

Create logically named shares.
Use nesting where necessary to reduce users' need to navigate the directory structure. It makes navigation easier for the end user and reduces the possibility of an accidental click/drag of folders.
Share removable drives from the root to keep the share available when media are removed and reconnected or changed.

Page 22: What shares can do

A share can be created within another share, which is referred to as nesting.
A share can be created on any folder in the file system.
Multiple shares on the same folder can have different permissions.
Permissions are applied at the share entry point: a user who connects through a nested share is checked against that share's permissions, not against the permissions of the share above it.

Page 23: Share permission characteristics

Limited scope. Can be applied only to folders and only when connecting to the share over the network; a user logged on locally (or through Terminal Services) to the server is not subject to them at all.
Lack of flexibility. Permissions applied to the share apply to all levels below, and there are only three levels (Read, Change, Full Control).
No replication. Share permissions are not replicated; they live in the server's registry, not with the folder.
No resiliency. Share permissions cannot be backed up or restored together with the files (the only copy is the LanmanServer\Shares registry key).

Page 24: Share permission characteristics (continued)

Fragility. Shares (and therefore share permissions) are lost when a folder is moved or renamed.
No auditing. Share permissions do not facilitate auditing.

Page 25: Using NTFS permissions

Scope. NTFS permissions apply no matter how the file is accessed (locally, over a share, by a service).
Flexibility. Wide range of permissions allows assignments to be tailored.
Replication. NTFS permissions are included when a file is replicated.
Resilience. NTFS permissions are retained when objects are backed up.
Less fragile. NTFS permissions are not lost if a file is moved or renamed within the same volume (a move to another volume is a copy, and the copy inherits the destination folder's permissions).
Auditing. NTFS permissions support auditing (audit entries are stored in the object's SACL).

Page 26: Folder and file security best practices

Try not to manage by file, but rather by folder if possible.
Assign permissions by group rather than by user.
If a single user needs access to ANY resource, create a group, add that user to the group and assign permissions to the group. This reduces the possibility of "forgetting" that user assignment, and it allows you to grant access to the resource by just adding future users to the group.

Page 27: NTFS permissions

The drive must be formatted using NTFS to be able to use NTFS permissions (quiz!).

A non-NTFS (FAT32) volume has no ACLs, so its Properties dialog has no Security tab (shown in the screenshot on the slide); every file on it is readable by anyone who can reach the volume, and only share permissions stand between a network user and the data.

Page 28: NTFS permissions

The NTFS permission levels are finer-grained than the share permissions, with 6 levels for folders and 5 levels for files (each level is a bundle of the advanced, or special, permissions). The levels are as follows:

Read - read the file (or list the folder) and view its ownership, attributes and permissions.
Write - overwrite the file (or create files and subfolders in the folder) and change its attributes. Write does not include Read: a principal with only Write can put data into a file but cannot read it back.
Read & Execute - in addition to the Read permissions, the user can run applications. In the folder permissions, this level can also traverse folders and list the folder contents.
List Folder Contents - folders only: allows the user to list the folder and subfolder contents. It carries the same rights as Read & Execute but is inherited by subfolders only, never by files.
Modify - in addition to the Read & Execute and Write permissions, the user can delete the file or folder.
Full Control - inclusive of all previous rights. In addition, it grants the user/group the right to modify the Access Control List (ACL) and to take ownership of files/folders.
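An added example (not from the slides) that applies the levels on this page with icacls, shows the ownership points of the following page, and exercises the backup/restore property from page 25. It assumes an NTFS volume at D:, a CONTOSO domain, an elevated session, and the hypothetical group, account and folder names below.

```powershell
# Added example, not from the slides. Assumes an NTFS volume at D:, a CONTOSO
# domain, an elevated session, and the hypothetical names below.
$root = 'D:\Projects'
New-Item -Path "$root\Specs" -ItemType Directory -Force | Out-Null
Set-Content -Path "$root\Specs\design.txt" -Value 'draft'

# icacls simple rights are the Security-tab levels:
#   F = Full Control, M = Modify, RX = Read & Execute, R = Read, W = Write
# Inheritance flags: (OI) object inherit = flows to files,
#                    (CI) container inherit = flows to subfolders.
icacls $root /grant 'CONTOSO\DL-Projects-Modify:(OI)(CI)M'
icacls $root /grant 'CONTOSO\DL-Projects-Read:(OI)(CI)RX'
# List Folder Contents = RX with (CI) only, so it reaches subfolders but never
# files: members can browse the tree without opening anything in it.
icacls $root /grant 'CONTOSO\DL-Projects-List:(CI)RX'
# Write without Read: the service account can overwrite design.txt but cannot
# read it back (W does not contain R).
icacls "$root\Specs\design.txt" /grant 'CONTOSO\svc-dropbox:W'

# Ownership (page 29). The owner may always change the DACL, whatever the ACEs say.
(Get-Acl -Path $root).Owner
# A CREATOR OWNER entry is a template: when a file is created, the creator's SID
# is substituted for it. (IO) inherit-only keeps it off the folder itself.
icacls $root /grant 'CREATOR OWNER:(OI)(CI)(IO)F'
# Assigning or taking ownership needs Full Control, or the SeTakeOwnership /
# SeRestore privileges that Administrators and Backup Operators hold.
icacls "$root\Specs" /setowner 'CONTOSO\DL-Projects-Admins' /T

# Resilience (page 25): NTFS DACLs can be saved and restored; share ACLs cannot.
# Only DACLs are saved, not the owner or the audit (SACL) entries.
icacls "$root\*" /save 'D:\projects-acl.txt' /T
# To put them back later:  icacls $root /restore 'D:\projects-acl.txt'

# Review the result; (I) marks inherited entries
icacls $root /T
```

Reading the final listing is the check that matters: every entry on the Specs subfolder and on design.txt should carry (I), except the explicit W granted to svc-dropbox on the file, and the CREATOR OWNER entry should appear only on the containers, never on a file.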

Page 29: Resource ownership

Each file and folder is assigned an owner (by default, the account that created it).
Ownership of a file makes the security principal the subject of the CREATOR OWNER special identity for that object: CREATOR OWNER entries inherited from the parent are rewritten to the owner's SID when the object is created.
The owner can always read and change the object's permissions, even when no ACE grants it any access.
Files/folders that are owned go toward disk quota calculations.


Page 31: NTFS Permissions


Page 34: Inheritance

Allows permissions assigned at one folder to flow down to subsequent files and folders.
Can be overridden by explicit permission assignment or by inheritance blocking (when blocking, the inherited entries can be copied onto the object or removed).
Useful in reducing the number of permission assignments required.
A file's explicit permissions will always override the permissions it inherits from its folders.

Page 35: Inherited permissions

Page 36: Inherited permissions

By unchecking the "Allow inheritable permissions from the parent to propagate to this object" option, you have the choice to copy or remove any inherited permissions. Copy keeps the current entries as explicit ACEs, so nobody's access changes until you edit them; Remove leaves only what was explicitly set on the object, which can lock out everyone except the owner and an administrator who takes ownership.

Page 37: Effective permissions

Allowed permissions are cumulative: a user gets the union of the Allow entries for their account and for every group in their token.
Denied permissions override allowed permissions at the same level (explicit over explicit, inherited over inherited).
Explicit permissions take precedence over inherited permissions. The DACL is evaluated in order: explicit Deny, explicit Allow, inherited Deny, inherited Allow, and the first entry that covers a right decides it. An explicit Allow set on an object therefore wins over a Deny inherited from its parent.
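An added example (not from the slides) for pages 34 to 37: it builds a small tree with Set-Acl, puts an Allow at the top, an explicit Deny on a subfolder and a protected (inheritance-blocked) file, prints which entries are inherited, and then evaluates a token against each DACL in the order Windows uses, so the three rules above can be watched rather than memorised. The token can be your own (the special identities of page 7 show up in whoami /groups) or the constructed one in the script. It assumes an NTFS volume at D: and an elevated session; the folder names are hypothetical, BUILTIN\Users exists on every Windows computer.

```powershell
# Added example, not from the slides. Assumes an NTFS volume at D: and an
# elevated session; folder names are hypothetical, BUILTIN\Users is built in.
$root = 'D:\Dept'
$sub  = "$root\HR"
$file = "$sub\salaries.txt"
New-Item -Path $sub -ItemType Directory -Force | Out-Null
New-Item -Path $file -ItemType File -Force | Out-Null

function Add-Ace {
    param([string]$Path, [string]$Identity, [string]$Rights, [string]$Type,
          [string]$Inherit = 'ContainerInherit, ObjectInherit')
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Identity, $Rights, $Inherit, 'None', $Type
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Allow Modify at the top; (CI)(OI) inheritance carries it into HR and its files.
Add-Ace -Path $root -Identity 'BUILTIN\Users' -Rights 'Modify' -Type 'Allow'

# 2. Explicit Deny of Write on the subfolder. The inherited Allow is still
#    present, but an explicit entry is evaluated before any inherited one.
Add-Ace -Path $sub -Identity 'BUILTIN\Users' -Rights 'Write' -Type 'Deny'

# 3. Block inheritance on the file. SetAccessRuleProtection($true, $true) is
#    "uncheck the box, then Copy"; ($true, $false) would be "Remove".
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $file -AclObject $acl

# IsInherited separates the two kinds of entry on each object.
foreach ($p in $root, $sub, $file) {
    "--- $p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# Effective rights of a token against one DACL. Windows orders ACEs: explicit
# Deny, explicit Allow, inherited Deny, inherited Allow; the first ACE that
# mentions a right decides it. That one rule produces all three on the slide:
# Allows accumulate, Deny beats Allow at the same level, explicit beats inherited.
function Get-EffectiveRights {
    param($Access, [string[]]$Token)
    $granted = 0; $denied = 0
    $ordered = $Access | Sort-Object { $_.IsInherited }, { $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $ordered) {
        if ($Token -notcontains $ace.IdentityReference.Value) { continue }
        $undecided = -bnot ($granted -bor $denied)           # bits no earlier ACE settled
        $bits = ([int]$ace.FileSystemRights) -band $undecided
        if ($ace.AccessControlType -eq 'Deny') { $denied  = $denied  -bor $bits }
        else                                    { $granted = $granted -bor $bits }
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}

# A constructed token for an ordinary domain user; for your own session use:
#   $token = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
$token = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
foreach ($p in $root, $sub, $file) {
    "{0,-24} {1}" -f $p, (Get-EffectiveRights -Access (Get-Acl -Path $p).Access -Token $token)
}
# On $root the Allow yields Modify. On $sub the explicit Deny settles the Write
# bits before the inherited Allow is reached. On $file the copied entries are
# all explicit now, so the result matches $sub although nothing flows in.
```

Get-EffectiveRights reads the DACL only: real access checks also consult the owner (implicit Read Permissions and Change Permissions), privileges such as SeBackupPrivilege, and, over a share, the share permissions of page 39. The Effective Permissions tab in the GUI takes the first two into account; this script shows the ACE ordering that tab hides.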


Page 39: Summary: Share v. NTFS

When both apply to the same resource, the most restrictive permissions apply: the effective permission over the network is the intersection of the share permission and the NTFS permission.
UserA has a share permission of Read.
UserA has an NTFS permission of Full Control.
UserA's effective permission through the share is Read, because Read is the most restrictive between Share and NTFS. The same user logged on locally to the server gets Full Control, because share permissions only apply to connections over the network. Since share permissions are the coarser and weaker of the two controls, the usual practice is to keep the share permission simple (for example Authenticated Users: Change) and to do the real restriction with NTFS permissions, which apply however the file is reached.