SHARING FILE SYSTEM RESOURCES

1
SHARING FILE SYSTEM RESOURCES

• Chapter 9

2
CHAPTER OVERVIEW

• Create and manage file system shares and work
  with share permissions
• Use NTFS file system permissions to control
  access to files
• Manage file sharing using Internet Information
  Services (IIS)

3
UNDERSTANDING PERMISSIONS OVERVIEW

• File system permissions
• Share permissions
• Active Directory permissions
• Registry permissions (REGEDIT)

4
ACCESS CONTROL LISTS (ACL)

• Lab
• Properties for root of a drive
• Windows Explorer
• Right-click
• Properties

Access Control Entries ACL has ACEs
5
PERMISSIONS

• Permissions are keys to unlock access to
  resources.
• Full Control permission is the master key.

6
INHERITANCE

• Allows permissions assigned at one folder to flow
  down to subsequent files and folders
• Can be overridden by explicit permission
  assignment or inheritance blocking
• Useful in reducing the number of permission
  assignments required

7
INHERITANCE
Folder User Permissions
(Grand) Parent Folder Parent Folder 1 Child Folder 1A Child Folder 1B Parent Folder 2 Child Folder 2A Child Folder 2B Parent Folder 3 Child Folder 3A Read Write Delete Folders/Files Read Write Delete Folders/Files Read Write Delete Folders/Files Read Write Delete Folders/Files Read Write Delete Folders/Files Read Write Delete Folders/Files ???? ????? ?????? Folders/Files ???? ????? ?????? Folders/Files ???? ????? ?????? Folders/Files
8
EFFECTIVE PERMISSIONS

• Allowed permissions are cumulative.
• Denied permissions override allowed permissions.
• Explicit permissions take precedence over
  inherited permissions.

9
EFFECTIVE PERMISSIONS
Folder User Permissions
(Grand) Parent Folder Parent Folder 1 Child Folder 1A (Grand) Child Child Folder 1B Deny All ???? ????? ?????? Folders/Files Read ????? ?????? Folders/Files ???? ????? ?????? Folders/Files ???? ????? ?????? Folders/Files
10
SHARING FOLDERS

• Without shares, network clients cannot access
  folders on a server.
• Require
• Client for Microsoft Networks
• File and Printer Sharing for Microsoft Networks

11
ADMINISTRATIVE SHARES
Administrative shares are hidden. Appending a
share with a creates a hidden share.
12
RESTRICTIONS ON CREATING FILE SYSTEM SHARES

• On a domain controller
• Administrators, Server Operators, Enterprise
  Admins, Domain Admins groups
• On a domain member server or workstation
• Administrators, Server Operators, Power Users
  groups
• On a workgroup or standalone computer
• Administrators or Power Users groups

13
CREATING A FILE SYSTEM SHARE USING WINDOWS
EXPLORER

• Lab
• Create Share Folder
• Create C\ShareMe folder
• Right-click C\ShareMe
• Select Share this folder

14
SHARING A VOLUME USING WINDOWS EXPLORER

• Lab
• Create Share for root
• Start Windows Explorer
• Select C\ root
• Right-click C\ root
• Select Sharing tab
• Click New Share

15
CREATING A FILE SYSTEM SHARE USING THE SHARED
FOLDERS SNAP-IN

• Lab
• Create Share using MMC
• Start Computer Management Console
• Select Shared Folders
• Select Shares
• Right-click
• Click New Shares

16
CREATING A FILE SYSTEM SHARE USING NET.EXE

• Allows shares to be created from a command line
• Lets you configure permissions during creation
• Lets you configure offline settings for the share

17
MANAGING SHARED FOLDERS

• Lab
• Share properties
• Select ShareMe
• Right-click
• Properties

18
CONTROLLING OFFLINE STORAGE

• Lab
• Offline Caching
• Select ShareMe
• Right-Click
• Caching

19
PUBLISHING FILE SYSTEM SHARES IN ACTIVE DIRECTORY
20
MANAGING SHARE PERMISSIONS
21
USING SHARE PERMISSIONS

• Limited scope Can be applied only to folders
  and only when connecting to the share.
• Lack of flexibility Permissions applied to the
  share apply to all levels below.
• No replication Share permissions are not
  replicated.
• No resiliency Share permissions cannot be
  backed up or restored.

22
USING SHARE PERMISSIONS (continued)

• Fragility Shares (and therefore share
  permissions) are lost when a folder is moved or
  renamed.
• No auditing Share permissions do not facilitate
  auditing.

23
SHARE PERMISSION DEFAULTS

• When a new share is created, the following
  permissions are granted
• Everyone special identity Read
• Administrators Full Control

24
CREATING A FILE SYSTEM SHARING STRATEGY

• Create logically named shares.
• Use nesting where necessary to reduce users need
  to navigate the directory structure.
• Share removable drives from the root to keep the
  share available when media are removed and
  reconnected or changed.

25
NESTING SHARES

• A share can be created on any folder in the file
  system.
• Multiple shares on the same folder can have
  different permissions.
• Permissions are applied at the share entry point.

26
USING NTFS PERMISSIONS

• Scope NTFS permissions apply no matter how the
  file is accessed.
• Flexibility Wide range of permissions allows
  assignments to be tailored.
• Replication NTFS permissions are included when
  a file is replicated.
• Resilience NTFS permissions are retained when
  objects are backed up.
• Less fragile NTFS permissions are not lost if a
  file is moved or renamed.
• Auditing NTFS permissions support auditing.

27
MANAGING STANDARD PERMISSIONS
28
USING ADVANCED SECURITY SETTINGS
29
MANAGING SPECIAL PERMISSIONS
30
VIEWING EFFECTIVE PERMISSIONS
31
RESOURCE OWNERSHIP

• Each file and folder is assigned an owner.
• Ownership of a file makes the security principle
  a member of the Creator/Owner special identity.
• Files that are owned go toward disk quota
  calculations.

32
ADMINISTERING IIS

• Web server platform included with all editions of
  Windows Server 2003.
• Version 6 has improved security over previous
  versions.
• Allows files to be published through a browser
  interface.
• Supports HTTP and FTP.

33
INSTALLING IIS

• Not installed during operating system
  installation
• Installed through the Windows Components Wizard
  (select Add Or Remove Programs in Control Panel,
  and click Add/Remove Windows Components) or
  through the Manage Your Server wizard

34
MANAGING AN IIS WEB SITE
35

• USING THE WEB SITE TAB

36
USING THE HOME DIRECTORY TAB
37
USING THE DOCUMENTS TAB
38
USING THE PERFORMANCE TAB
39
CREATING VIRTUAL DIRECTORIES

• Allows you to include a folder from anywhere on
  the network in your Web site
• Appears to the Web site user as if it is a
  sub-directory of the main Web site folder
• Allows management of Web content to be
  distributed between departments.

40
CONFIGURING IIS SECURITY
41
CONFIGURING IIS AUTHENTICATION
42
CONFIGURING IP ADDRESS AND DOMAIN NAME
RESTRICTIONS
43
CONFIGURING SECURE COMMUNICATIONS
44
SUMMARY

• Windows Server 2003 controls access to resources
  using a number of mechanisms, including share
  permissions and NTFS permissions.
• Every object protected by permissions has an ACL,
  which is a list of ACEs assigned to that object.
  Each ACE contains a security principal and
  indicates the level of access they are permitted
  or denied to the object.
• File system shares enable network users to access
  files and folders on other computers.

45
SUMMARY (continued)

• Share permissions provide basic protection for
  file system shares, but they lack the granularity
  and flexibility of NTFS permissions.
• NTFS permissions can be allowed or denied, and
  explicit or inherited. A Deny permission takes
  precedence over an Allow permission, and an
  explicit permission takes precedence over an
  inherited permission.

46
SUMMARY (continued)

• Access granted by NTFS permissions can be
  restricted by share permissions and other
  factors, such as IIS permissions on Web sites.
• Whenever two permission types are assigned to a
  resource, you must evaluate each set of
  permissions and then determine which of the two
  is more restrictive.
• Every NTFS file and folder has an owner. The
  owner of a file or folder is always permitted to
  modify the file or folders ACL.

47
SUMMARY (continued)

• Any user with the Allow Take Ownership permission
  or the Take Ownership Of Files Or Other Objects
  user right can take ownership of an object.
• IIS is a Windows Server 2003 application that
  allows you to share files and folders using Web
  and FTP server services.