Transcript Chapter 1

Configuring, Managing, and
Troubleshooting Resource Access
• Manage object security for files and
folders
• Configure shared folders and share
permissions
• Troubleshoot a security conflict
1
Managing Objects and Object
Security
• Each object has an access control list
(ACL) for shared resource management
• Access is controlled through common
security techniques:
– Attributes
– Permissions
– Auditing
– Ownership
2
Attributes
• Attributes are a carryover from earlier
DOS-based systems
• Used to convert files and directories from
NetWare
• Used by DOS and NetWare for security and
file management
• Stored as header information
3
FAT File System and Attributes
• FAT has three attributes for files and folders:
– Read-only
• Files in a read-only folder are not automatically made read-only
• Instead, use the read-only permission so that the files
inherit the folder’s permission
– Hidden
• Can be defeated in post-Windows 95 systems
– Archive
• Files are automatically flagged to be backed up when new or
modified
4
NT File System and Attributes
• Allows the FAT attributes of:
– Read-only and hidden on the General tab
– Archive on the Extended tab
• Extended tab also contains:
– Index
– Compress
– Encrypt
• Extended attributes have the option to be
applied to:
– A folder and its files
– A folder, its files, and all subfolders and files
5
NT File System (cont.)
• Index
– Allows for quick searches
– Indexing Service must be installed and set to
start automatically
• Compress
– Saves space on infrequently used files or
limited disk space
– Takes longer to search compressed files
– Compressed files cannot be encrypted
7
NT File System (cont.)
• Encrypt
– Can only be read by the user who encrypted
the file or folder
– Uses the Microsoft Encrypting File System
(EFS)
• Sets up a unique, private encryption key
– An encrypted file remains encrypted when
moved to another folder, even if renamed
– Can also encrypt and decrypt at the command
prompt with the cipher command
8
Folder and File Permissions
• Permissions control access to an object
• Use the folder properties Security tab
• Check the Allow and Deny boxes to set access
permissions for groups and users
– If none of the Allow and Deny boxes are checked, all
access is denied
– Deny overrides any other access
• Inherited permissions
– The permissions of the parent object apply to the
child objects
– Set by default but can be deactivated
9
Guidelines for permissions
• Protect the \Windows folder from general
users
– Traverse Folder / Execute File
• Protect server utility folders
– Access permissions only for Administrators,
Server Operators, and Backup Operators
• Protect software application folders from
users, but allow execution
– Read & Execute, Write
14
Guidelines for permissions
(cont.)
• Create publicly used folders for broad access
except for administrative tasks
– Modify
• Provide users Full Control of their own home
folders
• Remove general access groups from
confidential folders
– Everyone and Users
• Always err on the side of too much security
15
Configuring Folder and File
Auditing
• Track activity on a folder or file through auditing
• Windows Server NTFS folders and files allow
auditing of any or all of the special permissions
• Each type of access can be tracked according to
successful or failed attempts
• Set up an auditing policy to fully configure
auditing for an object
– Use the Domain Security Policy tool
16
Configuring Folder and File
Ownership
• Folders are first owned by the account that
creates them
• Folder owners may change permissions
for their folders
• Ownership can be transferred only by
having the Take Ownership or Full Control
permission
• The Administrators group can take ownership of
any folder or file, regardless of permissions
18
Configuring Shared Folders
• Shared folders can be accessed over the
network
• Specify number of users or allow the maximum
– Maximum is the number of Server 2003 client access
licenses
• Share Permissions
– Full Control: Full access control of share permissions
– Change: Read, add, modify, execute, and delete
– Read: Read and execute
• Option to hide shared folders from browser lists
– Place a $ sign just after its name
20
Troubleshooting a Security
Conflict
• Look at the Effective Permissions tab
– Calculates account group membership and
permission inheritance
• Take file and folder locations into account
– A new file inherits its folder permissions
– Files copied to a folder on the same volume inherit
the new folder’s permissions
– Files moved to a folder on the same volume keep their
original permissions
– Files moved to another volume inherit the new
folder’s permissions
23
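The Allow/Deny, inheritance and copy/move rules from the permission and troubleshooting slides, modelled in Python as an added example (not part of the original deck). The folders, groups and users are constructed sample data, and the model ignores share permissions and the special-permission granularity of real NTFS.

```python
# Added example: NTFS-style evaluation as the slides describe it (inherited ACEs, Deny over Allow, implicit deny, copy/move).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the entry applies to
    rights: frozenset   # e.g. {"Read", "Modify"}
    allow: bool         # True = Allow box checked, False = Deny box checked

@dataclass
class Obj:
    name: str
    aces: list = field(default_factory=list)
    parent: "Obj" = None
    inherit: bool = True    # on by default, can be deactivated

    def effective_aces(self):
        """Own ACEs plus those inherited from ancestors while inheritance is on."""
        aces, node = list(self.aces), self
        while node.inherit and node.parent is not None:
            node = node.parent
            aces.extend(node.aces)
        return aces

def effective_permissions(obj, account, groups):
    """Effective Permissions tab logic: union of Allows for the account and its
    groups, minus anything Denied; with no matching Allow, all access is denied."""
    trustees = {account, *groups}
    allowed, denied = set(), set()
    for ace in obj.effective_aces():
        if ace.trustee in trustees:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied     # Deny overrides any other access

def place_file(file_obj, dest, same_volume, move):
    """Only a move within the same volume keeps the file's original
    permissions; a copy or a cross-volume move inherits from dest."""
    if move and same_volume:
        file_obj.aces = file_obj.effective_aces()   # freeze original ACL
        file_obj.inherit = False
    else:
        file_obj.aces = []                          # drop own ACEs, inherit dest
        file_obj.inherit = True
    file_obj.parent = dest
    return file_obj

# Constructed sample: hypothetical folders, groups and users
public = Obj("Public", [Ace("Users", frozenset({"Read", "Modify"}), True)])
confidential = Obj("Confidential", [Ace("Finance", frozenset({"Read", "Modify"}), True),
                                    Ace("Contractors", frozenset({"Modify"}), False)])
report = Obj("report.xls", parent=confidential)
```

A user in both Finance and Contractors ends up with Read only on report.xls, because the inherited Deny on Modify beats the inherited Allow.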
Distributed File System
• Shared folders on a network appear in one
hierarchy of folders
– Simplifies user access
• Fault tolerance is an option by replicating shared
folders
– Uses the Microsoft File Replication Service
• Load balancing can be performed by distributing
folder access across several servers
• Access is improved to Internet and Intranet sites
• Backups from one set of master folders
25
Summary
• Windows Server 2003 objects are managed
through tools that include folder and file
attributes, permissions, auditing, and ownership
• Attributes enable you to manage folder and file
properties such as read-only, archiving,
compression, and encryption
• Permissions are set to control who has access
to a folder or file
• Auditing is used to monitor who has been given
access to a folder or file
26
Summary
• Ownership is used to grant full control over a
folder or file
• Folders and files can be shared over a network
– Folder and file security can be managed through
share permissions
• Use security troubleshooting techniques and Windows
Server 2003 troubleshooting tools to diagnose a security
conflict
27