Chapter 5 – Managing File Access

MIS 431 Created Spring 2006
MIS 431 - Chapter 5
Permissions!!
• The main reason for implementing a network is to allow users to access shared resources.
• Resources such as files, folders, and printers are secured in Windows Server 2003 (WS03) via use of permissions.
• WS03 handles both FAT and NTFS volumes, but NTFS is assumed – a richer permission environment.
WS03 File Systems
• FAT – up to 4 GB; limitations are small partition size and no file security features
• FAT32 – up to 2 TB partitions but no file security features
• NTFS – version 5 in WS03
  - Supports up to 16 TB (terabytes)
  - Greater scalability over FAT and better performance
  - Support for WS03 Active Directory (AD) – a domain controller (DC) must have an NTFS partition
  - Built-in encryption and compression
  - Configure disk quotas for users
  - Support for remote storage and removable media
  - Recovery logging of disk activities for faster recovery after a failure
Creating & Managing Shared Folders
• A shared folder is a data resource that is made available over the network to authorized users
• Users must have proper rights to create a shared folder
  - Be in the Administrators or Server Operators groups
  - Be in the Power Users group on WS03 servers that are not domain controllers
To Create a Shared Folder
• Using Windows Explorer (Activity 5-1)
  - Right-click on the folder and click the Sharing tab – see figure 5-2 on p. 185
  - Choose Share this folder, give share name, and specify Permissions
  - Folder has shared icon (hand underneath)
• Administrative share name: Admin$
  - Has dollar sign at end and is hidden
  - Only Administrators can see and access root of the drive with C$ or D$
To Create a Shared Folder, contd.
• Using Computer Management (Act. 5-2) MMC
  - Use the Share a Folder Wizard in Shared Folders section: expand and click Shares
  - The wizard also lets you configure permissions
    - All users have read-only access (Everyone group has Read permission)
    - Administrators have full access; others read-only
    - Administrators have full access; others read and write
    - Custom share permissions – Allows both share and NTFS permissions to be defined manually by group and/or user
• Using net share command from command line.
Monitoring Access to Shared Folders
• Keep track of the number of users connected to specific resources
  - Use Computer Management MMC – examine Sessions and Open Files lines
  - Can right-click Computer Management (Local) and choose Connect to manage a different server in the domain.
• Can disconnect a user or open file connection: right-click the entry in the Details pane and choose Close Open File or Close Session – takes place immediately.
Shared Folder Permissions
• DACL – discretionary access control list
  - Part of the security descriptor with list of users that have been
    - Allowed access to that resource
    - Disallowed access to that resource
  - Applies to network only, not users logged in locally to that computer
More WS03 Permissions…
• Permissions in WS03
  - Read – browse file and folder names, read contents, execute programs
  - Change – same as Read plus ability to add or delete files in the folder; also can read and edit contents of existing files
  - Full Control – same as Read and Change plus ability to change permissions for the folder
Implementing WS03 Permissions
• See Act. 5-3
  - Click Sharing tab and then Permissions button
  - Within Group or user names list box
    - Click Add
    - Enter a group name or a user name, click OK
    - In Allow column, select Full, Change, or Read
    - In Deny column, select Full, Change, or Read
    - DENY trumps Allow: don’t deny and allow the same thing!
NTFS Permissions
• These add to the WS03 permissions and give finer control
• NTFS Permission Concepts:
  - Configure with Security tab
  - Permissions are cumulative: they add based on individual and group permissions
  - Denied permissions always override
  - Folder permissions are inherited by child folders and files unless otherwise specified
  - Can be set at a file level as well as folder level
  - Default is Read; Read & Execute; List Folder Contents
Standard NTFS (Fig 5-12 p. 198)
• Full Control – make any changes
• Modify – Full except permission to delete subfolders and files, change permissions, or take ownership
• Read & Execute – Can traverse folders, list folders, read attributes & permissions; inherited by folders and files
• List Folder Contents – Same as Read & Execute but inherited only by folders
• Read – Same as Read & Execute except without permission to traverse folders
• Write – Create files and folders, write attributes, read permissions, synchronize
• Special – can choose custom combination (see Table 5-3)
• See Activity 5-5
Determine Effective Permissions
• Much better technique in WS03
  - Right-click a folder
  - Click Effective Permissions tab in Advanced Security Settings dialog box (Act. 5-6)
  - Select a user or group, and read the effective permissions for that folder by that user/group
Combining Shared Folder and NTFS Permissions (Act. 5-7)
• When combining WS03 and NTFS:
  - When a user accesses a share across the network, the permissions combine
  - Most restrictive of the two becomes the effective permission
  - When a user accesses a file locally, only NTFS permissions apply.
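
The rules from the NTFS Permissions and Combining slides (cumulative allows, deny overrides, most restrictive of share and NTFS over the network, NTFS only locally), as an added example that is not part of the original slides. It is a simplified model: the rights letters, the reduced NTFS level mapping, and the account and group names are assumptions made for illustration.

```python
# Added illustration (not from the slides): simplified model of the rules above.
# Rights: R=read, X=execute, W=write/create, D=delete, P=change permissions.
SHARE_LEVELS = {            # share permissions as described on the slides
    "Read": set("RX"),
    "Change": set("RXWD"),
    "Full Control": set("RXWDP"),
}
NTFS_LEVELS = {             # assumption: reduced mapping of standard NTFS permissions
    "Read": set("R"),
    "Read & Execute": set("RX"),
    "Write": set("W"),
    "Modify": set("RXWD"),
    "Full Control": set("RXWDP"),
}

def layer_rights(acl, levels, principals):
    """Cumulative allows for the user and their groups, minus any deny."""
    allowed, denied = set(), set()
    for who, kind, level in acl:
        if who in principals:
            (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied

def effective(user, groups, share_acl, ntfs_acl, over_network):
    """Local access uses NTFS only; network access is share AND NTFS."""
    principals = {user, *groups}
    ntfs = layer_rights(ntfs_acl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    return ntfs & layer_rights(share_acl, SHARE_LEVELS, principals)

# Constructed sample ACLs and accounts (hypothetical names).
SHARE_ACL = [("Everyone", "allow", "Read"), ("Sales", "allow", "Change")]
NTFS_ACL = [
    ("Everyone", "allow", "Read & Execute"),
    ("Sales", "allow", "Modify"),
    ("Interns", "deny", "Write"),
    ("carol", "allow", "Full Control"),
]
USERS = {
    "alice": ["Everyone", "Sales"],
    "bob": ["Everyone", "Sales", "Interns"],
    "carol": ["Everyone"],
}

if __name__ == "__main__":
    for name, groups in USERS.items():
        for net in (True, False):
            rights = effective(name, groups, SHARE_ACL, NTFS_ACL, net)
            print(f"{name:6} {'network' if net else 'local':8} {''.join(sorted(rights))}")
```

In the sample data, carol holds NTFS Full Control but reaches the folder over the network only through the Everyone share entry, so the share layer caps her at read and execute until she logs on locally.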
Convert FAT Partition to NTFS
• Use command line utility called CONVERT to convert a FAT or FAT32 partition to NTFS 5.
• In Activity 5-8, you will use Disk Management to create a new partition
  - Requires that you have space available.
  - Specify FAT32 for this partition and size
  - Give name and drive letter (in this case, F:)
  - Then create a folder and examine properties
  - Do Start | Run | convert f: /fs:ntfs