Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security Learning Objectives Chapter 9 Set up groups, including local, domain local, global, and universal groups,
Download ReportTranscript Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security Learning Objectives Chapter 9 Set up groups, including local, domain local, global, and universal groups,
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security Learning Objectives Chapter 9 Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups Manage objects, such as folders, through user rights, attributes permissions, share permissions, auditing, and Web permissions Learning Objectives (continued) Chapter 9 Troubleshoot a security conflict Determine how creating, moving, and copying folders and files affect security Managing Resources Chapter 9 Three ways of managing resources and user accounts include: By individual user By resource By group Managing resources by groups is one effective way to reduce time spent on management Scope of Influence Chapter 9 Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest Types of Security Groups Chapter 9 Local: Used on standalone servers that are not part of a domain Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources Types of Security Groups (continued) Chapter 9 Global: Used to manage accounts from the same domain and to access resources in the same and other domains Universal: Used to provide access to resources in any domain within a forest Local Security Group Chapter 9 Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office Domain Local Security Group Chapter 9 Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group. Domain local groups can contain accounts, but usually that is not the best approach. Membership Capabilities of a Domain Local Group Chapter 9 Active Directory Objects That Can Be Members of a Domain Local Group User accounts in the same domain Domain local groups in the same domain Global groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained) Universal groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained) Active Directory Objects That a Domain Local Group Can Join as a Member Access control lists for objects in the same domain, such as permissions to access a folder, shared folder, or printer Domain local groups in the same domain Table 9-1 Membership Capabilities of a Domain Local Group Implementing Global Groups Chapter 9 Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups Membership Capabilities of a Global Group Chapter 9 Active Directory Objects That Can Be Members of a Global Group User accounts from the domain in which the global group was created Other global groups that have been created in the same domain Levels of global groups, so that global groups can be nested to reflect the structure of organizational units (OUs) in a domain Active Directory Objects That a Global Group Can Join as a Member Access control lists for objects in any domain in a forest (as long as a transitive trust is maintained between domains) Domain local groups in any domain in a forest Global groups in any domain in a forest Universal groups in a forest Table 9-2 Membership Capabilities of a Global Group Nesting Global Groups Chapter 9 Global groups can be nested to reflect the structure of OUs Nesting Example Chapter 9 *Managers global group (top level global group) Amber Richards Joe Scarpelli Kathy Brown Sam Rameriz **Finance global group (second level global group) Martin LeDuc Sarah Humphrey Heather Shultz Sam Weisenberg Jason Lew ***Budget global group (third level global group) Michele Gomez Kristin Beck Chris Doyle Figure 9-1 Nested global groups Budget*** Finance** Managers* Planning Tip Chapter 9 Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group Keep in mind that global groups can only be nested in native mode domains Global Group Example Chapter 9 Figure 9-2 Managing security through domain local and global groups students.college.edu LocalExec domain local group research.college.edu LocalExec domain local group college.edu LocalExec domain local group GlobalExec global group Implementing Universal Groups Chapter 9 Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers) Universal groups enable the scope of influence to span domains and trees Membership Capabilities of a Universal Group Chapter 9 Active Directory Objects That Can Be Active Directory Objects That a Universal Members of a Universal Group Local Group Can Join as a Member Accounts from any domain in a forest Access control lists for objects in any domain in a forest Global groups from any domain in a forest Any domain local group in a forest Universal groups from any domain in a forest Any universal group in a forest Table 9-3 Membership Capabilities of a Universal Group Guidelines for Using Groups Chapter 9 Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both. Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources. Guidelines for Using Groups (continued) Chapter 9 Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups. Example Universal Group Setup Chapter 9 students.college.edu Figure 9-3 Managing security through universal and global groups UniExec a universal group with access to resources in all three domains research.college.edu college.edu GlobalExec global group Creating a Group Chapter 9 To create a group: Click the container in which to create the group Click the Create a new group in current container icon Enter the name of the group Select the group scope Select the group type Click OK Entering the Group Parameters Chapter 9 Figure 9-4 Creating a group Group Properties Tabs Chapter 9 General: Used to enter a description, set the scope, and set the group type Members: Used to add group members Member Of: Used to join another group Managed By: Establishes who will manage the group Object: Provides information about the group as an object (on newer versions of Windows 2000) Security: Enables you to set up security (on newer versions of Windows 2000) Converting NT Groups to Windows 2000 Server Groups Chapter 9 Existing NT local groups on a PDC are converted to domain local groups Existing NT global groups on a PDC are converted to global groups If still running in mixed mode, universal groups are not recognized If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups Windows 2000 Predefined Security Groups Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members Account Operators Built-in local 1 Builtin Used for administration of user accounts and groups Administrators Backup Operators Built-in local 1 Built-in local 1 Builtin/Administrator account; Provides complete access to all Domain Admins and Enterprise local computer and/or domain Admins groups resources Builtin Enables members to back up any folders and files on the computer Cert Publishers Global 1 Users Used to manage enterprise certification services for security 1The group scope cannot be changed Table 9-4 Windows 2000 Predefined Security Groups Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members DCHP Administrators DCHP Users Domain local Domain local Users/Domain Used to manage the DHCP server services Admins group (when DHCP server services are installed) Users Enables users to access DHCP services when DHCP is enabled at the client (when DHCP server services are installed) DNSAdmins Domain local Users Used to manage the DNS server services (when DNS server services are installed) 1The group scope cannot be changed Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members DNSUpdateProxy Global Users Enables each user access as an update proxy, so that a DHCP client can automatically update the DNS server information with its IP address Domain Admins Global 1 Users/Administrator account 1The group scope cannot be changed Used to manage resources in a domain Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members Domain Computers Global 1 Users Used to manage all workstations and servers that join the domain Domain Controllers Global 1 Users/all DC Used to manage all domain controllers in a domain computers Domain Guests Global 1 Users/Guest account Used to manage all domain guest-type accounts, such as for temporary employees Domain Users Global 1 Users/all user accounts 1The group scope cannot be changed Used to manage all domain user accounts Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members Enterprise Admins Everyone Universal 1 Built-in local 1 Users/Administrat Used to manage all resources in an or account enterprise Does not appear Used to manage default access to in a container and local or domain resources and all cannot be deleted user accounts are automatically members Group Policy Creator Global 1 Owners 1The group scope cannot be changed Users/Administrat Enables members to manage group or account policy Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members Guests Pre-windows 2000 Built-in local 1 Built-in local 1 Compatible Access Builtin/Guest and IIS Used to manage guest accounts and accounts, Domain to prevent access to install software Guests group or change system settings Builtin/pre-Windows Used for backward compatibility to 2000 Everyone group the Everyone group on Windows NT servers and limits access to read Print Operators Built-in local 1 Builtin Members can manage printers on the local computer or in the domain 1The group scope cannot be changed Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members RAS and IAS Servers Domain local 1 Users Enables member servers to have access to remote access properties that are associated with user accounts, such as security properties Replicator Built-in local 1 Builtin Used with the Windows File Replication service to replicate designated folders and files 1The group scope cannot be changed Windows 2000 Predefined Security Groups (continued) Chapter 9 Security Group Scope Active Directory Description Container Location/Default Members SchemaAdmins Universal 1 Users/Administrator account Members have access to modify schema in the Active Directory Server Operators Built-in local 1 Builtin Used for common day-to-day server management tasks Users Built-in local 1 Builtin/Domain Users group Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively 1The group scope cannot be changed Rights Security Chapter 9 User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas Rights Security Chapter 9 Privileges Logon Rights Act as part of the operating system (a program process can gain Access this computer from the security access as a user) network Add workstations to a domain Deny access to this computer from the network Backup files and directories Deny logon as a batch job Bypass traverse checking (enables a user to move through a Deny logon as a service folder that the user has no permission to access, if it is on the route to one that they do have permission to access) Change the system time Deny logon locally Table 9-5 Rights Security Rights Security (continued) Chapter 9 Privileges Logon Rights Create a pagefile Log on as a batch job Create a token object (a process can create a security access token to Log on as a service use any local resource; normally should be reserved for administrators) Create permanent shared objects Debug programs (can install and use a process debugger to trace problems; normally should be reserved for administrators) Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Log on locally Rights Security (continued) Chapter 9 Privileges Increase quotas Increase scheduling priority Load and unload device drivers Lock pages in memory (included for backward compatibility with Windows NT and should not be used because it degrades performance) Manage auditing and security log Modify firmware environment variables Profile single process (can monitor non-system processes) Profile system performance (can monitor system processes) Logon Rights Rights Security (continued) Chapter 9 Privileges Remove computer from docking station Replace a process level token (enables a process to replace a security token on one or more of its subprocesses) Restore files and directories Shut down the system Synchronize directory service data Take ownership of files or other objects Logon Rights Inherited Rights Chapter 9 Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group Configuring Rights Chapter 9 To configure rights in a domain: Open the Active Directory Users and Computers tool Right-click a domain or OU, for example Click Properties, click the Group Policy tab, click the group policy, and click Edit Double-click (if necessary) Computer Configuration,Windows Settings, Security Settings, and Local Policies Double-click User Rights Assignment Double-click any policies to configure them Configuring Rights (continued) Chapter 9 Figure 9-6 Configuring user rights as part of group policy File and Folder Attributes Chapter 9 Attributes: A characteristic associated with a folder or file used to help manage access and backups FAT Attributes Chapter 9 Read-only Hidden Archive FAT Attributes (continued) Chapter 9 Figure 9-7 Attributes of a folder on a FAT-formatted disk NTFS Attributes Chapter 9 Regular attributes Read-only Hidden Archive Extended attributes Index Compress Encrypt NTFS Attributes (continued) Chapter 9 Figure 9-8 Attributes of a folder on an NTFS-formatted disk Troubleshooting Tip Chapter 9 If you configure the Index attribute, but indexing it is not working check the following: Make sure that the Indexing Service is installed Makes sure that the Indexing Service is started and set to start automatically Troubleshooting Tip Chapter 9 Files that are compressed cannot be encrypted Encrypting File System Chapter 9 The encrypt attribute uses Microsoft Encrypting File System (EFS) that sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents. Troubleshooting Tip Chapter 9 De-encrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location Permissions Chapter 9 Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, privilege to read a file, or to create a new file Auditing Chapter 9 Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation Ownership Chapter 9 Ownership: Having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership. Design Tip Chapter 9 If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember One variance from this recommendation is large database files that may require individual security Security Options Chapter 9 Figure 9-9 Configuring security options Inherited Permissions Chapter 9 Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder Configuring Permissions Chapter 9 Figure 9-10 Configuring permissions by groups and users Configuring Inherited Permissions Chapter 9 Figure 9-11 Configuring inherited permissions NTFS Folder and File Permissions Chapter 9 Permission Description Applies to Full Control Can read, add, delete, execute, and modify files plus Folders and files change permissions and attributes, and take ownership List Folder Can list (traverse) files in the folder or switch to a Contents subfolder, view folder attributes and permissions, and Folders only execute files, but cannot view file contents Modify Can read, add, delete, execute, and modify files; but Folders and files cannot delete subfolders and their file contents, change permissions, or take ownership Table 9-6 NTFS Folder and File Permissions NTFS Folder and File Permissions (continued) Chapter 9 Permission Description Applies to Read Can view file contents, view folder attributes and Folders and files permissions, but cannot traverse folders or execute files Read & Execute Implies the capabilities of both List Folder Contents Folders and files and Read (traverse folders, view file contents, view attributes and permissions, and execute files) Write Can create files, write data to files, appended data to files, create folders, delete files (but not subfolders and their files), and modify folder and file attributes Folders and files Special Permissions Chapter 9 You can customize permissions to meet particular security needs by using special permissions Configuring Special Permissions Chapter 9 Figure 9-12 Configuring special permissions NTFS Folder and File Special Permissions Chapter 9 Permission Description Applies to Traverse Folder/Execute File Can list the contents of a folder and execute program files in Folders/files that folder; keep in mind that all users are automatically granted Table 9-7 this permission via the Everyone and Users groups, unless it is removed or denied by you List Folder/Read Data Can list the contents of folders and subfolders and read the Folders/files contents of files Read Attributes Can view folder and file attributes (Read-only and Hidden) Folders and files Read Extended Attributes Enables the viewing of extended attributes (Archive, Index, Folders and files Compress, Encrypt) Create Files/Write Data Can add new files to a folder and modify, append to, or write Folders/files over file contents Create Folders/Append Data Can add new folders and add new data at the end of files (but otherwise not delete, write over, or modify data) Folders/files NTFS Folder and File Special Permissions (continued) Chapter 9 Permission Description Applies to Write Attributes Can add or remove the Read-only and Hidden attributes Folders and files Write Extended Can add or remove the Archive, Index, Compress, and Encrypt Folders and files Attributes attributes Delete Subfolders and Can delete subfolders and files (the following Delete Files permission is not required) Delete Can delete the specific subfolder or file to which this Folders and files Folders and files permission is attached Read Permissions Can view the permissions (ACL information) associated with a Folders and files folder or file (but does not imply you can change them) Change Permissions Can change the permissions associated with a folder or file Folders and files Take Ownership Can take ownership of the folder or file (Read Permissions and Folders and files Change Permissions automatically accompany this permission) Example Guidelines for Setting Permissions Chapter 9 Protect the Winnt folder by allowing limited access, such as Read & Execute Protect server utility folders, such as folders containing backup software, with access for Administrators only Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files) Example Guidelines for Setting Permissions (continued) Chapter 9 Set up publicly used folders with Modify for broad user access Give users Full Control of their own home folders Remove groups such as Everyone and Users from confidential folders Planning Tip Chapter 9 Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them Configuring Auditing Chapter 9 Start by configuring a group policy for auditing Configure auditing on an as needed basis for particular objects, such as a folder or file Folder Auditing Chapter 9 Figure 9-13 Configuring folder auditing Setting an Audit Policy Chapter 9 Figure 9-14 Configuring audit policy as part of the default domain policy Ownership Chapter 9 Guidelines for ownership: The account that creates an object is the initial owner Ownership is changed by first having permission to take ownership and then by taking ownership Full Control permissions are required to take ownership (or the special permission, Take Ownership) Share Permissions Chapter 9 Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer Configuring Share Permissions Chapter 9 Figure 9-15 Configuring a shared folder Share Permissions for a Folder Chapter 9 Read: Permits groups or users to read and execute files Change: Enables users to read, add, modify, execute, and delete files Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions Offline Access to a Folder through Caching Chapter 9 Use the Caching button in the folder Properties dialog box on the the Sharing tab to set up a folder for offline access via caching Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network Folder Caching Options Chapter 9 Automatic Caching for Documents: Documents are cached without using intervention – all files in the folder that are opened by the client are cached automatically Manual Caching for Documents: documents are cached only per the user’s request Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified Troubleshooting Tip Chapter 9 If the Sharing tab is not displayed, make sure that the Server service is started Web Sharing Chapter 9 Use the Web Sharing tab in a folder’s properties to configure that folder for Web access Configuring Web Sharing Chapter 9 Figure 9-16 Entering Web sharing permissions Web Sharing Access Permissions Chapter 9 Access Permission Description Read Enables clients to read and display the contents of folders and files via an Internet or intranet Write Enables clients to modify the contents of folders and files; including the ability to upload files through FTP Script source Enables clients to view the contents of scripts containing access commands to execute Web functions Directory browsing Enables clients to browse the folder and subfolders, such as for FTP access Table 9-8 Web Sharing Access Permissions Web Sharing Application Permissions Chapter 9 Application Description Permission None No access to execute a script or application Scripts Enables the client to run scripts to perform Web-based functions Execute (includes Enables clients to execute programs and scripts via an Internet or scripts) intranet connection Table 9-9 Web Sharing Application Permissions Troubleshooting a Security Conflict Chapter 9 Check the groups to which a user or group belongs Look for group permissions that conflict, particularly because the Deny box is checked for a permission Moving and Copying Files and Folders Chapter 9 A newly created file inherits the permissions already set up in a folder A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder Moving and Copying Files and Folders (continued) Chapter 9 A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder Chapter Summary Chapter 9 Without the Active Directory, use local groups to manage access to resources With the Active Directory implemented, use domain local, global, and universal groups to manage resources Chapter Summary Chapter 9 Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs