70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.


70-290: MCSE Guide to Managing
a Microsoft Windows Server 2003
Environment
Chapter 5:
Managing File Access
Objectives
• Identify and understand the differences between the various file systems supported in Windows Server 2003
• Create and manage shared folders
• Understand and configure the shared folder permissions available in Windows Server 2003
• Understand and configure the NTFS permissions available in Windows Server 2003
• Determine the impact of combining shared folder and NTFS permissions
• Convert partitions and volumes from FAT to NTFS
Windows Server 2003 File Systems
• Three main file systems
  • File Allocation Table (FAT)
  • FAT32
  • NTFS
• Final choice of file system depends on
  • How system will be used
  • Whether there are multiple operating systems
  • Security requirements
• NTFS is most highly recommended
FAT
• Used by MS-DOS
• Supported by all versions of Windows since
• Traditionally limited to partitions up to 2 GB
  • Windows Server 2003 version supports partitions up to 4 GB
• Limitations
  • Small partition sizes
  • No file system security features
  • Disk space usage is poor
FAT32
• A derivative of the FAT file system
• Supports partition sizes up to 2 TB
• Still does not provide advanced security features
  • Cannot configure permissions on file and folder resources
NTFS
• Introduced with Windows NT operating system
• Current version (version 5)
  • Windows NT 4.0
  • Windows 2000
  • Windows XP
  • Windows Server 2003
• Theoretically supports partition sizes of up to 16 Exabytes (EB)
  • Practically supports maximum partition sizes from 2 TB to 16 TB
• Advantages of NTFS
  • Greater scalability and performance on larger partitions
  • Support for Active Directory on systems configured as domain controllers
  • Ability to configure security permissions on individual files and folders
  • Built-in support for compression and encryption
  • Ability to configure disk quotas for individual users
  • Support for Remote Storage
  • Recovery logging of disk activities
Creating and Managing Shared Folders
• Shared folder
  • A data resource made available over a network to authorized network clients
  • Specific permissions required for creating, reading, modifying
• Groups that can create shared folders:
  • Administrators
  • Server Operators
  • Power Users (only on member servers)
• Several ways to create shared folders
• Two important methods
  • Windows Explorer Interface
  • Computer Management console
    • Also allows shared folders to be monitored
Using Windows Explorer
• Used since Windows 95
• Can create, maintain, and share folders
• Folders can be on any drive connected to the computer
• Folders are shared in Windows Explorer by accessing the Sharing tab of folder’s properties
• Shared name of folder does not have to be the actual file name
• Hand icon used to indicate shared status
• Shared folders can be hidden from My Network Places and Network Neighborhood
  • Place dollar sign ($) after name, e.g., Salary$
• Number of hidden administrative shares created automatically at installation
Using Computer Management
• Computer Management console is a pre-defined Microsoft Management Console (MMC)
• Allows you to share and monitor folders for local and remote computers
• Allows you to stop sharing if desired
• Share a Folder Wizard
  • Used to create folders in Shared Folders section of Computer Management
  • Used to provide preconfigured or manual permissions
    • All users have read-only access
    • Administrators have full access; others have read-only access
    • Administrators have full access; others have read and write access
    • Custom share and folder permissions
Monitoring Access to Shared Folders
• Monitoring involves
  • Who is using shared files
  • What shared files are open at any given time
• Other functions
  • Disconnect users from a share
  • Send network alert messages
• Primary monitoring tool is Computer Management
Managing Shared Folder Permissions
• A shared folder has a discretionary access control list (DACL)
  • Contains a list of user or group references that have been allowed or denied permissions
  • Each reference is an access control entry (ACE)
  • Accessed from Permissions button on Sharing tab of folder’s properties
• Permissions only apply to network users, not those logged on directly to local machine
• To deny access to a user or group
  • Windows Server 2003 does not include No Access share permission
  • Must explicitly deny access to each individually
• Default permission is read access for Everyone group
  • Should be immediately addressed when a share is created
• Folder permissions are inherited by all contained objects
NTFS Permissions
• Resources located on an NTFS partition or volume can be given NTFS permissions
• An administrator must know
  • How permissions are applied
  • The standard and special NTFS permissions available
  • How effective permissions are determined
NTFS Permission Concepts
• NTFS permissions are configured via the Security tab
• NTFS permissions are cumulative
• Access denial always overrides permitted access
• NTFS folder permissions are inherited unless otherwise specified
• NTFS permissions can be set at file or folder level
• A new ACE has default permission
  • Read and Read and Execute for files
  • List Folder Contents for folders
• Windows Server 2003 has a set of standard permissions plus special permissions
Special NTFS Permissions
• Can provide more or less access than standard permissions
• Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
• Permission Entry dialog box enables assignment of permissions and control of inheritance settings
• Inheritance settings
  • This folder only
  • This folder, subfolders, and files (default)
  • This folder and subfolders
  • This folder and files
  • Subfolders and files only
  • Subfolders only
  • Files only
Determining Effective Permissions
• Permissions that actually apply to a user can be the result of membership in multiple groups
• Prior to Windows Server 2003, determining effective permissions was done manually
• In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource
  • Shows specific permissions for a user or group
Combining Shared Folder and NTFS Permissions
• NTFS permissions can be combined with share permissions
  • When accessing a share across a network, if both apply, use most restrictive
  • When accessing a file locally, only NTFS permissions apply
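
The cumulative, deny-overrides and most-restrictive rules from the slides above, worked through as an added example that is not part of the original slides. It is a simplified model: the users, groups and ACLs are constructed, the rights listed for each permission level are illustrative, and real Windows access checks also depend on ACE order and inheritance.

```python
# Added example: simplified model of the slides' rules, not Windows' real
# access-check algorithm. The rights behind each level are illustrative.
FULL = {"read", "execute", "write", "delete", "change_permissions"}
NTFS_LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": FULL - {"change_permissions"},
    "Full Control": FULL,
}
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": FULL - {"change_permissions"},
    "Full Control": FULL,
}

def effective(dacl, levels, principals):
    """Union the allows for every matching ACE, then subtract every deny."""
    allowed, denied = set(), set()
    for trustee, kind, level in dacl:
        if trustee in principals:
            (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied

def access(principals, ntfs_dacl, share_dacl, over_network):
    """Local access: NTFS only. Network access: most restrictive of both."""
    ntfs = effective(ntfs_dacl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    return ntfs & effective(share_dacl, SHARE_LEVELS, principals)

# Constructed sample data (hypothetical users and groups).
NTFS_DACL = [
    ("Sales", "allow", "Modify"),
    ("Temps", "deny", "Write"),
    ("Administrators", "allow", "Full Control"),
]
SHARE_DACL = [("Everyone", "allow", "Read")]  # default share permission
ALICE = {"alice", "Sales", "Temps", "Everyone"}
BOB = {"bob", "Administrators", "Everyone"}

if __name__ == "__main__":
    for name, who in (("alice", ALICE), ("bob", BOB)):
        for net in (False, True):
            rights = sorted(access(who, NTFS_DACL, SHARE_DACL, net))
            print(name, "network" if net else "local", rights)
```

In this model bob, an administrator with NTFS Full Control, is limited to read and execute over the network because the share still carries the default Everyone: Read permission.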
Converting a FAT Partition to NTFS
• For highest security, partitions and volumes should be configured to use NTFS
• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
• All existing files and folders are retained
• CONVERT cannot convert NTFS to FAT or FAT32
Summary
• Windows Server 2003 supports 3 file systems
  • FAT
  • FAT32
  • NTFS (preferred)
• Two types of permissions
  • Shared folder (network only)
    • Tools are Windows Explorer, Computer Management, and NET SHARE command
  • NTFS (local and network)
    • NTFS partitions only
• Permissions
  • Shared folders, 3 standard permissions
  • NTFS, 6 standard and 14 special permissions
  • Permissions are cumulative
  • Effective permissions can be determined from Advanced Security Settings of a resource
  • Shared folder and NTFS permissions can be combined
• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system