Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security."— Presentation transcript:

1 Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

2 Chapter 9 Learning Objectives n Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups n Manage objects, such as folders, through user rights, attributes permissions, share permissions, auditing, and Web permissions

3 Chapter 9 Learning Objectives (continued) n Troubleshoot a security conflict n Determine how creating, moving, and copying folders and files affect security

4 Chapter 9 Managing Resources n Three ways of managing resources and user accounts include: u By individual user u By resource u By group n Managing resources by groups is one effective way to reduce time spent on management

5 Chapter 9 Scope of Influence n Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest

6 Chapter 9 Types of Security Groups n Local: Used on standalone servers that are not part of a domain n Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources

7 Chapter 9 Types of Security Groups (continued) n Global: Used to manage accounts from the same domain and to access resources in the same and other domains n Universal: Used to provide access to resources in any domain within a forest

8 Chapter 9 Local Security Group n Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office

9 Chapter 9 Domain Local Security Group n Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group. n Domain local groups can contain accounts, but usually that is not the best approach.

10 Chapter 9 Membership Capabilities of a Domain Local Group Table 9-1 Membership Capabilities of a Domain Local Group

11 Chapter 9 Implementing Global Groups n Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups

12 Chapter 9 Membership Capabilities of a Global Group Table 9-2 Membership Capabilities of a Global Group

13 Chapter 9 Nesting Global Groups n Global groups can be nested to reflect the structure of OUs

14 Chapter 9 Nesting Example Figure 9-1 Nested global groups

15 Chapter 9 Planning Tip n Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group n Keep in mind that global groups can only be nested in native mode domains

16 Chapter 9 Global Group Example Figure 9-2 Managing security through domain local and global groups

17 Chapter 9 Implementing Universal Groups n Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers) n Universal groups enable the scope of influence to span domains and trees

18 Chapter 9 Membership Capabilities of a Universal Group Table 9-3 Membership Capabilities of a Universal Group

19 Chapter 9 Guidelines for Using Groups n Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both. n Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.

20 Chapter 9 Guidelines for Using Groups (continued) n Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.

21 Chapter 9 Example Universal Group Setup Figure 9-3 Managing security through universal and global groups

22 Chapter 9 Creating a Group n To create a group: u Click the container in which to create the group u Click the Create a new group in current container icon u Enter the name of the group u Select the group scope u Select the group type u Click OK

23 Chapter 9 Entering the Group Parameters Figure 9-4 Creating a group

24 Chapter 9 Group Properties Tabs n General: Used to enter a description, set the scope, and set the group type n Members: Used to add group members n Member Of: Used to join another group n Managed By: Establishes who will manage the group n Object: Provides information about the group as an object (on newer versions of Windows 2000) n Security: Enables you to set up security (on newer versions of Windows 2000)

25 Chapter 9 Converting NT Groups to Windows 2000 Server Groups n Existing NT local groups on a PDC are converted to domain local groups n Existing NT global groups on a PDC are converted to global groups n If still running in mixed mode, universal groups are not recognized n If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

26 Chapter 9 Windows 2000 Predefined Security Groups 1 The group scope cannot be changed Table 9-4 Windows 2000 Predefined Security Groups

27 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

28 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

29 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

30 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

31 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

32 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

33 Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed

34 Chapter 9 Rights Security n User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas

35 Chapter 9 Rights Security Table 9-5 Rights Security

36 Chapter 9 Rights Security (continued)

37 Chapter 9 Rights Security (continued)

38 Chapter 9 Rights Security (continued)

39 Chapter 9 Inherited Rights n Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group

40 Chapter 9 Configuring Rights n To configure rights in a domain: u Open the Active Directory Users and Computers tool u Right-click a domain or OU, for example u Click Properties, click the Group Policy tab, click the group policy, and click Edit u Double-click (if necessary) Computer Configuration,Windows Settings, Security Settings, and Local Policies u Double-click User Rights Assignment u Double-click any policies to configure them

41 Chapter 9 Configuring Rights (continued) Figure 9-6 Configuring user rights as part of group policy

42 Chapter 9 File and Folder Attributes n Attributes: A characteristic associated with a folder or file used to help manage access and backups

43 Chapter 9 FAT Attributes n Read-only n Hidden n Archive

44 Chapter 9 FAT Attributes (continued) Figure 9-7 Attributes of a folder on a FAT-formatted disk

45 Chapter 9 NTFS Attributes n Regular attributes u Read-only u Hidden u Archive n Extended attributes u Index u Compress u Encrypt

46 Chapter 9 NTFS Attributes (continued) Figure 9-8 Attributes of a folder on an NTFS-formatted disk

47 Chapter 9 Troubleshooting Tip n If you configure the Index attribute, but indexing it is not working check the following: u Make sure that the Indexing Service is installed u Makes sure that the Indexing Service is started and set to start automatically

48 Chapter 9 Troubleshooting Tip n Files that are compressed cannot be encrypted

49 Chapter 9 Encrypting File System n The encrypt attribute uses Microsoft Encrypting File System (EFS) that sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents.

50 Chapter 9 Troubleshooting Tip n De-encrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location

51 Chapter 9 Permissions n Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, privilege to read a file, or to create a new file

52 Chapter 9 Auditing n Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation

53 Chapter 9 Ownership n Ownership: Having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership.

54 Chapter 9 Design Tip n If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember n One variance from this recommendation is large database files that may require individual security

55 Chapter 9 Security Options Figure 9-9 Configuring security options

56 Chapter 9 Inherited Permissions n Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder

57 Chapter 9 Configuring Permissions Figure 9-10 Configuring permissions by groups and users

58 Chapter 9 Configuring Inherited Permissions Figure 9-11 Configuring inherited permissions

59 Chapter 9 NTFS Folder and File Permissions Table 9-6 NTFS Folder and File Permissions

60 Chapter 9 NTFS Folder and File Permissions (continued)

61 Chapter 9 Special Permissions n You can customize permissions to meet particular security needs by using special permissions

62 Chapter 9 Configuring Special Permissions Figure 9-12 Configuring special permissions

63 Chapter 9 NTFS Folder and File Special Permissions Table 9-7

64 Chapter 9 NTFS Folder and File Special Permissions (continued)

65 Chapter 9 Example Guidelines for Setting Permissions n Protect the Winnt folder by allowing limited access, such as Read & Execute n Protect server utility folders, such as folders containing backup software, with access for Administrators only n Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)

66 Chapter 9 Example Guidelines for Setting Permissions (continued) n Set up publicly used folders with Modify for broad user access n Give users Full Control of their own home folders n Remove groups such as Everyone and Users from confidential folders

67 Chapter 9 Planning Tip n Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them

68 Chapter 9 Configuring Auditing n Start by configuring a group policy for auditing n Configure auditing on an as needed basis for particular objects, such as a folder or file

69 Chapter 9 Folder Auditing Figure 9-13 Configuring folder auditing

70 Chapter 9 Setting an Audit Policy Figure 9-14 Configuring audit policy as part of the default domain policy

71 Chapter 9 Ownership n Guidelines for ownership: u The account that creates an object is the initial owner u Ownership is changed by first having permission to take ownership and then by taking ownership u Full Control permissions are required to take ownership (or the special permission, Take Ownership)

72 Chapter 9 Share Permissions n Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer

73 Chapter 9 Configuring Share Permissions Figure 9-15 Configuring a shared folder

74 Chapter 9 Share Permissions for a Folder n Read: Permits groups or users to read and execute files n Change: Enables users to read, add, modify, execute, and delete files n Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions

75 Chapter 9 Offline Access to a Folder through Caching n Use the Caching button in the folder Properties dialog box on the the Sharing tab to set up a folder for offline access via caching n Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network

76 Chapter 9 Folder Caching Options n Automatic Caching for Documents: Documents are cached without using intervention – all files in the folder that are opened by the client are cached automatically n Manual Caching for Documents: documents are cached only per the user’s request n Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified

77 Chapter 9 Troubleshooting Tip n If the Sharing tab is not displayed, make sure that the Server service is started

78 Chapter 9 Web Sharing n Use the Web Sharing tab in a folder’s properties to configure that folder for Web access

79 Chapter 9 Configuring Web Sharing Figure 9-16 Entering Web sharing permissions

80 Chapter 9 Web Sharing Access Permissions Table 9-8 Web Sharing Access Permissions

81 Chapter 9 Web Sharing Application Permissions Table 9-9 Web Sharing Application Permissions

82 Chapter 9 Troubleshooting a Security Conflict n Check the groups to which a user or group belongs n Look for group permissions that conflict, particularly because the Deny box is checked for a permission

83 Chapter 9 Moving and Copying Files and Folders n A newly created file inherits the permissions already set up in a folder n A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied n A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder

84 Chapter 9 Moving and Copying Files and Folders (continued) n A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied n A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder n A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder

85 Chapter 9 Chapter Summary n Without the Active Directory, use local groups to manage access to resources n With the Active Directory implemented, use domain local, global, and universal groups to manage resources

86 Chapter 9 Chapter Summary n Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership n Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs

Download ppt "Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security."

Similar presentations

Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.

1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

Similar presentations

Ads by Google