70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access and Security

Guide to MCSE , Objectives Create and manage shared folders Configure shared folder permissions in Windows Server 2003 Configure NTFS permissions in Windows Server 2003 Determine the impact of combining shared folder and NTFS permissions

Guide to MCSE , Objectives (continued) Configure and work with offline files and folders Work with the Distributed File System Work with file and folder attributes Configure advanced attributes

Guide to MCSE , Creating and Managing Shared Folders Shared folder: Data resource made available over the network to authorized network clients –Users required to have appropriate rights to create shared folders Using Windows Explorer: Standard method for creating and sharing folders –Simple file sharing mode enabled by default in Windows XP in a Workgroup Disabled if system is member of a Domain Format of file sharing tab will change

Guide to MCSE , Creating and Managing Shared Folders (continued) Figure 9-2: Simple file sharing in XP Professional

Guide to MCSE , Creating and Managing Shared Folders (continued) Figure 9-3: The option for simple file sharing in Folder Options

Guide to MCSE , Creating and Managing Shared Folders (continued) Using Windows Explorer (continued): –Can create two share names –To hide shared folder, place $ after its name Windows XP and Windows Server 2003 create hidden administrative shares by default during installation Activity 9-1: Creating a Shared Folder in Windows Explorer –Objective: Create a shared folder on your Windows Server 2003 system in Windows Explorer

Guide to MCSE , Creating and Managing Shared Folders (continued) Using Computer Management: Can manage shares on multiple servers from single location Activity 9-2: Creating and Viewing Shared Folders in Computer Management –Objective: Create and view shared folders in Computer Management

Guide to MCSE , Creating and Managing Shared Folders (continued) Figure 9-6: Configuring permissions with the Share a Folder Wizard

Guide to MCSE , Creating and Managing Shared Folders (continued) Monitoring Access to Shared Folders: –Use Computer Management console to see who is connected, what files are open, and send messages Figure 9-7: Viewing information in the Sessions node

Guide to MCSE , Managing Shared Folder Permissions Each shared folder has associated discretionary access control list (DACL) –Contains list of Access control entries (ACEs) Table 9-1: Shared folder permissions for Windows XP and Server 2003

Guide to MCSE , Managing Shared Folder Permissions (continued) Figure 9-9: Denying permissions for a shared folder

Guide to MCSE , Managing Shared Folder Permissions (continued) When new share created, default permission grants read access to Everyone group Permissions configured on shared folders inherited by all objects the shared folder contains Activity 9-3: Implementing Shared Folder Permissions –Objective: Control access to resources by using shared folder permissions

Guide to MCSE , Working with NTFS Permissions Files and folders on Windows XP or Windows Server 2003 NTFS partitions or volumes can be secured through via NTFS permissions –Stored in NTFS directory table –Standard and special NTFS permissions –Effective permissions

Guide to MCSE , NTFS Permission Concepts Guidelines to use when setting NTFS permissions: –NTFS permissions are cumulative –Explicitly denied permissions override allowed ones –NTFS folder permissions inherited by child folders and files, unless otherwise specified –NTFS permissions can be set at file or folder level –Default permissions grant the user or group Read and Read & Execute permissions for files and the List Folder Contents permission for folders –Windows Server 2003 has standard and special permissions

Guide to MCSE , NTFS Permission Concepts (continued) Activity 9-4: Using Standard NTFS Permissions –Objective: Configure and test NTFS permissions on a local folder Table 9-2: Standard NTFS permissions

Guide to MCSE , Special NTFS Permissions Figure 9-12: Configuring how special permissions are applied

Guide to MCSE , Special NTFS Permissions (continued) Table 9-3: Special NTFS permissions

Guide to MCSE , Special NTFS Permissions (continued) Table 9-3 (continued): Special NTFS permissions

Guide to MCSE , Special NTFS Permissions (continued) Activity 9-5: Configuring Special NTFS Permissions –Objective: View, configure, and test special NTFS permissions

Guide to MCSE , Determining Effective Permissions Windows Server 2003 and XP include Effective Permissions tab in Advanced Security Settings dialog box for a file or folder Activity 9-6: Determining Effective NTFS Permissions –Objective: View effective permissions for a user on an NTFS folder

Guide to MCSE , Combining Shared Folder and NTFS Permissions Produce combination of local and remote security –When a user accesses a share across a network and both NTFS and share permissions apply, the most restrictive permission of becomes the effective combined permission –When a user accesses files locally, only NTFS permissions apply Activity 9-7: Exploring the Effect of Combined Share and NTFS Permissions –Objective: Determine the effect of combining shared folder and NTFS permissions

Guide to MCSE , Using Offline Files Offline files: Technology allowing files to be accessed in absence of network connection –File designation, data transfer, follow-up synchronization Figure 9-14: The Offline Settings dialog box in Windows Server 2003

Guide to MCSE , Using Offline Files (continued) To manually select shared folder for offline access from client computer: –View list of shared folders or files –Right-click shared item, click Make Available Offline Offline folder and file information automatically transferred to local storage area When system reconnected to network, offline files synchronized with their LAN-based originals

Guide to MCSE , Using Offline Files (continued) Figure 9-17: The Offline Files tab in Folder Options

Guide to MCSE , Using Offline Files (continued) Not all files can be cached –Creator of share can disable caching –Windows prevents caching of *.slm, *.mdb,*.ldb,*.mdw,*.mde,*.pst, and *.db? files Activity 9-8: Accessing Offline Files –Objective: Make files located on the network available while not connected to the network Activity 9-9: Sharing Folders for Automatic Offline Access –Objective: Configure shared folders for automatic caching of offline documents

Guide to MCSE , Working with the Distributed File System Distributed File System (DFS): Allows administrators to simplify access to multiple shared- file resources Figure 9-18: The Distributed File System console

Guide to MCSE , Working with the Distributed File System (continued) Figure 9-19: Shared folders organized using DFS

Guide to MCSE , DFS Models DFS root: Holds links to shared folders DFS link: Pointer to physical location of shared folders Replica set: Shared folders copied to server(s) in domain Table 9-4: Standalone and domain-based DFS models

Guide to MCSE , DFS Models (continued) Activity 9-10: Creating a Domain-Based DFS Root and DFS Links –Objective: Create a new domain-based DFS root and add DFS links Figure 9-20: A DFS link named Marketing Applications

Guide to MCSE , Managing DFS Several tasks involved in managing DFS root: –Deleting a DFS root –Removing a DFS link –Adding root and link replica sets –Checking the status of a root or link Replication enables fault tolerance and load balancing of requests between servers

Guide to MCSE , Managing DFS (continued) Figure 9-21: Viewing the status of a DFS link

Guide to MCSE , Working with File and Folder Attributes The Read-only Attribute: Designates that file’s contents can’t be changed –Level of security depends on file system –Attributes configured for files stored FAT or FAT32 volume are not secure inherently The Archive Attribute: Provides way to determine files and folders that have been created or changed –Particularly important to backup programs

Guide to MCSE , Working with File and Folder Attributes (continued) The System Attribute: Identifies OS files –Files/folders with both hidden and system attributes treated as protected OS files The Hidden Attribute: Protect files and folders from being visible to users in Windows Explorer or via command line –Can configure system to display hidden files/folders Activity 9-11: Viewing and Configuring File and Folder Attributes in Windows Explorer –Objective: Use Windows Explorer to view and configure file and folder attributes

Guide to MCSE , Working with File and Folder Attributes (continued) Figure 9-24: Configuring display settings for hidden files and folders

Guide to MCSE , Working with File and Folder Attributes (continued) The Attrib Command: Command line tool to view or configure attributes for files and folders –Only way to configure system attribute –Supports wildcards Activity 9-12: Changing File Attributes with the Attrib Command –Objective: View and change file attributes from the command line

Guide to MCSE , Configuring Advanced Attributes Figure 9-25: The Advanced Attributes dialog box for a file

Guide to MCSE , File Compression Enable compression to reduce amount of disk space that folders and files take up –After files compressed, automatically uncompressed when accessed Compression attribute can be affected when copying and moving files: –Files copied to another folder within same NTFS volume automatically inherit destination folder’s compression attribute –Files/folders moved within same NTFS volume retain compression attribute

Guide to MCSE , File Compression (continued) Compression attribute can be affected when copying and moving files (continued): –Files/folders copied between NTFS volumes inherit destination folder’s compression attribute –Files/folders moved between NTFS volumes inherit destination folder’s compression attribute Activity 9-13: Configuring Folder Compression Settings –Objective: Configure a folder to compress its contents

Guide to MCSE , File Compression (continued) The Compact Command: Change compression attribute of files/folders from command line –/c option: Compress files and folders –/u option: Uncompress files and folders –Can only be used on NTFS partitions and volumes

Guide to MCSE , File Encryption Encrypted File System (EFS): Uses public key cryptography to encrypt folders and files File and folder encryption implemented via two types of encryption keys –File encryption key (FEK) –Data decryption field (DDF) Encrypted with user’s public key If a user encrypts data and then leaves or loses his or her private key, user designated as the data recovery agent can recover the encrypted data

Guide to MCSE , File Encryption (continued) Points to keep in mind before using EFS: –When encryption attribute set on a folder, only the contents are encrypted –Any data saved, moved or copied into an encrypted folder is encrypted –Encrypted files copied/moved to unencrypted folder retain encryption attribute, if file system is NTFS –Encryption and compression are mutually exclusive

Guide to MCSE , File Encryption (continued) Activity 9-14: Encrypting Files in Windows Explorer –Objective: Implement and test file encryption security in EFS The Cipher Command: Encrypt contents of files stored on NTFS partitions and volume –/e option: Encrypt files and folders –/d option: Decrypt files and folders –Sets encryption attribute only on folders unless /a switch is used –Commonly used to perform bulk encryption

Guide to MCSE , File Encryption (continued) Activity 9-15: Encrypting Files with the Cipher Command –Objective: Encrypt and decrypt files with the Cipher command

Guide to MCSE , Summary Of FAT, FAT32, and NTFS, only NTFS allows configuration of local security permissions To create a shared folder, you are required to have the appropriate rights Windows Server 2003 supports three share permissions: read, change, and full control Windows Server 2003 supports both standard and special NTFS permissions NTFS permissions are cumulative

Guide to MCSE , Summary (continued) When a shared folder and NTFS permissions are combined, the most restrictive permission applies A denied permission always overrides an allowed permission Offline Files is a Microsoft technology that caches network files on the local computer’s hard disk The Distributed File System (DFS) offers a way for shared folders on different servers to appear to be part of a single logical hierarchy

Guide to MCSE , Summary (continued) The four standard file and folder attributes are archive, hidden, read-only, and system Windows Server 2003 supports advanced attributes on NTFS partitions, including archiving, indexing, compression, and encryption settings NTFS includes built-in support for compression NTFS includes support for the Encrypted File System (EFS)