70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003
Chapter Nine: Managing File System Access and Security

Objectives
Create and manage shared folders
Configure shared folder permissions in Windows Server 2003
Configure NTFS permissions in Windows Server 2003
Determine the impact of combining shared folder and NTFS permissions

Objectives (continued)
Configure and work with offline files and folders
Work with the Distributed File System
Work with file and folder attributes
Configure advanced attributes

Creating and Managing Shared Folders
Shared folder: Data resource made available over the network to authorized network clients
  – Users required to have appropriate rights to create shared folders
Using Windows Explorer: Standard method for creating and sharing folders
  – Simple file sharing mode enabled by default in Windows XP in a Workgroup
      – Disabled if system is member of a Domain
      – Format of file sharing tab will change

Creating and Managing Shared Folders (continued)
Figure 9-2: Simple file sharing in XP Professional

Creating and Managing Shared Folders (continued)
Figure 9-3: The option for simple file sharing in Folder Options

Creating and Managing Shared Folders (continued)
Using Windows Explorer (continued):
  – Can create two share names
  – To hide shared folder, place $ after its name
      – Windows XP and Windows Server 2003 create hidden administrative shares by default during installation
Activity 9-1: Creating a Shared Folder in Windows Explorer
  – Objective: Create a shared folder on your Windows Server 2003 system in Windows Explorer

Creating and Managing Shared Folders (continued)
Using Computer Management: Can manage shares on multiple servers from single location
Activity 9-2: Creating and Viewing Shared Folders in Computer Management
  – Objective: Create and view shared folders in Computer Management

Creating and Managing Shared Folders (continued)
Figure 9-6: Configuring permissions with the Share a Folder Wizard

Creating and Managing Shared Folders (continued)
Monitoring Access to Shared Folders:
  – Use Computer Management console to see who is connected, what files are open, and send messages
Figure 9-7: Viewing information in the Sessions node

Managing Shared Folder Permissions
Each shared folder has associated discretionary access control list (DACL)
  – Contains list of access control entries (ACEs)
Table 9-1: Shared folder permissions for Windows XP and Server 2003

Managing Shared Folder Permissions (continued)
Figure 9-9: Denying permissions for a shared folder

Managing Shared Folder Permissions (continued)
When new share created, default permission grants read access to Everyone group
Permissions configured on shared folders inherited by all objects the shared folder contains
Activity 9-3: Implementing Shared Folder Permissions
  – Objective: Control access to resources by using shared folder permissions

Working with NTFS Permissions
Files and folders on Windows XP or Windows Server 2003 NTFS partitions or volumes can be secured via NTFS permissions
  – Stored in NTFS directory table
  – Standard and special NTFS permissions
  – Effective permissions

NTFS Permission Concepts
Guidelines to use when setting NTFS permissions:
  – NTFS permissions are cumulative
  – Explicitly denied permissions override allowed ones
  – NTFS folder permissions inherited by child folders and files, unless otherwise specified
  – NTFS permissions can be set at file or folder level
  – Default permissions grant the user or group Read and Read & Execute permissions for files and the List Folder Contents permission for folders
  – Windows Server 2003 has standard and special permissions

NTFS Permission Concepts (continued)
Activity 9-4: Using Standard NTFS Permissions
  – Objective: Configure and test NTFS permissions on a local folder
Table 9-2: Standard NTFS permissions

Special NTFS Permissions
Figure 9-12: Configuring how special permissions are applied

Special NTFS Permissions (continued)
Table 9-3: Special NTFS permissions

Special NTFS Permissions (continued)
Table 9-3 (continued): Special NTFS permissions

Special NTFS Permissions (continued)
Activity 9-5: Configuring Special NTFS Permissions
  – Objective: View, configure, and test special NTFS permissions

Determining Effective Permissions
Windows Server 2003 and XP include Effective Permissions tab in Advanced Security Settings dialog box for a file or folder
Activity 9-6: Determining Effective NTFS Permissions
  – Objective: View effective permissions for a user on an NTFS folder

Combining Shared Folder and NTFS Permissions
Produce combination of local and remote security
  – When a user accesses a share across a network and both NTFS and share permissions apply, the most restrictive permission becomes the effective combined permission
  – When a user accesses files locally, only NTFS permissions apply
Activity 9-7: Exploring the Effect of Combined Share and NTFS Permissions
  – Objective: Determine the effect of combining shared folder and NTFS permissions
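
Added example (not from the original slides): a small Python model of the rules on the NTFS Permission Concepts and Combining Shared Folder and NTFS Permissions slides, where allows accumulate across a user's groups, a deny overrides them, and network access gets only what both the share and NTFS grant. The level-to-rights mapping, the account names and the sample DACLs are simplified assumptions, since Tables 9-1 and 9-2 are not reproduced on this page.

```python
from enum import Flag
from typing import NamedTuple

class Right(Flag):
    READ = 1
    EXECUTE = 2
    WRITE = 4
    DELETE = 8
    CHANGE_PERMS = 16

R, X, W, D, P = Right.READ, Right.EXECUTE, Right.WRITE, Right.DELETE, Right.CHANGE_PERMS

# Simplified level-to-rights mapping (an assumption for illustration; the
# real permission tables are more granular than these five rights).
SHARE = {"Read": R | X, "Change": R | X | W | D, "Full Control": R | X | W | D | P}
NTFS = {"Read": R, "Read & Execute": R | X, "Write": W,
        "Modify": R | X | W | D, "Full Control": R | X | W | D | P}

class Ace(NamedTuple):
    trustee: str   # user or group name
    allow: bool    # True = Allow entry, False = Deny entry
    rights: Right

def effective(dacl, user, groups):
    """Union of every Allow that applies to the user or a group, minus every Deny."""
    who = {user, *groups}
    allowed = denied = Right(0)
    for ace in dacl:
        if ace.trustee not in who:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied

def access(share_dacl, ntfs_dacl, user, groups, over_network):
    """Local access: NTFS only. Network access: only rights granted by both."""
    ntfs = effective(ntfs_dacl, user, groups)
    return ntfs & effective(share_dacl, user, groups) if over_network else ntfs

# Constructed sample DACLs; all account and group names are hypothetical.
SHARE_DACL = [Ace("Everyone", True, SHARE["Read"])]   # default on a new share
NTFS_DACL = [Ace("Sales", True, NTFS["Modify"]),
             Ace("alice", True, NTFS["Read"]),
             Ace("Interns", False, NTFS["Write"])]

if __name__ == "__main__":
    for user, groups in [("alice", ["Sales", "Everyone"]),
                         ("bob", ["Sales", "Interns", "Everyone"])]:
        for net in (False, True):
            print(user, "network" if net else "local",
                  access(SHARE_DACL, NTFS_DACL, user, groups, net))
```

With the default Everyone: Read share permission, a user who holds Modify through NTFS can still change files when logged on locally but is limited to reading over the network.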

Using Offline Files
Offline files: Technology allowing files to be accessed in absence of network connection
  – File designation, data transfer, follow-up synchronization
Figure 9-14: The Offline Settings dialog box in Windows Server 2003

Using Offline Files (continued)
To manually select shared folder for offline access from client computer:
  – View list of shared folders or files
  – Right-click shared item, click Make Available Offline
Offline folder and file information automatically transferred to local storage area
When system reconnected to network, offline files synchronized with their LAN-based originals

Using Offline Files (continued)
Figure 9-17: The Offline Files tab in Folder Options

Using Offline Files (continued)
Not all files can be cached
  – Creator of share can disable caching
  – Windows prevents caching of *.slm, *.mdb, *.ldb, *.mdw, *.mde, *.pst, and *.db? files
Activity 9-8: Accessing Offline Files
  – Objective: Make files located on the network available while not connected to the network
Activity 9-9: Sharing Folders for Automatic Offline Access
  – Objective: Configure shared folders for automatic caching of offline documents

Working with the Distributed File System
Distributed File System (DFS): Allows administrators to simplify access to multiple shared-file resources
Figure 9-18: The Distributed File System console

Working with the Distributed File System (continued)
Figure 9-19: Shared folders organized using DFS

DFS Models
DFS root: Holds links to shared folders
DFS link: Pointer to physical location of shared folders
Replica set: Shared folders copied to server(s) in domain
Table 9-4: Standalone and domain-based DFS models

DFS Models (continued)
Activity 9-10: Creating a Domain-Based DFS Root and DFS Links
  – Objective: Create a new domain-based DFS root and add DFS links
Figure 9-20: A DFS link named Marketing Applications

Managing DFS
Several tasks involved in managing DFS root:
  – Deleting a DFS root
  – Removing a DFS link
  – Adding root and link replica sets
  – Checking the status of a root or link
Replication enables fault tolerance and load balancing of requests between servers

Managing DFS (continued)
Figure 9-21: Viewing the status of a DFS link

Working with File and Folder Attributes
The Read-only Attribute: Designates that file’s contents can’t be changed
  – Level of security depends on file system
  – Attributes configured for files stored on a FAT or FAT32 volume are not inherently secure
The Archive Attribute: Provides way to determine files and folders that have been created or changed
  – Particularly important to backup programs

Working with File and Folder Attributes (continued)
The System Attribute: Identifies OS files
  – Files/folders with both hidden and system attributes treated as protected OS files
The Hidden Attribute: Protects files and folders from being visible to users in Windows Explorer or via command line
  – Can configure system to display hidden files/folders
Activity 9-11: Viewing and Configuring File and Folder Attributes in Windows Explorer
  – Objective: Use Windows Explorer to view and configure file and folder attributes

Working with File and Folder Attributes (continued)
Figure 9-24: Configuring display settings for hidden files and folders

Working with File and Folder Attributes (continued)
The Attrib Command: Command line tool to view or configure attributes for files and folders
  – Only way to configure system attribute
  – Supports wildcards
Activity 9-12: Changing File Attributes with the Attrib Command
  – Objective: View and change file attributes from the command line

Configuring Advanced Attributes
Figure 9-25: The Advanced Attributes dialog box for a file

File Compression
Enable compression to reduce amount of disk space that folders and files take up
  – After files compressed, automatically uncompressed when accessed
Compression attribute can be affected when copying and moving files:
  – Files copied to another folder within same NTFS volume automatically inherit destination folder’s compression attribute
  – Files/folders moved within same NTFS volume retain compression attribute

File Compression (continued)
Compression attribute can be affected when copying and moving files (continued):
  – Files/folders copied between NTFS volumes inherit destination folder’s compression attribute
  – Files/folders moved between NTFS volumes inherit destination folder’s compression attribute
Activity 9-13: Configuring Folder Compression Settings
  – Objective: Configure a folder to compress its contents

File Compression (continued)
The Compact Command: Change compression attribute of files/folders from command line
  – /c option: Compress files and folders
  – /u option: Uncompress files and folders
  – Can only be used on NTFS partitions and volumes

File Encryption
Encrypted File System (EFS): Uses public key cryptography to encrypt folders and files
File and folder encryption implemented via two types of encryption keys
  – File encryption key (FEK)
  – Data decryption field (DDF)
      – Encrypted with user’s public key
If a user encrypts data and then leaves or loses his or her private key, the user designated as the data recovery agent can recover the encrypted data

File Encryption (continued)
Points to keep in mind before using EFS:
  – When encryption attribute set on a folder, only the contents are encrypted
  – Any data saved, moved or copied into an encrypted folder is encrypted
  – Encrypted files copied/moved to unencrypted folder retain encryption attribute, if file system is NTFS
  – Encryption and compression are mutually exclusive

File Encryption (continued)
Activity 9-14: Encrypting Files in Windows Explorer
  – Objective: Implement and test file encryption security in EFS
The Cipher Command: Encrypt contents of files stored on NTFS partitions and volumes
  – /e option: Encrypt files and folders
  – /d option: Decrypt files and folders
  – Sets encryption attribute only on folders unless /a switch is used
  – Commonly used to perform bulk encryption

File Encryption (continued)
Activity 9-15: Encrypting Files with the Cipher Command
  – Objective: Encrypt and decrypt files with the Cipher command

Summary
Of FAT, FAT32, and NTFS, only NTFS allows configuration of local security permissions
To create a shared folder, you are required to have the appropriate rights
Windows Server 2003 supports three share permissions: read, change, and full control
Windows Server 2003 supports both standard and special NTFS permissions
NTFS permissions are cumulative

Summary (continued)
When a shared folder and NTFS permissions are combined, the most restrictive permission applies
A denied permission always overrides an allowed permission
Offline Files is a Microsoft technology that caches network files on the local computer’s hard disk
The Distributed File System (DFS) offers a way for shared folders on different servers to appear to be part of a single logical hierarchy

Summary (continued)
The four standard file and folder attributes are archive, hidden, read-only, and system
Windows Server 2003 supports advanced attributes on NTFS partitions, including archiving, indexing, compression, and encryption settings
NTFS includes built-in support for compression
NTFS includes support for the Encrypted File System (EFS)