Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions Lecture 6

Group Accounts
Groups are AD objects that contain users, computers and other entities; like users, groups have SIDs.
Groups are used for easier management of users, computers and resources.
A user's access token lists the SIDs of the groups the user belongs to, together with the rights assigned to the user.
Two types of groups: distribution groups, used for e-mail, and security groups, used to grant permissions to the groups that need access to resources, or to deny access.

Example of Access Token

Group Accounts
Rights and privileges are assigned at the group level.
Up to 5000 members in a group (the limit at the Windows 2000 forest functional level; the Windows Server 2003 forest functional level removes it through linked-value replication).
Groups can be nested: a member of a nested group is effectively a member of the containing group.
A user's rights and privileges obtained through group memberships are cumulative.

Group/User relationship (diagram of Group 1, Group 2 and Group 3): Group 3 is a member of Group 1.

Group Scope
A group's scope determines the extent to which the group can be nested in other groups or referenced in ACLs on resources in the AD domain or forest.
Three group scopes: domain local groups, global groups, universal groups.

Domain Local Groups
Used to assign access permissions to resources in their own domain only (domain scope).
Can have members from anywhere in the forest or from trusted domains in other forests: user accounts, global groups, universal groups, and other domain local groups from the same domain.
Nesting other domain local groups as members requires native mode; in mixed mode they can contain only user accounts and global groups.
Used as resource groups.

Domain Local Group Example (diagram, Domains A, B and C): User 1 and User 2 are members of the Engineering global group; Engineering is a member of Printer Group (domain local); the printer's ACL grants Printer Group the Print permission.

Global Groups
Used to group users and to provide access to resources in other trusted domains.
Can have members from their own domain only: user accounts and, in native mode, other global groups from the same domain.
Can be granted access to resources, or placed into local or domain local groups, in any trusting domain.
Exist in both mixed and native mode.

Global Group Example (diagram showing User 1, Group 1, Group 2 and the Accountants global group across Domains A, B and C): User 1 and Group 1 are members of Accountants, and Accountants is referenced in a printer ACL in another domain.

Universal Groups
Grant access to resources in all trusted domains.
Can have members (user accounts, global groups, universal groups) from any domain in the forest; unlike domain local groups, they cannot contain accounts from other forests.
Can be granted access to resources in any domain.
Available in native mode only.
Listed in the Global Catalog, together with their full membership!
At the Windows 2000 forest functional level, one member change causes the whole group membership to be replicated to every GC; at the Windows Server 2003 forest functional level only the changed member is replicated (linked-value replication).

Group Strategy (AGDLP)
Put user accounts into global groups. A global group can be thought of as an accounts group.
Create domain local (or machine local) groups for resources. A local group can be thought of as a resource group.
Put the global groups into the appropriate domain local (or machine local) groups anywhere in the forest.
Assign permissions on the resources to the domain local (or machine local) groups that represent them.

Group Strategy Example (diagram, Domains A, B and C): each domain has its own Engineers global group; all three Engineers groups are members of the Database Access domain local group in Domain A; the database ACL grants Database Access Allow Read/Write.
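The four AGDLP steps above, as an added example (not part of the lecture) using the ActiveDirectory module cmdlets from RSAT. The OU, domain names, account names and folder path are assumptions for illustration:

```powershell
# Added example: AGDLP with the ActiveDirectory module. OU, domains, accounts and
# the folder path are assumed; replace them with your own.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'      # assumed OU for the new groups

# A -> G: user accounts go into a global (accounts) group in their own domain
New-ADGroup -Name 'Engineers' -SamAccountName 'Engineers' `
    -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Engineers' -Members 'alice', 'bob'   # assumed accounts

# DL: one domain local (resource) group per resource and access level
New-ADGroup -Name 'DB_Engineering_Modify' -SamAccountName 'DB_Engineering_Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the global group into the domain local group. A global group from a
# trusted domain (assumed name corpb.example) is nested the same way.
Add-ADGroupMember -Identity 'DB_Engineering_Modify' -Members 'Engineers'
Add-ADGroupMember -Identity 'DB_Engineering_Modify' `
    -Members (Get-ADGroup -Identity 'Engineers' -Server 'corpb.example')

# P: the permission goes on the domain local group only, never on users or the
# global group. (OI)(CI) inherit the ACE to files and subfolders, M = Modify.
icacls 'D:\Shares\Database' /grant 'CORP\DB_Engineering_Modify:(OI)(CI)M'

# Check the chain: -Recursive expands nesting, so the individual users appear
# even though only the global group was added directly.
Get-ADGroupMember -Identity 'DB_Engineering_Modify' -Recursive |
    Select-Object Name, objectClass
```

The check matters because permissions are evaluated against the user's token, not against the ACL's text: if a user is missing from the recursive membership, no amount of editing the ACE will help.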

Default User Account Membership
Built-in groups are created automatically in Windows Server 2003 for the most common roles and tasks. By default a new user account is a member of Domain Users, which in turn is a member of the Users group; Domain Admins is a member of the Administrators group.

Special Groups (system-maintained identities whose membership is determined by how a principal logged on or what it is, not by an administrator): Everyone, Network, Interactive, Service, System, Authenticated Users, SELF, CREATOR OWNER.

Folder Sharing
Sharing provides access over the network to a folder on another computer's file system.
All files and subfolders within a shared folder are shared with the same permissions.
Share permissions apply to entire folders, not to specific files.
Share permissions are the only way to secure files on a FAT volume.

Folder Sharing
Permissions can be set as Allow or Deny. A Deny permission always cancels out the corresponding Allow permission.
A copy of a shared folder does not retain the shared status.
Shared status is discarded when a folder is moved.

Who can create shares?
In a domain, the built-in Administrators and Server Operators groups can create shared folders throughout the domain. In a workgroup, the Administrators and Power Users groups can share folders on the individual server. These two groups can also share folders on standalone servers and on Windows 2000 Professional installations.

Accessing a share
Once a share has been created, clients can connect to it in one of these ways: map a network drive; browse with My Network Places; use the Run menu option with the UNC path (\\server\share).

Shared Folder Permissions
Shared folder permissions control which users can access a shared folder and what kind of access they have.
They apply only to users connecting to the shared folder over the network, NOT to local users.
They are the only access control available on FAT volumes.
Permissions: Read (open files, see subfolders), Change (Read plus edit files, create and delete files and folders), Full Control (Change plus take ownership and modify permissions).
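An added example (not from the slides) of the usual way these two layers are combined in practice: the share ACL is kept coarse and permissive, and the NTFS ACL on a domain local resource group does the real access control, so the same folder is protected identically for network and local users. The folder path, share name and group name are assumptions; New-SmbShare and Get-SmbShareAccess require Windows Server 2012 or later:

```powershell
# Added example: permissive share ACL, restrictive NTFS ACL. Names below are assumed.
$path  = 'D:\Shares\Database'
$share = 'Database'
$group = 'CORP\DB_Engineering_Modify'   # domain local resource group (AGDLP)

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permissions apply only to network access, to the whole tree, in three levels.
# Authenticated Users get Change, administrators Full Control. Everyone/Full Control
# is avoided: the share level cannot express per-file exceptions, so it should never
# be the layer that decides who gets in.
New-SmbShare -Name $share -Path $path `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FullAccess 'BUILTIN\Administrators'

# NTFS permissions apply per file and to local logons too. Block inheritance from the
# parent, drop the inherited ACEs, then grant explicitly: SYSTEM and Administrators
# Full Control, the resource group Modify. No individual user is named in the ACL.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # $true = block inheritance, $false = discard inherited ACEs
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $group;                   Rights = 'Modify'      })) {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $entry.Id, $entry.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Checks to run afterwards: the share ACL, then the explicit NTFS ACEs.
Get-SmbShareAccess -Name $share
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Because SetAccessRuleProtection is called with $false as its second argument, every inherited ACE is discarded; the script therefore re-adds SYSTEM and Administrators explicitly, otherwise even administrators would have to take ownership to get back in.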

How Permissions Combine
When a user belongs to multiple groups, the least restrictive permission wins, except when a permission is specifically denied: any Deny overrides Allow.

Publishing Files and Folders in AD
Like users, computers and printers, shared folders can be published in AD.
AD provides a way to locate published shared folders; access is still governed by the permissions set on the resource itself.
Published shared folders are available for lookup from the Global Catalog.

NTFS Permissions
Apply to files and folders on NTFS formatted volumes/partitions.
Apply to both folders and individual files.
Apply to both local and remote users.
NTFS permissions set on a folder are inherited by default by the folder's contents; this can be changed by blocking inheritance on a child.

File/Folder Ownership
Every file and folder has an owner (usually the user who created it).
Ownership does not change when users simply edit a file.
An owner can always change the permissions on the file or folder, even when no ACE grants the owner access, and so can grant other users NTFS permissions on it.
A user with the appropriate permission can take ownership of someone else's file or folder.

NTFS permissions
NTFS permissions can be assigned by the owner, by a user with Full Control, or by a user with the Change Permissions special permission. A user with the Take Ownership permission can take ownership of the file or folder and then change its permissions.

NTFS permissions
NTFS permissions are stored in the object's ACL and control access to the object.
Two categories of permissions: standard and special.
Standard permissions are pre-set, frequently used combinations of special permissions.
Special permissions provide finer granularity over file and folder security.

Standard NTFS Permissions: Read, Read & Execute, List Folder Contents (folders only), Write, Modify, Full Control.

Permissions of New, Moved and Copied Files and Folders
A copied file or folder, or one moved to a different NTFS volume, inherits the permissions of the destination folder. The exception is a file or folder moved within the same NTFS volume, which retains its original permissions. Moving or copying to a FAT volume loses the NTFS permissions entirely.

Effective permissions
User and group NTFS permissions combine to the least restrictive combination, except where a Deny overrides an Allow.
A file may have permissions that differ from its parent folder's permissions.
When combining share and NTFS permissions, always choose the MOST restrictive combination.

Effective NTFS and share permissions
1. Determine the effective share permission by choosing the least restrictive of all share permissions that apply to the user and the user's groups; a Deny overrides Allow.
2. Determine the effective NTFS permission by choosing the least restrictive of all NTFS permissions that apply to the user and the user's groups; a Deny overrides Allow.
3. Combine the results of steps 1 and 2 and choose the MOST restrictive of the share and NTFS results. If there is no overlap, no access is granted.
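The three steps above as a small model, added here as an example and not part of the lecture. It reduces share permissions and standard NTFS permissions to sets of basic rights, expands nested group membership the way the access token does, and runs on constructed group memberships and ACLs. Real Windows evaluation is richer (explicit ACEs are evaluated before inherited ones, so an explicit Allow beats an inherited Deny; special permissions and the owner's implicit rights also play in), so this is an aid to reasoning, not a substitute for the Effective Permissions tab:

```powershell
# Added example: model of share/NTFS combination. Right sets are a simplification;
# all memberships and ACLs below are constructed.
$RightSets = @{
    'Share:Read'                = @('Read', 'Execute')
    'Share:Change'              = @('Read', 'Execute', 'Write', 'Delete')
    'Share:Full Control'        = @('Read', 'Execute', 'Write', 'Delete', 'ChangePermissions', 'TakeOwnership')
    'NTFS:Read'                 = @('Read')
    'NTFS:Read & Execute'       = @('Read', 'Execute')
    'NTFS:List Folder Contents' = @('Read', 'Execute')
    'NTFS:Write'                = @('Write')
    'NTFS:Modify'               = @('Read', 'Execute', 'Write', 'Delete')
    'NTFS:Full Control'         = @('Read', 'Execute', 'Write', 'Delete', 'ChangePermissions', 'TakeOwnership')
}

function Get-TokenGroups {
    # What the access token carries: every group the user belongs to, directly or by nesting.
    # $Groups maps a group name to its members; a member may itself be a group.
    param([string]$User, [hashtable]$Groups)
    $found = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($User)
    while ($queue.Count -gt 0) {
        $member = $queue.Dequeue()
        foreach ($g in $Groups.Keys) {
            if ($Groups[$g] -contains $member -and $found.Add($g)) { $queue.Enqueue($g) }
        }
    }
    @($found)
}

function Get-AclRights {
    # Steps 1 and 2: within one ACL, Allows accumulate (least restrictive), any Deny overrides.
    param([object[]]$Aces, [string[]]$Principals, [string]$Kind)
    $allow = @(); $deny = @()
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Principal) { continue }
        $set = $RightSets[$Kind + ':' + $ace.Permission]
        if (-not $set) { throw "Unknown $Kind permission '$($ace.Permission)'" }
        if ($ace.Type -eq 'Allow') { $allow += $set } else { $deny += $set }
    }
    @($allow | Sort-Object -Unique | Where-Object { $deny -notcontains $_ })
}

function Get-EffectiveRights {
    param([string]$User, [hashtable]$Groups, [object[]]$ShareAces, [object[]]$NtfsAces, [switch]$LocalLogon)
    $principals = @($User, 'Everyone', 'Authenticated Users') + (Get-TokenGroups -User $User -Groups $Groups)
    $ntfs = Get-AclRights -Aces $NtfsAces -Principals $principals -Kind 'NTFS'
    if ($LocalLogon) { return $ntfs }     # share permissions never apply to local access
    $share = Get-AclRights -Aces $ShareAces -Principals $principals -Kind 'Share'
    # Step 3: most restrictive of the two, i.e. only rights granted by BOTH survive
    @($ntfs | Where-Object { $share -contains $_ })
}

# Constructed data: a global group nested in a domain local group, and a Deny on a second group
$groups = @{
    'Engineers'    = @('alice', 'bob')
    'DB_Access_DL' = @('Engineers')
    'Contractors'  = @('bob')
}
$shareAcl = @(
    @{ Principal = 'Authenticated Users'; Permission = 'Change'; Type = 'Allow' }
)
$ntfsAcl = @(
    @{ Principal = 'DB_Access_DL'; Permission = 'Full Control'; Type = 'Allow' }
    @{ Principal = 'Contractors';  Permission = 'Write';        Type = 'Deny'  }
)

'alice over the network:  ' + ((Get-EffectiveRights 'alice' $groups $shareAcl $ntfsAcl) -join ', ')
'bob over the network:    ' + ((Get-EffectiveRights 'bob'   $groups $shareAcl $ntfsAcl) -join ', ')
'alice logged on locally: ' + ((Get-EffectiveRights 'alice' $groups $shareAcl $ntfsAcl -LocalLogon) -join ', ')
```

The three runs illustrate the slide's three traps in turn: alice holds NTFS Full Control but the share's Change level caps her over the network; bob inherits the same NTFS grant through Engineers but the Deny on Contractors strips Write; and alice logged on locally is limited by NTFS alone, because the share ACL is never consulted for local access.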

Troubleshooting Permissions Problems
Permissions granted through group membership take effect only after the user logs off and logs back on, because the access token is built at logon.
Watch out for Deny permissions.
Watch out for permissions set on individual folders or files that differ from those of the parent.
Watch out for a conflicting combination of NTFS and share permissions.
File permissions change after a file is moved or copied.
A user with Full Control on a folder can delete any file in it, even without permissions on the file itself, because Full Control on the folder includes the Delete Subfolders and Files special permission.