Presentation transcript: Group Accounts; Securing Resources with Permissions
1 Group Accounts; Securing Resources with Permissions Lecture 6
2 Group Accounts
- Group: an AD object that contains users, computers and other entities (groups have SIDs).
- Groups are used for easier management of users, computers and resources.
- The access token identifies the groups to which a user belongs and the rights assigned.
- 2 types of groups:
  - Distribution groups for
  - Security groups, to assign limited permissions to groups that need access to resources, or to deny access.
4 Group Accounts
- Rights and privileges are assigned at the group level.
- Up to 5000 members in a group.
- Groups can be nested (membership by inheritance).
- A user's rights and privileges obtained through group memberships are cumulative.
5 Group/User relationship (diagram): Group 1, Group 2 and Group 3, where Group 3 is a member of Group 1.
6 Group Scope
- A group's scope determines the extent to which the group can be nested in other groups or referenced in ACLs on the resources in the AD domain or forest.
- 3 group scopes: Domain local groups, Global domain groups, Universal groups.
7 Domain Local Groups
- Used to assign access permissions for resources in the local domain only (domain scope).
- Can have members from anywhere in the forest or from trusted domains in other forests: user accounts, other domain local groups, global groups and universal groups.
- Available only in native mode domains.
- Used as a resource group.
8 Domain Local Group Example (diagram spanning Domain A, Domain B and Domain C): Engineering (Global Group) contains User 1 and User 2; Printer Group (Domain Local) contains User 1, Engineering and User 2; the Printer ACL grants Printer Group the Print permission.
9 Global Domain Groups
- Used to group users and to provide access to resources in other trusted domains.
- Can have members from within their own domain only: user accounts and other global groups.
- Can be granted access to resources, or placed into local/domain local groups, in any trusting domain.
- Exist in both mixed and native mode.
10 Global Domain Group Example (diagram spanning Domain A, Domain B and Domain C): Accountants (Global Group) with members User 1 and Group 1; Group 2; Printer ACL listing Accountants.
11 Universal Groups
- Grant access to resources in all trusted domains.
- Can have members from any domain in the forest, or from trusting domains in other forests.
- Can be granted access to resources in any domain.
- Available in native mode only.
- Listed in a GC (all members also!!!).
- One member change: the whole group membership is replicated to all GCs!
12 Group Strategy
- Put users into global domain groups. A global group can be thought of as an Accounts group.
- Put resources into domain local (or machine local) groups. A local group can be thought of as a Resource group.
- Put a global group into any domain local (or machine local) group in the forest.
- Assign permissions for accessing resources to the domain local (or machine local) groups that contain them.
13 Group Strategy Example (diagram spanning Domain A, Domain B and Domain C): each domain has an Engineers (Global Group); Database Access (Domain Local Group) contains Domain A Engineers, Domain B Engineers and Domain C Engineers; the ACL on the Database grants Database Access Allow Write/Read.
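The strategy on slides 12 and 13 (users in global groups, global groups nested into a domain local group, permissions granted to the domain local group) and the scope rules on slides 7 and 9 can be modelled in a few lines. The following is an added example written for these notes, not code from the lecture or from Active Directory itself: the `Forest` class, the principal names such as `user1@A` and `Engineers@A`, and the `build_example`/`scope_violations` helpers are all constructed for illustration. It resolves nested membership into a token group set and checks that the cumulative permission a user ends up with is exactly what the slide's diagram shows.

```python
from collections import defaultdict


class Forest:
    """Constructed model of AD group scopes and nesting (not real AD code).
    Scope rules follow the slides: a global group takes members from its own
    domain only (users and other global groups); a domain local group may
    only appear on ACLs of resources in its own domain."""

    def __init__(self):
        self.domain = {}                 # principal or resource -> domain name
        self.scope = {}                  # group -> "global" | "domain local" | "universal"
        self.members = defaultdict(set)  # group -> direct members
        self.acl = defaultdict(dict)     # resource -> {principal: set of permissions}

    def add_user(self, name, domain):
        self.domain[name] = domain

    def add_group(self, name, domain, scope):
        self.domain[name] = domain
        self.scope[name] = scope

    def add_resource(self, name, domain):
        self.domain[name] = domain

    def add_member(self, group, member):
        if self.scope[group] == "global":
            if self.domain[member] != self.domain[group]:
                raise ValueError(f"{group} is global: {member} is from another domain")
            if member in self.scope and self.scope[member] != "global":
                raise ValueError(f"{group} is global: it can only nest global groups")
        self.members[group].add(member)

    def grant(self, resource, principal, *permissions):
        if (self.scope.get(principal) == "domain local"
                and self.domain[principal] != self.domain[resource]):
            raise ValueError(f"{principal} is domain local: {resource} is in another domain")
        self.acl[resource].setdefault(principal, set()).update(permissions)

    def token_groups(self, user):
        """Groups carried in the user's access token: direct memberships plus
        every group reached through nesting (membership by inheritance)."""
        found, frontier = set(), {user}
        while frontier:
            reached = {g for g, m in self.members.items() if g not in found and m & frontier}
            found |= reached
            frontier = reached
        return found

    def permissions(self, resource, user):
        """Rights are cumulative: union over the user and all token groups."""
        result = set()
        for principal in {user} | self.token_groups(user):
            result |= self.acl[resource].get(principal, set())
        return result


def build_example():
    """The slide's scenario: Engineers global groups in Domains A, B and C,
    nested into the Database Access domain local group in Domain A, which
    is granted Read/Write on the Database."""
    f = Forest()
    for d in ("A", "B", "C"):
        f.add_user(f"user1@{d}", d)
        f.add_group(f"Engineers@{d}", d, "global")
        f.add_member(f"Engineers@{d}", f"user1@{d}")
    f.add_resource("Database", "A")
    f.add_group("Database Access", "A", "domain local")
    for d in ("A", "B", "C"):
        f.add_member("Database Access", f"Engineers@{d}")
    f.grant("Database", "Database Access", "Read", "Write")
    return f


def scope_violations(f):
    """Two common mistakes the scope rules reject: a Domain B user placed in a
    Domain A global group, and a Domain A domain local group used on a
    Domain B resource. Returns the list of rejected operations."""
    rejected = []
    try:
        f.add_member("Engineers@A", "user1@B")
    except ValueError:
        rejected.append("cross-domain member in global group")
    f.add_resource("Printer", "B")
    try:
        f.grant("Printer", "Database Access", "Print")
    except ValueError:
        rejected.append("domain local group on foreign resource")
    return rejected


if __name__ == "__main__":
    forest = build_example()
    print(sorted(forest.token_groups("user1@C")), sorted(forest.permissions("Database", "user1@C")))
    print(scope_violations(forest))
```

The user in Domain C never appears on the Database ACL directly: access arrives through Engineers@C, then Database Access, which is what makes the AGDLP layout easy to audit (one ACL entry per resource group) and easy to extend (add a domain by nesting one more global group).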
14 Default User Account Membership
- Built-in groups are automatically created in Windows Server 2003 to reflect the most common attributes and tasks.
- Domain Users / Users
- Domain Admins / Administrators
15 Special Groups: EVERYONE, Network, Interactive, Service, System, Authenticated Users, SELF, CREATOR OWNER.
16 Folder Sharing
- Sharing is used to provide access to files in one computer's file system from another computer.
- All files and subfolders within a shared folder are shared with the same permissions.
- Share permissions apply to entire folders, not to specific files.
- The only way to secure files on a FAT volume.
17 Folder Sharing
- Permissions can be set using Allow or Deny. A Deny permission always cancels out the corresponding Allow permission.
- A copy of a shared folder doesn't retain the "shared" status.
- Shared folder status is discarded when a folder is moved.
18 Who can create shares?
- In a domain environment, the built-in Administrators and Server Operators groups can establish shared folders throughout the domain.
- In a workgroup, the Administrators and Power Users groups have authority to share folders on the individual server. These two groups can also share folders on standalone servers and on Win2K Professional installations.
19 Accessing a share
- Once a share has been created, clients may connect to the shared folder using one of these methods:
  - Map a network drive
  - Use My Network Places to browse
  - Use the Run menu option with the UNC path
20 Shared Folder Permissions
- Shared folder permissions control which users can access a folder and what kind of access they have.
- They apply only to users connecting to the shared folder over the network, NOT to local users.
- They are the only access control measure available on FAT volumes.
- Permissions are Read (open files, see subfolders), Change (Read privileges plus edit files, delete and create files/folders) and Full Control (Change privileges plus take ownership and modify permissions).
21 How Permissions Combine
- When a user belongs to multiple groups, the least restrictive permission wins, except when specifically Denied: any Deny overrides Allow.
22 Publishing Files and Folders in AD
- Like users, computers and printers, files and folders may be published to AD.
- AD provides a way to locate published files and folders and secures permissions on the resources.
- Published files/folders are available for lookup from the Global Catalog.
23 NTFS Permissions
- Affect files/folders on NTFS-formatted volumes/partitions.
- Affect both folders and individual files.
- Affect both local and remote users.
- NTFS permissions set on a folder are inherited by default by the folder's contents, but that can be changed (block inheritance).
24 File/Folder Ownership
- Every file/folder has an owner (usually the user who created the file).
- Ownership doesn't change when users simply edit a file.
- An owner has Full Control permission for the file/folder and can grant other users NTFS permissions to that file or folder.
- A user with the appropriate permission can take ownership of someone else's file/folder.
25 NTFS permissionsNTFS permissions can be assigned by an owner, a user with Full Control, or a user with Change Permissions. Also, a user with Take Ownership permission can take ownership of the file/folder and then change permissions.
26 NTFS permissions
- NTFS permissions are specified in the object's ACL and are used to control access to the object.
- 2 categories of permissions: Standard and Special.
- Standard permissions are pre-set, frequently used permissions for objects.
- Special permissions provide finer granularity for file/folder security.
27 Standard NTFS Permissions: Read, Read & Execute, List Folder Contents, Write, Modify, Full Control.
28 New, Moved and Copied Files and Folders: Permissions
- When a file or folder is moved or copied, it inherits the destination folder's permissions.
- The only exception is when a file/folder is moved within the same NTFS volume; then it retains its original permissions.
29 How Permissions Combine
- When a user belongs to multiple groups, the least restrictive permission wins, except when specifically Denied: any Deny overrides Allow.
30 Effective permissions
- User and group NTFS permissions combine to the least restrictive combination, except where Deny overrides Allow.
- Files may have different permissions than their parent folder's permissions.
- When combining share and NTFS permissions, always choose the MOST restrictive combination.
31 Effective NTFS permissions
1. Determine the effective share permission by choosing the least restrictive of all share permissions. The exception is that a Denied permission overrides Allow.
2. Determine the effective NTFS permission by choosing the least restrictive of all NTFS permissions. The exception is that a Denied permission overrides Allow.
3. Combine the results of steps 1 and 2 and choose the MOST restrictive permission out of share and NTFS. If there is no overlap, no permissions are effective.
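The three-step procedure on slides 21, 29, 30 and 31 is easy to get wrong by hand, so here is an added example that carries it out in code. This is illustration code written for these notes, not something from the lecture or from Windows: the expansion of each named permission level into a set of atomic rights (`SHARE_LEVELS`, `NTFS_LEVELS`), the `Ace` record and the sample users `alice` and `bob` are all constructed assumptions. Step 1 and step 2 are the union of matching Allow entries minus matching Deny entries (least restrictive, Deny wins); step 3 is the intersection of the two results (most restrictive), and an empty intersection means no access. The `over_network` flag covers the caveat from slide 20 that share permissions do not apply to local users.

```python
from dataclasses import dataclass

# Constructed model: each permission level named on the slides expands to a
# set of atomic rights. The exact expansion is an assumption for this example.
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete",
                     "change_perms", "take_ownership"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "List Folder Contents": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete",
                     "change_perms", "take_ownership"},
}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    level: str          # key of SHARE_LEVELS or NTFS_LEVELS
    allow: bool = True  # False means a Deny entry


def effective(aces, levels, principals):
    """Steps 1 and 2: least restrictive (union) of every Allow entry that
    matches the user or one of their groups, minus every matching Deny."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(levels[ace.level])
    return allowed - denied


def effective_access(share_aces, ntfs_aces, principals, over_network=True):
    """Step 3: most restrictive (intersection) of the share and NTFS results.
    Share permissions only apply over the network, so a local logon is
    governed by NTFS alone."""
    ntfs = effective(ntfs_aces, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    share = effective(share_aces, SHARE_LEVELS, principals)
    return share & ntfs


def demo():
    """Constructed sample ACLs on one shared folder, evaluated for two users.
    'principals' is the user's name plus the groups in their access token."""
    share = [Ace("Everyone", "Read"), Ace("Engineers", "Change")]
    ntfs = [Ace("Everyone", "Modify"), Ace("Contractors", "Write", allow=False)]
    alice = {"alice", "Everyone", "Engineers"}
    bob = {"bob", "Everyone", "Contractors"}
    return {
        "alice_network": effective_access(share, ntfs, alice),
        "bob_network": effective_access(share, ntfs, bob),
        "bob_local": effective_access(share, ntfs, bob, over_network=False),
        # Share allows only Read, NTFS allows only Write: no overlap, no access.
        "no_overlap": effective_access([Ace("Everyone", "Read")],
                                       [Ace("Everyone", "Write")], bob),
    }


if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name}: {sorted(rights) or 'no access'}")
```

Note how bob keeps the delete right when logged on locally (NTFS Modify minus the Deny on Write) but loses it over the network, because the share's Read level never granted it; that is the "conflicting combination of NTFS/share permissions" the troubleshooting slide warns about.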
32 Troubleshooting Permissions Problems
- When permissions are granted through group membership, the user needs to log off and log back on (the new group only appears in the access token built at logon).
- Watch out for "Deny" permissions.
- Watch out for individual folder permissions.
- Watch out for a conflicting combination of NTFS/share permissions.
- File permissions change after being moved/copied.
- A user with Full Control on a folder can delete any file in it, even without permissions on the file.