Published by Elisabeth Stevens. Modified over 9 years ago.
Managing Groups, Folders, Files and Security

Local
Domain Local
Global
Universal
Objects
Folders
Permissions
Inheritance
Access Control List
NTFS Permissions
Share Permissions
Universal Naming Convention

IT:Network:Microsoft Server 1 Copyright 2010
Groups

Two kinds:
1. Security Group: used to grant access to resource objects
2. Distribution List: used for email and organization
Groups

Local: used on standalone servers that are not part of a domain. Scope does not go beyond the local server.
Domain Local: used when there is a single domain, or to manage resources in a particular domain so that global and universal groups can access those resources.
Global: used to manage group accounts from the same domain so that those accounts can access resources in the same and in other domains.
Universal: used to provide access to resources in any domain within a forest.
Groups

W2K3 comes with predefined domain local, global, and universal groups, e.g. Domain Admins, Domain Users, etc.

Default Local Groups (more on p. 718):
Account Operators: administer user accounts and groups
Administrators: complete access
Backup Operators: enables members to back up folders and files on computers
Guests
Power Users
Print Operators
Remote Desktop Users
Users
Groups

Built-in Global Groups:
Domain Admins: members can administer the home domain, the workstations of the domain and any other trusted domain. Every system that is “joined” to a domain has Domain Admins automatically added to its local Administrators group.
Domain Users: every user created in a domain is automatically made a member of the Domain Users group.
“Special” Built-in Groups

INTERACTIVE: anyone using the computer locally
Network: all users connected over the network to the computer
Everyone: all current users, including guests, and users from other domains
System: the operating system
Creator Owner: the creator/owner of subdirectories, files, and print jobs
Authenticated Users: any user who has been authenticated to the system. A more secure alternative to Everyone.
Anonymous Logon: a user who has logged in anonymously, such as an anonymous FTP user
Batch: an account that has logged in as a batch job
Service: an account that has logged in as a service
Dialup: users who are accessing the system via DUN (dial-up networking)
ACCESS CONTROL LISTS
SHARING FOLDERS

Must have File and Printer Sharing enabled.
File and Printer Sharing for Microsoft Networks

Utilizes the SERVER service to provide access to local resources.
All Microsoft operating systems install File and Printer Sharing by default. This means even your Windows XP, Vista, etc. come out of the box as “servers”.
The WORKSTATION service must be started in order for that client to access resources across the network.
Share Permissions

Default Permissions for Share (QUIZ QUESTION!!!)
Add Authenticated Users group
Add Administrators group
Delete Everyone group
Share Permissions

Read - Read files and folders and their attributes, run application files, and change folders that are contained in the shared folder.
Change - Create folders and files; change data and attributes in files; delete files and folders. Change also includes everything the Read permission allows.
Full Control - Allows the same rights as Read and Change. In addition, it grants the user/group the right to modify the Access Control List (ACL). Modifying the ACL means changing permissions as well as adding or removing groups/users.
ADMINISTRATIVE SHARES

To disable the creation of administrative shares, see: http://www.petri.co.il/disable_administrative_shares.htm
CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER

SHARING A VOLUME USING WINDOWS EXPLORER

CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN
CREATING A FILE SYSTEM SHARE USING NET.EXE

Allows shares to be created from a command line
Lets you configure permissions during creation
Lets you configure offline settings for the share
Net.exe
Net.exe

Can map logical drives using net.exe:
net use x: \\computername\sharename /persistent:no
net use x: \\server01\public /persistent:no
The second command creates a non-persistent logical X: drive to the share public on server01.
A persistent drive is similar to the Reconnect at Logon check box when mapping a network drive in Windows Explorer. A non-persistent drive is flushed from memory when the system reboots.
The Universal Naming Convention (UNC) path is represented as \\computername\sharename\folder\folder\...\...
MANAGING SHARE PERMISSIONS
CREATING A FILE SYSTEM SHARING STRATEGY

Create logically named shares.
Use nesting where necessary to reduce users’ need to navigate the directory structure:
    Makes navigation easier for the end user
    Reduces the possibility of an accidental click/drag of folders
Share removable drives from the root to keep the share available when media are removed and reconnected or changed.
What Shares Can Do

A share can be created within a share, which is referred to as nesting.
A share can be created on any folder in the file system.
Multiple shares on the same folder can have different permissions.
Permissions are applied at the share entry point.
SHARE PERMISSION CHARACTERISTICS

Limited scope: can be applied only to folders and only when connecting to the share.
Lack of flexibility: permissions applied to the share apply to all levels below.
No replication: share permissions are not replicated.
No resiliency: share permissions cannot be backed up or restored.
SHARE PERMISSION CHARACTERISTICS (continued)

Fragility: shares (and therefore share permissions) are lost when a folder is moved or renamed.
No auditing: share permissions do not facilitate auditing.
USING NTFS PERMISSIONS

Scope: NTFS permissions apply no matter how the file is accessed.
Flexibility: a wide range of permissions allows assignments to be tailored.
Replication: NTFS permissions are included when a file is replicated.
Resilience: NTFS permissions are retained when objects are backed up.
Less fragile: NTFS permissions are not lost if a file is moved or renamed.
Auditing: NTFS permissions support auditing.
Folder and File Security Best Practices

Try not to manage by file, but rather by folder if possible.
Assign permissions by group rather than by user. If a single user needs access to ANY resource, create a group, add that user to the group and assign permissions to the group. This:
    Reduces the possibility of “forgetting” that user assignment
    Allows you to grant access to the resource by just adding future users to the group
NTFS Permissions

The drive must be formatted using NTFS to be able to use NTFS permissions (Quiz!!!).
Non-NTFS (FAT32) volumes will not have the Security tab (shown at right).
NTFS Permissions

The permission levels in NTFS are narrower than the Share permissions, with 6 levels for folders and 5 levels for files. The levels are as follows:
Read - Read the file and its ownership and attributes.
Write - In addition to the Read permissions, the user can overwrite the file and change its attributes.
Read & Execute - In addition to the Read permissions, the user can run applications. In the folder permissions, this level can also traverse folders and list the folder contents.
Modify - In addition to the Read & Execute and Write permissions, the user can delete the file or folder.
Full Control - Inclusive of the previous rights. In addition, it grants the user/group the right to modify the Access Control List (ACL). This right also allows a user/group to take ownership of files/folders.
List Folder Contents (folders only) - Allows the user to list the folder and subfolder contents.
RESOURCE OWNERSHIP

Each file and folder is assigned an owner.
Ownership of a file makes the security principal a member of the Creator Owner special identity.
Files/folders that are owned go toward disk quota calculations.
MANAGING STANDARD NTFS PERMISSIONS

NTFS Permissions

USING ADVANCED SECURITY SETTINGS

MANAGING SPECIAL PERMISSIONS
INHERITANCE

Allows permissions assigned at one folder to flow down to subsequent files and folders.
Can be overridden by explicit permission assignment or inheritance blocking.
Useful in reducing the number of permission assignments required.
A file’s own permissions will always override its folder’s permissions.
Inherited Permissions
Inherited Permissions

By unchecking the inherited permissions option, you have the choice to copy or remove any inherited permissions.
EFFECTIVE PERMISSIONS

Allowed permissions are cumulative.
Denied permissions override allowed permissions.
Explicit permissions take precedence over inherited permissions.
VIEWING EFFECTIVE PERMISSIONS
Summary: Share v. NTFS

When applied to the same resource, the most restrictive permissions apply.
UserA has a share permission of Read.
UserA has an NTFS permission of Full Control.
UserA’s effective permission is Read, because Read is the most restrictive between Share and NTFS.
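As an added worked example (not part of the slides), the following Python model applies the three effective-permission rules (allows accumulate, deny overrides allow, explicit beats inherited) together with the share-versus-NTFS “most restrictive wins” rule of this summary to constructed ACLs. The right names, the level-to-right mappings and UserA’s group membership are assumptions of the model, not Windows internals.

```python
from dataclasses import dataclass
# Simplified right names: a model of the slides' levels, not real ACCESS_MASK bits
READ, EXEC, WRITE, DELETE, ACL, OWN = "read", "exec", "write", "delete", "acl", "own"
FULL = {READ, EXEC, WRITE, DELETE, ACL, OWN}
# NTFS file levels as the slides describe them (Write simplified to write only)
NTFS_LEVELS = {"Read": {READ}, "Write": {WRITE}, "Read & Execute": {READ, EXEC},
               "Modify": {READ, EXEC, WRITE, DELETE}, "Full Control": FULL}
# Share levels: Read also lets you run application files, Change adds write/delete
SHARE_LEVELS = {"Read": {READ, EXEC}, "Change": {READ, EXEC, WRITE, DELETE},
                "Full Control": FULL}

@dataclass(frozen=True)
class Ace:
    principal: str       # user or group name
    allow: bool          # True = Allow ACE, False = Deny ACE
    rights: frozenset    # rights this ACE covers
    inherited: bool = False

def ace(principal, allow, level, levels=NTFS_LEVELS, inherited=False):
    return Ace(principal, allow, frozenset(levels[level]), inherited)

def effective(acl, principals):
    """Effective rights for a user plus the groups it belongs to. Canonical
    order is explicit deny, explicit allow, inherited deny, inherited allow,
    and the first ACE naming a right decides it: allows accumulate, deny
    beats allow, explicit beats inherited."""
    decided = {}
    for a in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if a.principal in principals:
            for r in a.rights:
                decided.setdefault(r, a.allow)
    return frozenset(r for r, ok in decided.items() if ok)

def effective_over_share(share_acl, ntfs_acl, principals):
    """Access through a share: both lists apply and the most restrictive wins."""
    return effective(share_acl, principals) & effective(ntfs_acl, principals)

USER_A = {"UserA", "Domain Users", "Authenticated Users"}  # constructed membership
def slide_example():
    """UserA: share Read, NTFS Full Control -> only Read over the network."""
    share = [ace("Authenticated Users", True, "Read", SHARE_LEVELS)]
    ntfs = [ace("UserA", True, "Full Control")]
    return effective_over_share(share, ntfs, USER_A)

def deny_example():
    """Inherited Modify plus an explicit Deny of delete: delete goes, the rest stays."""
    ntfs = [ace("Authenticated Users", True, "Modify", inherited=True),
            Ace("Domain Users", False, frozenset({DELETE}))]
    return effective(ntfs, USER_A)
```

Note that `effective(ntfs, USER_A)` in `slide_example` still yields Full Control, which is what UserA gets when logged on locally, where share permissions do not apply.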