Permissions - Seneca - School of Information & Communications
Download
Report
Transcript Permissions - Seneca - School of Information & Communications
Chapter 9: SHARING FILE SYSTEM RESOURCES
1
CHAPTER OVERVIEW
Create and manage file system shares and work
with share permissions.
Use NTFS file system permissions to control access
to files.
Manage file sharing using Internet Information
Services (IIS).
Chapter 9: SHARING FILE SYSTEM RESOURCES
UNDERSTANDING PERMISSIONS
File system permissions ***
Share permissions ***
Active Directory permissions
users, groups computers, may
delegate for more effective management
Registry permissions
may require admin permissions to modify
2
Chapter 9: SHARING FILE SYSTEM RESOURCES
ACCESS CONTROL LISTS
Used to set permissions on most
Windows elements such as files,
shares, Active Directory objects,
and registry keys. The ACL is
always stored/found with the
element being controlled.
You set permissions on security
principals like users, groups, and
computers.
You can view the STANDARD
permissions given to a security
principal for an object.
3
Chapter 9: SHARING FILE SYSTEM RESOURCES
PERMISSIONS
The advanced tab
allows you to see the
STANDARD permissions
set on a security
principal, as well as set
SPECIAL permissions.
This is a very “granular”
method of setting
permissions.
4
Chapter 9: SHARING FILE SYSTEM RESOURCES
INHERITANCE
Allows permissions assigned at one folder to flow
down to subsequent files and folders
Can be overridden by explicit permission
assignment or inheritance blocking
Useful in reducing the number of permission
assignments required
A DENY permission will ALWAYS override an inherited permission.
5
Chapter 9: SHARING FILE SYSTEM RESOURCES
6
EFFECTIVE PERMISSIONS
Allowed permissions are cumulative.
Denied permissions override allowed INHERITED
permissions. In other words, explicitly allowed permissions do not override
inherited DENIED permissions
Explicit permissions take precedence over inherited
permissions.
Remember, a security principal can receive permissions from multiple
sources, either individually, by inheritance, and by group membership.
The combination of these cumulative permissions is known as the
EFFECTIVE PERMISSIONS.
Chapter 9: SHARING FILE SYSTEM RESOURCES
SHARING FOLDERS
WHY SHARE ???
You can access files and folders
by sitting at the machine,
provided you have the proper
permissions.
You can make the files or folder
available to users on the network
by SHARING.
The Workstation service and the
Server service make sharing and
accessing the resources possible. The
SERVER service makes the shared
resource available on the network,
and the WORKSTATION service
enables other computers to access
the shared resources.
These services are implemented when you select Client for Microsoft networks
(workstation service) and File and Printer Sharing (server service)
7
Chapter 9: SHARING FILE SYSTEM RESOURCES
8
ADMINISTRATIVE SHARES
Remember, when
you use a “$” sign
AFTER the share
name, you will
effectively hide the
share from users on
the network
ADMIN$ is the System Root folder. C:\Windows by default is shared with the name Admin$. This is a
Hidden share that enables members of the Administrators group to have full control over the system
Root folder without having to know exactly where it is.
IPC$ Used for remote administration of computers, it allows dedicated portions of one computer’s
Memory (named pipe) to communicate with another computer’s named pipe to pass information
From one process to another.
Chapter 9: SHARING FILE SYSTEM RESOURCES
RESTRICTIONS ON CREATING FILE
SYSTEM SHARES
On a domain controller: Administrators, Server
Operators, Enterprise Admins, Domain Admins
groups only
On a domain member server or workstation:
Administrators, Server Operators, or Power Users
groups only
On a workgroup or standalone computer:
Administrators or Power Users groups only
9
Chapter 9: SHARING FILE SYSTEM RESOURCES
CREATING A FILE SYSTEM SHARE USING
WINDOWS EXPLORER
10
Chapter 9: SHARING FILE SYSTEM RESOURCES
SHARING A VOLUME USING WINDOWS
EXPLORER
11
Chapter 9: SHARING FILE SYSTEM RESOURCES
CREATING A FILE SYSTEM SHARE USING THE
SHARED FOLDERS SNAP-IN
12
Chapter 9: SHARING FILE SYSTEM RESOURCES
CREATING A FILE SYSTEM SHARE
USING NET.EXE
Allows shares to be created from a command line
Lets you configure permissions during creation
Lets you configure offline settings for the share
Example:
net share documents=c:\docs /grant:users,read
where documents is the share name you want to use
and docs is the name of the folder you want to share
13
Chapter 9: SHARING FILE SYSTEM RESOURCES
MANAGING SHARED FOLDERS
You will see this by going to Computer
Management, Shared Folders. Right
click any shared folder then select the
properties option for the shared folder.
Offline settings allows the Administrator to
specify whether network users are permitted
to cache the shared folder contents on their
computers.
14
Chapter 9: SHARING FILE SYSTEM RESOURCES
CONTROLLING OFFLINE STORAGE
15
Chapter 9: SHARING FILE SYSTEM RESOURCES
PUBLISHING FILE SYSTEM SHARES IN ACTIVE
DIRECTORY
A valuable option which creates a
Shared folder object in AD which will
“POINT” to the actual location of a
shared folder. Users can search for this
PUBLISHED SHARED FOLDER object in
Active Directory without actually having
to know the exact location of a shared
folder.
VIEW THIS IN COMPUTER
MANAGEMENT
16
Chapter 9: SHARING FILE SYSTEM RESOURCES
MANAGING SHARE PERMISSIONS
Default share permissions
Use Explorer or the Shared
Folders option in the
Computer Management snapin to manage shared folders.
17
Chapter 9: SHARING FILE SYSTEM RESOURCES
18
USING SHARE PERMISSIONS
Limited scope Can be applied only to folders and
only when connecting to the share.
Lack of flexibility Permissions applied to the share
apply to all levels below.
No replication Share permissions are not
replicated.
No resiliency Share permissions cannot be backed
up or restored.
Chapter 9: SHARING FILE SYSTEM RESOURCES
19
USING SHARE PERMISSIONS (continued)
Fragility Shares (and therefore share permissions)
are lost when a folder is moved or renamed.
No auditing Share permissions do not facilitate
auditing.
Chapter 9: SHARING FILE SYSTEM RESOURCES
SHARE PERMISSION DEFAULTS
When a new share is created, the following
permissions are granted:
Everyone special identity: Read
Don’t forget that the Administrator can set whatever share permissions are
necessary to allow appropriate access by users, over the network.
20
Chapter 9: SHARING FILE SYSTEM RESOURCES
21
CREATING A FILE SYSTEM SHARING STRATEGY
Create logically named shares.
Use nesting where necessary to reduce users’ need
to navigate the directory structure.
Share removable drives from the root to keep the
share available when media are removed and
reconnected or changed. For example, when you
share out the CDROM drive
Chapter 9: SHARING FILE SYSTEM RESOURCES
NESTING SHARES
A share can be created on any folder in the file
system.
Multiple shares on the same folder can have
different permissions.
Permissions are applied at the share entry point.
22
Chapter 9: SHARING FILE SYSTEM RESOURCES
23
USING NTFS PERMISSIONS
Scope NTFS permissions apply no matter how the
file is accessed.
Flexibility Wide range of permissions allows
assignments to be tailored.
Replication NTFS permissions are included when a
file is replicated.
Resilience NTFS permissions are retained when
objects are backed up.
Less fragile NTFS permissions are not lost if a file is
moved (but they may change) or renamed.
Auditing NTFS permissions support auditing.
Chapter 9: SHARING FILE SYSTEM RESOURCES
MANAGING STANDARD PERMISSIONS
24
Chapter 9: SHARING FILE SYSTEM RESOURCES
USING ADVANCED SECURITY SETTINGS
25
Chapter 9: SHARING FILE SYSTEM RESOURCES
MANAGING SPECIAL PERMISSIONS
26
Chapter 9: SHARING FILE SYSTEM RESOURCES
VIEWING EFFECTIVE PERMISSIONS
27
Chapter 9: SHARING FILE SYSTEM RESOURCES
RESOURCE OWNERSHIP
Each file and folder is assigned an owner.
Ownership of a file makes the security principle a
member of the Creator/Owner special identity.
Files that are owned go toward disk quota
calculations.
28
Chapter 9: SHARING FILE SYSTEM RESOURCES
29
Multiple NTFS Permissions user 1 has READ for folder A, and is a
member of both groups. Group B has WRITE for folder A , Group A has been DENIED WRITE for file 2. What
are user 1’s effective permissions to
File 2 ??
NTFS Permissions Are Cumulative
File Permissions Override Folder Permissions
Deny Overrides Other Permissions
NTFS Partition C:\
Read / Write
GroupB
FolderA
Write
User1
Read
GroupA
Deny Write to File2
Read / Write
File1
Read
File2
Chapter 9: SHARING FILE SYSTEM RESOURCES
30
Class Discussion: Applying NTFS Permissions
Users Group
Users Group
Write to Folder1
Sales Group
Read to Folder1
User1
Sales Group
User 1 to folder 1 ??
Users Group
Read to Folder1
Sales Group
Write to Folder2
NTFS Partition
C:\
Folder1
Doc1
User 1 to Doc2 ??
Users Group
Modify to Folder1
Doc2 Should Only Be
Accessible to Sales
Group, and Only for
Read Access
Folder2
Doc2
Chapter 9: SHARING FILE SYSTEM RESOURCES
• Copying and Moving Files and Folders
Copying Files and Folders
Moving Files and Folders
Class Discussion: Copying and Moving Files
31
Chapter 9: SHARING FILE SYSTEM RESOURCES
32
Copying Files and Folders
NTFS Partition
C:\
NTFS Partition
C:\
Permissions =
Destination Folder
D:\
Copy
Copy
Permissions =
Full Control
NTFS Partition
Permissions =
Full Control
Permissions =
Destination Folder
NTFS Partition
Non-NTFS Partition
C:\
Copy
Read, Write Permission
Permissions =
Full Control
Lose NTFS
Permissions
Chapter 9: SHARING FILE SYSTEM RESOURCES
33
Moving Files and Folders
NTFS Partition
C:\
NTFS Partition
C:\
Move
Permissions =
Full Control
NTFS Partition
D:\
Move
Permissions =
Full Control
Permissions =
Full Control
Permissions =
Destination Folder
NTFS Partition
Non-NTFS Partition
C:\
Move
Write, Modify Permissions
Permissions =
Full Control
Lose NTFS
Permissions
Chapter 9: SHARING FILE SYSTEM RESOURCES
34
Class Discussion: Copying and Moving Files
NTFS Partition
NTFS Partition
(C:)
(D:)
FC
Users
Data
None
Mary
Move
FileA
FileA
M
Public
Copy
FileA
Move
Group 1
Chapter 9: SHARING FILE SYSTEM RESOURCES
ADMINISTERING IIS
Web server platform included with all editions of
Windows Server 2003.
Version 6 has improved security over previous
versions.
Allows files to be published through a browser
interface.
Supports HTTP and FTP.
35
Chapter 9: SHARING FILE SYSTEM RESOURCES
36
INSTALLING IIS
Not installed during operating system installation
Installed through the Windows Components Wizard
(select Add Or Remove Programs in Control Panel,
and click Add/Remove Windows Components) or
through the Manage Your Server Wizard
Chapter 9: SHARING FILE SYSTEM RESOURCES
MANAGING AN IIS WEB SITE
37
Chapter 9: SHARING FILE SYSTEM RESOURCES
USING THE WEB SITE TAB
38
Chapter 9: SHARING FILE SYSTEM RESOURCES
USING THE HOME DIRECTORY TAB
39
Chapter 9: SHARING FILE SYSTEM RESOURCES
USING THE DOCUMENTS TAB
40
Chapter 9: SHARING FILE SYSTEM RESOURCES
USING THE PERFORMANCE TAB
41
Chapter 9: SHARING FILE SYSTEM RESOURCES
CREATING VIRTUAL DIRECTORIES
Allows you to include a folder from anywhere on
the network in your Web site
Appears to the Web site user as if it is a
subdirectory of the main Web site folder
Allows management of Web content to be
distributed between departments
42
Chapter 9: SHARING FILE SYSTEM RESOURCES
CONFIGURING IIS SECURITY
43
Chapter 9: SHARING FILE SYSTEM RESOURCES
CONFIGURING IIS AUTHENTICATION
44
Chapter 9: SHARING FILE SYSTEM RESOURCES
CONFIGURING IP ADDRESS AND DOMAIN
NAME RESTRICTIONS
45
Chapter 9: SHARING FILE SYSTEM RESOURCES
CONFIGURING SECURE COMMUNICATIONS
46
Chapter 9: SHARING FILE SYSTEM RESOURCES
47
SUMMARY
Windows Server 2003 controls access to resources
using a number of mechanisms, including share
permissions and NTFS permissions.
Every object protected by permissions has an ACL,
which is a list of ACEs assigned to that object. Each
ACE contains a security principal and indicates the
level of access they are permitted or denied to the
object.
File system shares enable network users to access
files and folders on other computers.
Chapter 9: SHARING FILE SYSTEM RESOURCES
SUMMARY (continued)
Share permissions provide basic protection for file
system shares, but they lack the granularity and
flexibility of NTFS permissions.
NTFS permissions can be allowed or denied, and
explicit or inherited. A Deny permission takes
precedence over an Allow permission, and an
Explicit permission takes precedence over an
Inherited permission.
48
Chapter 9: SHARING FILE SYSTEM RESOURCES
49
SUMMARY (continued)
Access granted by NTFS permissions can be
restricted by share permissions and other factors,
such as IIS permissions on Web sites.
Whenever two permission types are assigned
to a resource, you must evaluate each set of
permissions and then determine which of the
two is more restrictive.
Every NTFS file and folder has an owner. The owner
of a file or folder is always permitted to modify the
file or folder’s ACL.
Chapter 9: SHARING FILE SYSTEM RESOURCES
50
SUMMARY (continued)
Any user with the Allow Take Ownership permission
or the Take Ownership Of Files Or Other Objects
user right can take ownership of an object.
IIS is a Windows Server 2003 application that
allows you to share files and folders using Web
and FTP server services.