Chapter 9: Managing Groups, Folders, Files, and Object Security

Posted on 19-Dec-2015

Page 1: Chapter 9: Managing Groups, Folders, Files, and Object Security

Page 2: Learning Objectives

Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups

Manage objects, such as folders, through user rights, attributes, permissions, share permissions, auditing, and Web permissions

Page 3: Learning Objectives (continued)

Troubleshoot a security conflict

Determine how creating, moving, and copying folders and files affect security

Page 4: Managing Resources

Three ways of managing resources and user accounts include:
- By individual user
- By resource
- By group

Managing resources by groups is one effective way to reduce time spent on management

Page 5: Scope of Influence

Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest

Page 6: Types of Security Groups

Local: Used on standalone servers that are not part of a domain

Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources

Page 7: Types of Security Groups (continued)

Global: Used to manage accounts from the same domain and to access resources in the same and other domains

Universal: Used to provide access to resources in any domain within a forest

Page 8: Local Security Group

Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office

Page 9: Domain Local Security Group

Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group.

Domain local groups can contain accounts, but usually that is not the best approach.

Page 10: Membership Capabilities of a Domain Local Group

Table 9-1 Membership Capabilities of a Domain Local Group

Active Directory objects that can be members of a domain local group:
- User accounts in the same domain
- Domain local groups in the same domain
- Global groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained)
- Universal groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained)

Active Directory objects that a domain local group can join as a member:
- Access control lists for objects in the same domain, such as permissions to access a folder, shared folder, or printer
- Domain local groups in the same domain

Page 11: Implementing Global Groups

Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups

Page 12: Membership Capabilities of a Global Group

Table 9-2 Membership Capabilities of a Global Group

Active Directory objects that can be members of a global group:
- User accounts from the domain in which the global group was created
- Other global groups that have been created in the same domain
- Levels of global groups, so that global groups can be nested to reflect the structure of organizational units (OUs) in a domain

Active Directory objects that a global group can join as a member:
- Access control lists for objects in any domain in a forest (as long as a transitive trust is maintained between domains)
- Domain local groups in any domain in a forest
- Global groups in any domain in a forest
- Universal groups in a forest

Page 13: Nesting Global Groups

Global groups can be nested to reflect the structure of OUs

Page 14: Nesting Example

Figure 9-1 Nested global groups (the figure shows three nested global groups: Managers, Finance, and Budget)

Page 15: Planning Tip

Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group

Keep in mind that global groups can only be nested in native mode domains

Page 16: Global Group Example

Figure 9-2 Managing security through domain local and global groups (the figure shows a GlobalExec global group in college.edu and LocalExec domain local groups in each of the three domains: college.edu, students.college.edu, and research.college.edu)

Page 17: Implementing Universal Groups

Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers)

Universal groups enable the scope of influence to span domains and trees

Page 18: Membership Capabilities of a Universal Group

Table 9-3 Membership Capabilities of a Universal Group

Active Directory objects that can be members of a universal group:
- Accounts from any domain in a forest
- Global groups from any domain in a forest
- Universal groups from any domain in a forest

Active Directory objects that a universal group can join as a member:
- Access control lists for objects in any domain in a forest
- Any domain local group in a forest
- Any universal group in a forest

Page 19: Guidelines for Using Groups

Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both.

Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.

Page 20: Guidelines for Using Groups (continued)

Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.
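As an added example, not part of the chapter's slides, the following Python model encodes the membership rules of Tables 9-1 to 9-3 and the nesting constraints from the Planning Tip, then walks the guideline above (accounts into a global group, the global group into domain local and universal groups). The GlobalExec, LocalExec and UniExec names follow Figures 9-2 and 9-3; the account names and the assumption that transitive trusts exist between all domains in the forest are constructed.

```python
from dataclasses import dataclass, field
from typing import Union

LOCAL, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "local", "domain local", "global", "universal"


@dataclass
class Account:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)  # Account or Group objects


Member = Union[Account, Group]


def can_be_member(member: Member, group: Group, native_mode: bool = True):
    """Return (allowed, reason) following Tables 9-1, 9-2 and 9-3.
    Assumes transitive (two-way) trusts between all domains in the forest."""
    same_domain = member.domain == group.domain
    if group.scope == LOCAL:
        return False, "local groups exist only on standalone servers, outside a domain"
    if group.scope == DOMAIN_LOCAL:  # Table 9-1
        if isinstance(member, Account) or member.scope == DOMAIN_LOCAL:
            return same_domain, "accounts and domain local groups must be from the same domain"
        return True, "global and universal groups from any domain in the forest"
    if group.scope == GLOBAL:  # Table 9-2
        if isinstance(member, Account):
            return same_domain, "only accounts from the domain the global group was created in"
        if member.scope == GLOBAL:
            if not native_mode:
                return False, "global groups can only be nested in native mode domains"
            return same_domain, "global groups nest only with global groups of the same domain"
        return False, "domain local and universal groups cannot join a global group"
    if group.scope == UNIVERSAL:  # Table 9-3
        if isinstance(member, Account) or member.scope in (GLOBAL, UNIVERSAL):
            return True, "accounts, global and universal groups from any domain in the forest"
        return False, "domain local groups cannot join a universal group"
    raise ValueError(f"unknown scope {group.scope!r}")


def add_member(member: Member, group: Group, native_mode: bool = True) -> None:
    """Add a member, refusing combinations the scope rules do not allow."""
    ok, reason = can_be_member(member, group, native_mode)
    if not ok:
        raise ValueError(f"{member.name} cannot join {group.name}: {reason}")
    group.members.append(member)


def effective_accounts(group: Group) -> set:
    """Flatten nested membership into the accounts that reach any ACL the group is on."""
    seen, accounts, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if id(g) in seen:
            continue
        seen.add(id(g))
        for m in g.members:
            if isinstance(m, Account):
                accounts.add(f"{m.domain}\\{m.name}")
            else:
                stack.append(m)
    return accounts


def can_convert_global(group: Group, all_groups: list):
    """Planning Tip: a global group cannot be converted while it is a member of another global group."""
    blockers = [g.name for g in all_groups
                if g.scope == GLOBAL and any(m is group for m in g.members)]
    return not blockers, blockers


def build_figure_9_2() -> dict:
    """Constructed scenario after Figures 9-2 and 9-3: accounts go into the GlobalExec global
    group, which is then placed into LocalExec domain local groups and into UniExec."""
    global_exec = Group("GlobalExec", "college.edu", GLOBAL)
    add_member(Account("alice", "college.edu"), global_exec)
    add_member(Account("bob", "college.edu"), global_exec)
    local_execs = {d: Group("LocalExec", d, DOMAIN_LOCAL)
                   for d in ("college.edu", "students.college.edu", "research.college.edu")}
    for g in local_execs.values():
        add_member(global_exec, g)  # allowed: a global group from another domain
    uni_exec = Group("UniExec", "college.edu", UNIVERSAL)
    add_member(global_exec, uni_exec)
    return {"GlobalExec": global_exec, "UniExec": uni_exec, **local_execs}


if __name__ == "__main__":
    groups = build_figure_9_2()
    print(sorted(effective_accounts(groups["research.college.edu"])))
    carol = Account("carol", "students.college.edu")
    print(can_be_member(carol, groups["GlobalExec"]))  # rejected: account from another domain
```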

Page 21: Example Universal Group Setup

Figure 9-3 Managing security through universal and global groups (the figure shows a GlobalExec global group in college.edu and UniExec, a universal group with access to resources in all three domains: college.edu, students.college.edu, and research.college.edu)

Page 22: Creating a Group

To create a group:
1. Click the container in which to create the group
2. Click the Create a new group in current container icon
3. Enter the name of the group
4. Select the group scope
5. Select the group type
6. Click OK

Page 23: Entering the Group Parameters

Figure 9-4 Creating a group

Page 24: Group Properties Tabs

General: Used to enter a description, set the scope, and set the group type

Members: Used to add group members

Member Of: Used to join another group

Managed By: Establishes who will manage the group

Object: Provides information about the group as an object (on newer versions of Windows 2000)

Security: Enables you to set up security (on newer versions of Windows 2000)

Page 25: Converting NT Groups to Windows 2000 Server Groups

Existing NT local groups on a PDC are converted to domain local groups

Existing NT global groups on a PDC are converted to global groups

If still running in mixed mode, universal groups are not recognized

If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

Pages 26-33: Windows 2000 Predefined Security Groups

Table 9-4 Windows 2000 Predefined Security Groups

Security Group | Scope | Active Directory Container Location/Default Members | Description
Account Operators | Built-in local [1] | Builtin | Used for administration of user accounts and groups
Administrators | Built-in local [1] | Builtin/Administrator account; Domain Admins and Enterprise Admins groups | Provides complete access to all local computer and/or domain resources
Backup Operators | Built-in local [1] | Builtin | Enables members to back up any folders and files on the computer
Cert Publishers | Global [1] | Users | Used to manage enterprise certification services for security
DHCP Administrators | Domain local | Users/Domain Admins group | Used to manage the DHCP server services (when DHCP server services are installed)
DHCP Users | Domain local | Users | Enables users to access DHCP services when DHCP is enabled at the client (when DHCP server services are installed)
DNSAdmins | Domain local | Users | Used to manage the DNS server services (when DNS server services are installed)
DNSUpdateProxy | Global | Users | Enables each user access as an update proxy, so that a DHCP client can automatically update the DNS server information with its IP address
Domain Admins | Global [1] | Users/Administrator account | Used to manage resources in a domain
Domain Computers | Global [1] | Users | Used to manage all workstations and servers that join the domain
Domain Controllers | Global [1] | Users/all DC computers | Used to manage all domain controllers in a domain
Domain Guests | Global [1] | Users/Guest account | Used to manage all domain guest-type accounts, such as for temporary employees
Domain Users | Global [1] | Users/all user accounts | Used to manage all domain user accounts
Enterprise Admins | Universal [1] | Users/Administrator account | Used to manage all resources in an enterprise
Everyone | Built-in local [1] | Does not appear in a container and cannot be deleted | Used to manage default access to local or domain resources; all user accounts are automatically members
Group Policy Creator Owners | Global [1] | Users/Administrator account | Enables members to manage group policy
Guests | Built-in local [1] | Builtin/Guest and IIS accounts, Domain Guests group | Used to manage guest accounts and to prevent access to install software or change system settings
Pre-Windows 2000 Compatible Access | Built-in local [1] | Builtin/pre-Windows 2000 Everyone group | Used for backward compatibility to the Everyone group on Windows NT servers and limits access to read
Print Operators | Built-in local [1] | Builtin | Members can manage printers on the local computer or in the domain
RAS and IAS Servers | Domain local [1] | Users | Enables member servers to have access to remote access properties that are associated with user accounts, such as security properties
Replicator | Built-in local [1] | Builtin | Used with the Windows File Replication service to replicate designated folders and files
Schema Admins | Universal [1] | Users/Administrator account | Members have access to modify schema in the Active Directory
Server Operators | Built-in local [1] | Builtin | Used for common day-to-day server management tasks
Users | Built-in local [1] | Builtin/Domain Users group | Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively

[1] The group scope cannot be changed

Page 34: Rights Security

User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas

Pages 35-38: Rights Security

Table 9-5 Rights Security

Privileges:
- Act as part of the operating system (a program process can gain security access as a user)
- Add workstations to a domain
- Back up files and directories
- Bypass traverse checking (enables a user to move through a folder that the user has no permission to access, if it is on the route to one that they do have permission to access)
- Change the system time
- Create a pagefile
- Create a token object (a process can create a security access token to use any local resource; normally should be reserved for administrators)
- Create permanent shared objects
- Debug programs (can install and use a process debugger to trace problems; normally should be reserved for administrators)
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Increase quotas
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory (included for backward compatibility with Windows NT and should not be used because it degrades performance)
- Manage auditing and security log
- Modify firmware environment variables
- Profile single process (can monitor non-system processes)
- Profile system performance (can monitor system processes)
- Remove computer from docking station
- Replace a process level token (enables a process to replace a security token on one or more of its subprocesses)
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files or other objects

Logon Rights:
- Access this computer from the network
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny logon locally
- Log on as a batch job
- Log on as a service
- Log on locally

Page 39: Inherited Rights

Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group

Page 40: Configuring Rights

To configure rights in a domain:
1. Open the Active Directory Users and Computers tool
2. Right-click a domain or OU, for example
3. Click Properties, click the Group Policy tab, click the group policy, and click Edit
4. Double-click (if necessary) Computer Configuration, Windows Settings, Security Settings, and Local Policies
5. Double-click User Rights Assignment
6. Double-click any policies to configure them

Page 41: Configuring Rights (continued)

Figure 9-6 Configuring user rights as part of group policy

Page 42: File and Folder Attributes

Attributes: A characteristic associated with a folder or file used to help manage access and backups

Page 43: FAT Attributes

- Read-only
- Hidden
- Archive

Page 44: FAT Attributes (continued)

Figure 9-7 Attributes of a folder on a FAT-formatted disk

Page 45: NTFS Attributes

Regular attributes:
- Read-only
- Hidden
- Archive

Extended attributes:
- Index
- Compress
- Encrypt

Page 46: NTFS Attributes (continued)

Figure 9-8 Attributes of a folder on an NTFS-formatted disk

Page 47: Troubleshooting Tip

If you configure the Index attribute, but indexing is not working, check the following:
- Make sure that the Indexing Service is installed
- Make sure that the Indexing Service is started and set to start automatically

Page 48: Troubleshooting Tip

Files that are compressed cannot be encrypted

Page 49: Encrypting File System

The encrypt attribute uses Microsoft Encrypting File System (EFS), which sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents.

Page 50: Troubleshooting Tip

Decrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location

Page 51: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

PermissionsPermissions

Permissions: Privileges to access and Permissions: Privileges to access and manipulate resource objects, such as manipulate resource objects, such as folders and printers; for example, folders and printers; for example, privilege to read a file, or to create a new privilege to read a file, or to create a new filefile

Page 52: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

AuditingAuditing

Auditing: Tracking the success or failure Auditing: Tracking the success or failure of events associated with an object, such of events associated with an object, such as writing to a file, and recording the as writing to a file, and recording the audited events in an event log of a audited events in an event log of a Windows 2000 server or workstationWindows 2000 server or workstation

Page 53: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

OwnershipOwnership

Ownership: Having the privilege to Ownership: Having the privilege to change permissions and to fully change permissions and to fully manipulate an object. The account that manipulate an object. The account that creates an object, such as a folder or creates an object, such as a folder or printer, initially has ownership.printer, initially has ownership.

Page 54: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

Design TipDesign Tip

If possible, set permissions on folders and If possible, set permissions on folders and not on individual files, so you can minimize not on individual files, so you can minimize the number of permission exceptions to the number of permission exceptions to rememberremember

One variance from this recommendation is One variance from this recommendation is large database files that may require large database files that may require individual securityindividual security

Page 55: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

Security OptionsSecurity Options

Figure 9-9 Configuring security optionsFigure 9-9 Configuring security options

Page 56: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

Inherited PermissionsInherited Permissions

Inherited permissions: Permissions of a Inherited permissions: Permissions of a parent object that also apply to child parent object that also apply to child objects of the parent, such as to objects of the parent, such as to subfolders within a foldersubfolders within a folder

Page 57: Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security

Chapter 9

Configuring PermissionsConfiguring Permissions

Figure 9-10 Configuring permissions by groups and usersFigure 9-10 Configuring permissions by groups and users

Page 58

Configuring Inherited Permissions

Figure 9-11 Configuring inherited permissions

Page 59

NTFS Folder and File Permissions

Permission | Description | Applies to
Full Control | Can read, add, delete, execute, and modify files plus change permissions and attributes, and take ownership | Folders and files
List Folder Contents | Can list (traverse) files in the folder or switch to a subfolder, view folder attributes and permissions, and execute files, but cannot view file contents | Folders only
Modify | Can read, add, delete, execute, and modify files; but cannot delete subfolders and their file contents, change permissions, or take ownership | Folders and files

Table 9-6 NTFS Folder and File Permissions

Page 60

NTFS Folder and File Permissions (continued)

Permission | Description | Applies to
Read | Can view file contents, view folder attributes and permissions, but cannot traverse folders or execute files | Folders and files
Read & Execute | Implies the capabilities of both List Folder Contents and Read (traverse folders, view file contents, view attributes and permissions, and execute files) | Folders and files
Write | Can create files, write data to files, append data to files, create folders, delete files (but not subfolders and their files), and modify folder and file attributes | Folders and files

Table 9-6 NTFS Folder and File Permissions (continued)

Page 61

Special Permissions

You can customize permissions to meet particular security needs by using special permissions

Page 62

Configuring Special Permissions

Figure 9-12 Configuring special permissions

Page 63

NTFS Folder and File Special Permissions

Permission | Description | Applies to
Traverse Folder/Execute File | Can list the contents of a folder and execute program files in that folder; keep in mind that all users are automatically granted this permission via the Everyone and Users groups, unless it is removed or denied by you | Folders/files
List Folder/Read Data | Can list the contents of folders and subfolders and read the contents of files | Folders/files
Read Attributes | Can view folder and file attributes (Read-only and Hidden) | Folders and files
Read Extended Attributes | Enables the viewing of extended attributes (Archive, Index, Compress, Encrypt) | Folders and files
Create Files/Write Data | Can add new files to a folder and modify, append to, or write over file contents | Folders/files
Create Folders/Append Data | Can add new folders and add new data at the end of files (but otherwise not delete, write over, or modify data) | Folders/files

Table 9-7 NTFS Folder and File Special Permissions

Page 64

NTFS Folder and File Special Permissions (continued)

Permission | Description | Applies to
Write Attributes | Can add or remove the Read-only and Hidden attributes | Folders and files
Write Extended Attributes | Can add or remove the Archive, Index, Compress, and Encrypt attributes | Folders and files
Delete Subfolders and Files | Can delete subfolders and files (the following Delete permission is not required) | Folders and files
Delete | Can delete the specific subfolder or file to which this permission is attached | Folders and files
Read Permissions | Can view the permissions (ACL information) associated with a folder or file (but does not imply you can change them) | Folders and files
Change Permissions | Can change the permissions associated with a folder or file | Folders and files
Take Ownership | Can take ownership of the folder or file (Read Permissions and Change Permissions automatically accompany this permission) | Folders and files

Table 9-7 NTFS Folder and File Special Permissions (continued)

Page 65

Example Guidelines for Setting Permissions

Protect the Winnt folder by allowing limited access, such as Read & Execute

Protect server utility folders, such as folders containing backup software, with access for Administrators only

Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)

Page 66

Example Guidelines for Setting Permissions (continued)

Set up publicly used folders with Modify for broad user access

Give users Full Control of their own home folders

Remove groups such as Everyone and Users from confidential folders
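The guidelines on these two slides, carried out with PowerShell instead of the folder Properties dialog. This is an added example, not the textbook's own procedure: it assumes a Windows version with PowerShell and the .NET FileSystemAccessRule class (later than the Windows 2000 the slides describe), and the paths (D:\Public, D:\Finance, D:\Home) and group names (CONTOSO\Domain Users, CONTOSO\Finance) are placeholders to replace.

```powershell
# Added example: apply the slide's permission guidelines with Get-Acl/Set-Acl.
# Run as an administrator; every path and CONTOSO\... group below is a placeholder.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule {
    # Builds an Allow ACE that flows down to subfolders and files.
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $noProp,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Publicly used folder: Modify for broad access (not Full Control, so users cannot
# change permissions or take ownership of each other's files).
$public = 'D:\Public'
$acl = Get-Acl -Path $public
$acl.AddAccessRule((New-AllowRule 'CONTOSO\Domain Users' 'Modify'))
Set-Acl -Path $public -AclObject $acl

# Confidential folder: stop inheriting from the parent (copying the inherited ACEs
# so nothing is lost yet), then remove Everyone and Users and grant only the owning
# team plus Administrators.
$confidential = 'D:\Finance'
$acl = Get-Acl -Path $confidential
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $confidential -AclObject $acl
$acl = Get-Acl -Path $confidential           # re-read: the copied ACEs are now explicit
foreach ($name in 'Everyone', 'BUILTIN\Users') {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'CONTOSO\Finance' 'Modify'))
Set-Acl -Path $confidential -AclObject $acl

# Home folders: each user gets Full Control of the folder named after them only.
foreach ($dir in Get-ChildItem -Path 'D:\Home' -Directory) {
    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule((New-AllowRule "CONTOSO\$($dir.Name)" 'FullControl'))
    Set-Acl -Path $dir.FullName -AclObject $acl
}

# Check the result: explicit ACEs first, inherited ones flagged.
(Get-Acl -Path $confidential).Access |
    Sort-Object IsInherited |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The two-step handling of the confidential folder mirrors the dialog: first break inheritance while copying the inherited entries, then delete the ones you do not want. Inherited entries cannot be removed directly, which is why the ACL is re-read after the first Set-Acl.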

Page 67

Planning Tip

Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them

Page 68

Configuring Auditing

Start by configuring a group policy for auditing

Configure auditing on an as-needed basis for particular objects, such as a folder or file
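The two steps on this slide in command form, as an added example that is not part of the textbook. It assumes current Windows with PowerShell, auditpol and the .NET FileSystemAuditRule class; on Windows 2000 the policy step is the "Audit object access" setting shown in Figure 9-14. The path D:\Finance is a placeholder.

```powershell
# Added example: turn on object-access auditing, then attach a SACL entry to a folder.
# Step 1, policy: no SACL produces events until object-access auditing is enabled.
# auditpol is the per-subcategory equivalent of the Windows 2000 audit policy setting.
# Run as an administrator.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2, object: audit successful and failed writes and deletes by anyone under the
# folder (placeholder path), flowing down to subfolders and files.
$path = 'D:\Finance'
$acl  = Get-Acl -Path $path -Audit          # -Audit loads the SACL as well as the DACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm what is audited, then read the resulting Security-log events
# (4663 = an attempt was made to access an object, 4656 = a handle was requested).
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Audit only the accesses you will actually review (here writes and deletes, not reads): a Success audit of Read on a busy share fills the Security log quickly and buries the events that matter.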

Page 69

Folder Auditing

Figure 9-13 Configuring folder auditing

Page 70

Setting an Audit Policy

Figure 9-14 Configuring audit policy as part of the default domain policy

Page 71

Ownership

Guidelines for ownership:

The account that creates an object is the initial owner

Ownership is changed by first having permission to take ownership and then by taking ownership

Full Control permissions are required to take ownership (or the special permission, Take Ownership)

Page 72

Share Permissions

Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer

Page 73

Configuring Share Permissions

Figure 9-15 Configuring a shared folder

Page 74

Share Permissions for a Folder

Read: Permits groups or users to read and execute files

Change: Enables users to read, add, modify, execute, and delete files

Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions

Page 75

Offline Access to a Folder through Caching

Use the Caching button on the Sharing tab of the folder Properties dialog box to set up a folder for offline access via caching

Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network

Page 76

Folder Caching Options

Automatic Caching for Documents: Documents are cached without user intervention; all files in the folder that the client opens are cached automatically

Manual Caching for Documents: Documents are cached only at the user's request

Automatic Caching of Programs: Document and program files are automatically cached when opened, but cannot be modified
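The share-level permissions from page 74 and the caching options on this slide, set from PowerShell rather than the Sharing tab. This is an added example, not the textbook's own steps: it assumes the SmbShare module (Windows 8 / Server 2012 and later), and the share name, path and group names are placeholders.

```powershell
# Added example: create a share with the three share permissions from the slides,
# then choose its caching (offline files) mode. Run as an administrator.
$share = 'Public'
New-SmbShare -Name $share -Path 'D:\Public' `
    -FullAccess   'BUILTIN\Administrators' `
    -ChangeAccess 'CONTOSO\Domain Users' `
    -ReadAccess   'CONTOSO\Contractors'

# CachingMode corresponds to the caching options on the slide:
#   Documents -> Automatic Caching for Documents
#   Manual    -> Manual Caching for Documents (the user chooses what to keep offline)
#   Programs  -> Automatic Caching of Programs (cached copies are read-only)
#   None      -> caching disabled
Set-SmbShare -Name $share -CachingMode Manual -Force

# Review. Share permissions sit in front of the NTFS permissions: a user's
# effective access over the network is the more restrictive of the two.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight, AccessControlType -AutoSize
Get-SmbShare -Name $share | Select-Object Name, Path, CachingMode
```

Keeping share permissions simple (for example Change for the broad group, Full Control for Administrators) and doing the fine-grained control with NTFS permissions avoids having two places to troubleshoot when access is denied.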

Page 77

Troubleshooting Tip

If the Sharing tab is not displayed, make sure that the Server service is started

Page 78

Web Sharing

Use the Web Sharing tab in a folder's properties to configure that folder for Web access

Page 79

Configuring Web Sharing

Figure 9-16 Entering Web sharing permissions

Page 80

Web Sharing Access Permissions

Access Permission | Description
Read | Enables clients to read and display the contents of folders and files via an Internet or intranet
Write | Enables clients to modify the contents of folders and files, including the ability to upload files through FTP
Script source access | Enables clients to view the contents of scripts containing commands to execute Web functions
Directory browsing | Enables clients to browse the folder and subfolders, such as for FTP access

Table 9-8 Web Sharing Access Permissions

Page 81

Web Sharing Application Permissions

Application Permission | Description
None | No access to execute a script or application
Scripts | Enables the client to run scripts to perform Web-based functions
Execute (includes scripts) | Enables clients to execute programs and scripts via an Internet or intranet connection

Table 9-9 Web Sharing Application Permissions

Page 82

Troubleshooting a Security Conflict

Check the groups to which a user or group belongs

Look for group permissions that conflict, particularly where the Deny box is checked for a permission
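A script that does both checks on this slide at once: it collects the user's groups and lists every ACE on the object that applies to the user through any of them, with Deny entries first. This is an added example rather than the textbook's procedure; it assumes PowerShell on current Windows, and the path and account names (D:\Finance, CONTOSO\jsmith, CONTOSO\Finance) are placeholders.

```powershell
# Added example: list the ACEs on an object that apply to a user through any of the
# groups they belong to, ordered the way NTFS evaluates them. With no -Principals
# the groups come from the current logon token.
function Get-EffectiveAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals           # the user plus every group they belong to
    )
    if (-not $Principals) {
        $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $sids  = @($token.User) + @($token.Groups)
    } else {
        $sids = foreach ($p in $Principals) {
            ([System.Security.Principal.NTAccount]$p).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
    }
    $sidValues = $sids | ForEach-Object { $_.Value }

    # Compare by SID so 'Everyone', 'BUILTIN\Users' and domain groups all match
    # regardless of how the ACE names them.
    $hits = foreach ($ace in (Get-Acl -Path $Path).Access) {
        $aceSid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($sidValues -contains $aceSid) { $ace }
    }

    # NTFS canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    # Allow. A Deny that matches any of the user's groups blocks that right even if
    # another group grants it, so a Deny near the top of this list is the usual
    # cause of an unexpected "access denied".
    $hits |
        Sort-Object IsInherited, @{ Expression = { $_.AccessControlType -eq 'Allow' } } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# The current user against a folder (placeholder path):
Get-EffectiveAces -Path 'D:\Finance'

# Another user: pass the account and its group list, for example from "whoami /groups"
# run as that user or from Get-ADPrincipalGroupMembership in the AD module. Include
# the implicit groups (Everyone, Users, Authenticated Users), since Deny entries
# on those catch everyone.
Get-EffectiveAces -Path 'D:\Finance' -Principals 'CONTOSO\jsmith', 'CONTOSO\Finance', 'BUILTIN\Users', 'Everyone'
```

The listing covers NTFS permissions only; if the object is reached through a share, check the share permissions (page 74) as well, since the more restrictive of the two applies.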

Page 83

Moving and Copying Files and Folders

A newly created file inherits the permissions already set up in a folder

A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied

A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder

Page 84

Moving and Copying Files and Folders (continued)

A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied

A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder

A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder
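The same-volume rules from these two slides, demonstrated rather than stated: two sibling folders get different inheritable permissions, and a file's ACEs are listed after creation, after a copy and after a move. This is an added example that is not part of the textbook; it assumes PowerShell and icacls on current Windows, that %TEMP% is on an NTFS volume, and the principals and rights used are placeholders.

```powershell
# Added example: watch the move/copy rules above. Root, principals and rights are
# placeholders; run as an administrator on an NTFS volume.
$root = Join-Path $env:TEMP 'acl-demo'
$src  = Join-Path $root 'src'
$dst  = Join-Path $root 'dst'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null

function Grant-Inheritable {
    # Adds an Allow ACE that child files and folders inherit.
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-Inheritable -Path $src -Identity 'BUILTIN\Users'  -Rights 'Modify'
Grant-Inheritable -Path $dst -Identity 'BUILTIN\Guests' -Rights 'Read'

function Show-Aces {
    param([string]$Path, [string]$Label)
    "== $Label =="
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-String
}

# A new file inherits from the folder it is created in.
$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'
Show-Aces -Path $file -Label 'new file: inherits the src ACEs'

# A copy is a new file in the destination, so it inherits from dst.
Copy-Item -Path $file -Destination (Join-Path $dst 'copied.txt')
Show-Aces -Path (Join-Path $dst 'copied.txt') -Label 'copied: inherits the dst ACEs'

# A move on the same volume is a rename: the security descriptor travels unchanged,
# so the file still carries the src ACEs (flagged as inherited, but from the old parent).
Move-Item -Path $file -Destination (Join-Path $dst 'moved.txt')
Show-Aces -Path (Join-Path $dst 'moved.txt') -Label 'moved on the same volume: keeps the src ACEs'

# Re-applying inheritance from the new parent brings the moved file into line with dst.
icacls (Join-Path $dst 'moved.txt') /reset | Out-Null
Show-Aces -Path (Join-Path $dst 'moved.txt') -Label 'after icacls /reset: inherits the dst ACEs'
```

The stale inherited entries after a move are the case worth remembering when a user keeps access to a file that was moved into a restricted folder: the move did not revoke anything, and nothing re-evaluated inheritance until the ACL was reset.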

Page 85

Chapter Summary

Without the Active Directory, use local groups to manage access to resources

With the Active Directory implemented, use domain local, global, and universal groups to manage resources

Page 86

Chapter Summary (continued)

Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership

Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs