Chapter 9: Managing Groups, Folders, Files, and Object Security
Post on 19-Dec-2015
Learning Objectives

- Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups
- Manage objects, such as folders, through user rights, attributes, permissions, share permissions, auditing, and Web permissions
- Troubleshoot a security conflict
- Determine how creating, moving, and copying folders and files affect security

Managing Resources

Three ways of managing resources and user accounts include:
- By individual user
- By resource
- By group

Managing resources by groups is one effective way to reduce time spent on management.

Scope of Influence

Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest.

Types of Security Groups

- Local: Used on standalone servers that are not part of a domain
- Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources
- Global: Used to manage accounts from the same domain and to access resources in the same and other domains
- Universal: Used to provide access to resources in any domain within a forest

Local Security Group

Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office.

Domain Local Security Group

Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group.

Domain local groups can contain accounts, but usually that is not the best approach.

Membership Capabilities of a Domain Local Group

Table 9-1 Membership Capabilities of a Domain Local Group

Active Directory objects that can be members of a domain local group:
- User accounts in the same domain
- Domain local groups in the same domain
- Global groups in any domain in a tree or forest (as long as transitive or two-way trust relationships are maintained)
- Universal groups in any domain in a tree or forest (as long as transitive or two-way trust relationships are maintained)

Active Directory objects that a domain local group can join as a member:
- Access control lists for objects in the same domain, such as permissions to access a folder, shared folder, or printer
- Domain local groups in the same domain

Implementing Global Groups

Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups.

Membership Capabilities of a Global Group

Table 9-2 Membership Capabilities of a Global Group

Active Directory objects that can be members of a global group:
- User accounts from the domain in which the global group was created
- Other global groups that have been created in the same domain
- Levels of global groups, so that global groups can be nested to reflect the structure of organizational units (OUs) in a domain

Active Directory objects that a global group can join as a member:
- Access control lists for objects in any domain in a forest (as long as a transitive trust is maintained between domains)
- Domain local groups in any domain in a forest
- Global groups in any domain in a forest
- Universal groups in a forest

Nesting Global Groups

Global groups can be nested to reflect the structure of OUs.

Nesting Example

[Figure 9-1 Nested global groups: the Managers, Finance, and Budget global groups nested at successive levels]

Planning Tip

- Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group
- Keep in mind that global groups can only be nested in native mode domains

Global Group Example

[Figure 9-2 Managing security through domain local and global groups: a LocalExec domain local group in each of students.college.edu, research.college.edu, and college.edu, and a GlobalExec global group in college.edu]

Implementing Universal Groups

- Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers)
- Universal groups enable the scope of influence to span domains and trees

Membership Capabilities of a Universal Group

Table 9-3 Membership Capabilities of a Universal Group

Active Directory objects that can be members of a universal group:
- Accounts from any domain in a forest
- Global groups from any domain in a forest
- Universal groups from any domain in a forest

Active Directory objects that a universal group can join as a member:
- Access control lists for objects in any domain in a forest
- Any domain local group in a forest
- Any universal group in a forest

Guidelines for Using Groups

- Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both.
- Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.
- Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.

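The membership rules of Tables 9-1 to 9-3 and the guideline above (accounts into global groups, global groups into domain local or universal groups, those groups on the ACL) as a small checker. This is an added example, not code from the chapter; the account name is constructed, the domain and group names come from Figure 9-2, and trust relationships between the domains are assumed to exist.

```python
"""Constructed example: group-scope membership rules (Tables 9-1 to 9-3)
and the 'account -> global -> domain local/universal -> ACL' guideline.
Trust relationships between domains are assumed to exist."""
from dataclasses import dataclass
from typing import List, Tuple

ACCOUNT, DOMAIN_LOCAL, GLOBAL, UNIVERSAL, ACL = (
    "account", "domain local", "global", "universal", "acl")


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # one of ACCOUNT, DOMAIN_LOCAL, GLOBAL, UNIVERSAL, ACL
    domain: str  # domain the object was created in, e.g. "college.edu"


def can_join(member: Principal, container: Principal) -> bool:
    """True if `member` may be added to `container` under the left-hand
    columns of Tables 9-1 (domain local), 9-2 (global) and 9-3 (universal).
    `container` may also be an ACL, covered by the tables' right-hand columns."""
    same_domain = member.domain == container.domain
    if container.kind == DOMAIN_LOCAL:
        # Table 9-1: accounts and domain local groups from the same domain;
        # global and universal groups from any domain in the forest.
        if member.kind in (ACCOUNT, DOMAIN_LOCAL):
            return same_domain
        return member.kind in (GLOBAL, UNIVERSAL)
    if container.kind == GLOBAL:
        # Table 9-2: only accounts and other global groups created in the
        # same domain as the global group (nesting).
        return member.kind in (ACCOUNT, GLOBAL) and same_domain
    if container.kind == UNIVERSAL:
        # Table 9-3: accounts, global groups and universal groups from any
        # domain in the forest.
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    if container.kind == ACL:
        # Right-hand columns: a domain local group goes only on ACLs in its
        # own domain; global and universal groups go on ACLs in any domain.
        # An account can also be placed directly (allowed, but discouraged).
        if member.kind == DOMAIN_LOCAL:
            return same_domain
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    return False


def follows_guideline(chain: List[Principal]) -> Tuple[bool, str]:
    """Check a membership chain account -> group(s) -> ACL against the
    Guidelines for Using Groups: every hop must be legal under can_join,
    the account must sit in a global group first, and the group placed on
    the ACL must be domain local or universal."""
    if len(chain) < 3 or chain[0].kind != ACCOUNT or chain[-1].kind != ACL:
        return False, "chain must run from an account through groups to an ACL"
    for member, container in zip(chain, chain[1:]):
        if not can_join(member, container):
            return False, f"{member.name} cannot be a member of {container.name}"
    kinds = [p.kind for p in chain[1:-1]]
    if kinds[0] != GLOBAL:
        return False, "place the account in a global group first"
    if kinds[-1] not in (DOMAIN_LOCAL, UNIVERSAL):
        return False, "the group on the ACL should be domain local or universal"
    return True, "ok"


def figure_9_2_chain() -> Tuple[bool, str]:
    """Figure 9-2 layout: an account from college.edu reaches a shared
    folder in students.college.edu via GlobalExec and LocalExec."""
    account = Principal("jane", ACCOUNT, "college.edu")  # constructed name
    global_exec = Principal("GlobalExec", GLOBAL, "college.edu")
    local_exec = Principal("LocalExec", DOMAIN_LOCAL, "students.college.edu")
    share_acl = Principal("ACL of a shared folder", ACL, "students.college.edu")
    return follows_guideline([account, global_exec, local_exec, share_acl])


def account_straight_into_domain_local() -> Tuple[bool, str]:
    """The approach the chapter calls 'not the best': an account placed
    directly in the domain local group that is on the ACL."""
    account = Principal("jane", ACCOUNT, "students.college.edu")
    local_exec = Principal("LocalExec", DOMAIN_LOCAL, "students.college.edu")
    share_acl = Principal("ACL of a shared folder", ACL, "students.college.edu")
    return follows_guideline([account, local_exec, share_acl])
```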
Example Universal Group Setup

[Figure 9-3 Managing security through universal and global groups: the domains students.college.edu, research.college.edu, and college.edu; the GlobalExec global group in college.edu; and UniExec, a universal group with access to resources in all three domains]

Creating a Group

To create a group:
1. Click the container in which to create the group
2. Click the Create a new group in current container icon
3. Enter the name of the group
4. Select the group scope
5. Select the group type
6. Click OK

Entering the Group Parameters

Figure 9-4 Creating a group

Group Properties Tabs

- General: Used to enter a description, set the scope, and set the group type
- Members: Used to add group members
- Member Of: Used to join another group
- Managed By: Establishes who will manage the group
- Object: Provides information about the group as an object (on newer versions of Windows 2000)
- Security: Enables you to set up security (on newer versions of Windows 2000)

Converting NT Groups to Windows 2000 Server Groups

- Existing NT local groups on a PDC are converted to domain local groups
- Existing NT global groups on a PDC are converted to global groups
- If still running in mixed mode, universal groups are not recognized
- If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

Windows 2000 Predefined Security Groups

Table 9-4 Windows 2000 Predefined Security Groups

Security Group | Scope | Active Directory Container Location / Default Members | Description
Account Operators | Built-in local (1) | Builtin | Used for administration of user accounts and groups
Administrators | Built-in local (1) | Builtin / Administrator account; Domain Admins and Enterprise Admins groups | Provides complete access to all local computer and/or domain resources
Backup Operators | Built-in local (1) | Builtin | Enables members to back up any folders and files on the computer
Cert Publishers | Global (1) | Users | Used to manage enterprise certification services for security
DHCP Administrators | Domain local | Users / Domain Admins group | Used to manage the DHCP server services (when DHCP server services are installed)
DHCP Users | Domain local | Users | Enables users to access DHCP services when DHCP is enabled at the client (when DHCP server services are installed)
DNSAdmins | Domain local | Users | Used to manage the DNS server services (when DNS server services are installed)
DNSUpdateProxy | Global | Users | Enables each user access as an update proxy, so that a DHCP client can automatically update the DNS server information with its IP address
Domain Admins | Global (1) | Users / Administrator account | Used to manage resources in a domain
Domain Computers | Global (1) | Users | Used to manage all workstations and servers that join the domain
Domain Controllers | Global (1) | Users / all DC computers | Used to manage all domain controllers in a domain
Domain Guests | Global (1) | Users / Guest account | Used to manage all domain guest-type accounts, such as for temporary employees
Domain Users | Global (1) | Users / all user accounts | Used to manage all domain user accounts
Enterprise Admins | Universal (1) | Users / Administrator account | Used to manage all resources in an enterprise
Everyone | Built-in local (1) | Does not appear in a container and cannot be deleted | Used to manage default access to local or domain resources; all user accounts are automatically members
Group Policy Creator Owners | Global (1) | Users / Administrator account | Enables members to manage group policy
Guests | Built-in local (1) | Builtin / Guest and IIS accounts, Domain Guests group | Used to manage guest accounts and to prevent access to install software or change system settings
Pre-Windows 2000 Compatible Access | Built-in local (1) | Builtin / pre-Windows 2000 Everyone group | Used for backward compatibility to the Everyone group on Windows NT servers; limits access to read
Print Operators | Built-in local (1) | Builtin | Members can manage printers on the local computer or in the domain
RAS and IAS Servers | Domain local (1) | Users | Enables member servers to have access to remote access properties that are associated with user accounts, such as security properties
Replicator | Built-in local (1) | Builtin | Used with the Windows File Replication service to replicate designated folders and files
Schema Admins | Universal (1) | Users / Administrator account | Members have access to modify the schema in the Active Directory
Server Operators | Built-in local (1) | Builtin | Used for common day-to-day server management tasks
Users | Built-in local (1) | Builtin / Domain Users group | Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively

(1) The group scope cannot be changed.

Rights Security

User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas.

Table 9-5 Rights Security

Privileges:
- Act as part of the operating system (a program process can gain security access as a user)
- Add workstations to a domain
- Back up files and directories
- Bypass traverse checking (enables a user to move through a folder that the user has no permission to access, if it is on the route to one that they do have permission to access)
- Change the system time
- Create a pagefile
- Create a token object (a process can create a security access token to use any local resource; normally should be reserved for administrators)
- Create permanent shared objects
- Debug programs (can install and use a process debugger to trace problems; normally should be reserved for administrators)
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Increase quotas
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory (included for backward compatibility with Windows NT and should not be used because it degrades performance)
- Manage auditing and security log
- Modify firmware environment variables
- Profile single process (can monitor non-system processes)
- Profile system performance (can monitor system processes)
- Remove computer from docking station
- Replace a process level token (enables a process to replace a security token on one or more of its subprocesses)
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files or other objects

Logon rights:
- Access this computer from the network
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny logon locally
- Log on as a batch job
- Log on as a service
- Log on locally

Inherited Rights

Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group.

Configuring Rights

To configure rights in a domain:
1. Open the Active Directory Users and Computers tool
2. Right-click a domain or OU, for example
3. Click Properties, click the Group Policy tab, click the group policy, and click Edit
4. Double-click (if necessary) Computer Configuration, Windows Settings, Security Settings, and Local Policies
5. Double-click User Rights Assignment
6. Double-click any policies to configure them

Figure 9-6 Configuring user rights as part of group policy

File and Folder Attributes

Attributes: A characteristic associated with a folder or file, used to help manage access and backups.

FAT Attributes

- Read-only
- Hidden
- Archive

Figure 9-7 Attributes of a folder on a FAT-formatted disk

NTFS Attributes

Regular attributes:
- Read-only
- Hidden
- Archive

Extended attributes:
- Index
- Compress
- Encrypt

Figure 9-8 Attributes of a folder on an NTFS-formatted disk

Troubleshooting Tip

If you configure the Index attribute but indexing is not working, check the following:
- Make sure that the Indexing Service is installed
- Make sure that the Indexing Service is started and set to start automatically

Troubleshooting Tip

Files that are compressed cannot be encrypted.

Encrypting File System

The Encrypt attribute uses the Microsoft Encrypting File System (EFS), which sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents.

Troubleshooting Tip

Decrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location.

Permissions

Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, the privilege to read a file or to create a new file.

Auditing

Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation.

Ownership

Ownership: Having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership.

Design Tip

- If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember
- One variance from this recommendation is large database files that may require individual security

Security Options

Figure 9-9 Configuring security options

Inherited Permissions

Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder.

Configuring Permissions

Figure 9-10 Configuring permissions by groups and users

Configuring Inherited Permissions

Figure 9-11 Configuring inherited permissions

NTFS Folder and File Permissions

Table 9-6 NTFS Folder and File Permissions

Permission | Description | Applies to
Full Control | Can read, add, delete, execute, and modify files, plus change permissions and attributes and take ownership | Folders and files
List Folder Contents | Can list (traverse) files in the folder or switch to a subfolder, view folder attributes and permissions, and execute files, but cannot view file contents | Folders only
Modify | Can read, add, delete, execute, and modify files, but cannot delete subfolders and their file contents, change permissions, or take ownership | Folders and files
Read | Can view file contents and view folder attributes and permissions, but cannot traverse folders or execute files | Folders and files
Read & Execute | Implies the capabilities of both List Folder Contents and Read (traverse folders, view file contents, view attributes and permissions, and execute files) | Folders and files
Write | Can create files, write data to files, append data to files, create folders, delete files (but not subfolders and their files), and modify folder and file attributes | Folders and files

Special Permissions

You can customize permissions to meet particular security needs by using special permissions.

Configuring Special Permissions

Figure 9-12 Configuring special permissions

NTFS Folder and File Special Permissions

Table 9-7 NTFS Folder and File Special Permissions

Permission | Description | Applies to
Traverse Folder/Execute File | Can list the contents of a folder and execute program files in that folder; keep in mind that all users are automatically granted this permission via the Everyone and Users groups, unless it is removed or denied by you | Folders/files
List Folder/Read Data | Can list the contents of folders and subfolders and read the contents of files | Folders/files
Read Attributes | Can view folder and file attributes (Read-only and Hidden) | Folders and files
Read Extended Attributes | Enables the viewing of extended attributes (Archive, Index, Compress, Encrypt) | Folders and files
Create Files/Write Data | Can add new files to a folder and modify, append to, or write over file contents | Folders/files
Create Folders/Append Data | Can add new folders and add new data at the end of files (but otherwise not delete, write over, or modify data) | Folders/files
Write Attributes | Can add or remove the Read-only and Hidden attributes | Folders and files
Write Extended Attributes | Can add or remove the Archive, Index, Compress, and Encrypt attributes | Folders and files
Delete Subfolders and Files | Can delete subfolders and files (the following Delete permission is not required) | Folders and files
Delete | Can delete the specific subfolder or file to which this permission is attached | Folders and files
Read Permissions | Can view the permissions (ACL information) associated with a folder or file (but does not imply you can change them) | Folders and files
Change Permissions | Can change the permissions associated with a folder or file | Folders and files
Take Ownership | Can take ownership of the folder or file (Read Permissions and Change Permissions automatically accompany this permission) | Folders and files

Example Guidelines for Setting Permissions

- Protect the Winnt folder by allowing limited access, such as Read & Execute
- Protect server utility folders, such as folders containing backup software, with access for Administrators only
- Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)
- Set up publicly used folders with Modify for broad user access
- Give users Full Control of their own home folders
- Remove groups such as Everyone and Users from confidential folders

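The standard permissions of Table 9-6 expressed as bundles of the special permissions in Table 9-7, with a small ACL evaluator that shows what an account ends up with through its group memberships, including the "remove Everyone from confidential folders" guideline above. This is an added example, not code from the chapter; the account, group and ACL entries are constructed, the bundles follow the Windows standard-permission templates, and the rules that allows from all of an account's groups accumulate and that a deny overrides an allow are Windows ACL evaluation behaviour assumed here rather than stated in the tables.

```python
"""Constructed example: Table 9-6 standard permissions as sets of Table 9-7
special permissions, plus an ACL evaluator. Assumed evaluation rules: allows
from every matching entry accumulate, and a matching deny overrides them."""
from typing import List, Set, Tuple

# Table 9-7 special permissions.
TRAVERSE = "Traverse Folder/Execute File"
LIST_READ = "List Folder/Read Data"
READ_ATTR = "Read Attributes"
READ_EA = "Read Extended Attributes"
WRITE_DATA = "Create Files/Write Data"
APPEND = "Create Folders/Append Data"
WRITE_ATTR = "Write Attributes"
WRITE_EA = "Write Extended Attributes"
DELETE_TREE = "Delete Subfolders and Files"
DELETE = "Delete"
READ_PERMS = "Read Permissions"
CHANGE_PERMS = "Change Permissions"
TAKE_OWNER = "Take Ownership"
ALL_SPECIAL = {TRAVERSE, LIST_READ, READ_ATTR, READ_EA, WRITE_DATA, APPEND,
               WRITE_ATTR, WRITE_EA, DELETE_TREE, DELETE, READ_PERMS,
               CHANGE_PERMS, TAKE_OWNER}

_READ = {LIST_READ, READ_ATTR, READ_EA, READ_PERMS}
_WRITE = {WRITE_DATA, APPEND, WRITE_ATTR, WRITE_EA, READ_PERMS}

# Table 9-6 standard permissions as bundles of special permissions.
# Modify deliberately lacks Delete Subfolders and Files, Change Permissions
# and Take Ownership, as the table describes.
STANDARD = {
    "Read": set(_READ),
    "Write": set(_WRITE),
    "Read & Execute": _READ | {TRAVERSE},
    "List Folder Contents": _READ | {TRAVERSE},  # folders only
    "Modify": _READ | _WRITE | {TRAVERSE, DELETE},
    "Full Control": set(ALL_SPECIAL),
}

ACE = Tuple[str, str, str]  # (trustee, "allow" or "deny", standard permission)


def effective(acl: List[ACE], account: str, groups: List[str]) -> Set[str]:
    """Special permissions `account` holds on an object whose ACL is `acl`,
    given the groups it belongs to: allows for the account or any of its
    groups accumulate, and any matching deny removes those rights again."""
    trustees = {account, *groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for trustee, kind, perm in acl:
        if trustee in trustees:
            (allowed if kind == "allow" else denied).update(STANDARD[perm])
    return allowed - denied


def without_trustee(acl: List[ACE], trustee: str) -> List[ACE]:
    """The ACL with every entry for `trustee` removed (the guideline to take
    Everyone and Users off confidential folders)."""
    return [ace for ace in acl if ace[0] != trustee]


# Constructed ACL of a confidential folder: Managers were given Modify, but a
# default "Everyone: Read" entry was left in place.
CONFIDENTIAL_ACL: List[ACE] = [
    ("Managers", "allow", "Modify"),
    ("Everyone", "allow", "Read"),
]


def confidential_folder_check() -> Tuple[bool, bool, bool]:
    """Returns (temp can read before cleanup, temp can read after cleanup,
    manager can change permissions). Every account is a member of Everyone."""
    temp_groups = ["Everyone", "Domain Users"]
    before = LIST_READ in effective(CONFIDENTIAL_ACL, "temp1", temp_groups)
    cleaned = without_trustee(CONFIDENTIAL_ACL, "Everyone")
    after = LIST_READ in effective(cleaned, "temp1", temp_groups)
    manager = effective(cleaned, "jane", ["Everyone", "Managers"])
    return before, after, CHANGE_PERMS in manager


def deny_overrides_example() -> Tuple[bool, bool]:
    """Domain Users: Modify, Temps: deny Write. A member of both keeps the
    read rights but loses the write rights; returns (can read, can write)."""
    acl: List[ACE] = [("Domain Users", "allow", "Modify"), ("Temps", "deny", "Write")]
    rights = effective(acl, "temp1", ["Domain Users", "Temps"])
    return LIST_READ in rights, WRITE_DATA in rights
```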
Planning TipPlanning Tip
Err on the side of too much security at Err on the side of too much security at first, because it is easier to give users first, because it is easier to give users more permissions later than to take more permissions later than to take away permissions after users are used away permissions after users are used to having themto having them
Configuring Auditing
Start by configuring a group policy for auditing (object access auditing must be enabled in the audit policy before any per-object audit settings produce events)
Configure auditing on an as needed basis for particular objects, such as a folder or file
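Both steps of that procedure in script form, as an added example rather than anything from the textbook. It assumes an elevated Windows PowerShell session on a current Windows version, where auditpol.exe takes the place of the Group Policy setting in Figure 9-14 for a single machine; the folder path and the audited rights are constructed for the demonstration.

```powershell
# Added example (not from the textbook): the two halves of object-access auditing on a
# modern Windows host. Assumes an elevated Windows PowerShell session; auditpol.exe
# replaces the Windows 2000 Group Policy step for a single machine.
# The folder path is constructed for the demonstration.

function Enable-FileSystemAuditPolicy {
    # Step 1: turn on the policy. Without this, per-folder audit entries are silently ignored.
    # (On a domain member the equivalent is the Audit object access / File System setting in Group Policy.)
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

function Add-FolderAuditRule {
    <#
      Step 2: put an audit entry (SACL) on the folder. This audits both successful
      and failed attempts to write, delete or change permissions by anyone
      (Everyone), inherited by all subfolders and files. Reading the SACL needs
      Get-Acl -Audit and the SeSecurityPrivilege that an elevated admin holds.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights] $Rights =
            [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $Identity,
        $Rights,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        ([System.Security.AccessControl.PropagationFlags]::None),
        ([System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRules {
    # Lists the SACL entries so the result can be checked (Figure 9-13 shows the same data in the GUI).
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path -Audit).Audit |
        ForEach-Object { '{0}: {1} [{2}]' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags }
}

$target = Join-Path $env:SystemDrive 'Finance'   # constructed path for the demonstration
$null = New-Item -ItemType Directory -Force -Path $target

Enable-FileSystemAuditPolicy
Add-FolderAuditRule -Path $target
Get-FolderAuditRules -Path $target
# From here on, a failed delete by a user without permission is recorded in the Security
# log as object access events (IDs 4656 and 4663), naming the object and the account.
```

Auditing Everyone for writes and permission changes, but not for reads, keeps the Security log small enough to be useful; auditing Read on a busy share generates an event for every file open.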
Folder Auditing
Figure 9-13 Configuring folder auditing
Setting an Audit Policy
Figure 9-14 Configuring audit policy as part of the default domain policy
Ownership
Guidelines for ownership:
The account that creates an object is the initial owner
Ownership is changed by first having permission to take ownership and then by taking ownership
Full Control permissions are required to take ownership (or the special permission, Take Ownership); members of Administrators can take ownership of any object regardless of its permissions, through the Take ownership of files or other objects user right
Share Permissions
Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer
Share permissions apply only to access over the network; a user working at the console is governed by NTFS permissions alone. For network access the effective permission is the more restrictive of the share permissions and the NTFS permissions
Configuring Share Permissions
Figure 9-15 Configuring a shared folder
Share Permissions for a Folder
Read: Permits groups or users to read and execute files
Change: Enables users to read, add, modify, execute, and delete files
Full Control: Permits full access to the folder, including the ability to take ownership or change permissions
Windows 2000 gives Everyone Full Control on a newly created share by default; reduce this to the least access needed and rely on NTFS permissions for fine-grained control
Offline Access to a Folder through Caching
Use the Caching button on the Sharing tab of the folder Properties dialog box to set up a folder for offline access via caching
Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network
Folder Caching Options
Automatic Caching for Documents: Documents are cached without user intervention; all files in the folder that are opened by the client are cached automatically
Manual Caching for Documents: Documents are cached only at the user's request
Automatic Caching of Programs: Document and program files are automatically cached when opened, but cannot be modified
Cached copies are stored on the client computer's own disk, so disable caching on shares that hold confidential data
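The share permissions and the caching options of the two slides above, set from a script. This is an added example, not from the textbook, and it uses the SMB cmdlets that replaced the Sharing tab on Windows 8 / Server 2012 and later; it assumes an elevated session. Share names, the C:\Shares paths and the Finance group are constructed for the demonstration, and the group must exist on the host for that command to succeed.

```powershell
# Added example (not from the textbook): creating shares with least-privilege share
# permissions and an explicit caching setting, using the SMB cmdlets (Windows 8 /
# Server 2012 or later, elevated session). Share names, paths and the 'Finance'
# group are constructed for the demonstration.

function New-ProtectedShare {
    <#
      Creates the folder and the share, then makes the share permissions explicit:
        -Read   : the Read share permission (read and execute)
        -Change : the Change share permission (read, add, modify, delete)
        -Full   : Full Control (also allows changing permissions / ownership)
      -CachingMode maps to the Caching button: None, Manual (Manual Caching for
      Documents), Documents (Automatic Caching for Documents), Programs (Automatic
      Caching of Programs). The Everyone entry is removed, reversing the
      Windows 2000 default of Everyone: Full Control.
    #>
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Read   = @(),
        [string[]] $Change = @(),
        [string[]] $Full   = @('BUILTIN\Administrators'),
        [ValidateSet('None', 'Manual', 'Documents', 'Programs')] [string] $CachingMode = 'Manual'
    )
    $null = New-Item -ItemType Directory -Force -Path $Path
    $params = @{ Name = $Name; Path = $Path; CachingMode = $CachingMode; FullAccess = $Full }
    if ($Read)   { $params['ReadAccess']   = $Read }
    if ($Change) { $params['ChangeAccess'] = $Change }
    $null = New-SmbShare @params
    # Make sure the implicit Everyone entry is gone; harmless if it was never added.
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    Get-SmbShareAccess -Name $Name | Select-Object AccountName, AccessControlType, AccessRight
}

# Public documents: broad Change access; clients may take offline copies automatically.
New-ProtectedShare -Name 'Public'  -Path 'C:\Shares\Public'  -Change 'BUILTIN\Users' -CachingMode Documents
# Installed applications: read/execute only, cached as read-only program files.
New-ProtectedShare -Name 'Apps'    -Path 'C:\Shares\Apps'    -Read   'BUILTIN\Users' -CachingMode Programs
# Confidential data: a named group only, and no offline copies on client disks at all.
New-ProtectedShare -Name 'Finance' -Path 'C:\Shares\Finance' -Change 'Finance'       -CachingMode None
```

The share permission is only the outer gate; the NTFS permissions on C:\Shares\Finance still have to exclude Users and Everyone, otherwise a console logon or a second share on a parent folder bypasses the restriction.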
Troubleshooting Tip
If the Sharing tab is not displayed, make sure that the Server service is started
Web Sharing
Use the Web Sharing tab in a folder's properties to configure that folder for Web access (the tab is present only when Internet Information Services is installed on the computer)
Configuring Web Sharing
Figure 9-16 Entering Web sharing permissions
Web Sharing Access Permissions
Read: Enables clients to read and display the contents of folders and files via an Internet or intranet
Write: Enables clients to modify the contents of folders and files, including the ability to upload files through FTP
Script source access: Enables clients to view the contents of scripts containing commands to execute Web functions
Directory browsing: Enables clients to browse the folder and subfolders, such as for FTP access
Script source access combined with Write lets a client upload or alter server-side scripts, so grant it only where it is explicitly required
Table 9-8 Web Sharing Access Permissions
Web Sharing Application Permissions
None: No access to execute a script or application
Scripts: Enables the client to run scripts to perform Web-based functions
Execute (includes scripts): Enables clients to execute programs and scripts via an Internet or intranet connection
Do not combine Write access with Scripts or Execute on the same folder; a client that can upload a file and then run it can execute arbitrary code on the server
Table 9-9 Web Sharing Application Permissions
Troubleshooting a Security Conflict
Check the groups to which a user or group belongs
Look for group permissions that conflict, particularly because the Deny box is checked for a permission; an explicit Deny on any group the user belongs to overrides an Allow granted through another group
For network access, also compare the share permissions with the NTFS permissions, because the more restrictive of the two applies
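An offline model of how Windows evaluates a request against a DACL, added here as an example (not from the textbook) so a conflict like the one above can be reasoned about without touching a live server. The DACL is written in SDDL and parsed by the .NET ACL classes but never applied to a file; the Contractors group SID, the user's token and the requested rights are constructed for the demonstration. Assumes Windows PowerShell 5.1.

```powershell
# Added example (not from the textbook): an offline model of the DACL walk Windows
# performs, plus the share-permission gate for network access. The DACL below is
# parsed from SDDL and never applied to a file. The Contractors SID, the token and
# the requests are constructed for the demonstration. Assumes Windows PowerShell 5.1.

function Resolve-EffectiveAccess {
    <#
      Walks the DACL in order the way the system does: an Allow entry for one of the
      token's SIDs contributes its bits; the walk succeeds once every requested bit
      is granted; a Deny entry for one of the token's SIDs that covers any still-
      missing bit stops the walk with access denied. Because the canonical order is
      explicit Deny, explicit Allow, inherited Deny, inherited Allow, an explicit
      Deny wins in practice. The share permission is then applied on top, the way it
      is for network access: the more restrictive of the two decides.
    #>
    param(
        [Parameter(Mandatory)] [string]   $DaclSddl,
        [Parameter(Mandatory)] [string[]] $TokenSids,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Requested,
        [ValidateSet('Read', 'Change', 'Full')] [string] $SharePermission = 'Full'
    )
    $sd = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($DaclSddl)
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $needed      = [int]$Requested
    $granted     = 0
    $ntfsAllowed = $false
    $blockingAce = $null
    foreach ($rule in $rules) {
        if ($TokenSids -notcontains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A Deny only matters for bits that have not already been granted by an earlier Allow.
            if (($mask -band $needed -band (-bnot $granted)) -ne 0) { $blockingAce = $rule; break }
        } else {
            $granted = $granted -bor $mask
            if (($needed -band (-bnot $granted)) -eq 0) { $ntfsAllowed = $true; break }
        }
    }

    # Share-level mask: Read = Read & Execute, Change = Modify, Full = Full Control.
    $shareMask = switch ($SharePermission) {
        'Read'   { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change' { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'Full'   { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    $shareAllowed = (($needed -band (-bnot $shareMask)) -eq 0)

    [pscustomobject]@{
        Requested    = $Requested
        NtfsAllowed  = $ntfsAllowed
        DeniedBy     = $(if ($blockingAce) { $blockingAce.IdentityReference.Value } else { $null })
        ShareAllowed = $shareAllowed
        Effective    = ($ntfsAllowed -and $shareAllowed)
    }
}

# Constructed scenario: Users may Modify, but the Contractors group is explicitly denied Delete.
$contractors = 'S-1-5-21-1000-2000-3000-1105'        # constructed domain group SID
$dacl = "D:P(D;OICI;SD;;;$contractors)" +            # Deny  Delete        -> Contractors
        '(A;OICI;FA;;;BA)' +                          # Allow Full Control  -> Administrators
        '(A;OICI;0x1301bf;;;BU)'                      # Allow Modify        -> Users
$token = @('S-1-5-11', 'S-1-5-32-545', $contractors)  # Authenticated Users, Users, Contractors

# Read succeeds: the Users Allow covers it and the Deny matches none of the requested bits.
Resolve-EffectiveAccess -DaclSddl $dacl -TokenSids $token -Requested ReadAndExecute
# Delete fails on NTFS: the Deny for Contractors is reached before the Users Allow.
Resolve-EffectiveAccess -DaclSddl $dacl -TokenSids $token -Requested Delete
# Write is fine on NTFS, but over a share that grants only Read it is refused anyway.
Resolve-EffectiveAccess -DaclSddl $dacl -TokenSids $token -Requested Write -SharePermission Read
```

When troubleshooting a real folder, feed the function the output of (Get-Acl $path).Sddl and the SIDs from whoami /groups run as the affected user; the DeniedBy field then names the group whose Deny entry is causing the conflict.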
Moving and Copying Files and Folders
A newly created file inherits the permissions already set up in a folder
A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied
A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder
Moving and Copying Files and Folders (continued)
A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied (a move across volumes is a copy followed by a delete, which is why it behaves like a copy)
A file or folder that is moved or copied from an NTFS volume to a shared FAT folder loses its NTFS permissions, because FAT has no ACLs; only the share permissions of the FAT folder apply
A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder
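The same-volume copy and move rules above, observed on a real file: an explicit marker entry is placed on a file, the file is copied and moved within one volume, and the explicit entries of each result are compared. This is an added example, not from the textbook; it assumes Windows PowerShell 5.1 and that %TEMP% is on an NTFS volume, and all folder and file names are constructed for the demonstration.

```powershell
# Added example (not from the textbook): watch the copy/move rules happen. A marker
# entry (Deny Delete for Guests, which does not affect the account running this) is
# put on a file; the file is then copied and moved within one volume and the explicit
# entries of each result are listed. Assumes Windows PowerShell 5.1 and an NTFS %TEMP%;
# folder and file names are constructed for the demonstration.

function Get-ExplicitAces {
    # Returns a short textual form of the explicit (non-inherited) entries on a path.
    param([Parameter(Mandatory)] [string] $Path)
    @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights })
}

function Add-MarkerAce {
    # Adds an explicit "Deny Delete for BUILTIN\Guests" entry: a visible marker showing where the ACL travels.
    param([Parameter(Mandatory)] [string] $Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        'BUILTIN\Guests',
        ([System.Security.AccessControl.FileSystemRights]::Delete),
        ([System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$root = Join-Path $env:TEMP 'acl-move-demo'
Remove-Item -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
$src = "$root\src"
$dst = "$root\dst"
$null = New-Item -ItemType Directory -Force -Path $src, $dst

'secret' | Set-Content -LiteralPath "$src\a.txt"
Add-MarkerAce -Path "$src\a.txt"
"source      : " + ((Get-ExplicitAces "$src\a.txt") -join '; ')

# Copy on the same volume: the new file is created fresh and only inherits from dst.
Copy-Item -LiteralPath "$src\a.txt" -Destination "$dst\copied.txt"
# Move on the same volume: a rename, so the file keeps the security descriptor it had.
Move-Item -LiteralPath "$src\a.txt" -Destination "$dst\moved.txt"

"copied file : " + ((Get-ExplicitAces "$dst\copied.txt") -join '; ')   # expected: nothing explicit
"moved file  : " + ((Get-ExplicitAces "$dst\moved.txt")  -join '; ')   # expected: the Deny marker
```

The practical lesson is the one the slides state: moving a file into a folder with tighter permissions does not tighten the file, so after reorganising a share check the moved items, not just the destination folder.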
Chapter Summary
Without the Active Directory, use local groups to manage access to resources
With the Active Directory implemented, use domain local, global, and universal groups to manage resources
Chapter Summary (continued)
Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership
Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs