lecture 9 further permissions
Lecture 9: More Access Control and Permissions
Network Design & Administration
Registry Keys
• Registry Keys are the entities used to store information about a Windows PC.
• They are used for:
  • Hardware information
  • OS information
  • Non-OS programs
  • Users
  • Preferences
Registry Structure and Use
• The registry is separated into Hives:
  • HKEY_CLASSES_ROOT – For installed apps: file associations, etc.
  • HKEY_CURRENT_USER – Specific settings for the current user, e.g. printer settings.
  • HKEY_LOCAL_MACHINE – General to all users, e.g. driver versions.
  • HKEY_USERS – Details of all user profile keys that can access the machine. Current_User is a partial list of this information.
  • HKEY_CURRENT_CONFIG – Generated at boot time to give information on the local machine configuration.
Registry Entries
• For a registry entry to be modified, the program or user has to be allowed to change it!
• Here we see the Administrators group given Full Control over this sub-key (via inheritance).
Registry Permissions
• Can see similarities and differences between these and NTFS permissions.
• Different set of standard and special permissions.
• Again, inheritance can be allowed or stopped, and deny/allow priority applies.
(Note: Write DAC = ability to change the ACL for the key)
Why of interest in a network?
• Various programs may need to run on a server.
• Those programs must have appropriate access to registry keys.
• If users want applications installed locally, problems can occur if the registry keys do not have the appropriate ACLs set.
Active Directory Object Permissions
• Very different again to NTFS and Registry permissions, e.g.:
  • Create child
  • Delete child
  • Standard delete
  • Delete tree
  • Read property
  • Write property
• Microsoft recommend not changing them.
• If changed, performance can be lost due to the amount of information transmitted around the network.
Microsoft File Shares
• Allow network clients to actually see folders on a server remotely.
• Some shares are created automatically due to the role of a server, e.g. the NETLOGON share is created when a server becomes a domain controller.
• Shares can be hidden by appending $ to the name (so how do users find it?)
Who can create file system shares?
• Depends on the role of the machine and therefore the security risks associated with doing it:
  • Domain Controller – Administrators, Server Operators, Enterprise Admins, Domain Admins groups only.
  • Domain Member Server or Workstation – Administrators, Server Operators, Power Users groups only.
  • Workgroup or Standalone computer (?) – Administrators, Power Users groups only.
Creating a share using the MMC Shared Folders Snap-in
File share permissions
• They differ from NTFS.
• Much coarser grain – no special permissions.
• Change in Share Permissions is not the same as Modify in NTFS in the delete area.
• When Share and NTFS permissions are both present, the resultant permission applied is the most restrictive.
• Do not apply to locally logged on users (e.g. physically local or via Terminal Server).
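A small Python model of the rules on this slide and the deny/allow priority from the Registry Permissions slide: an explicit Deny beats any Allow, over the network the effective right is the most restrictive of share and NTFS, and a local logon skips share permissions entirely. This is an added example, not from the lecture; the rights ladders, principal names and sample ACLs are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rights ladders, least to most permissive, so "most restrictive"
# is simply the minimum. Share permissions are the coarse Read/Change/Full set.
SHARE_LEVELS = {"Read": 1, "Change": 2, "Full Control": 3}
NTFS_LEVELS = {"Read": 1, "Modify": 2, "Full Control": 3}
LEVEL_NAMES = ["None", "Read", "Change/Modify", "Full Control"]


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    right: str          # key of SHARE_LEVELS or NTFS_LEVELS
    allow: bool = True  # False = explicit Deny


def evaluate(acl, principals, levels):
    """Level an ACL grants to a token made of the given user/group names.
    Any matching Deny wins outright (deny/allow priority); otherwise the
    highest matching Allow applies. No matching entry means no access."""
    matching = [a for a in acl if a.principal in principals]
    if any(not a.allow for a in matching):
        return 0
    return max((levels[a.right] for a in matching), default=0)


def effective_access(share_acl, ntfs_acl, principals, remote=True):
    """Over the network: most restrictive of share and NTFS.
    Logged on locally (console or Terminal Server): share permissions do
    not apply, so NTFS alone decides."""
    ntfs = evaluate(ntfs_acl, principals, NTFS_LEVELS)
    if not remote:
        return ntfs
    return min(evaluate(share_acl, principals, SHARE_LEVELS), ntfs)


# Constructed sample: the share grants Everyone Change; NTFS grants Staff
# Modify and Admins Full Control, but explicitly denies Contractors.
SHARE_ACL = [Ace("Everyone", "Change")]
NTFS_ACL = [Ace("Staff", "Modify"), Ace("Admins", "Full Control"),
            Ace("Contractors", "Read", allow=False)]

if __name__ == "__main__":
    for token in ({"alice", "Everyone", "Staff"},
                  {"bob", "Everyone", "Staff", "Admins"},
                  {"carol", "Everyone", "Staff", "Contractors"}):
        over_net = LEVEL_NAMES[effective_access(SHARE_ACL, NTFS_ACL, token)]
        local = LEVEL_NAMES[effective_access(SHARE_ACL, NTFS_ACL, token, remote=False)]
        print(f"{sorted(token)}: remote={over_net}, local={local}")
```

Note that bob's Full Control only shows when logged on locally: over the share he is capped at Change, which is exactly what the Effective Permissions tab will not tell you.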
Limitations / Problems
• Limited scope – Can be applied only to folders and only when connecting to the share.
• Lack of flexibility – Permissions applied to the share apply to all levels below.
• No replication – Share permissions are not replicated by the domain controller.
• No resiliency – Share permissions cannot be backed up or restored via the Domain Controller.
• Fragility – Shares (and therefore share permissions) are lost when a folder is moved or renamed.
• No auditing possible.
• Do not show up in the Effective Permissions tab – They need to be looked at independently, then considered together with the NTFS permissions to give the resultant (most restrictive) permission.
Printer Server Topologies
• For cost effectiveness, want multiple users to access a single printer.
• What are the options?
  • Locally Attached Printers
  • Network Attached Printers, either with:
    • a logical printer on every client workstation, or
    • a print server.
• Logical Printer – object used by the operating system to represent the physical device. Contains settings, defaults, drivers and other properties.
• Print server – receives jobs from clients, stores them in a print queue and sends them one by one to the physical printer.
Locally Attached Printer [1]
• Physical security issues (the printer has to be close to the server).
• When the printer share is created, the attached server functions as the print server.
Network attached printer, with logical printer in every client [1]
Problems…
• Each user sees only their own jobs – not the rest of the queue (there may be lots waiting ahead!)
• Admins cannot manage the print queue or implement advanced features.
• Error messages only appear on the user's machine.
• If a driver update is required, it has to be done on each client.
• Print processing is not offloaded to a server.
Network attached printer, with print server [1]
• Advantages…?
Old UNIX/Linux permissions
• Each file has a set of bits that specify its permissions for 3 classes of user: Owner, Group Owner, Everyone Else.
• Owner is special, and can totally limit access.
• Each class has 3 bits: (r) Read, (w) Write, (x) Execute.
• These are expressed as rwx if allowed or a - if not allowed.
• e.g. rwxr-xr-x means the owner is allowed all 3, but all others are only allowed read and execute.
• Super user (root access) can do anything even if not the owner.
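The classic rwx model from this slide, worked through in Python: parse a 9-character mode string into the three classes, convert it to the octal form chmod uses, and decide whether a given user gets access, including the "only one class is checked" rule that lets an owner lock themselves out and the root override. This is an added example, not from the lecture; the user, group and file ownerships are constructed, and the one detail beyond the slide (root still needs an x bit somewhere to execute) is how the Linux kernel actually behaves.

```python
import re

CLASSES = ("owner", "group", "other")
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode):
    """'rwxr-xr-x' -> {'owner': {'r','w','x'}, 'group': {'r','x'}, 'other': {'r','x'}}."""
    if not re.fullmatch(r"(?:[r-][w-][x-]){3}", mode):
        raise ValueError(f"not a 9-character rwx mode string: {mode!r}")
    return {cls: {c for c in mode[3 * i:3 * i + 3] if c != "-"}
            for i, cls in enumerate(CLASSES)}


def to_octal(mode):
    """Symbolic to octal as used by chmod: r=4, w=2, x=1 per class ('755')."""
    bits = parse_mode(mode)
    return "".join(str(sum(WEIGHTS[b] for b in bits[cls])) for cls in CLASSES)


def applicable_class(user, groups, owner, group_owner):
    """Exactly one class is checked: owner first, else group, else other.
    An owner is judged only by the owner bits, even if the group bits are
    wider; that is why the owner 'can totally limit access'."""
    if user == owner:
        return "owner"
    if group_owner in groups:
        return "group"
    return "other"


def can_access(mode, want, user, groups, owner, group_owner):
    """Does `user` (member of `groups`) get every permission in `want`
    (a string drawn from 'rwx') on a file with this mode and ownership?
    root bypasses the read/write bits; for execute the kernel still
    requires at least one x bit to be set in some class."""
    bits = parse_mode(mode)
    if user == "root":
        return "x" not in want or any("x" in bits[cls] for cls in CLASSES)
    return set(want) <= bits[applicable_class(user, groups, owner, group_owner)]


if __name__ == "__main__":
    # Constructed file: owned by alice, group staff, mode from the lecture.
    print(to_octal("rwxr-xr-x"))                                             # 755
    print(can_access("rwxr-xr-x", "w", "bob", {"staff"}, "alice", "staff"))  # False
```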
Modern UNIX/Linux permissions
• Now support ACLs (partly for compatibility with Windows via SAMBA).
• Still based on read, write, execute (not as fiddly as Windows NTFS, so SAMBA has to ‘translate’ between them).
• ACLs allow rwx to be set for multiple groups and specific users.
Next Time & references
• Keeping systems up to date.
• Hotfixes vs. Service Packs.
• Managing/automating processes.
• [1] MOAC 290 chapter 10