Administering Shared Folders

1
Administering Shared Folders

• Understanding Shared Folders
• Planning Shared Folders
• Sharing Folders
• Combining Shared Folder Permissions and NTFS
  Permissions
• Configuring Dfs to Gain Access to Network
  Resources

2
Understanding Shared Folders

• Shared Folders
• Shared Folder Permissions
• How Shared Folder Permissions Are Applied
• Guidelines for Shared Folder Permissions
• Practice Applied Permissions

3
Shared Folders in Windows Explorer
4
Shared Folders

• Provide network users centralized access to
  network files.
• Contain applications, data, or a users personal
  data in a home directory.
• All users by default can connect to the shared
  folder and gain access to the folders content.
• Each type of data requires different shared
  folder permissions.

5
Shared Folder Permissions

• Shared folder permissions can be assigned to user
  and group accounts to control what users can do
  with the content of a shared folder.
• Shared folder permissions are assigned to control
  how users gain access to a shared folder.
• Shared folder permissions can be allowed or
  denied.
• It is best to allow permissions and to assign
  permissions to a group rather than to individual
  users.
• Permissions should be denied only when necessary
  to override permissions that are otherwise
  applied.

6
Characteristics of Shared Folder Permissions

• Apply to folders, not to individual files
  provide less-detailed security than NTFS
  permissions.
• Do not restrict access to users who gain access
  to the folder at the computer where the folder is
  stored only apply to users who connect to the
  folder over the network.
• Are the only way to secure network resources on a
  FAT volume NTFS permissions are not available on
  FAT volumes.
• The default is Full Control, which is assigned to
  the Everyone group when the folder is shared.

7
Shared Folder Permissions

• Read View file names and subfolder names, view
  data in files, traverse to subfolders, and run
  programs
• Change Add files and subfolders to the shared
  folder, change data in files, delete subfolders
  and files, and perform actions permitted by the
  Read permission
• Full Control Change file permissions (NTFS
  only), take ownership of files (NTFS only), and
  perform all tasks permitted by the Change
  permission

8
Applied Permissions
9
Applied Permissions Overview

• Applying shared permissions to user accounts and
  groups affects access to a shared folder.
• Denying permission takes precedence over the
  permissions that are allowed.

10
Effective Permission

• A user can be a member of multiple groups, each
  with different permissions that provide different
  levels of access to a shared folder.
• Effective permissions are the combination of the
  user and group permissions.

11
Deny Overrides Other Permissions

• Denied permissions take precedence over any
  permissions that are otherwise allowed for user
  accounts and groups.
• If shared folder permissions are denied, the user
  will not have that permission, even if the
  permission is allowed for a group of which the
  user is a member.

12
NTFS Permissions Are Required on NTFS Volumes

• Shared folder permissions are sufficient to gain
  access to files and folders on a FAT volume, but
  not on an NTFS volume.
• Users can gain access to a shared folder for
  which they have permissions, as well as all of
  the folders contents.
• When users gain access to a shared folder on an
  NTFS volume, they need the shared folder
  permission and the appropriate NTFS permissions
  for each file and folder to which they gain
  access.

13
Copied, Moved, or Renamed Shared Folders

• When a shared folder is copied, the original
  shared folder is still shared, but the copy is
  not shared.
• When a shared folder is moved or renamed, it is
  no longer shared.

14
Guidelines for Shared Folder Permissions

• Determine which groups need access to each
  resource and the level of access they require.
• Document the groups and their permissions for
  each resource.
• Assign permissions to groups instead of user
  accounts to simplify access administration.
• Assign to a resource the most restrictive
  permissions that still allow users to perform
  required tasks.
• Organize resources so that folders with the same
  security requirements are located within a
  folder.
• Use intuitive share names so that users can
  easily recognize and locate resources.
• Use share names that all client operating systems
  can use.

15
Shared Folder Naming Conventions

• Microsoft Windows 2003, Windows NT, Windows 98,
  and Windows 95
• Share name length 80 characters
• Folder name length 255 characters
• MS-DOS, Windows 3.1, and Windows for Workgroups
• Share name length 8.3 characters
• Folder name length 8.3 characters

16
Planning Shared Folders

• Application Folders
• Data Folders

17
Planning Shared Folders Overview

• Planning shared folders helps to reduce
  administrative overhead and ease user access.
• Planning shared folders involves
• Determining which resources are to be shared.
• Organizing resources according to function, use,
  and administration needs.
• Shared folders contain applications and data.
• Using shared application folders centralizes
  administration.
• Using shared data folders provides a central
  location for users to store and gain access to
  common files.

18
Application Folders Overview

• Application folders are used for applications
  that are installed on a network server, and can
  be used from client computers.
• The primary advantage of shared applications is
  that most components of the applications do not
  need to be installed and maintained on each
  computer.
• Program files for applications can be stored on a
  server configuration information for most
  network applications is often stored on each
  workstation.
• The exact way in which application folders are
  shared depends upon the application, network
  environment, and organization.

19
Creating and Sharing Application Folders
20
Data FoldersOverview

• Data folders are used by users on a network to
  exchange public and working data.
• Two types working data folders and public data
  folders.
• When data folders are used, common data folders
  should be created and shared on a volume that is
  separate from the operating system and
  applications.
• Data files should be backed up frequently, and
  with data folders on a separate volume, they can
  be backed up conveniently.
• If the operating system requires reinstallation,
  the volume containing the data folder remains
  intact.

21
Public Data and Working Data Shared Folders
22
Public Data

• Public data folders are used by larger groups of
  users who all need access to common data.
• Centralized data folders are used so that data
  can be easily backed up.
• The Change permission should be assigned to the
  Users group for the common data folder, thereby
  providing users with a central, publicly
  accessible location for storing data files they
  want to share with other users.

23
Working Data

• Working data folders are used by members of a
  team who need access to shared files.
• Full Control permission should be assigned to the
  Administrators group for a central data folder,
  which allows administrators to perform
  maintenance more easily.
• Lower-level data folders below the central folder
  should be shared with the Change permission for
  the appropriate groups when restricted access to
  those folders is needed.

24
Sharing Folders

• Requirements for Sharing Folders
• Administrative Shared Folders
• Sharing a Folder
• Assigning Shared Folder Permissions
• Modifying Shared Folders
• Connecting to a Shared Folder

25
Sharing Folders

• Resources can be shared with others by sharing
  folders containing those resources.
• The creator of the shared folder must be a member
  of one of several groups, depending on the role
  of the computer on which the shared folder
  resides.
• Access to a shared folder is controlled by
  limiting the number of users who can
  simultaneously gain access to it or by assigning
  permissions to selected users and groups.
• Folder sharing properties may be modified after
  the folder is created.
• Users must first have appropriate permissions
  before making a connection to a shared folder.

26
Requirements for Sharing Folders

• In a Windows 2003 Domain
• The Administrators and Server Operators groups
  can share folders residing on any machines in the
  domain.
• The Power Users group is a local group and can
  only share folders residing on the stand-alone
  server or computer running Windows 2003
  Professional where the group is located.
• In a Windows 2003 Workgroup
• The Administrators and Power Users groups can
  share folders on the stand-alone server or the
  computer running Windows 2003 Professional on
  which the group exists.

27
Administrative Shared Folders

• Automatically shared folders are appended with a
  dollar sign ().
• The hides the shared folder from users who
  browse the computer.
• The root of each volume, the system root folder,
  and the location of the printer drivers are all
  hidden shared folders that can be accessed from
  across the network.
• Hidden shared folders are not limited to those
  that the system automatically creates.
• Additional folders can be shared and a can be
  appended to the end of the share name.
• Only users who know the folder name and possess
  proper permissions can gain access to the hidden
  folder.

28
Windows 2003 Administrative Shared Folders

• C, D, E, and so on The root of each volume on
  a hard disk
• Admin The system root folder, which is C\Winnt
  by default
• Print The printer drivers folder,
  systemroot\System32\Spool\Drivers

29
Sharing a Folder

• Assign a share name to the folder.
• Provide comments to describe the folder and its
  content.
• Limit the number of users who have access to the
  folder.
• Assign permissions.
• Share the same folder multiple times.

30
Sharing Tab of the Properties Dialog Box for a
Folder
31
Permissions For Dialog Box for a Shared Folder
32
Select Users, Computers, Or Groups Dialog Box
33
Modifying Shared Folders

• Sharing of a file can be stopped.
• The share name can be added or removed.
• Shared folder permissions can be modified.

34
Connecting to a Shared Folder Four Methods

• Map Network Drive Wizard
• Add Network Place Wizard
• Run command
• My Network Places

35
Map Network Drive Wizard
36
Combining Shared Folder Permissions and NTFS
Permissions

• Strategies for Combining Shared Folder
  Permissions and NTFS Permissions
• Practice Managing Shared Folders

37
Combined Permissions
38
Combining Shared Folder Permissions and NTFS
Permissions

• Sharing folders provides network users with
  access to resources.
• If a FAT volume is being used, the shared folder
  permissions are all that is available to provide
  security for the folders shared and the
  subfolders and files they contain.
• If an NTFS volume is being used, NTFS permissions
  can be assigned to individual users and groups to
  better control access to the files and subfolders
  in the shared folders.
• When shared folder permissions are combined with
  NTFS permissions, the more restrictive permission
  is always the overriding permission.

39
Strategies for Combining Shared Folder
Permissions and NTFS Permissions

• Access to resources on an NTFS volume can be
  provided by sharing folders with the default
  shared folder permissions and then controlling
  access by assigning NTFS permissions.
• When a folder is shared on an NTFS volume, both
  shared folder permissions and NTFS permissions
  combine to secure file resources.
• Shared folder permissions provide limited
  security for resources.
• Using NTFS permissions provides the greatest
  flexibility to control access to shared folders.
• NTFS permissions apply whether the resource is
  accessed locally or over the network.

40
Combining Shared Folder Permissions, NTFS
Permissions
41
Rules For Combining Shared Folder Permissions and
NTFS Permissions

• NTFS permissions can be applied to files and
  subfolders in the shared folder.
• Different NTFS permissions can be applied to each
  file and subfolder that a shared folder contains.
• Users must have access to both shared folder
  permissions and NTFS permissions to gain access
  to those files and subfolders.
• When shared folder permissions are combined with
  NTFS permissions, the more restrictive permission
  is always the overriding permission.

42
Configuring Dfs to Gain Access to Network
Resources

• Understanding Dfs
• Reasons for Using Dfs
• Dfs Topology
• Creating a Dfs
• Creating a Dfs Root
• Creating a Dfs Link
• Adding a Dfs Shared Folder
• Setting Replication Policy
• Practice Using Dfs

43
Overview of Dfs
44
Understanding Dfs

• Enables system administrators to make it easy for
  users to access and manage files that are
  physically distributed across a network
• Makes files distributed across multiple servers
  appear to users as if they reside in one place on
  the network
• Organizes shared folders that can reside on
  different computers
• Provides users with easy navigation to shared
  folders on different computers
• Enables users to gain access to a network
  resource without knowing its location on the
  network
• Facilitates administering multiple shared folders

45
Dfs Functions

• Organizes resources in a hierarchy
• Facilitates network navigation
• Facilitates network administration
• Preserves network permissions

46
Types of Dfs Roots

• Domain
• Stores the Dfs topology in Active Directory
• Allows links to point to multiple identical
  shared folders for fault tolerance
• Supports DNS, multiple-level Dfs links, and file
  replication
• Stand-alone
• Stores the Dfs topology on a single computer, not
  in Active Directory
• Provides no fault tolerance if the computer that
  stores the Dfs topology or any of the shared
  folders that Dfs uses fails
• Supports only one level of Dfs links

47
Reasons for Using Dfs

• Users who access shared folders are distributed
  across a site or sites.
• Most users require access to multiple shared
  folders.
• Server load balancing may be improved by
  redistributing shared folders.
• Users require uninterrupted access to shared
  folders.
• The organization has Web sites for either
  internal or external use.

48
Dfs Topology

• To users, a Dfs topology provides a unified and
  transparent access to the network resources they
  need.
• To system administrators, a Dfs topology is a
  single DNS namespace.
• The Dfs topology is automatically published to
  Active Directory by default.

49
Dfs Components

• Dfs root
• One or more Dfs links
• One or more Dfs shared folders, also known as
  replicas, to which each Dfs link points

50
Domain-Based Dfs

• The domain server on which a Dfs root resides is
  known as a host server.
• A Dfs root can be replicated by creating roots on
  other servers in the domain.
• Dfs root replication provides file availability
  if the host server becomes unavailable.
• DNS names for the Dfs roots resolve to the host
  servers for the Dfs root.
• The host server is a member server within a
  domain.

51
Dfs Benefits

• Provides synchronization of Dfs topologies across
  host servers
• Provides fault tolerance for the Dfs root
• Supports optional replication of Dfs shared
  folders

52
Creating a Dfs

• Create a Dfs root.
• Create a Dfs link.
• Add Dfs shared folders optional.
• Set replication policy.

53
Creating a Dfs Link

• In a network environment, keeping track of the
  physical locations of shared resources might be
  difficult for users.
• The network and file system structures become
  transparent to users when Dfs is used.
• Transparency enables the administrator to
  centralize and optimize access to resources based
  on a single tree structure.
• Users can browse the links under a Dfs root
  without knowing where the referenced resources
  are physically located.
• The maximum number of Dfs links that can be
  assigned to a Dfs root is 1000.

54
Create A New Dfs Link Dialog Box
55
Adding a Dfs Shared Folder

• For each Dfs link, create a set of Dfs shared
  folders to which the Dfs link points.
• Within a set of Dfs shared folders, the first
  folder is added to the set when the Dfs link is
  created, using the Distributed File System
  console.
• Subsequent folders are added using the consoles
  Add A New Replica dialog box.
• The maximum number of Dfs shared folders allowed
  in a set of shared folders is 32.
• When Dfs shared folders are added, folders can be
  chosen to participate in replication.
• If folders are set to participate in replication,
  the replication policy for the shared folders
  must be set.

56
Add A New Replica Dialog Box
57
Setting Replication Policy

• Replicating the contents of folders to other
  roots or Dfs shared folders in the domain ensures
  that the folders contents are always available
  to users.
• Both Dfs roots and Dfs shared folders can be
  replicated.
• Replication copies the content of one Dfs root to
  another, or from one Dfs shared folder to another
  Dfs shared folder.

58
Replication Policy Dialog Box