Configuring, Managing, and Troubleshooting Resource Access

1
Configuring, Managing, and Troubleshooting
Resource Access

• Manage object security for files and folders
• Configure shared folders and share permissions
• Troubleshoot a security conflict

2
Managing Object and Object Security

• Each object has an access control list (ACL) for
  shared resource management
• Access is controlled through common security
  techniques
• Attributes
• Permissions
• Auditing
• Ownership

3
Attributes

• Attributes are a carryover from earlier DOS-based
  systems
• Used to convert files and directories from
  NetWare
• Use by DOS and NetWare for security and file
  management
• Stored as header information

4
FAT File System and Attributes

• FAT has three attributes for files and folders
• Read-only
• Files in a read-only folder cannot automatically
  be read
• Instead, use the read-only permission to allow
  the files to inherit the folders permission
• Hidden
• Can be defeated in post-Windows 95 systems
• Archive
• Files are automatically flagged to be backed up
  when new or modified

5
NT File System and Attributes

• Allows the FAT attributes of
• Read-only and hidden on the General tab
• Archive on the Extended tab
• Extended tab also contains
• Index
• Compress
• Encrypt
• Extended attributes have the option to be applied
  to
• A folder and its files
• A folder, its files, and all subfolders and files

6
(No Transcript)
7
NT File System (cont.)

• Index
• Allows for quick searches
• Indexing Service must be installed and set to
  start automatically
• Compress
• Saves space on infrequently used files or limited
  disk space
• Takes longer to search compressed files
• Compressed files cannot be encrypted

8
NT File System (cont.)

• Encrypt
• Can only be read by the user who encrypted the
  file or folder
• Uses the Microsoft Encryption File System (EFS)
• Sets up a unique, private encryption key
• An encrypted file remains encrypted when moved to
  another folder, even of renamed
• Can also encrypt and decrypt at the command
  prompt with the cipher command

9
Folder and File Permissions

• Permissions control access to an object
• Use the folder properties Security tab
• Check the Allow and Deny boxes to set access
  permissions for groups and users
• If none of the Allow and Deny boxes are checked,
  all access is denied
• Deny overrides any other access
• Inherited permissions
• The permissions of the parent object applies to
  the child objects
• Set by default but can be deactivated

10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
Guidelines for permissions

• Protect the \Windows folder from general users
• Traverse Folder / Execute File
• Protect server utility folders
• Access permissions only for Administrators,
  Server Operators, and Backup Operators
• Protect software application folders from users,
  but allow execution
• Read Execute, Write

15
Guidelines for permissions (cont.)

• Create publicly used folders for broad access
  except for administrative tasks
• Modify
• Provide users Full Control of their own home
  folders
• Remove general access groups from confidential
  folders
• Everyone and Users
• Always err on the side of too much security

16
Configuring Folder and File Auditing

• Track activity on a folder or file through
  auditing
• Windows Server NTFS folders and files allow
  auditing of any or all of the special permissions
• Each type of access can be tracked according to
  successful or failed attempts
• Set up an auditing policy to fully configure
  auditing for an object
• Use the Domain Security Policy tool

17
(No Transcript)
18
Configuring Folder and File Ownership

• Folders are first owned by the account that
  creates them
• Folder owners may change permissions for their
  folders
• Ownership can be transferred only by having the
  Take Ownership or Full Control permission
• Administrators group can take control of any
  group, regardless of permissions

19
(No Transcript)
20
Configuring Shared Folders

• Shared folders can be accessed over the network
• Specify number of users or allow the maximum
• Maximum is the number of Server 2003 client
  access licenses
• Share Permissions
• Full Control Full access control of share
  permissions
• Change Read, add, modify, execute, and delete
• Read Read and execute
• Option to hide shared folders from browser lists
• Place a sign just after its name

21
(No Transcript)
22
(No Transcript)
23
Troubleshooting a Security Conflict

• Look at the Effective Permissions tab
• Calculates account group membership and
  permission inheritance
• Take file and folder locations into account
• A new file inherits its folder permissions
• Files copied to a folder on the same volume
  inherits the new folders permissions
• Files moved to a folder on the same volume keeps
  its original permissions
• Files moved to another volume inherits the new
  folders permissions

24
(No Transcript)
25
Distributed File System

• Shared folders on a network appear in one
  hierarchy of folders
• Simplifies user access
• Fault tolerance is an option by replicating
  shared folders
• Uses the Microsoft File Replication Service
• Load balancing can be performed by distributing
  folder access across several servers
• Access is improved to Internet and Intranet sites
• Backups from one set of master folders

26
Summary

• Windows Server 2003 objects are managed through
  tools that include folder and file attributes,
  permissions, auditing, and ownership
• Attributes enable you to manage folder and file
  properties such as read-only, archiving,
  compression, and encryption
• Permissions are set to control who has access to
  a folder or file
• Auditing is used to monitor who has been given
  access to a folder or file

27
Summary

• Ownership is used to grant full control over a
  folder or file
• Folder and files can be shared over a network
• Folder and file security can be managed through
  share permissions
• Use security troubleshooting techniques and
  Windows Server 2003 troubleshooting tools to
  diagnose a security conflict