Configuring and Managing Resource Access

1
Configuring and Managing Resource Access

• Lecture 5

2
Folder and File Security

• Access Control List (ACL) list of privileges
  given to a user account or a group
• DACL discretionary ACL configured by an admin
  or owner
• SACL system control ACL contains information
  for auditing access

3
Folder and File Attributes

• Read-only
• Hidden
• Extended attributes Archive, Index (not Windows
  Search Service), Compress, Encrypt

4
Folder and File Permissions

• Permissions (NTFS) control access to an object
• DACL

5
NTFS permissions

• NTFS permissions are specified in the objects
  ACL and are used to control access to the object
• 2 Categories of permissions Standard and Special
• Standard are pre-set, frequently used permissions
  for objects
• Special provide finer granularity to file/folder
  security

6
NTFS permissions

• NTFS permissions can be assigned by an owner, a
  user with Full Control, or a user with Change
  Permissions. Also, a user with Take Ownership
  permission can take ownership of the file/folder
  and then change permissions.

7
Standard NTFS Permissions

• Read
• ReadExecute
• List Folder Contents
• Write
• Modify
• Full Control

8
Folder and File Auditing

• Auditing tracks access to folders and files
• Audited events are recorded in the Windows Server
  2008 Security Log in Event Viewer

9
Folder and File ownership

• An owner is the person who creates a folder/file.
• Owner can change permissions
• Ownership can be transferred to a user with Full
  Control or Take Ownership permissions
• Administrators can always take ownership

10
New, Moved and Copied files and folders
permissions

• When a file or folder is moved or copied, it will
  inherit the destination folder permissions.
• The only exception is when a file/folder is
  moved within the same NTFS volume - then it will
  retain its original permissions.

11
Shared Folders and Permissions

• Shared folder gives users access over the network
• In Server 2008 sharing is more secure (not shared
  with Everyone by default)

12
Shared Folder Permissions

• Share permissions are different from NTFS (NTFS
  and share permissions are cumulative)
• Deny permissions take precedence
• Shared folders can be cached
• Shared Folders can be published in AD

13
Shared Folder Permissions

• Reader (former Read)
• Contributor (former Change)
• Co-owner (former Full Control)
• Owner

14
Effective permissions

• User and Group NTFS permissions combine for the
  least restrictive combination, except where Deny
  overrides Allow. Files may have different
  permissions that parent folder permissions.
• When combining share and NTFS permissions always
  chose the MOST restrictive combination

15
Effective NTFS permissions

• Determine effective shared by choosing the least
  restrictive of all shared. The exception is
  Denied permission overrides Allow.
• Determine effective NTFS by choosing the least
  restrictive of all shared. The exception is
  Denied permission overrides Allow.  
• Combine the results of steps 1 and 2 and choose
  the MOST restrictive permission out of share and
  NTFS. IF there is no overlap - no permissions are
  effective.

16
Troubleshooting Permissions Problems

• When permissions are granted through group
  membership, a user needs to log off and log back
  on
• Watch out for Deny Permissions
• Watch out for individual folder permissions
• Watch out for a conflicting combination of
  NTFS/Shared permissions
• File permissions change after being moved/copied

17
Distributed File Services

• A way to combine multiple shared folders on
  different servers into one hierarchy (under 1
  root)
• Stand-alone- only exists on 1 server
• Domain-based allows fault-tolerance and load
  balancing, as well as using AD for copying a
  folder to multiple targets