Chapter 9: SHARING FILE SYSTEM RESOURCES 2
CHAPTER OVERVIEW
• Create and manage file system shares and work with share permissions
• Use NTFS file system permissions to control access to files
• Manage file sharing using Internet Information Services (IIS)
UNDERSTANDING PERMISSIONS OVERVIEW
• File system permissions
• Share permissions
• Active Directory permissions
• Registry permissions – (REGEDIT)
ACCESS CONTROL LISTS (ACL)
Lab: Properties for root of a drive
• Windows Explorer
• Right-click
• Properties
Access Control Entries
ACL has ACEs
PERMISSIONS
Permissions are keys to unlock access to resources.
Full Control permission is the master key.
INHERITANCE
• Allows permissions assigned at one folder to flow down to subsequent files and folders
• Can be overridden by explicit permission assignment or inheritance blocking
• Useful in reducing the number of permission assignments required
INHERITANCE
[Diagram: columns "Folder" and "User Permissions"]
Folder: (Grand) Parent Folder; Parent Folder 1; Child Folder 1A; Child Folder 1B; Parent Folder 2; Child Folder 2A; Child Folder 2B; Parent Folder 3; Child Folder 3A
User Permissions: Read Write Delete Folders/Files (six entries); ???? ????? ?????? Folders/Files (three entries)
EFFECTIVE PERMISSIONS
• Allowed permissions are cumulative.
• Denied permissions override allowed permissions.
• Explicit permissions take precedence over inherited permissions.
EFFECTIVE PERMISSIONS
[Diagram: columns "Folder" and "User Permissions"]
Folder: (Grand) Parent Folder; Parent Folder 1; Child Folder 1A; (Grand) Child; Child Folder 1B
User Permissions: Deny All; ???? ????? ?????? Folders/Files; Read ????? ?????? Folders/Files; ???? ????? ?????? Folders/Files; ???? ????? ?????? Folders/Files
SHARING FOLDERS
• Without shares, network clients cannot access folders on a server.
• Require:
  • Client for Microsoft Networks
  • File and Printer Sharing for Microsoft Networks
ADMINISTRATIVE SHARES
Administrative shares are hidden.
Appending a $ to a share name creates a hidden share.
RESTRICTIONS ON CREATING FILE SYSTEM SHARES
• On a domain controller:
  • Administrators, Server Operators, Enterprise Admins, Domain Admins groups
• On a domain member server or workstation:
  • Administrators, Server Operators, Power Users groups
• On a workgroup or standalone computer:
  • Administrators or Power Users groups
CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER
Lab: Create Share Folder
• Create “C:\ShareMe” folder
• Right-click “C:\ShareMe”
• Select “Share this folder”
SHARING A VOLUME USING WINDOWS EXPLORER
Lab: Create Share for root
• Start Windows Explorer
• Select C:\ root
• Right-click C:\ root
• Select Sharing tab
• Click “New Share…”
CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN
Lab: Create Share using MMC
• Start Computer Management Console
• Select Shared Folders
• Select Shares
• Right-click
• Click New Shares
CREATING A FILE SYSTEM SHARE USING NET.EXE
• Allows shares to be created from a command line
• Lets you configure permissions during creation
• Lets you configure offline settings for the share
MANAGING SHARED FOLDERS
Lab: Share properties
• Select “ShareMe”
• Right-click
• Properties
CONTROLLING OFFLINE STORAGE
Lab: Offline Caching
• Select “ShareMe”
• Right-click
• Caching
USING SHARE PERMISSIONS
• Limited scope: Can be applied only to folders and only when connecting to the share.
• Lack of flexibility: Permissions applied to the share apply to all levels below.
• No replication: Share permissions are not replicated.
• No resiliency: Share permissions cannot be backed up or restored.
USING SHARE PERMISSIONS (continued)
• Fragility: Shares (and therefore share permissions) are lost when a folder is moved or renamed.
• No auditing: Share permissions do not facilitate auditing.
SHARE PERMISSION DEFAULTS
• When a new share is created, the following permissions are granted:
  • Everyone special identity: Read
  • Administrators: Full Control
CREATING A FILE SYSTEM SHARING STRATEGY
• Create logically named shares.
• Use nesting where necessary to reduce users’ need to navigate the directory structure.
• Share removable drives from the root to keep the share available when media are removed and reconnected or changed.
NESTING SHARES
• A share can be created on any folder in the file system.
• Multiple shares on the same folder can have different permissions.
• Permissions are applied at the share entry point.
USING NTFS PERMISSIONS
• Scope: NTFS permissions apply no matter how the file is accessed.
• Flexibility: Wide range of permissions allows assignments to be tailored.
• Replication: NTFS permissions are included when a file is replicated.
• Resilience: NTFS permissions are retained when objects are backed up.
• Less fragile: NTFS permissions are not lost if a file is moved or renamed.
• Auditing: NTFS permissions support auditing.
RESOURCE OWNERSHIP
• Each file and folder is assigned an owner.
• Ownership of a file makes the security principal a member of the Creator/Owner special identity.
• Files that are owned go toward disk quota calculations.
ADMINISTERING IIS
• Web server platform included with all editions of Windows Server 2003.
• Version 6 has improved security over previous versions.
• Allows files to be published through a browser interface.
• Supports HTTP and FTP.
INSTALLING IIS
• Not installed during operating system installation
• Installed through the Windows Components Wizard (select Add Or Remove Programs in Control Panel, and click Add/Remove Windows Components) or through the Manage Your Server wizard
CREATING VIRTUAL DIRECTORIES
• Allows you to include a folder from anywhere on the network in your Web site
• Appears to the Web site user as if it is a sub-directory of the main Web site folder
• Allows management of Web content to be distributed between departments.
SUMMARY
• Windows Server 2003 controls access to resources using a number of mechanisms, including share permissions and NTFS permissions.
• Every object protected by permissions has an ACL, which is a list of ACEs assigned to that object. Each ACE contains a security principal and indicates the level of access they are permitted or denied to the object.
• File system shares enable network users to access files and folders on other computers.
SUMMARY (continued)
• Share permissions provide basic protection for file system shares, but they lack the granularity and flexibility of NTFS permissions.
• NTFS permissions can be allowed or denied, and explicit or inherited. A Deny permission takes precedence over an Allow permission, and an explicit permission takes precedence over an inherited permission.
SUMMARY (continued)
• Access granted by NTFS permissions can be restricted by share permissions and other factors, such as IIS permissions on Web sites.
• Whenever two permission types are assigned to a resource, you must evaluate each set of permissions and then determine which of the two is more restrictive.
• Every NTFS file and folder has an owner. The owner of a file or folder is always permitted to modify the file or folder’s ACL.
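The rules from the EFFECTIVE PERMISSIONS slide (cumulative Allow, Deny over Allow, explicit over inherited) and the summary rule that the more restrictive of share and NTFS permissions applies, modelled as an added Python example that is not part of the original slides. The right names, the share-level mapping, the single inherited tier and the sample ACL are simplifying assumptions; the share ACL uses the defaults listed under SHARE PERMISSION DEFAULTS.

```python
from dataclasses import dataclass

ALL = frozenset({"read", "write", "delete", "change_permissions"})
# Share permission levels reduced to the simplified rights above (assumed mapping).
SHARE_LEVELS = {"Read": frozenset({"read"}),
                "Change": frozenset({"read", "write", "delete"}),
                "Full Control": ALL}

@dataclass(frozen=True)
class Ace:
    principal: str           # user or group name
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: frozenset
    inherited: bool = False  # True when the ACE flowed down from a parent folder

def ntfs_effective(acl, token):
    """Rights a token (user name plus its groups) gets from an NTFS ACL."""
    granted = set()
    for right in ALL:
        # Precedence: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
        for inherited, allow in ((False, False), (False, True), (True, False), (True, True)):
            if any(a.inherited == inherited and a.allow == allow
                   and a.principal in token and right in a.rights for a in acl):
                if allow:
                    granted.add(right)
                break  # the first tier that mentions the right decides it
    return frozenset(granted)

def share_effective(share_acl, token):
    """Share permissions are cumulative across the groups in the token."""
    rights = set()
    for principal, level in share_acl.items():
        if principal in token:
            rights |= SHARE_LEVELS[level]
    return frozenset(rights)

def network_effective(acl, share_acl, token):
    """Through a share, the more restrictive set applies (intersection)."""
    return ntfs_effective(acl, token) & share_effective(share_acl, token)

# Constructed sample data: names and ACL entries are illustrative only.
ALICE = {"alice", "Sales", "Everyone"}
FOLDER_ACL = [
    Ace("Everyone", True, frozenset({"read"}), inherited=True),
    Ace("Sales", True, frozenset({"read", "write", "delete"}), inherited=True),
    Ace("Sales", False, frozenset({"delete"}), inherited=True),
    Ace("alice", True, frozenset({"delete"})),  # explicit Allow on this folder
]
DEFAULT_SHARE = {"Everyone": "Read", "Administrators": "Full Control"}
```

With this data, alice keeps delete locally because her explicit Allow outranks the inherited Deny on Sales, but through the default share she is limited to read.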
SUMMARY (continued)
• Any user with the Allow Take Ownership permission or the Take Ownership Of Files Or Other Objects user right can take ownership of an object.
• IIS is a Windows Server 2003 application that allows you to share files and folders using Web and FTP server services.