Chapter 8: CONFIGURING AND MANAGING SHARED FOLDER SECURITY

IT103Microsoft Windows XP/OS Chap08

OVERVIEW

Create and remove shared folders

Control access to shared folders

Analyze and troubleshoot combined permissions

Manage and troubleshoot offline files

Manage and troubleshoot Web server resources

SHARED FOLDERS

Shared folders…

Shared folders make it possible to access files across the network.

Server systems make shared folders available to client computers.

SHARED FOLDER PERMISSIONS

Shared folder permissions…

Shared folders have three basic permissions: Read, Change, and Full Control.

It is possible, as with NTFS permissions, to also deny a permission, with the same effect as Deny for NTFS. As with NTFS, it is best to use Deny only to support exception policies, and you should be sure to document use of Deny to prevent later confusion.

SHARED FOLDER PERMISSIONS (CONTINUED)

Apply to folders only (not files).

Do not restrict local access to resources.

The only permissions available on FAT volumes.

Default permission is Everyone/Read.

Important Security Note!

Please replace the Everyone group with Users or Authenticated Users.

SHARED FOLDER PERMISSIONS (CONTINUED)

Detail on the previous slide

The previous slide shows how access to a higher-level shared folder can provide access to lower-level folders.

Administrators in this example have Full Control access to all folders when they access the hidden administrative root shares.

The other groups have access only to lower-level folders.

PLANNING SHARED FOLDERS

Consolidate data.

Assign permissions to folders.

Assign most restrictive permissions possible.

Use groups for permission assignment.

Use intuitive share names.

PLANNING SHARED FOLDERS (CONTINUED)

Multiple permissions.

Limit use of Deny permission.

Permissions interact with NTFS permissions.

Folder no longer shared if moved or renamed.

Copies of folders are not shared.

Multiple Permissions

When you assign permissions to a folder, consider the effects of multiple permissions.

Permissions are the sum of all the permissions assigned to groups that the user belongs to.

Deny overrides all other permissions.

When share permissions are combined with NTFS permissions, the effective permission is the more restrictive of the two.
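
The three rules above, together with the earlier point that share permissions do not restrict local access, worked through as an added example that is not part of the original slides. The group names and ACL entries are constructed, and both layers use the same three simplified rights sets rather than the full list of NTFS permissions.

```python
# Added example. Simplified model: a permission is a set of rights, so
# "sum of group permissions", "Deny overrides" and "more restrictive of the
# two" become set union, difference and intersection.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions"}

def layer_rights(acl, groups):
    """Rights an ACL of (group, "allow"|"deny", rights) entries gives `groups`."""
    allowed, denied = set(), set()
    for group, kind, rights in acl:
        if group in groups:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied  # Deny overrides every Allow

def effective_rights(share_acl, ntfs_acl, groups, over_network=True):
    ntfs = layer_rights(ntfs_acl, groups)
    if not over_network:
        return ntfs  # share permissions do not restrict local access
    return layer_rights(share_acl, groups) & ntfs  # more restrictive wins

# Constructed sample ACLs; the group names are hypothetical.
SHARE_ACL = [
    ("Authenticated Users", "allow", READ),
    ("Accounting", "allow", CHANGE),
    ("Contractors", "deny", FULL_CONTROL),
]
NTFS_ACL = [
    ("Authenticated Users", "allow", READ),
    ("Managers", "allow", FULL_CONTROL),
]

def describe(groups, over_network=True):
    rights = effective_rights(SHARE_ACL, NTFS_ACL, set(groups), over_network)
    return sorted(rights)

if __name__ == "__main__":
    cases = [
        (["Authenticated Users", "Accounting"], True),
        (["Authenticated Users", "Managers"], True),
        (["Authenticated Users", "Managers"], False),
        (["Authenticated Users", "Contractors"], True),
        (["Authenticated Users", "Contractors"], False),
    ]
    for groups, net in cases:
        where = "network" if net else "local"
        print(f"{groups} ({where}): {describe(groups, net) or 'no access'}")
```

The Contractors case shows why share-level Deny is not a complete control: the same account still reads the folder when logged on locally, because only the NTFS layer applies there.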

Moving shared folders

When a shared folder is renamed or moved, the folder is no longer shared.

It must be shared again manually. When a shared folder is copied, the copy is not shared.

SHARED FOLDER REQUIREMENTS

Administrators or Power Users group

Must have NTFS:Read to share folders

In Windows XP Professional, only Administrators and Power Users can share folders. In addition, the user who shares a folder must have at least the Read NTFS standard permission to the folder.

SHARING FOLDERS

Create Shared Folder Wizard

SHARING FOLDERS (CONTINUED)

Windows Explorer

SHARING FOLDERS (CONTINUED)

NET SHARE

Net Share command detail

Note the NET SHARE options map to options in the Create Shared Folder Wizard and the Sharing tab of the Properties dialog box for a folder.

ADMINISTRATIVE SHARES

The dollar sign ($) “hides” the share.

STOP SHARING FOLDERS – 3 ways

Computer Management: choose Stop Sharing from shortcut menu

Windows Explorer: select Do Not Share This Folder

NET SHARE: NET SHARE <sharename> /DELETE

MULTIPLE SHARES

A little more detail…

You can create multiple shares for one folder for different types of access.

Suppose you have an application folder that you access with Read permission for day-to-day operations.

If you need Change permission to carry out maintenance tasks, you can create both shares and use the Read version for normal operations.

When you need to perform maintenance, you can connect to the Change share.

UNC PATHS

Universal Naming Convention (UNC) paths consist of the server name followed by the share name and any subfolders. They are used to specify the share for mapped drives or for direct access from applications.

CONNECTING TO SHARED FOLDERS

My Network Places

Mapped drives (Windows Explorer)

Mapped drives (NET USE)

Run dialog box

Note: You can access shared folders by browsing My Network Places and finding the share, by mapping a drive in Windows Explorer (if you know the share path), or from a command line. You can also open a share by entering the UNC path in the Run dialog box (opened via the Start menu).

COMBINING NTFS AND SHARE PERMISSIONS

MONITORING SHARED FOLDERS

Shared Folder snap-in

Must be Administrator or Power User

Monitor connections, open files, and file locks

Might also disconnect users

MONITORING SHARED FOLDERS (CONTINUED)

ENABLING OFFLINE FILES (SERVER)

Enable Off-Line Files?

You can enable offline files by clicking the Caching button on the Sharing tab of a folder’s Properties dialog box.

This allows a client computer to cache files in the folder for offline use.

This is a great tool for organizations with mobile users. It allows the documents to be changed from outside the office, with changes being synchronized when the user returns.

ENABLING OFFLINE FILES (CLIENT)

CONFIGURING OFFLINE FILES

CONFIGURING SYNCHRONIZATION

INTERNET FILE SHARING

Installing Internet Information Services (IIS)

Internet Management console

WebDAV and Web folders

Web folder authentication

Using Web folders

WebDAV?

Web folders use Web Distributed Authoring and Versioning (WebDAV) to allow users to read and write files to a folder served from IIS.

WebDAV clients such as Internet Explorer 5 and later and Microsoft Office XP and later can use Web folders as if they were file system folders.

INSTALLING IIS

Installed from Add/Remove Programs

Apply Windows Updates

Note: If the Windows Firewall is enabled on the computer, be sure that firewall exceptions are configured to allow Web serving.

INTERNET MANAGEMENT CONSOLE

WEB FOLDERS

CLIENT CONNECTIONS TO WEB FOLDERS

Note: This slide shows Internet Explorer’s Open dialog box opening a Web folder. Explain that failure to select Open As Web Folder will cause the browser to open the folder as a Web site (read-only).

SUMMARY

Share folders to allow remote usage.

Share permissions apply only to folders.

Default share permission is Everyone:Read.

Replace default share permissions to reduce security exposure.

Administrators and Power Users can share folders.

NTFS and share permissions can be combined.

SUMMARY (CONTINUED)

Offline files must be enabled before use.

Synchronization Manager synchronizes offline files.

IIS and WebDAV allow Internet file sharing.

WebDAV clients can use Web folders.