Configuring File System Permissions

Objective:

Configure file system permissions

In today's security-conscious environment, few items are as important as basic file system security. There are several levels and methods of protection for files and folders in Windows Server 2003. The two levels of file system security you must be familiar with for the exam are Local Security (also known as NTFS security) and Share security.

Local security applies to a user who is either logged on to the server console or connected via Terminal Services. By default, the following groups have the right to log on locally on a domain controller:

• Administrators

• Account Operators

• Backup Operators

• Print Operators

• Server Operators

The following groups have logon locally rights on a workstation or member server:

• Administrators (Domain Administrators)

• Backup Operators

• Power Users

• Users

• Guest (if not disabled)

Because the members of these groups can log on to the server or workstation directly, it is always recommended that you format your volumes with the New Technology File System (NTFS). This is because you can use local security to block access for various users and groups to files and folders on an NTFS volume. On the other hand, File Allocation Table (FAT) volumes have no local security whatsoever. A user who has the necessary rights to log on to a server or workstation has unrestricted access to all the files and folders contained on a FAT volume.

Note: Domain Controllers

The partition of a domain controller that contains SYSVOL and the Active Directory database is required to be formatted with NTFS.

For a more detailed explanation of the various types of FAT volumes and how they differ from NTFS volumes, refer to the "Working with Basic Disks" section in Chapter 12, "Managing Server Storage Devices."