Securing Shared Drives and Folders

The type of security that can be applied to a shared drive or folder depends on the file system in use. FAT and FAT32 file systems are inherently less secure than the NTFS (New Technology File System) file system and do not support the same advanced set of security settings. The following sections provide further information about the security features provided by each of these file systems.

FAT and FAT32

FAT and FAT32 only provide share level security over shared network drives and folders. To set share level security when using FAT or FAT32, click on the Permissions button on the Sharing property sheet when setting up the shared drive or folder. This opens the Permissions For dialog, as demonstrated in Figure 19.14.

Figure 19.14: Configuring share level permissions when working with FAT or FAT32

Share level security allows the administrator to specify which users can access the shared resource by adding and removing user and group accounts to and from the resource's ACL (access control list). Click on Add to specify a username or group that is to be granted or denied access. Click on Remove to delete the username or group from the ACL.

Note 

The Everyone group is used to represent every network user, thus allowing anyone who can access the network to access the shared resource. More information on Windows XP groups and group management is available in Chapter 9, "Security Administration."

Once a username or group has been added to the ACL, specific security permissions can be applied by selecting the username or group from the Group or user names list and then selecting or clearing the share security permissions located in the bottom portion of the property sheet. Table 19.1 outlines the available share permissions and describes the level of access that they grant.

Table 19.1: Share Level Security Permissions

| Permission | Description |
|---|---|
| Full Control | Provides the ability to assume ownership, to administer security permissions, to execute programs, and to create, change, and delete files and folders |
| Change | Provides the ability to execute programs and to create, change, and delete files and folders |
| Read | Provides the ability to execute programs and to display folders and files |

Each of the share level security permissions can be applied by electing either to allow or to deny access. Share level security permissions are hierarchical in nature, meaning that granting the Change permission implies a grant of the Read permission, and the granting of the Full Control permission implies the granting of all permissions.

NTFS security governs access by local and network users. When a volume or partition is formatted with NTFS, both share level and NTFS level security permissions can be applied. To set NTFS security, select the Security property sheet when setting up the shared drive or folder, as demonstrated in Figure 19.15.

Figure 19.15: Configuring NTFS security permissions

NTFS security allows the administrator to specify which users can access the shared resource by adding and removing usernames and group accounts to the resource's ACL. Click on Add to specify a username or group to be granted or denied access. Click on Remove to delete the username or group from the ACL.

NTFS security provides more granular control over user and group security permissions. Table 19.2 provides a summary of the available NTFS security permissions. In addition to these security permissions, the administrator can click on Advanced to administer security at an even more granular level.

Table 19.2: NTFS Security Permissions

| Permission | Description |
|---|---|
| Full Control | Provides the ability to assume file ownership, to administer security permissions, to change folders and files, to navigate directories, to view folder contents, and to view folders and files |
| Modify | Provides the ability to change folders and files, to navigate directories, to view folder contents, and to view folders and files |
| Read & Execute | Provides the ability to navigate directories, to view folder contents, and to view folders and files |
| List Folder Contents | Provides the ability to view folder contents |
| Read | Provides the ability to view folders and files |
| Write | Provides the ability to create files and folders |

Note 

To learn more about the application of NTFS security permissions, refer to Chapter 9, "Security Administration."

Resolving Effective Security Permissions

Share level permissions only affect network users. This means that users who log in locally to the computer where a shared resource resides are not governed by share level permissions. NTFS permissions apply to all users, local and network. Since NTFS permissions are more granular and affect all users, most administrators choose to apply only NTFS permissions when configuring shared access.

However, both share and NTFS permissions can be applied. When this happens, the resulting level of access is derived from an examination of both types of security permissions. Windows XP Professional determines the level of access granted by NTFS permissions and the level of access granted by share permissions and then implements the most restrictive combination of the two. For example, if a user or group is granted the Read share level permission and the Full Control NTFS permission over a specific resource, the user will be limited to Read access when accessing the resource over the network. However, if the user were to log in locally to the computer, he or she would have Full Control access over the resource.
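The resolution rule described above can be modelled in a few lines. The following is an added example, not code from the book: the right names are an assumed common vocabulary that simplifies Tables 19.1 and 19.2, List Folder Contents is left out, and the model assumes deny entries take precedence over allow entries while ignoring inheritance order.

```python
# Added example: simplified model of share + NTFS permission resolution.
# The right names below are an assumption that collapses the page's tables
# into one vocabulary; real ACLs use finer-grained access masks.
READ = frozenset({"read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"set_permissions", "take_ownership"}

SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL}
NTFS_LEVELS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Read & Execute": READ,
    "Modify": CHANGE,
    "Full Control": FULL,
}

def granted(acl, levels, principals):
    """Rights an ACL gives a user: union of allows across the user's
    principals (own account plus groups), minus anything denied."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allow if kind == "allow" else deny).update(levels[level])
    return allow - deny

def effective_access(share_acl, ntfs_acl, principals, over_network):
    """Most restrictive combination of share and NTFS permissions.
    Share permissions are skipped for a local logon."""
    ntfs = granted(ntfs_acl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, SHARE_LEVELS, principals)

# Constructed sample ACLs: (principal, "allow" | "deny", level)
SHARE_ACL = [("Everyone", "allow", "Read")]
NTFS_ACL = [("alice", "allow", "Full Control")]
ALICE = {"alice", "Everyone"}

if __name__ == "__main__":
    print(sorted(effective_access(SHARE_ACL, NTFS_ACL, ALICE, True)))
    print(sorted(effective_access(SHARE_ACL, NTFS_ACL, ALICE, False)))
```

A share left at Everyone / Full Control makes the NTFS ACL the only effective control for network users, which is why the NTFS entries are the ones to audit.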

Note 

To learn more about Windows XP Professional security and the applications of NTFS security permissions, refer to Chapter 9, "Security Administration."



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
EAN: 2147483647
Year: 2005
Pages: 358
