Section 2.4. Managing and Maintaining Access to Network Resources


Network files and folders are one of the primary resources administrators have to manage and maintain. Files are shared over the network by configuring shared folders. Access to shared folders is managed using share permissions and filesystem permissions. While share permissions provide the top-level access controls to the files and folders being shared, filesystem permissions ultimately determine who has access to what. The two levels of permissions for shared folders can be thought of as a double set of security doors. Share permissions open the outer security doors so that specific groups of users can access a particular shared folder. Filesystem permissions determine access to the inner security doors on individual files and folders within the shared folder.

2.4.1. Configuring Access to Shared Folders

Users access files stored on Windows servers using shared folders. There are two general types of shares: standard and web. Standard shares are used to access folders over a network. Web shares are used to access folders over the Internet.

2.4.1.1. Configuring access to shared folders

When a user needs to access shared files and folders over the network, he uses standard shared folders. All shared folders have a folder path and a share name. The folder path sets the local file path to the shared folder. The share name sets the name of the shared folder. For example, the user might want to share the folder C:\userdata as UserDirs.

All shared folders have a specific set of permissions. Share permissions grant access directly to users by account name or according to their membership in a particular group, and are applied only when a folder is accessed remotely.

One of three levels of share permissions can be granted to a user or group:


Full Control

Grants both Read and Change permission. Also allows the user to change file and folder permissions and take ownership of files and folders.


Change

Grants Read permission. Also allows the user to create files and subfolders, modify files, change attributes on files and subfolders, and delete files and subfolders.


Read

Allows the user to view file and subfolder names, access the subfolders of the share, read file data and attributes, and run program files.

Share permissions determine the maximum allowed access level. If the user has Read permission on a share, the most the user can do is perform Read operations. If a user has Change permission on a share, the most the user can do is perform Read and Change operations. If a user has Full Control permission, the user has full access to the share. However, in any case, filesystem permissions can further restrict or block access.

You can share folders using Windows Explorer and Computer Management. With Windows Explorer, you can share a folder on a local computer by right-clicking a folder, selecting Sharing And Security, and then selecting Share This Folder. The share name is set for you automatically and can be changed as desired. To set the share permissions, click the Permissions tab.


Tip: Unlike Windows NT and 2000, the default share permission for Windows Server 2003 is Everyone-Read instead of Everyone-Full Control. Further, keep in mind that with Windows Explorer, you can share only local folders but with Computer Management you can share folders on local as well as remote computers.

With Computer Management, you can share folders of any computer to which you can connect on the network. You can create a shared folder by completing these steps:

  1. Start Computer Management, connect to the computer you want to work with, expand System Tools and Shared Folders, and then select Shares to list the current shares on the system you are working with.

  2. Right-click Shares and then select New Share. This starts the Share A Folder Wizard.

  3. Click Next to display the Folder Path page. Click Browse and then use the Browse For Folder dialog box to find the folder you want to share.

  4. Click Next to display the Name, Descriptions, And Settings page shown in Figure 2-13.

    Figure 2-13. Set the share name and description.

  5. In the Share Name field, type a name for the share. Share names can be up to 80 characters in length and can contain spaces. For DOS clients, you should limit the share name to eight characters with a three-letter extension. To create a hidden administrative share, type $ as the last character of the share name.

  6. Optionally, type a description of the share in the Description field. The description is displayed as a comment when the share is viewed.

  7. Click Next. On the Permissions page, set the default share permissions using the options provided:


    All Users Have Read-Only Access

    Grants the Everyone group Read-only access (the default).


    Administrators Have Full Access; Other Users Have Read-Only Access

    Grants administrators Full Control and the Everyone group Read-only access.


    Administrators Have Full Access; Other Users Have Read And Write Access

    Grants administrators Full Control and the Everyone group Change access.


    Use Custom Share And Folder Permissions

    Allows you to configure access by accessing Full Control, Change, and Read access to specific users and groups (recommended).

  8. Click Finish to create the share and set the initial permissions. To further restrict access, set filesystem permissions.

Once you share a folder, it is available to users automatically and can be accessed using a network drive. Network drives can be mapped automatically using logon scripts. In Windows Explorer, you can map a network drive by selecting Tools, then Map Network Drive. This displays the Map Network Drive dialog box shown in Figure 2-14.

Figure 2-14. Set the drive letter and folder path.


You use the Drive field to select a free drive letter to use. You use the Folder field to enter the UNC path to the network share. For example, to access a server called FileServer06 and a shared folder called HomeDirs, type \\FileServer06\HomeDirs. If you don't know the name of the share, you could click Browse to search for available shares. In the Browse For Folder dialog box, expand the entry for the domain you want to work with under Microsoft Windows network, expand the entry for the file server, select the shared folder, and then click OK.

2.4.1.2. Managing shared folder properties and permissions

You can manage the properties and permissions of shared folders using Windows Explorer or Computer Management. With Computer Management, you can work with a share's properties and permissions by completing the following steps:

  1. Start Computer Management, connect to the computer you want to work on, expand System Tools and Shared Folders, and then select Shares to list the current shares on the system you are working with.

  2. Right-click the share you want to work with, and then select Properties.

  3. You'll then see a dialog box similar to the one shown in Figure 2-15. The Properties dialog box has the following tabs:

    Figure 2-15. Configure share properties.


    General

    Displays the share name, description, and folder path. Use the User Limit radio buttons to control how many users can connect to the share at one time. Use the Offline Settings options to configure whether and how the contents will be available to users who are offline. To rename the share, you must stop sharing the folder, and then share it again with the new name.


    Publish

    Allows you to publish the share in Active Directory. Select Publish This Share In Active Directory to allow users to search for the folder using Active Directory's find features. You can add keywords and owner information as well if desired.


    Share Permissions

    Displays the current share permissions. Click a group or user in the list to view or change the related permissions. Click a group or user, and then click Remove to remove share permissions for that group or user. Click Add to specify share permissions for additional groups or users.


    Security

    Displays the current NTFS permissions for the folder. Click a group or user in the list to view or change the related permissions. Click a group or user, and then click Remove to remove NTFS permissions for that group or user. Click Add to specify NTFS permissions for additional groups or users.

2.4.1.3. Using hidden and administrative shares

Windows Server 2003 creates several shares automatically. The shares, referred to as special or default shares, are listed when you select the Shares node in Computer Management. Shares with names ending in a dollar sign ($) are hidden. These hidden or administrative shares do not appear on the network browse list in My Network Places or elsewhere where share names would be listed normally.

The special shares that are available depend on the system configuration. Typically, you'll find one or more of the following special shares on any Windows 2000, Windows XP, or Windows Server 2003 computer:


C$, D$, E$, . . .

A special share for the root of each available drive letter on the computer. Mapping a network drive to this special share provides full access to the drive.


ADMIN$

A special share for accessing the operating system files in the %SystemRoot% folder.


FAXCLIENT and FXSSRVCP$

The FAXCLIENT and FXSSRVCP$ shares are used to support network faxes.


IPC$

A special share to support named pipes and process-to-process communications. Named pipes can be redirected over the network to connect local and remote systems, and enable remote administration.


NETLOGON

A special share that supports the Net Logon service and is used during processing of logon requests (primarily for logon scripts).


Microsoft UAM Volume

A special share that supports Macintosh file and printer services. It is used by the File Server For Macintosh and Print Server For Macintosh services.


PRINT$

A special share that supports printer sharing by providing access to printer drivers.


SYSVOL

A special share used to support Active Directory. Domain Controllers have this share and use it to store Active Directory data, including policies and scripts.


Tip: Special shares are created each time a computer is started. If you delete a special share, it is re-created the next time the system starts.

As an administrator, you can create hidden shares by adding a dollar sign ($) to the end of a share name. Like any other share, the permissions on a hidden share determine who has access. Any user with appropriate permissions can connect to a hidden share, provided the user knows the full UNC path to the share.

2.4.1.4. Configuring web shares

To give users access to shared files and folders over the Internet, you use web shares. Web shares are accessed in a web browser using the Hypertext Transfer Protocol (HTTP). To use web shares, a system must have IIS installed. Install it using Add Or Remove Programs in the Control Panel. Click Add/Remove Windows Components, then configure the appropriate Application Server components to install and configure IIS as necessary.

All web shares have a folder path and an alias. The folder path sets the local file path to the shared folder. The alias sets the name of the web share. For example, you might want to share the folder C:\reports as UserReports.

All web shares have two sets of permissions:


Access permissions

These grant access directly to users by account name or according to their membership in a particular group, and are applied only when a folder is accessed remotely.


Application permissions

These determine the permitted actions for programs and scripts that may be contained in the folder being shared over the Web.

Access permissions that can be granted to a user or group are as follows:


Read

Allows web users to read files in the folder


Write

Allows web users to write data in the folder


Script Source Access

Allows web users to access the source code for scripts (not recommended)


Directory Browsing

Allows web users to browse the folder and its subfolders (not recommended)

Application permissions that can be set are as follows:


None

Disallows the execution of programs and scripts


Scripts

Allows scripts stored in the folder to be run from the Web


Execute (Includes Scripts)

Allows both programs and scripts stored in the folder to be executed from the Web

You can create web shares using Windows Explorer, by completing these steps:

  1. Right-click the local folder you want to share, and then select Properties.

  2. In the Properties dialog box, select the Web Sharing tab.

  3. Use the Share On list box to select the local web site on which you want to share the selected folder.

  4. Select Share This Folder to display the Edit Alias dialog box shown in Figure 2-16.

    Figure 2-16. Set the web share alias and permissions.

  5. In the Alias field, type an alias for the folder. This alias must be unique for the web server.

  6. Use the Access Permissions checkboxes to set the access permissions. The default access permission granted is Read.

  7. Use the Application Permissions radio buttons to set the application permissions for the folder. The default application permission granted is Scripts.

  8. Click OK. To further restrict access, set filesystem permissions.

Once you create a web share, it is available to users automatically and can be accessed using a web browser. The alias is the name you'll use to access the folder on the web server. On the internal network, the alias "UserReports" could be accessed on FileServer06 using http://fileserver06/userreports/ as the Internet address. On the Internet, the alias "UserReports" could be accessed on williamstanek.com using http://williamstanek.com/userreports/ as the Internet address.
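The access and application permissions described above combine, and some combinations deserve a second look before a web share goes live. The following script is an added example, not code from the book or from Windows: it reviews a web share's settings against the book's own "not recommended" notes and against one generalisation of them, that Write access together with an application permission that runs code (Scripts or Execute) lets a remote user place a file in the folder and have the server run it. The share configurations, alias and function names are constructed for illustration.

```python
"""Added example (not from the book): reviewing web share permission settings.
The share configurations below are constructed for illustration."""

ACCESS_PERMISSIONS = {"Read", "Write", "Script Source Access", "Directory Browsing"}
APPLICATION_PERMISSIONS = {"None", "Scripts", "Execute (Includes Scripts)"}


def review_web_share(alias, access, application):
    """Return findings for one web share. `access` is the set of access
    permissions ticked on the Web Sharing tab; `application` is the selected
    application permission. The Write-plus-execution rule generalises the
    book's individual warnings: together they let a remote user place a
    script or program in the folder and then have the server run it."""
    if not set(access) <= ACCESS_PERMISSIONS:
        raise ValueError(f"{alias}: unknown access permission")
    if application not in APPLICATION_PERMISSIONS:
        raise ValueError(f"{alias}: unknown application permission")
    findings = []
    if "Write" in access and application != "None":
        findings.append(f"{alias}: Write combined with '{application}' allows "
                        "uploaded scripts or programs to run on the server")
    elif "Write" in access:
        findings.append(f"{alias}: Write lets web users change folder contents")
    if "Script Source Access" in access:
        findings.append(f"{alias}: Script Source Access exposes script source "
                        "code (not recommended)")
    if "Directory Browsing" in access:
        findings.append(f"{alias}: Directory Browsing lists the folder and its "
                        "subfolders to web users (not recommended)")
    return findings


# Constructed configurations: the first uses the wizard default application
# permission (Scripts) plus Write and Directory Browsing; the second is the
# read-only, no-execution setting a folder of static reports needs.
WEAK = ("UserReports", {"Read", "Write", "Directory Browsing"}, "Scripts")
HARDENED = ("UserReports", {"Read"}, "None")

if __name__ == "__main__":
    for share in (WEAK, HARDENED):
        print(share[0], review_web_share(*share) or ["no findings"])
```

Run the script as-is to see the two findings for the weak configuration and none for the hardened one; to review a real share, pass the alias, the ticked access permissions and the selected application permission from its Web Sharing tab to review_web_share.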

2.4.2. Working with Attributes of Files and Folders

On FAT, FAT32, and NTFS volumes, all files and folders have basic attributes that allow files and folders to be marked as Hidden and Read-only. Basic attributes can be examined in Windows Explorer by right-clicking the file or folder and then selecting Properties. The Hidden attribute determines whether the file or folder is displayed in directory listings.

You can override the Hidden attribute by setting Windows Explorer to display hidden files:

  1. In Windows Explorer, click Tools, then Folder Options, and then select the View tab.

  2. Under Hidden Files And Folders, select Show Hidden Files And Folders, and then click OK.

On NTFS, a folder's Read-only attribute is shown dimmed, meaning the attribute is in a mixed state regardless of the current state of the files in the folder. To override the mixed state, either select Read-only for the folder so that all files in the folder become read-only, or clear the Read-only checkbox for the folder so that all files in the folder become writable.

Some files and folders also have extended attributes. Extended attributes come from named data streams associated with a folder or file. Many types of document files have named data streams associated with them. These define field and field values that appear on optional tabs, such as the Custom or Summary tab.

2.4.3. Configuring Filesystem Permissions

Filesystem permissions determine the specific set of access controls applied to a file or folder. FAT volumes have no file and folder permission capabilities. On FAT/FAT32, share permissions provide the only access controls for shared FAT/FAT32 folders. NTFS volumes have filesystem permissions that include specific ownership permissions for files and folders. When you share folders on NTFS volumes, share permissions provide the top-level access control and NTFS permissions provide the base-level access controls.

NTFS permissions are managed according to:

  • Basic or special permissions directly assigned

  • Basic or special permissions inherited from higher level folders

  • Ownership of the related file or folder

Together, these three components for NTFS permissions determine the effective permissions on a particular file or folder.

2.4.3.1. Working with NTFS permissions

Whether you work with files locally by logging on to a computer or remotely using shared folders, NTFS permissions provide the base access permissions. Whenever a user attempts to access a file or folder, NTFS permissions determine whether access is granted. If the user has been granted access to a file or folder, the access permissions determine the permitted actions as well, such as whether a user can change a file's contents.

On NTFS volumes, every file and folder has a security descriptor called an access control list (ACL) associated with it. Access permissions are stored within the ACL as access control entries (ACEs). The ACEs detail the specific permissions that apply to each user and group. When a user attempts to access a file or folder, the user's security access token, containing the security identifiers (SIDs) of the user's account and any groups of which the user is a member, is compared to the file or folder's security descriptor.

If the user has specific access permissions, the user will be granted access and will have the permissions assigned through the related ACE for the user. If the user is a member of a group that has specific access permissions, the user will be granted access and will have the permissions assigned through the related ACE for the group. When multiple ACEs apply, the user will have effective permissions that are a combination of the access permissions.


Tip: Generally, if a user is a member of multiple groups, her effective permissions are a combination of permissions assigned in all groups. The highest level of permissions will apply.

NTFS has both basic and special permission sets. The basic permissions represent a grouping of special permissions that together allow six commonly configured levels of access: Read, Read & Execute, List Folder Contents (folders only), Write, Modify, and Full Control. The special or advanced permissions provide granular control for when you need to fine-tune access permissions.

2.4.3.2. Managing basic permissions

You can view the basic permissions on a file or folder using Windows Explorer. Unlike share permissions, Windows Explorer can be used to set NTFS permissions on both local and remote computers. Right-click the file or folder, select Properties, and then, in the Properties dialog box, select the Security tab. As Figure 2-17 shows, the Security tab is divided into two lists. The Group Or User Names list shows groups and users with assigned permissions. Click a user or group name to display the allowed or denied permissions for that user or group in the Permissions For list. Dimmed permissions are inherited from a parent folder. See "Understanding and managing inherited permissions," later in this chapter for details.

Figure 2-17. Basic access permissions are a grouping of special access permissions.


Basic file permissions differ slightly from basic folder permissions. Table 2-9 describes basic permissions for files. Table 2-10 describes basic permissions for folders.

Table 2-9. Basic permissions for files

Permission

Description

Full Control

Permits reading and listing of files; writing to files; deleting files and file contents; viewing attributes and permissions of files; changing attributes and permissions of files; taking ownership of files

Modify

Permits reading and listing of files; writing to files; deleting files and file contents; viewing attributes; setting attributes

Read & Execute

Permits executing files; reading and listing of files; viewing attributes and permissions of files

Write

Permits writing to files; creating files; appending data to files; deleting files and file contents; setting attributes of files

Read

Permits reading and listing of files; viewing attributes and permissions of files


Table 2-10. Basic permissions for folders

Permission

Description

Full Control

Permits reading and listing of folders and files; writing to files; creating folders and files; deleting folders, files, and file contents; viewing attributes and permissions of folders and files; changing attributes and permissions of folders and files; taking ownership of folders and files

Modify

Permits reading and listing of folders and files; writing to files; creating folders and files; deleting folders, files, and file contents; viewing and setting attributes of folders and files

Read & Execute

Permits executing files; reading and listing of folders and files; viewing attributes and permissions of folders and files

List Folder Contents

Permits reading and listing of folders and files; executing files

Write

Permits creating files in folders

Read

Permits reading and listing of folders and files; viewing attributes and permissions of folders and files


To set basic permissions for files and folders, follow these steps:

  1. Open Windows Explorer. Right-click the file or folder, select Properties, and then, in the Properties dialog box, select the Security tab.

  2. To add a group or user to the Group Or User Names list, click Add. This displays the Select Users, Computers, Or Groups dialog box.

  3. In the Enter The Object Name To Select box, type the name of a user or group account, and then click Check Names. If a match is found, the dialog box is updated as appropriate and the entry is underlined. If multiple matches are found, select one or more of the names listed, and then click OK to return to the Select Users, Computers, Or Groups dialog box. If no matches are found, try searching a different location or using a different name.

  4. Click OK to close the Select Users, Computers, Or Groups dialog box. The previously selected users and groups are added to the Group Or User Name list.

  5. To assign access permissions for a user and group, select an account name and then allow or deny access permissions as appropriate. To assign an access permission, select the permission in the Allow column. To deny an access permission, select the permission in the Deny column.


    Warning: Deny overrides all other permissions. Use the Deny permission only when it is absolutely necessary.

  6. To remove a group or user, select the group or user in the Group Or User Names list and then click Remove.

  7. Click OK to save the settings.

Keep in mind that individual file permissions override the folder permissions. You can also set NTFS folder permissions from the Shared Folders snap-in of the Computer Management console. Click the Security tab of the shared folder and set permissions as appropriate.

2.4.3.3. Managing special permissions

Special permissions allow administrators to directly edit the access control entries (ACEs) associated with a folder or file. You can view the special (advanced) permissions on a file or folder using Windows Explorer. Right-click the file or folder, and then select Properties. In the Properties dialog box, select the Security tab, and then click the Advanced button to display the Advanced Security Settings dialog box. As shown in Figure 2-18, the Permission Entries list shows the access control entry assigned to each group and user with permissions on the selected resource.

Figure 2-18. Special permissions provide granular control for fine-tuning access.


There are two general types of permissions: those that are inherited and those that are not. If a permission is inherited, the folder from which settings are inherited is listed. Typically, you'll manage inherited permissions by editing the folder from which settings are inherited. The exception is when you want to override or modify the inherited permissions for a particular user or group with respect to a specific folder or file.

As Table 2-11 shows, the special permissions are very granular in their scope. It is rare that you will need to edit the access control entry for a group or user, and more typically, you'll need to review or modify special permissions only when access controls aren't working the way you expect them to.

Table 2-11. Special permissions for folders and files

Special permission

Description

Traverse Folder/Execute File

Traverse Folder permits moving through folders to access a folder or file even if the group or user doesn't have explicit access to the traversed folders; the user or group must also have the Bypass Traverse Checking user right. Execute File permits running an executable file.

List Folder/Read Data

List Folder permits viewing file and folder names. Read Data permits viewing the contents of a file.

Read Attributes

Permits reading the basic attributes of a folder or file. These attributes include: Read-only, Hidden, System, and Archive.

Read Extended Attributes

Permits reading extended attributes associated with a folder or file.

Create Files/Write Data

Create Files permits adding files to a folder. Write Data permits overwriting existing data in a file (but not adding new data to an existing file since this is covered by Append Data).

Create Folders/Append Data

Create Folders permits creating subfolders within folders. Append Data permits adding data to the end of an existing file (but not to overwrite existing data, which is covered by Write Data).

Write Attributes

Permits changing basic attributes of a folder or file. These attributes include: Read-only, Hidden, System, and Archive.

Write Extended Attributes

Permits changing extended attributes of a folder or file.

Delete Subfolders and Files

Permits deleting the contents of a folder, even if Delete permission on the subfolder or file isn't specifically granted.

Delete

Permits deleting a folder or file. Even if a group or user doesn't have Delete permission on a subfolder or file, a group or user granted the Delete Subfolders and Files permission on the parent folder can still delete it.

Read Permissions

Permits reading all basic and special permissions assigned to a folder or file.

Change Permissions

Permits changing basic and special permissions assigned to a folder or file.

Take Ownership

Permits taking ownership of a folder or file. The owner of a folder or file can always change permissions on it, even if other permissions were removed. By default, administrators can always take ownership of a folder or file and can also grant this permission to others.


Each ACE listed in the Advanced Security Settings dialog box can be edited by selecting the ACE and then clicking Edit. You will then be able to allow or deny special permissions using the Permission Entry For . . . dialog box shown in Figure 2-19. When you are finished selecting Allow or Deny for each permission as appropriate, use the Apply Onto options to determine how and where these permissions are applied.

Figure 2-19. Accessing the permissions entry.


2.4.3.4. Verifying effective permissions when granting permissions

Often groups or users are members of multiple groups, and each of those groups will have separate access permission configurations. Membership in multiple groups can make it difficult if not nearly impossible to track down the exact access permissions that apply in a given situation. To resolve this problem, Windows provides the Effective Permissions tab for evaluating the access permissions that apply to a group or user with respect to a specific folder or file.

The Effective Permissions tab allows you to determine the collective set of permissions that apply based on directly assigned permissions, permissions inherited due to group membership, and permissions inherited from parent folders. Effective Permissions apply only to folder and file permissions. Share permissions are not included. To view effective permissions on a folder or file, follow these steps:

  1. Open Windows Explorer. Right-click the file or folder, and then select Properties.

  2. In the Properties dialog box, select the Security tab, and then click the Advanced button to display the Advanced Security Settings dialog box.

  3. On the Effective Permissions tab, click Select. Type the name of the user or group, and then click OK.

The effective permissions for the selected user or group are displayed as shown in Figure 2-20.

Figure 2-20. Viewing the effective permissions for a group or user.



Tip: You cannot determine effective permissions for implicit groups or special identities. Share permissions are also not accounted for.

2.4.3.5. Changing ownership of files and folders

As discussed previously in "Understanding implicit groups and special identities," Windows defines many special identities that are implicitly applied according to a particular situation or circumstance. One of these special identities is Creator Owner, which represents the creator and owner of objects and is used to grant implicit access permissions to object owners.

When a user creates a folder or file, the user is the creator and initial owner of the folder or file. If the system creates a folder or file, the default owner is the Administrators group. The owner has complete control to grant access permissions and give other users permission to take ownership of a folder or file.

Ownership can be taken or transferred in several ways:

  • Users who have the right to Restore Files And Directories, such as a member of the Backup Operators group, can take ownership.

  • Members of the Administrators group can take ownership because members of this group are granted this permission by default.

  • Users or groups assigned with the Take Ownership permission can take ownership.

  • Current owners can grant another user the Take Ownership permission.

To view or change ownership of a folder or file, follow these steps:

  1. Open Windows Explorer. Right-click the file or folder, and then select Properties.

  2. In the Properties dialog box, select the Security tab, and then click the Advanced button to display the Advanced Security Settings dialog box.

  3. Click the Owner tab as shown in Figure 2-21. The current owner of the file or folder is listed under Current Owner Of This Item.

    Figure 2-21. Use the Owner tab to determine and change ownership.

  4. To grant Take Ownership permission, click Other Users Or Groups. Use the Select User, Computer, Or Group dialog box to select the user or group to which you want to grant Take Ownership permission.

  5. To change the owner, select the new owner in the Change Owner To list box. When taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects checkbox.

  6. Click OK.

2.4.3.6. Understanding and managing inherited permissions

Windows Server 2003 uses inheritance so that permissions applied to a folder are, by default, applied to subfolders and files beneath that folder. If you later change the permissions of a folder, those changes, by default, affect all subfolders and files beneath that folder.

Permissions are inherited from parent folders. A file inherits its permissions from the folder in which it is stored. A subfolder inherits its permissions from the folder in which it is stored. Folders stored in the root of a drive volume inherit the permissions of the drive volume.

Permissions are inherited by default when files and folders are created. If you remove inherited permissions, any explicitly defined permissions remain. When you view the Security tab for a folder or file, inherited permissions are dimmed and are not changeable. When you view the Permission Entry for a folder or file, inherited permissions similarly are dimmed and are not changeable.

Typically, when you want to change inherited permissions, you will do so by accessing the parent folder from which the permissions are inherited and then making the desired changes. Any permission changes will then be inherited by child folders and files. The Permissions tab of the Advanced Security Settings dialog box lists the folder from which permissions are inherited. Each ACE on the folder or file has a separate entry, as shown previously in Figure 2-18.

When working with the folder or file that is inheriting permissions, you may need to override, stop, or restore inheriting:

  • To override the inherited permissions, select the opposite permission. For example, if a permission is allowed through inheritance, override inheritance by explicitly denying the permission to a group or user.

  • To stop inheriting permissions from a parent folder, clear Allow Inheritable Permissions From The Parent To Propagate To This Object on the Permissions tab. When prompted, you can then duplicate and apply explicitly the permissions that were previously applied, or you can elect to remove the inherited permissions and apply only the permissions that you explicitly set. Click Copy to duplicate and apply the previously inherited settings or click Remove to remove the inherited permission and use only explicit permissions.

  • To restore inherited permissions to the subfolders and files within a folder and remove all explicitly defined permissions, access the folder's Permissions tab, select Allow Inheritable Permissions From The Parent To Propagate To This Object, select Replace Permission Entries On All Child Objects With Entries Shown Here, and click OK.

2.4.4. Troubleshooting Access to Folders and Files

When it comes to folder and file access, the one truism seems to be that the larger the network, the more difficult it is to determine why a user cannot access a particular file or folder. Before you can diagnose and resolve the problem, you need to determine what type of error message the user is getting when attempting to access the folder or file. Most access errors relate to one of the following:


Network connectivity

If the user is accessing a shared folder for the first time and cannot connect to the remote server because "no network was found," the most likely culprit is that the user entered the incorrect UNC path to the shared folder. Check the folder path and the logon credentials being used. If these are correct, check network connectivity between the user's machine and the file server on which the folder or file is located.


Share permissions

If the user sees an "Access is denied" message, the most likely culprits are the share permissions on the resource. Remember, the share permissions set the top-level permissions and act as a cap: the user can perform only the actions the share permissions allow, regardless of the underlying NTFS permissions. The default share permissions provide Read permission to the implicit group Everyone. If you do not change the default permissions, users will only be able to list folder contents and read files within folders.


NTFS permissions

If the user sees an "Access is denied" message, the next most likely culprits are the NTFS permissions on the resource. Share permissions have no effect on local file access or Terminal Services remote access. With remote access via a shared folder, share permissions set the top-level permissions. NTFS permissions set the base-level permissions and can further restrict access. For example, while the Everyone group may have Full Control over the folder, a user that is not a member of a group assigned NTFS permissions will not be able to access and work with the share's folders and files. When troubleshooting, be sure to check basic permissions, special permissions, and the effective permissions.
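The two-door model described in the troubleshooting entries above, together with the Copy/Remove inheritance choices from "Understanding and managing inherited permissions," can be checked against a small evaluation model. This is an added example, not code from the book; the rights names, the `Ace` class and the sample accounts (Alice, Bob, Contractors) are constructed for illustration.

```python
from dataclasses import dataclass

# Atomic rights used by this model; the basic permissions map onto sets of them.
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_perms"
BASIC = {"Read": {READ}, "Change": {READ, WRITE, DELETE},
         "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS}}

@dataclass(frozen=True)
class Ace:
    principal: str           # user or group name
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: frozenset        # atomic rights this ACE covers
    inherited: bool = False  # True if propagated from the parent folder

def ace(principal, basic, allow=True, inherited=False):
    return Ace(principal, allow, frozenset(BASIC[basic]), inherited)

def effective(acl, principals):
    """Rights one ACL grants to a user whose account and groups are `principals`.
    Explicit ACEs are evaluated before inherited ones and, within each group,
    Deny before Allow; the first ACE that mentions a right decides it."""
    decided = {}
    for a in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if a.principal in principals:
            for r in a.rights:
                decided.setdefault(r, a.allow)
    return {r for r, ok in decided.items() if ok}

def remote_access(share_acl, ntfs_acl, principals):
    """Access through the shared folder must pass both doors: share, then NTFS."""
    return effective(share_acl, principals) & effective(ntfs_acl, principals)

def local_access(ntfs_acl, principals):
    """Local or Terminal Services access: share permissions play no part."""
    return effective(ntfs_acl, principals)

def child_acl(parent_acl, explicit, inheritance="keep"):
    """Build a subfolder's ACL. 'keep' propagates the parent's ACEs as inherited,
    'copy' is the Copy button (they become explicit), 'remove' is Remove."""
    if inheritance == "remove":
        return list(explicit)
    keep = inheritance == "keep"
    return list(explicit) + [Ace(a.principal, a.allow, a.rights, keep) for a in parent_acl]

# Constructed sample: default share permissions (Everyone: Read) over a folder that
# inherits Users: Change from its parent and explicitly denies the Contractors group.
SHARE = [ace("Everyone", "Read")]
PARENT_NTFS = [ace("Users", "Change"), ace("Administrators", "Full Control")]
FOLDER_NTFS = child_acl(PARENT_NTFS, [ace("Contractors", "Full Control", allow=False)])
ALICE = {"Alice", "Everyone", "Users"}
BOB = {"Bob", "Everyone", "Users", "Contractors"}
```

With these inputs Alice can read but not write through the share while she can change files locally, and Bob is denied at the NTFS door even though the share door is open to Everyone.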

Beyond the likely culprits, access can be affected by basic attributes as well as encryption. The Hidden basic attribute hides a folder or file from directory listings. The Read-only basic attribute makes a folder or file read-only. To determine whether basic attributes are causing access problems, right-click the folder or file and select Properties. On the General tab, as necessary, clear the Read-only, Hidden, or both checkboxes and then click OK.

NTFS volumes can contain encrypted folders and files, and encryption can limit access to folders and files. To determine whether a folder or file is encrypted, right-click the folder or file and select Properties. On the General tab, click Advanced. If the Encrypt Contents To Secure Data checkbox is selected, the resource is encrypted.

Encryption limits access to the user who encrypted the file, to the user who is granted shared access, and to the Data Recovery Agent (DRA). In domains, the default DRA is the domain Administrator user account. You can determine the exact list of users authorized to access an encrypted file by completing these steps:

  1. Right-click the folder or file and select Properties.

  2. On the General tab, click Advanced. If the Encrypt Contents To Secure Data checkbox is selected, the resource is encrypted.

  3. Click Details to display the Encryption Details dialog box shown in Figure 2-22.

    Figure 2-22. Use the Encryption Details dialog box to determine who has access to an encrypted file.

2.4.5. Troubleshoot Terminal Services

As discussed previously in this chapter in "Remote Desktop for Administration," Windows Server 2003 Terminal Services has two operating modes: Remote Desktop for Administration and Terminal Server. Remote Desktop for Administration is a limited Terminal Server mode that enables remote administration. When a server is configured as a Terminal Server, users establish remote sessions with the server to run Windows-based applications. In this configuration, the execution and processing take place on the Terminal Server, and the display output and the keyboard and mouse input are transmitted over the network between the server and the user. A user logged in remotely to a Terminal Server is in a virtual session, and any single Terminal Server can handle dozens or hundreds of such virtual sessions, depending on its configuration of course.

Exam 70-290 doesn't test your ability to install and configure Terminal Services. However, the exam does test your ability to:

  • Diagnose and resolve issues related to terminal services security

  • Diagnose and resolve issues related to client access to terminal services


Tip: Exam 70-290 also tests your ability to manage a server by using Terminal Services remote administration mode as discussed previously in the chapter in "Remote Desktop for Administration."

2.4.5.1. Diagnosing and resolving issues related to Terminal Services security

Windows Server 2003 provides several ways to manage security for Terminal Services. Using Active Directory Users And Computers, you can add users or groups to the Remote Desktop Users group to allow those users to log on to a terminal server. By adding the Domain Users group to the Remote Desktop Users group, you allow all authenticated domain users to use Terminal Services. By adding the special group Everyone to the Remote Desktop Users group, you allow anyone with access to the network to use Terminal Services.

In addition to the Remote Desktop Users group, users and groups that have access to Terminal Services by default are:


Administrators

Any member of the Administrators group by default has Full Control access permission.


System

By default, has Full Control access permission.


Local Service and Network Service

Both have special access permissions.

You can manage the configuration of a designated Terminal Server using the Terminal Services Configuration tool. Click Start → Programs → Administrative Tools → Terminal Services Configuration, or type tscc.msc at a command prompt.

With Terminal Services and Remote Desktop for Administration, data sent between servers and clients uses Remote Desktop Protocol (RDP). You can modify the RDP settings for a server using the Terminal Services Configuration Tool. Select Connections, right-click the RDP-Tcp connection you want to work with, and select Properties. The RDP-Tcp Properties dialog box has the following tabs:


General

Displays the RDP version and transport. Windows Server 2003 uses RDP version 5.2 over TCP by default. The encryption level in mixed environments that include Windows 2000 computers should be set to Client Compatible.


Logon Settings

Allows you to configure logon settings. Typically, you'll use the default setting: Use Client-Provided Logon Information.


Sessions

Allows you to configure session reconnection and timeout. These settings override the client settings.


Environment

Allows you to specify an initial program to run when a session starts. These settings override the user and client settings.


Remote Control

Determines whether remote control of user sessions is enabled and sets remote control options.


Client Settings

Determines how client screen resolution and redirection features are managed. By default, the connection settings from the clients are used and clients are limited to a maximum color depth of 16 bits.


Network Adapter

Determines to which network adapters on the server connections can be made. The All Network Adapters option is selected by default. A maximum of two connections is the default limit.


Permissions

Allows you to manage security permissions for the server, as discussed next.

When you want to manage Terminal Services security, you'll do so using the Permissions tab of the RDP-Tcp Properties dialog box. Similar to NTFS permissions, Terminal Services has two permission sets: basic permissions and special permissions. The basic permissions represent a grouping of special permissions that together allow three commonly configured levels of access: Guest Access, User Access, and Full Control. The special permissions provide granular control for when you need to fine-tune access permissions.


Tip: The Remote Desktop Users group is granted User Access and Guest Access by default.

Terminal Services permissions set the maximum allowed permissions and are applied whenever a client connects to a Terminal Server. The basic Terminal Services permissions are:


Full Control

Grants users full control over their sessions as well as the sessions of other users. Allows users to change session settings; view and take control of user sessions; disconnect user sessions; and establish virtual channels.


User Access

Allows users to log on, view session settings, and connect to another session.


Guest Access

Allows users to log on to a terminal server. Doesn't allow users to view session settings or connect to another session.

Typically, when you troubleshoot Terminal Services security, you check to see whether a user is a member of Remote Desktop Users in Active Directory Users And Computers. If groups are granted access directly through RDP-Tcp Properties, you need to examine the settings on the Permissions tab. On the Permissions tab, view the access permissions for a user or group by selecting the account name. You can then allow or deny access permissions as appropriate. Click Add to configure permissions for additional users or groups.

2.4.5.2. Diagnosing and resolving issues related to client access to Terminal Services

Users connecting to a Terminal Server will use the Remote Desktop Connection client found under Programs → Accessories → Communications. The default configuration for this client is to connect to a designated server using the user's current credentials. To connect using different credentials, start the Remote Desktop Connection client, click Options, and then enter values in the related Computer, User Name, Password, and Domain fields.


Tip: Both session and client settings are configured by default. The session settings on the server override client settings.

Session settings for display, devices, sound, start programs, experience, and security can be set through the server and the client. Most settings for sessions configured on the server override session settings configured on the client. Configure session settings on the server using the RDP-Tcp Properties dialog box. Configure session settings on the client using the options tabs.

After you click Options in the Remote Desktop Connection client, you'll see the following tabs, described here and shown in Figure 2-23:

    Figure 2-23. Session settings can be controlled through both client and server settings.


General

Configure logon settings. Instead of typing in settings each time, users can save and then load them when they want to make a connection. Save the current connection settings by clicking Save As, and then using the Save As dialog box to save a .RDP file for the connection. Load previously saved connection settings by clicking Open, and then using the Open dialog box to open the previously saved connection settings.


Display

Configure remote desktop size and colors. The default is for 16-bit color on a full screen, but settings on the Terminal Server can override this.


Local Resources

Configure audio redirection, keystroke combination redirection, and local device redirection.


Programs

Configure the execution of programs when a session starts.


Experience

Choose the connection speed to optimize performance and determine whether extras such as backgrounds and themes are allowed.


Security

Specify whether and how authentication is used. Authentication is used to confirm the identity of the terminal server.

Most client access problems for Terminal Services have to do with the following:


Invalid credentials or connection server

If a user is having problems connecting to a terminal server, make sure she is connecting to the appropriate server using the correct username, password, and domain settings. If the user enters the server name and then clicks Connect without setting additional options, the user's current credentials are used for the default logon domain. If the user has recently changed her password and is using saved credentials, she will have to change the saved password and save the connection settings again.


Improper group assignment

The user must be a member of the Remote Desktop Users group in Active Directory or otherwise be assigned permissions for logon as discussed previously in "Diagnosing and resolving issues related to Terminal Services security."


Incorrect authentication mode

With authentication, the user may need to type the fully qualified domain name for the terminal server instead of the computer name. For example, the user may need to type termserver21.williamstanek.com instead of just termserver21.

In a standard configuration, Terminal Services requires TCP port 3389 to be open on both the client and the server. If either the client or the server is running a firewall, TCP port 3389 must be opened to allow remote access.




MCSE Core Required Exams in a Nutshell
MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))
ISBN: 0596102283
Year: 2006
Pages: 95