2.4. Managing and Maintaining Access to Network Resources

Network files and folders are one of the primary resources administrators have to manage and maintain. Files are shared over the network by configuring shared folders. Access to shared folders is managed using share permissions and filesystem permissions. While share permissions provide the top-level access controls to the files and folders being shared, filesystem permissions ultimately determine who has access to what. The two levels of permissions for shared folders can be thought of as a double set of security doors. Share permissions open the outer security doors so that specific groups of users can access a particular shared folder. Filesystem permissions determine access to the inner security doors on individual files and folders within the shared folder.

2.4.1. Configuring Access to Shared Folders

Users access files stored on Windows servers using shared folders. There are two general types of shares: standard and web. Standard shares are used to access folders over a network. Web shares are used to access folders over the Internet.

2.4.1.1. Configuring access to shared folders

When a user needs to access shared files and folders over the network, he uses standard shared folders. All shared folders have a folder path and a share name. The folder path sets the local file path to the shared folder. The share name sets the name of the shared folder. For example, the user might want to share the folder C:\userdata as UserDirs. All shared folders have a specific set of permissions. Share permissions grant access directly to users by account name or according to their membership in a particular group, and are applied only when a folder is accessed remotely. One of three levels of share permissions can be granted to a user or group:
Share permissions determine the maximum allowed access level. If the user has Read permission on a share, the most the user can do is perform Read operations. If a user has Change permission on a share, the most the user can do is perform Read and Change operations. If a user has Full Control permission, the user has full access to the share. However, in any case, filesystem permissions can further restrict or block access. You can share folders using Windows Explorer and Computer Management. With Windows Explorer, you can share a folder on a local computer by right-clicking a folder, selecting Sharing And Security, and then selecting Share This Folder. The share name is set for you automatically and can be changed as desired. To set the share permissions, click the Permissions tab. Tip: Unlike Windows NT and 2000, the default share permission for Windows Server 2003 is Everyone-Read instead of Everyone-Full Control. Further, keep in mind that with Windows Explorer, you can share only local folders but with Computer Management you can share folders on local as well as remote computers. With Computer Management, you can share folders of any computer to which you can connect on the network. You can create a shared folder by completing these steps:
Once you share a folder, it is available to users automatically and can be accessed using a network drive. Network drives can be mapped automatically using logon scripts. In Windows Explorer, you can map a network drive by selecting Tools → Map Network Drive. This displays the Map Network Drive dialog box shown in Figure 2-14.

Figure 2-14. Set the drive letter and folder path.

You use the Drive field to select a free drive letter to use. You use the Folder field to enter the UNC path to the network share. For example, to access a server called FileServer06 and a shared folder called HomeDirs, type \\FileServer06\HomeDirs. If you don't know the name of the share, you could click Browse to search for available shares. In the Browse For Folder dialog box, expand the entry for the domain you want to work with under Microsoft Windows Network, expand the entry for the file server, select the shared folder, and then click OK.

2.4.1.2. Managing shared folder properties and permissions

You can manage the properties and permissions of shared folders using Windows Explorer or Computer Management. With Computer Management, you can work with a share's properties and permissions by completing the following steps:
2.4.1.3. Using hidden and administrative shares

Windows Server 2003 creates several shares automatically. The shares, referred to as special or default shares, are listed when you select the Shares node in Computer Management. Shares with names ending in a dollar sign ($) are hidden. These hidden or administrative shares do not appear on the network browse list in My Network Places or elsewhere where share names would be listed normally. The special shares that are available depend on the system configuration. Typically, you'll find one or more of the following special shares on any Windows 2000, Windows XP, or Windows Server 2003 computer:
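Because hidden shares are reachable by anyone who knows the UNC path and holds share permissions, a routine check is to list a server's shares and separate the system-created ones from hidden shares an administrator added. The following added example (not from the book) parses the table that the net share command prints and reports hidden shares that are not among the well-known defaults. The sample output is constructed, and the set of default share names is an assumption about a typical Windows 2000/XP/Server 2003 installation rather than the book's own list.

```python
"""Audit `net share` output for hidden (dollar-sign) shares.
Added example, not from the book: SAMPLE is constructed output and
DEFAULT_SPECIAL is an assumed list of system-created share names."""
import re

# Share names the system creates on a typical installation (assumption).
DEFAULT_SPECIAL = {"ADMIN$", "IPC$", "PRINT$", "FAX$", "NETLOGON", "SYSVOL"}
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")      # C$, D$, ... root-of-drive shares
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")       # a Resource column entry

# Constructed `net share` output for a file server with one custom hidden share.
SAMPLE = r"""Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
UserDirs     C:\userdata
Payroll$     D:\finance\payroll
The command completed successfully.
"""


def parse_net_share(text):
    """Turn the `net share` table into a list of dicts, one per share."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):          # separator ends the header
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        cols = re.split(r"\s{2,}", line.strip())   # columns are 2+ spaces apart
        name, rest = cols[0], cols[1:]
        resource = rest.pop(0) if rest and LOCAL_PATH.match(rest[0]) else ""
        remark = " ".join(rest)
        shares.append({
            "name": name,
            "resource": resource,
            "remark": remark,
            "hidden": name.endswith("$"),
            "default": name.upper() in DEFAULT_SPECIAL
                       or bool(DRIVE_SHARE.match(name)),
        })
    return shares


def nondefault_hidden(shares):
    """Hidden shares that the system did not create: the ones to review,
    because they are invisible in browse lists yet fully reachable by UNC path."""
    return [s["name"] for s in shares if s["hidden"] and not s["default"]]


if __name__ == "__main__":
    parsed = parse_net_share(SAMPLE)
    for s in parsed:
        flag = "hidden" if s["hidden"] else "visible"
        print(f"{s['name']:<12} {s['resource']:<22} {flag}")
    print("custom hidden shares:", nondefault_hidden(parsed))
```

On a live server the same parser can be fed the real output, for example from subprocess.run(["net", "share"], capture_output=True, text=True).stdout, and the review step is then to confirm each custom hidden share still has a purpose and that its share and NTFS permissions are as intended.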
Tip: Special shares are created each time a computer is started. If you delete a special share, it is re-created the next time the system starts. As an administrator, you can create hidden shares by adding a dollar sign ($) to the end of a share name. Like any other share, the permissions on a hidden share determine who has access. Any user with appropriate permissions can connect to a hidden share, provided the user knows the full UNC path to the share.

2.4.1.4. Configuring web shares

To give users access to shared files and folders over the Internet, you use web shares. Web shares are accessed in a web browser using the Hypertext Transfer Protocol (HTTP). To use web shares, a system must have IIS installed. Install it using Add Or Remove Programs in the Control Panel. Click Add/Remove Windows Components, then configure the appropriate Application Server components to install and configure IIS as necessary. All web shares have a folder path and an alias. The folder path sets the local file path to the shared folder. The alias sets the name of the web share. For example, you might want to share the folder C:\reports as UserReports. All web shares have two sets of permissions:
Access permissions that can be granted to a user or group are as follows:
Application permissions that can be set are as follows:
You can create web shares using Windows Explorer, by completing these steps:
Once you create a web share, it is available to users automatically and can be accessed using a web browser. The alias is the name you'll use to access the folder on the web server. On the internal network, the alias "UserReports" could be accessed on FileServer06 using http://fileserver06/userreports/ as the Internet address. On the Internet, the alias "UserReports" could be accessed on williamstanek.com using http://williamstanek.com/userreports/ as the Internet address.

2.4.2. Working with Attributes of Files and Folders

On FAT, FAT32, and NTFS volumes, all files and folders have basic attributes that allow files and folders to be marked as Hidden and Read-only. Basic attributes can be examined in Windows Explorer by right-clicking the file or folder and then selecting Properties. The Hidden attribute determines whether the file or folder is displayed in directory listings. You can override the Hidden attribute by setting Windows Explorer to display hidden files:
On NTFS, the Read-only attribute is shown dimmed, meaning the attribute is in a mixed state regardless of the current state of files in the folder. To override the mixed state, either select Read-only for the folder, which makes all files in the folder read-only, or clear the Read-only checkbox for the folder, which makes all files in the folder writable. Some files and folders also have extended attributes. Extended attributes come from named data streams associated with a folder or file. Many types of document files have named data streams associated with them. These define fields and field values that appear on optional tabs, such as the Custom or Summary tab.

2.4.3. Configuring Filesystem Permissions

Filesystem permissions determine the specific set of access controls applied to a file or folder. FAT volumes have no file and folder permission capabilities. On FAT/FAT32, share permissions provide the only access controls for shared FAT/FAT32 folders. NTFS volumes have filesystem permissions that include specific ownership permissions for files and folders. When you share folders on NTFS volumes, share permissions provide the top-level access control and NTFS permissions provide the base-level access controls. NTFS permissions are managed according to:
Together, these three components for NTFS permissions determine the effective permissions on a particular file or folder.

2.4.3.1. Working with NTFS permissions

Whether you work with files locally by logging on to a computer or remotely using shared folders, NTFS permissions provide the base access permissions. Whenever a user attempts to access a file or folder, NTFS permissions determine whether access is granted. If the user has been granted access to a file or folder, the access permissions determine the permitted actions as well, such as whether a user can change a file's contents.

On NTFS volumes, every file and folder has a security descriptor called an access control list (ACL) associated with it. Access permissions are stored within the ACL as access control entries (ACEs). The ACEs detail the specific permissions that apply to each user and group. When a user attempts to access a file or folder, the user's security access token, containing the security identifiers (SIDs) of the user's account and any groups of which the user is a member, is compared to the file or folder's security descriptor. If the user has specific access permissions, the user will be granted access and will have the permissions assigned through the related ACE for the user. If the user is a member of a group that has specific access permissions, the user will be granted access and will have the permissions assigned through the related ACE for the group. When multiple ACEs apply, the user will have effective permissions that are a combination of the access permissions.

Tip: Generally, if a user is a member of multiple groups, her effective permissions are a combination of permissions assigned in all groups. The highest level of permissions will apply.

NTFS has both basic and special permission sets. The basic permissions represent a grouping of special permissions that together allow six commonly configured levels of access: Read, Read & Execute, Write, Modify, or Full Control.
The special or advanced permissions provide granular control for when you need to fine-tune access permissions.

2.4.3.2. Managing basic permissions

You can view the basic permissions on a file or folder using Windows Explorer. Unlike share permissions, NTFS permissions can be set with Windows Explorer on both local and remote computers. Right-click the file or folder, select Properties, and then, in the Properties dialog box, select the Security tab. As Figure 2-17 shows, the Security tab is divided into two lists. The Group Or User Names list shows groups and users with assigned permissions. Click a user or group name to display the allowed or denied permissions for that user or group in the Permissions For list. Dimmed permissions are inherited from a parent folder. See "Understanding and managing inherited permissions," later in this chapter, for details.

Figure 2-17. Basic access permissions are a grouping of special access permissions.

Basic file permissions differ slightly from basic folder permissions. Table 2-9 describes basic permissions for files. Table 2-10 describes basic permissions for folders.
To set basic permissions for files and folders, follow these steps:
Keep in mind that individual file permissions override the folder permissions. You can also set NTFS folder permissions from the Shared Folders snap-in of the Computer Management console. Click the Security tab of the shared folder and set permissions as appropriate.

2.4.3.3. Managing special permissions

Special permissions allow administrators to directly edit the access control entries (ACEs) associated with a folder or file. You can view the special (advanced) permissions on a file or folder using Windows Explorer. Right-click the file or folder, and then select Properties. In the Properties dialog box, select the Security tab, and then click the Advanced button to display the Advanced Security Settings dialog box. As shown in Figure 2-18, the Permission Entries list shows the access control entry assigned to each group and user with permissions on the selected resource.

Figure 2-18. Special permissions provide granular control for fine-tuning access.

There are two general types of permissions: those that are inherited and those that are not. If a permission is inherited, the folder from which settings are inherited is listed. Typically, you'll manage inherited permissions by editing the folder from which settings are inherited. The exception is when you want to override or modify the inherited permissions for a particular user or group with respect to a specific folder or file. As Table 2-11 shows, the special permissions are very granular in their scope. It is rare that you will need to edit the access control entry for a group or user; more typically, you'll need to review or modify special permissions only when access controls aren't working the way you expect them to.
Each ACE listed in the Advanced Security Settings dialog box can be edited by selecting the ACE and then clicking Edit. You will then be able to allow or deny special permissions using the Permission Entry For . . . dialog box shown in Figure 2-19. When you are finished selecting Allow or Deny for each permission as appropriate, use the Apply Onto options to determine how and where these permissions are applied.

Figure 2-19. Accessing the permissions entry.

2.4.3.4. Verifying effective permissions when granting permissions

Often groups or users are members of multiple groups, and each of those groups will have separate access permission configurations. Membership in multiple groups can make it difficult if not nearly impossible to track down the exact access permissions that apply in a given situation. To resolve this problem, Windows provides the Effective Permissions tab for evaluating the access permissions that apply to a group or user with respect to a specific folder or file. The Effective Permissions tab allows you to determine the collective set of permissions that apply based on directly assigned permissions, permissions inherited due to group membership, and permissions inherited from parent folders. Effective Permissions apply only to folder and file permissions. Share permissions are not included. To view effective permissions on a folder or file, follow these steps:
The Effective Permissions for the selected user or group are displayed as shown in Figure 2-20.

Figure 2-20. Viewing the effective permissions for a group or user.

Tip: You cannot determine effective permissions for implicit groups or special identities. Share permissions are also not accounted for.

2.4.3.5. Changing ownership of files and folders

As discussed previously in "Understanding implicit groups and special identities," Windows defines many special identities that are implicitly applied according to a particular situation or circumstance. One of these special identities is Creator Owner, which represents the creator and owner of objects and is used to grant implicit access permissions to object owners. When a user creates a folder or file, the user is the creator and initial owner of the folder or file. If the system creates a folder or file, the default owner is the Administrators group. The owner has complete control to grant access permissions and give other users permission to take ownership of a folder or file. Ownership can be taken or transferred in several ways:
To view or change ownership of a folder or file, follow these steps:
2.4.3.6. Understanding and managing inherited permissions

Windows Server 2003 uses inheritance so that permissions applied to a folder are, by default, applied to subfolders and files beneath that folder. If you later change the permissions of a folder, those changes, by default, affect all subfolders and files beneath that folder. Permissions are inherited from parent folders. A file inherits its permissions from the folder in which it is stored. A subfolder inherits its permissions from the folder in which it is stored. Folders stored in the root of a drive volume inherit the permissions of the drive volume. Permissions are inherited by default when files and folders are created. If you remove inherited permissions, any explicitly defined permissions remain.

When you view the Security tab for a folder or file, inherited permissions are dimmed and are not changeable. When you view the Permission Entry for a folder or file, inherited permissions similarly are dimmed and are not changeable. Typically, when you want to change inherited permissions, you will do so by accessing the parent folder from which the permissions are inherited and then making the desired changes. Any permission changes will then be inherited by child folders and files. The Permissions tab of the Advanced Security Settings dialog box lists the folder from which permissions are inherited. Each ACE on the folder or file has a separate entry, as shown previously in Figure 2-18. When working with the folder or file that is inheriting permissions, you may need to override, stop, or restore inheriting:
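The rules spread across the preceding subsections (share permissions as the outer door that caps NTFS access, ACEs matched against the SIDs in the user's token, permissions from several groups adding up, Deny entries, and inherited versus explicit entries) are easiest to reason about as a small model. The following added example (not from the book, and not Windows' own implementation) evaluates a user's effective rights against an ACL in the canonical order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow), builds a child's ACL from its parent, breaks inheritance with Copy or Remove, and intersects share and NTFS results for remote access. The right names, basic-permission groupings, accounts and ACLs are constructed; the special identity Everyone is treated as a member of every token.

```python
"""Model of how NTFS ACEs, group membership, inheritance and share
permissions combine into effective access.  Added example, not from the
book: rights, accounts and ACLs are constructed for illustration."""
from dataclasses import dataclass

# A representative subset of NTFS special permissions (constructed names).
RIGHTS = ("ReadData", "ReadAttributes", "ReadPermissions", "Execute",
          "WriteData", "AppendData", "WriteAttributes", "Delete",
          "ChangePermissions", "TakeOwnership")
ALL = frozenset(RIGHTS)

# Basic permissions are groupings of special permissions.
BASIC = {"Read": frozenset({"ReadData", "ReadAttributes", "ReadPermissions"})}
BASIC["Read & Execute"] = BASIC["Read"] | {"Execute"}
BASIC["Write"] = frozenset({"WriteData", "AppendData", "WriteAttributes"})
BASIC["Modify"] = BASIC["Read & Execute"] | BASIC["Write"] | {"Delete"}
BASIC["Full Control"] = ALL

# Share permission levels, expressed as the most they let through.
SHARE = {"Read": BASIC["Read & Execute"], "Change": BASIC["Modify"],
         "Full Control": ALL}


@dataclass(frozen=True)
class ACE:
    trustee: str        # user or group name, standing in for a SID
    kind: str           # "allow" or "deny"
    rights: frozenset   # special permissions this entry covers
    inherited: bool = False


@dataclass(frozen=True)
class Token:
    """SIDs in an access token: the account, its groups, and Everyone."""
    user: str
    groups: frozenset

    def principals(self):
        return {self.user, "Everyone"} | set(self.groups)


def canonical(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))


def effective_rights(token, acl):
    """For each right, the first ACE in canonical order that names one of the
    token's SIDs and covers that right decides; unmentioned rights are denied.
    Allows from several groups add up; a Deny beats an Allow of equal rank."""
    granted = set()
    ordered = canonical(acl)
    for right in RIGHTS:
        for ace in ordered:
            if ace.trustee in token.principals() and right in ace.rights:
                if ace.kind == "allow":
                    granted.add(right)
                break
    return frozenset(granted)


def basic_level(rights):
    """Name the highest basic permission fully contained in a rights set."""
    for name in ("Full Control", "Modify", "Read & Execute", "Write", "Read"):
        if BASIC[name] <= rights:
            return name
    return "None"


def child_acl(parent_acl, explicit=()):
    """A new file or subfolder: its explicit ACEs plus inherited copies of
    the parent's entries."""
    return list(explicit) + [ACE(a.trustee, a.kind, a.rights, True)
                             for a in parent_acl]


def stop_inheriting(acl, copy):
    """Break inheritance: copy=True turns inherited entries into explicit
    ones (Copy); copy=False drops them so only explicit entries remain."""
    kept = []
    for a in acl:
        if not a.inherited:
            kept.append(a)
        elif copy:
            kept.append(ACE(a.trustee, a.kind, a.rights, False))
    return kept


def local_access(token, ntfs_acl):
    """Logged on locally, only NTFS permissions apply."""
    return effective_rights(token, ntfs_acl)


def remote_access(token, share_acl, ntfs_acl):
    """Over the network both doors apply: the share caps NTFS access."""
    return effective_rights(token, share_acl) & effective_rights(token, ntfs_acl)


# Constructed scenario: C:\userdata shared as UserDirs with the Windows
# Server 2003 default share permission (Everyone: Read).
share_acl = [ACE("Everyone", "allow", SHARE["Read"])]
userdata_acl = [ACE("Administrators", "allow", BASIC["Full Control"]),
                ACE("Staff", "allow", BASIC["Modify"])]
# A file in that folder inherits the folder's ACEs and adds an explicit Deny.
payroll_acl = child_acl(userdata_acl, [ACE("Interns", "deny", BASIC["Read"])])
alice = Token("alice", frozenset({"Staff"}))
bob = Token("bob", frozenset({"Staff", "Interns"}))

if __name__ == "__main__":
    print("alice, local: ", basic_level(local_access(alice, userdata_acl)))
    print("alice, remote:", basic_level(remote_access(alice, share_acl, userdata_acl)))
    print("bob, payroll: ", sorted(local_access(bob, payroll_acl)))
```

Run as written, the model shows alice with Modify on the folder locally but only Read & Execute through the share, and bob, who is in both Staff and Interns, left with write rights but no read rights on the payroll file because the explicit Deny is evaluated before the inherited Allow. Swapping the Deny onto the parent and an Allow onto the child reverses the outcome, which is why the Effective Permissions tab, rather than a glance at group membership, is the reliable way to answer "can this user read this file".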
2.4.4. Troubleshooting Access to Folders and Files

When it comes to folder and file access, the one truism seems to be that the larger the network, the more difficult it is to determine why a user cannot access a particular file or folder. Before you can diagnose and resolve the problem, you need to determine what type of error message the user is getting when attempting to access the folder or file. Most access errors relate to one of the following:
Beyond the likely culprits, access can be affected by basic attributes as well as encryption. The Hidden basic attribute hides a folder or file from directory listings. The Read-only basic attribute makes a folder or file read-only. To determine whether basic attributes are causing access problems, right-click the folder or file and select Properties. On the General tab, as necessary, clear the Read-only, Hidden, or both checkboxes and then click OK. NTFS volumes can contain encrypted folders and files, and encryption can limit access to folders and files. To determine whether a folder or file is encrypted, right-click the folder or file and select Properties. On the General tab, click Advanced. If the Encrypt Contents To Secure Data checkbox is selected, the resource is encrypted. Encryption limits access to the user who encrypted the file, to the user who is granted shared access, and to the Data Recovery Agent (DRA). In domains, the default DRA is the domain Administrator user account. You can determine the exact list of users authorized to access an encrypted file by completing these steps:
2.4.5. Troubleshoot Terminal Services

As discussed previously in this chapter in "Remote Desktop for Administration," Windows Server 2003 Terminal Services has two operating modes: Remote Desktop for Administration and Terminal Server. Remote Desktop for Administration is a limited Terminal Server mode that enables remote administration. When a server is configured as a Terminal Server, users establish remote sessions with the server to run Windows-based applications. In this configuration, the execution and processing take place on the Terminal Server, and the display output and the keyboard and mouse input are transmitted over the network between the server and the user. A user logged on remotely to a Terminal Server is in a virtual session, and any single Terminal Server can handle dozens or hundreds of such virtual sessions, depending on its configuration. Exam 70-290 doesn't test your ability to install and configure Terminal Services. However, the exam does test your ability to:
Tip: Exam 70-290 also tests your ability to manage a server by using Terminal Services remote administration mode as discussed previously in the chapter in "Remote Desktop for Administration."

2.4.5.1. Diagnosing and resolving issues related to Terminal Services security

Windows Server 2003 provides several ways to manage security for Terminal Services. Using Active Directory Users And Computers, you can add users or groups to the Remote Desktop Users group to allow users to log on to a terminal server. By adding the Domain Users group to the Remote Desktop Users group, you allow all authenticated domain users to use Terminal Services. By adding the special group Everyone to the Remote Desktop Users group, you allow anyone with access to the network to use Terminal Services. In addition to the Remote Desktop Users group, users and groups that have access to Terminal Services by default are:
You can manage the configuration of a designated Terminal Server using the Terminal Services Configuration tool. Click Start → Programs → Administrative Tools → Terminal Services Configuration, or type tscc.msc at a command prompt. With Terminal Services and Remote Desktop for Administration, data sent between servers and clients uses Remote Desktop Protocol (RDP). You can modify the RDP settings for a server using the Terminal Services Configuration tool. Select Connections, right-click the RDP-Tcp connection you want to work with, and select Properties. The RDP-Tcp Properties dialog box has the following tabs:
When you want to manage Terminal Services security, you'll do so using the Permissions tab of the RDP-Tcp Properties dialog box. Similar to NTFS permissions, Terminal Services has two permission sets: basic permissions and special permissions. The basic permissions represent a grouping of special permissions that together allow three commonly configured levels of access: Guest Access, User Access, and Full Control. The special permissions provide granular control for when you need to fine-tune access permissions. Tip: The Remote Desktop Users group is granted User Access and Guest Access by default. Terminal Services permissions set the maximum allowed permissions and are applied whenever a client connects to a Terminal Server. The basic permissions for Terminal Services are:
Typically, when you troubleshoot Terminal Services security, you check to see whether a user is a member of Remote Desktop Users in Active Directory Users And Computers. If groups are granted access directly through RDP-Tcp Properties, you need to examine the settings on the Permissions tab. On the Permissions tab, view the access permissions for a user or group by selecting the account name. You can then allow or deny access permissions as appropriate. Click Add to configure permissions for additional users or groups.

2.4.5.2. Diagnosing and resolving issues related to client access to Terminal Services

Users connecting to a Terminal Server will use the Remote Desktop Connection client found under Programs → Accessories → Communications. The default configuration for this client is to connect to a designated server using the user's current credentials. To connect using different credentials, start the Remote Desktop Connection client, click Options, and then enter values in the related Computer, User Name, Password, and Domain fields. Tip: Both session and client settings are configured by default. The session settings on the server override client settings. Session settings for display, devices, sound, start programs, experience, and security can be set through the server and the client. Most settings for sessions configured on the server override session settings configured on the client. Configure session settings on the server using the RDP-Tcp Properties dialog box. Configure session settings on the client using the Options tabs. After you click Options in the Remote Desktop Connection client, you'll see the following tabs, described here and shown in Figure 2-23:

Figure 2-23. Session settings can be controlled through both client and server settings.
Most client access problems for Terminal Services have to do with the following:
In a standard configuration, Terminal Services requires TCP port 3389 to be open on both the client and the server. If either the client or the server is running a firewall, TCP port 3389 must be opened to allow remote access.