Managing and Maintaining Access to Resources


The process of working with share and NTFS permissions has always been a major focus on Microsoft exams. Make sure you have a complete understanding of how the different permissions are applied when you access a folder over the network versus accessing it from the server console.

Managing File System Permissions

Permissions define the type of access that is granted to a user or group for an object such as a file, folder, or share. Permissions can be assigned to local users or groups, or if the server is a member of a domain, permissions can be assigned to any user or group that is trusted by that domain.

If you are sitting at the server or workstation console, only the NTFS file and folder access permissions apply. However, if you are trying to access the files across the network via a shared folder, both the file and the share permissions apply.

NTFS Permissions

NTFS permissions can be granted to either users or groups. By default, the Administrators group can assign permissions to all files and folders on a server.

The following permissions apply to a file:

  • Read: This permission allows you to read the contents of a file and its attributes, including file ownership and assigned permissions.

  • Read and Execute: This permission includes all the Read permissions in addition to the ability to run applications.

  • Write: This permission includes all the Read permissions in addition to the ability to overwrite the file and change its attributes.

  • Modify: This permission includes all the Read and Execute and the Write permissions in addition to the ability to modify and delete the file.

  • Full Control: This permission includes all the Modify permissions in addition to allowing you to take ownership of a file and configure the permissions to it.

The following permissions apply to a folder and to the files and subfolders contained in that folder:

  • Read: This permission allows you to read the contents of a folder and its attributes, including ownership and assigned permissions.

  • Read and Execute: This permission includes all the Read permissions in addition to the ability to run applications.

  • Write: This permission includes all the Read permissions in addition to the ability to create new files and subfolders and change the folder's attributes.

  • Modify: This permission includes all the Read and Execute and the Write permissions in addition to the ability to modify and delete the folder.

  • Full Control: This permission includes all the Modify permissions in addition to allowing you to take ownership of a folder and configure the permissions to it.

The creator or owner of a file or folder will automatically have the Full Control permission for that object. In addition to the basic permissions, NTFS also allows you to assign more granular special permissions. Special permissions are generally a subset of the basic NTFS permissions. This allows you to limit access to a file or folder to specific tasks. Special permissions apply to both files and folders. The owner of a file or folder will always have the right to modify permissions.

By default, when you assign file and folder permissions, these permissions are automatically applied to the files and folders underneath them in the hierarchy. This means that any permissions applied at the root of an NTFS drive will flow down to files and folders at the lowest level, unless the inheritance has been removed. In addition, if you create a file or folder in an existing folder, the permissions in effect for that folder will apply to the new objects.

Here are a few key points to remember about inherited permissions:

  • Inherited Deny permissions will be overridden by an explicit Allow permission.

  • Explicit permissions will always take precedence over inherited permissions.

NTFS file and folder permissions are cumulative. This means that the effective NTFS permissions will be a combination of the permissions granted to the user and those permissions granted to any group the user is a member of. The exception to this is Deny Access, which overrules everything else.

The following are some important points to remember about NTFS file and folder permissions:

  • Permissions applied to folders are inherited by subfolders unless you select the This Folder Only option when applying the permissions.

  • A user's actual permissions are the resulting collective allowed rights that have flowed down from upper-level folders plus explicitly assigned permissions at that level, as long as there are no denied rights. Denied rights override allowed rights.

  • You can display a user's actual rights to use a file by looking at the Effective Permissions tab of the Advanced Security options.

  • Conflicting permissions for users who are members of multiple groups are a common problem to encounter on the exam. Not only should you be aware that Deny permissions always override Allowed permissions, but explicit permissions always override inherited permissions.

Table 7 shows the results of copying and moving files and folders on NTFS volumes.

Table 7. Moving and Copying Files on NTFS Volumes May Change Permissions

  Operation                                                           Resulting Permissions
  ------------------------------------------------------------------  -----------------------------------------------------------------------
  Move a file or folder to another location on the same NTFS volume.  The file or folder retains its original permissions.
  Move a file or folder to a different NTFS volume.                   The file or folder inherits new permissions from the new parent folder.
  Copy a file or folder to another location on the same NTFS volume.  The file or folder inherits new permissions from the new parent folder.
  Copy a file or folder to a different NTFS volume.                   The file or folder inherits new permissions from the new parent folder.


Share Permissions

Share permissions apply only when a file or folder is accessed over the network through a shared folder. When a folder is shared, by default the Everyone group is granted Read access. Only members of the Administrators, Server Operators, and Power Users groups are permitted to share folders, and only three permissions are available for a shared folder:

  • Read

  • Change

  • Full Control

When you're accessing the contents of a shared folder on an NTFS volume, the effective permission for the object is a combination of the share and NTFS permissions applied to the object. The effective permission will always be the most restrictive.

The following are some important items to remember about shares:

  • Be on the lookout for questions that say that a user can access a file locally, but not across the network. These are indicative of NTFS and Share permission conflicts. In this situation, only NTFS permissions would apply.

  • You can use the command net share to create or delete a shared folder. To create a new shared folder, type net share MYSHARE=c:\mydata.

  • There are three possible Share permissions to grant or deny: Full Control, Change, and Read.

  • You can hide shares by adding a $ symbol at the end of the name. All administrative shares are hidden. These are C$, ADMIN$, IPC$, PRINT$, and FAX$.

  • The Web Distributed Authoring and Versioning (WebDAV) protocol acts as a redirector to enable users to read and save documents via the Hypertext Transfer Protocol (HTTP) when you share Web Folders.
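As an added illustration (not code from the book), the following Python model applies the rules above: NTFS rights accumulate across group memberships, Deny beats Allow at the same level, explicit entries beat inherited ones, and network access through a share is the most restrictive combination of the NTFS result and the share permission. The group names, ACEs and share used here are constructed for the example.

```python
# Constructed model of the NTFS/share permission rules described above.
# Not a Windows API; the principals, ACEs and share below are made up.

# Each basic NTFS permission expands to the rights it grants, following the
# descriptions above: every level includes Read, Modify adds delete, and so on.
BASIC = {
    "Read": {"read"},
    "Read and Execute": {"read", "execute"},
    "Write": {"read", "write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete",
                     "take ownership", "change permissions"},
}
# The three share permissions, expressed in the same vocabulary.
SHARE = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": BASIC["Full Control"],
}
ALL_RIGHTS = BASIC["Full Control"]

def ntfs_effective(aces, principals):
    """aces: (principal, 'Allow'|'Deny', basic permission, inherited?) tuples.
    ACEs are evaluated in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. For each right the first matching ACE
    decides, which gives the rules from the text: Deny beats Allow, explicit
    beats inherited, and rights accumulate across the user's groups."""
    order = {("Deny", False): 0, ("Allow", False): 1,
             ("Deny", True): 2, ("Allow", True): 3}
    ranked = sorted(aces, key=lambda a: order[(a[1], a[3])])
    granted = set()
    for right in ALL_RIGHTS:
        for who, kind, perm, _inherited in ranked:
            if who in principals and right in BASIC[perm]:
                if kind == "Allow":
                    granted.add(right)
                break  # first matching ACE wins for this right
    return granted

def effective(aces, principals, share_perm=None):
    """Local (console) access uses NTFS only; network access is the
    intersection of the NTFS rights and the share permission."""
    rights = ntfs_effective(aces, principals)
    return rights & SHARE[share_perm] if share_perm else rights

# Constructed ACL on a file inside a shared Data folder.
FILE_ACL = [
    ("Everyone", "Allow", "Read", True),        # inherited from the folder
    ("Interns", "Deny", "Full Control", True),  # inherited blanket deny
    ("Sales", "Allow", "Modify", False),        # explicit on the file
    ("Dave", "Allow", "Full Control", False),   # explicit on the file
]
```

Bob, an intern who is also in Sales, ends up with Modify rights because the explicit Allow overrides the inherited Deny; Dave has Full Control at the console but only read and execute across a share granted Read.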

Encrypting File System (EFS)

Encrypting File System (EFS) is similar to NTFS compression in that it allows the user to selectively encrypt files and folders as desired. After a file is encrypted, all file operations continue transparently for the user who performed the encryption. However, unauthorized users cannot access the files. NTFS compression and EFS encryption are mutually exclusive. That is, you cannot both compress and encrypt a file or folder at the same time. Here are some additional points to keep in mind:

  • Only files and folders on NTFS volumes can be encrypted.

  • If a folder is encrypted, all files and folders contained in that folder will be automatically encrypted.

  • Encrypted files will be unencrypted when they are moved or copied to a non-NTFS volume.

  • Moving or copying encrypted files to an unencrypted folder on an NTFS volume will not decrypt them.

  • A recovery agent is an authorized individual who is able to decrypt data in the event that the original certificate is unavailable, such as when an employee leaves the company.

  • A recovery agent can be any user assigned that role.

  • A Certificate Authority (CA) is required to deploy EFS.

Encrypted files can be shared. However, keep the following points in mind:

  • After the user is given permission to the file, he or she can also grant others permission to use the file.

  • Encrypted files can be shared but encrypted folders cannot. Note that this refers only to EFS sharing, and an encrypted folder can always be an NTFS file share.

  • Any user who is being granted access must have an EFS certificate. This certificate can reside in Active Directory, in the user's roaming profile, or in the user's profile on the server where the shared file is located.

Terminal Services Fundamentals

Windows Terminal Services is designed to distribute the Windows 32-bit desktop to clients that are usually not able to run it. Although at the client it appears that the application is running locally, all processing is actually occurring on the server. The only processing that occurs at the client involves displaying the user interface and accepting input from the keyboard and mouse. Terminal Services consists of three major components:

  • Multiuser server core: This is a modified version of the Windows Server 2003 kernel that allows the operating system to support multiple concurrent users and share resources.

  • Client software: The Remote Desktop Connection (RDC) client software provides the user interface. It can be installed on a PC, Windows terminal, or handheld device. It provides the look and feel of the standard Windows interface.

  • Remote Desktop Protocol (RDP): This is the protocol that provides communication between the server and the client software. It runs only on TCP/IP.

Terminal Services is available in two modes: Remote Desktop for Administration (formerly called Remote Administration mode) and Application Server mode. Remote Desktop for Administration mode is used to provide remote server management. Unlike in Windows 2000, where the Remote Administration mode was an option, the Remote Desktop for Administration mode is automatically installed in Windows Server 2003. However, incoming connections are disabled by default. With Windows Server 2003 Terminal Services in Remote Desktop for Administration mode, you are allowed two concurrent sessions, plus a console session to the Windows server.

Application Server mode requires each remote connection to have a Windows Server 2003 Terminal Services user or device Client Access License (TS CAL). These licenses are separate from the normal Windows Client Access Licenses (CALs) and must be installed and managed using a Terminal Services licensing server. If a license is not installed within 90 days, the client will no longer be able to access the server.

Two types of Terminal Services licensing servers are built in to Windows Server 2003:

  • Enterprise License server: An Enterprise License server should be used when you have Windows Server 2003 Terminal Services servers located in several domains. This is the default.

  • Domain License server: A Domain License server is used if you want to segregate licensing by domain, or if you're supporting a Windows NT 4.0 domain or a workgroup.

To install applications on a Terminal Services server in Application Server mode, you must be in Install mode. This can be accomplished by installing programs via the Add/Remove Programs applet in the Control Panel or via the Change User command. When you're connecting via the RDC client, the following resources can be mapped between the server and the client session:

  • Client drives

  • Client printers

  • Clipboard

  • Printers

  • Serial ports

  • Sound




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
