Configuring and Managing Shared Folders


Objective:

Configure access to shared folders

Now that we have examined the properties of local security, let's take a look at share security. As previously discussed, one of the main roles of a computer running Windows Server 2003 is that of a file server. The role of a file server is to provide centralized access to files over a network. Regardless of whether the server is serving files to a workgroup or a domain, this is an important role.

Unfortunately, without the proper security in place, just having physical access to the network allows any user to access any file on the file server. In this section, we examine not only how to share files and folders over a network, but also how to assign permissions to restrict access to the appropriate users.

Creating and Managing Shared Folders

Users on other computers can connect to a file server via shares. The term share is shorthand for shared folder. Sharing a folder allows the contents of the folder to be available to multiple concurrent users on a network. When a folder is shared, any user with the proper permissions can access it.

A shared folder can contain applications, data, or a user's personal data. Using shares allows an administrator to centralize the management, security, and backup of applications and data. Shared folders can be implemented on either workstations or servers.

When a folder is shared, the Everyone group is granted Read access by default. As additional users or groups are added to the share, they are also given Read permission initially. Unless there is a good reason not to do so, you should always remove the permissions from the Everyone group and assign the proper permissions directly to other groups.

Exam Alert: Better Security in Windows Server 2003

In previous versions of Windows, when a folder was shared, the Everyone group was granted Full Control permissions.


Note: Be Careful with Deny

If you want to remove the permissions for the Everyone group for an object, remove the Everyone entry from the Permissions dialog box. Do not assign the Deny permission to the Everyone group because the Everyone group includes all users, including administrators.


Only members of the Administrators, Server Operators, or Power Users (member servers only) groups are permitted to share folders. To share a folder on a local volume, follow the procedure outlined in Step by Step 4.1.

Step by Step

4.1 Creating a shared folder on a local volume

1. Open either My Computer or Windows Explorer. Navigate to the folder that you want to share.

2. Right-click the folder and select Sharing and Security from the pop-up menu. The Documents Properties dialog box appears, as shown in Figure 4.1. Click the Share This Folder option button.

Figure 4.1. The Documents Properties dialog box, showing the Sharing tab.

3. Enter a share name. This is the name that users will use to access this folder over the network. It does not have to be the same as the folder name. The description is optional; some user interfaces display this field, whereas others do not. The User Limit field allows you to specify the maximum number of users that can concurrently access the share.

4. Select the desired options and then click OK to save.

5. The shared folder appears in Windows Explorer or My Computer as an icon of a hand holding a folder, as shown in Figure 4.2.

Figure 4.2. Windows Explorer, showing the shared folder icon.


A share can also be created on a remote computer. This is accomplished using the Shared Folders snap-in of the Computer Management Microsoft Management Console (MMC).

To share a folder on a remote volume, follow the procedure outlined in Step by Step 4.2.

Step by Step

4.2 Creating a shared folder on a remote volume

1. Click Start, All Programs, Administrative Tools, Computer Management.

2. From the Computer Management MMC, in the left pane right-click the Computer Management (Local) entry. From the pop-up menu, select Connect to Another Computer.

3. From the Select Computer dialog box, enter the name of the remote computer and then click the OK button.

4. From the Computer Management MMC, shown in Figure 4.3, click the System Tools entry in the left pane.

Figure 4.3. The Computer Management MMC, showing the Shared Folders snap-in, pointing to a remote server.

5. From the expanded tree, click the Shared Folders entry. Under Shared Folders, right-click Shares and select New Share from the pop-up menu.

6. This starts the Share a Folder Wizard. Click Next on the opening screen of the wizard.

7. From the Folder Path screen of the Share a Folder Wizard, shown in Figure 4.4, enter the path of the folder to be shared. If desired, you can click the Browse button to search for it. Click Next to continue.

Figure 4.4. Enter a share name and description.

8. On the Name, Description, and Settings screen, enter a share name. This is the name users will use to access this folder over the network. It does not have to be the same as the folder name. The description is optional; some user interfaces display this field, whereas others do not. Click Next to continue.

9. From the Permissions screen, select one of the following permissions depending on the desired level of access, and then click the Finish button.

  • All users have read-only access

  • Administrators have full access; other users have read-only access

  • Administrators have full access; other users have read and write access

  • Use custom share and folder permissions

10. If the operation was successful, click the Close button to end the wizard.

11. As shown in Figure 4.5, the shared folder appears in the right pane of the Shared Folders snap-in as an icon of a hand holding a folder.



Figure 4.5. The Shared Folders snap-in, showing the shared folder icon.


Administrative Shares

As you might have noticed in Figure 4.5, when the new share was created, several shares were already present, most of which have a dollar sign ($) after their name. These shares are Administrative Shared folders. These folders are shared during the default installation of Windows Server 2003. They are used for the convenience of administrators and the operating system to administer files and folders on remote computers.

The permissions for Administrative Shared folders cannot be changed. By default, members of the Administrators group are granted Full Control access. The names and purposes of the folders are as follows:

  • C$, D$, E$, and so on The root of every volume is automatically shared. Connecting to this share gives you access to the entire volume. Typically, you will use the administrative share to remotely connect to the computer to perform administrative tasks.

  • Admin$ This is a shortcut to the %systemroot% folder. This is handy because the systemroot folder can be on any volume, and depending on whether your installation of Windows Server 2003 is an upgrade or a clean installation, the systemroot could be either in a \winnt or \windows folder. This folder is shared for administrative purposes.

  • IPC$ This is a system folder that is used for interprocess communications (IPC). It is used by most of the Windows Server 2003 administrative tools.

  • Print$ This folder contains the installed print drivers. In addition to the Administrators group, the Server Operators and Print Operators groups have Full Control permissions to this folder. The Everyone group has Read permission.

  • FAX$ This shared folder is used as temporary storage for the Windows Server 2003 Fax application.

The dollar sign after the name tells Windows Server 2003 not to display the folder in My Network Places or when the server is being browsed. You can create your own hidden shares by adding the trailing dollar sign at the end of the share name.

Note: Some Administrative Shares Are Optional

As you probably noticed in Figure 4.5, the Print$ and FAX$ shares weren't present. These shares are optional and appear only if print drivers and the fax service have been installed.

Publishing a Shared Folder in Active Directory

In Windows Server 2003, you can publish a shared folder as a shared folder object in Active Directory using the Active Directory Users and Computers snap-in. This allows users to query Active Directory for the shared folder instead of browsing to locate it. Just creating a shared folder is not enough; it must also be published to be visible in Active Directory.

To publish a shared folder in Active Directory, use the procedure outlined in Step by Step 4.3.

Step by Step

4.3 Publishing a shared folder in Active Directory

1. Click Start, All Programs, Administrative Tools, Active Directory Users and Computers.

2. From the Active Directory Users and Computers MMC, in the left pane click the domain entry to expand the tree. Then navigate to the container of the organizational unit (OU) in which you want to publish the folder.

3. Right-click the desired container. From the pop-up menu, select New, Shared Folder.

4. The New Object - Shared Folder dialog box appears.

5. In the New Object - Shared Folder dialog box, type in the Fully Qualified Domain Name (FQDN) path of the shared folder that you would like to publish (\\servername.domainname.com\sharename).

6. Type in the name you want to use to refer to the shared folder within Active Directory.

7. Click OK to save.

Note: Use the Fully Qualified Domain Name

Notice in the previous Step by Step that the fully qualified domain name was used to refer to the network path for the shared folder. If you use the NetBIOS name, only users within your domain can access the share.


Any shared folder accessible via a Universal Naming Convention (UNC) name (that is, \\server\share) or FQDN can be published in Active Directory. This includes both shares on servers and workstations. An additional advantage of publishing a share in Active Directory is that if the share is moved to another server, only the reference in Active Directory has to be updated; the users do not have to change their configuration.

Managing Shared Folder Permissions

Objective:

Manage shared folder permissions

Shared folder permissions are important, especially when the share is hosted on a FAT volume. Because the objects on FAT volumes can't be assigned permissions at the file or folder level, share permissions are the only type of file security available.

Share permissions, as you might have guessed from the name, apply only when a file or folder is accessed over the network through a shared folder. Permissions assigned to a share have no effect on a user logged on to the server console or logged on to a Terminal Services session on that server.

When a share is created, the Everyone group is granted Read access by default. Obviously, this isn't appropriate for many circumstances, so you should make adjustments. Only three types of access permissions can be configured on a share. The default permission is Read, and it allows you to perform the following:

  • View file and subfolder names.

  • View the contents of files.

  • Execute applications.

The second permission is Change. It allows you to do everything that the Read permission allows as well as the following:

  • Add files and subfolders.

  • Change the contents of files.

  • Delete files and subfolders.

The last permission is Full Control. It allows you to perform all the Read and Change tasks in addition to allowing you to change the permissions on NTFS files and subfolders in the share.

To configure the permissions on a shared folder, follow the procedure outlined in Step by Step 4.4.

Step by Step

4.4 Configuring shared folder permissions

1. Open either My Computer or Windows Explorer and navigate to the shared folder that you want to configure.

2. Right-click the folder and select Sharing and Security from the pop-up menu. The Folder Properties dialog box appears. Click the Permissions button.

3. The Share Permissions dialog box appears, as shown in Figure 4.6. By default, the Everyone group is granted Read permission. Click the Remove button; this deletes the entry for the Everyone group. Click the Add button; this opens the Select Users or Groups dialog box. Add a user or group and then click the OK button to save.

Figure 4.6. The Share Permissions tab, showing the default settings.

4. This returns you to the Share Permissions dialog box. Select the desired permissions for the user or group that was added. Then click OK here and in the Folder Properties dialog box to save.

Connecting to Shared Folders

After the shared folders are configured on your server or workstation, they can be accessed over the network. Users can access shared folders using My Network Places, Map Network Drive, or the Run command.

Using the Run command is the easiest and quickest way to access a remote share, as long as you know the server and share name. All you have to do is type it in, as shown in the Run dialog box in Figure 4.7, and then click OK.

Figure 4.7. The Run dialog box, showing how to access a shared folder using a UNC path.


You can also map a network drive using the Map Network Drive option. When you map a drive, you assign the share to a drive letter, which you can use to reference the share. This makes it easier to reference your files. The procedure for mapping a drive is shown in Step by Step 4.5.

Step by Step

4.5 Mapping a drive

1. Click the Start button, then right-click the My Computer icon and select Map Network Drive from the pop-up menu.

2. The Map Network Drive dialog box appears, as shown in Figure 4.8.

Figure 4.8. The Map Network Drive dialog box.

3. From the Map Network Drive dialog box, you can either enter the UNC name for the shared folder that you want to map to, or click the Browse button and search for it. You can also use the drive field to specify any drive designation that's not already in use on your workstation.

4. When you're done, click the Finish button to connect to the drive.

In Figure 4.8, there is a check box labeled Reconnect at Logon. This creates a persistent drive mapping; that is, it will remain mapped until you manually disconnect it, even if you reboot your machine. The other option is Connect Using a Different User Name. This option allows you to connect to a share using a different username from what you used when logging on to your machine.

The final method to access a shared folder is via My Network Places. My Network Places is available in the left pane of My Computer (unless you selected Classic Folders).

Figure 4.9. My Network Places is available in the My Computer MMC.


There are two ways you can access a folder via My Network Places. The first method is to browse to it by clicking My Network Places, Entire Network, Microsoft Windows Network. This allows you to browse the servers in the domains and workgroups on your network, and click on the shares to connect. As shown in Figure 4.10, all the available shares on the \\Book server are shown in the list, except for those that are hidden.

Figure 4.10. Browsing shares using My Network Places.


The second method is to click the Add a Network Place entry, listed under the Network Tasks section in the left pane of My Network Places, as shown earlier in Figure 4.10.

This starts the Add Network Place Wizard. It guides you through adding a share via a UNC name, a web share, or a File Transfer Protocol (FTP) address. This allows you to add a network place on your local network or on the Internet.

Configuring and Managing NTFS File and Folder Permissions

Although the various versions of FAT provide no local security, NTFS was created with the capability to control access to every file and folder on an NTFS volume. When a file or folder is created on an NTFS volume, an Access Control List (ACL) is created. The ACL contains a list of every user, group, or computer that has been granted access to the file or folder and what type of access was granted. Each user, group, or computer that has been allowed access to the resource has its own Access Control Entry (ACE) in the ACL. Whenever a file or folder is accessed on an NTFS volume, the operating system reads the ACE to determine whether the user, group, or computer has the necessary permissions for the type of access it is requesting.

Permissions define the type of access that is granted to a user or group for an object, such as a file or folder. Permissions can be assigned to local users or groups, or if the server is a member of a domain, permissions can be assigned to any user or group that is trusted by that domain.

The type of permission varies by object. Folders are used as containers to store files or other folders. Files are executed or written, so the permissions assigned to them apply to the amount of manipulation a user or group can perform against them.

NTFS permissions can be granted to either users or groups. By default, the Administrators group can assign permissions to all files and folders on a server.

The following permissions apply to a file:

  • Read This permission allows you to read the contents of a file and its attributes, including file ownership and assigned permissions.

  • Read and Execute This permission includes all the Read permissions, in addition to the ability to run applications.

  • Write This permission includes all the Read permissions, in addition to the ability to overwrite the file and change its attributes.

  • Modify This permission includes all the Read and Execute and the Write permissions, in addition to the ability to modify and delete the file.

  • Full Control This permission includes all the Modify permissions, in addition to allowing you to take ownership of a file and configure the permissions for it.

The following permissions apply to a folder and to the files and subfolders contained in that folder:

  • Read This permission allows you to read the contents of a folder and its attributes, including ownership and assigned permissions.

  • Read and Execute This permission includes all the Read permissions, in addition to the ability to run applications.

  • Write This permission includes all the Read permissions, in addition to the ability to create new files and subfolders and change the folder's attributes.

  • List Folder Contents This permission includes all the Read permissions, but for the folder only.

  • Modify This permission includes all the Read and Execute and the Write permissions, in addition to the ability to modify and delete the folder.

  • Full Control This permission includes all the Modify permissions, in addition to allowing you to take ownership of a folder and configure the permissions to it.

Note

Notice that under the basic permissions, granting Write access also includes the Read permissions. However, when using special permissions, only the Write functionality you explicitly select is granted.


The creator or owner of a file or folder is able to control how permissions are set and to whom permissions are granted on that object. To configure the permissions on a file or folder, use the procedure outlined in Step by Step 4.6.

Step by Step

4.6 Configuring NTFS file and folder permissions

1. Open either My Computer or Windows Explorer. Navigate to the object for which you want to configure permissions.

2. Right-click the object and select Properties from the pop-up menu. Click the Security tab in the resulting dialog box.

3. From the Security tab, shown in Figure 4.11, click the Add button.

Figure 4.11. The folder Properties dialog box, showing the Security tab. This dialog box allows you to see and change the permissions applied to each user or group.

4. The Select Users or Groups dialog box appears. This dialog box allows you to select either a local or domain user or group to assign permissions to. Enter the user or group and then click OK.

5. This returns you to the folder Properties dialog box. Note that, by default, the user or group just added has been granted Read and Execute, List Folder Contents, and Read permissions for the folder.

6. In the Permissions section of the folder Properties dialog box, select the check box for Write and then click the OK button to save.

This Properties dialog box allows you to add or delete users or groups that have access to a file or folder. In addition, you can explicitly select to either allow or deny the basic permissions that apply to that object.

Special Permissions

In addition to the basic permissions, NTFS also allows you to assign more granular, special permissions. Special permissions are generally a subset of the basic NTFS permissions and allow you to limit access to a file or folder to specific tasks. These special permissions apply to both files and folders and are detailed in the following list:

  • Traverse Folder/Execute File This permission enables users to pass through a folder they do not have access to in order to access a file or folder to which they do have access. This permission may initially have no effect because, for it to apply, the user privilege Bypass Traverse Checking must be enabled. In the default system policy, Bypass Traverse Checking is disabled.

  • List Folder/Read Data This permission allows a user to list the contents of a folder. When it's applied to a file, this permission allows the file to be opened for Read access.

  • Read Attributes This permission allows a user to see the file or folder attributes.

  • Read Extended Attributes This permission allows a user to see special file or folder attributes that are created by applications. This is not commonly used.

  • Create Files/Write Data When applied to a folder, this permission allows a user to create new files. When applied to a file, it allows the user to edit a file.

  • Create Folders/Append Data When applied to a folder, this permission grants the user the ability to create new folders. When applied to a file, it allows the user to append data to the file (but not the ability to change existing data).

  • Write Attributes This permission allows a user to change the file or folder attributes.

  • Write Extended Attributes This permission allows a user to change special file or folder attributes that are created by applications. This is not commonly used.

  • Delete Subfolders and Files This permission allows a user to delete subfolders and files, even when the Delete permission is denied at the file and subfolder levels.

  • Delete This permission allows a user to delete the subfolder or file to which the permission is applied. This permission can be overruled by the Delete Subfolders and Files permission.

  • Read Permissions This permission allows a user to see the permissions applied to a file or folder.

  • Change Permissions This permission allows a user to change the permissions applied to a file or folder.

  • Take Ownership This permission allows a user to seize ownership of a file or folder. After a user has ownership of a file or folder, the user will have Full Control.

  • Synchronize This permission applies to multithreaded, multiprocess programs and is typically used only by developers.

To configure the special permissions on a file or folder, use the procedure outlined in Step by Step 4.7.

Step by Step

4.7 Configuring special permissions

1. Open either My Computer or Windows Explorer. Navigate to the object for which you want to configure permissions.

2. Right-click the object and select Properties from the pop-up menu. Click the Security tab on the resulting dialog box.

3. From the Security tab, click the Advanced button.

4. The Advanced Security Settings dialog box appears (see Figure 4.12). This dialog box allows you to select or add a user or group to assign permissions to by clicking the Add button. Alternatively, you can modify the permissions that are assigned to an existing user or group by highlighting the appropriate entry and then clicking the Edit button. Highlight a user or group and then click Edit.

Figure 4.12. The Advanced Security Settings dialog box allows you to add or edit the special permissions applied to each user or group.

5. The Permission Entry dialog box appears (see Figure 4.13). This dialog box allows you to allow or deny special permissions for the user or group selected in the Advanced Security Settings dialog box. Select the desired permissions, and then click the Apply Onto drop-down list.

Figure 4.13. The Permission Entry dialog box allows you to select the special permissions to be applied.

6. As you can see in Figure 4.13, the Apply Onto drop-down list allows you to specify where to apply the newly selected special permissions. This allows you to select various combinations of files, folders, and subfolders. At the bottom of the dialog box is a check box that prevents the permissions from being inherited by subfolders. Click OK when finished.

7. This returns you to the Advanced Security Settings dialog box. Click OK here and on the Folder Properties dialog box to save.

Special permissions are subsets of the basic permissions discussed earlier. To see which basic permissions the special permissions are included in, see Table 4.1.

Table 4.1. Relating Basic Permissions to Special Permissions

Special Permission              Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File    X             X       X               X
List Folder/Read Data           X             X       X               X                     X
Read Attributes                 X             X       X               X                     X
Read Extended Attributes        X             X       X               X                     X
Create Files/Write Data         X             X                                                   X
Create Folders/Append Data      X             X                                                   X
Write Attributes                X             X                                                   X
Write Extended Attributes       X             X                                                   X
Delete Subfolders and Files     X
Delete                          X             X
Read Permissions                X             X       X               X                     X     X
Change Permissions              X
Take Ownership                  X
Synchronize                     X             X       X               X                     X     X


As you can see, the special permissions allow you to grant permission for just a specific task. This allows you to avoid giving a user Full Control access when all you want the user to be able to do is delete files. In some cases, the basic permissions allow users to perform more tasks than you want them to have access to.

Managing Permissions Inheritance

So far we have covered explicit permissions, the permissions explicitly assigned on a file or folder. However, NTFS supports inherited permissions; these are the permissions inherited from the parent folder.

NTFS can be thought of as an upside-down tree, with the root at the top. By default, when you assign file and folder permissions, these permissions are automatically applied to the files and folders underneath them in the hierarchy. This means that any permissions applied at the root of an NTFS drive flow down to files and folders at the lowest level, unless the inheritance has been removed. In addition, if you create a file or folder in an existing folder, the permissions in effect for that folder apply to the new objects.

Unless you remove inheritance from the parent, you cannot configure the existing permissions on an object; however, you can still add new ones. As shown in Figure 4.14, the permissions are grayed out. When removing inheritance, you have the option to set the initial permissions by copying the existing inherited permissions or removing them completely. Any explicitly configured permissions remain unchanged.

Figure 4.14. The file Properties dialog box, showing the inherited permissions. The grayed-out check boxes indicate that the permissions were inherited and cannot be changed.


Here are two key points to remember about inherited permissions:

  • Inherited Deny permissions are overridden by an explicit Allow permission.

  • Explicit permissions always take precedence over inherited permissions.

To block inheritance on a file, use the procedure outlined in Step by Step 4.8.

Step by Step

4.8 Removing inheritance from a file

1. Open either My Computer or Windows Explorer and navigate to the file for which you want to configure permissions.

2. Right-click the file, select Properties from the pop-up menu, and click the Security tab in the resulting dialog box.

3. From the Security tab, click the Advanced button.

4. The Advanced Security Settings dialog box appears (see Figure 4.15). Note that the Permission Entries area of the dialog box displays the permissions and where they were inherited from. Deselect the check box Allow Inheritable Permissions from the Parent to Propagate to This Object and All Child Objects.

Figure 4.15. The Advanced Security Settings dialog box. The check box can be deselected to prevent the object from inheriting permissions from the parent containers.

5. The Security prompt appears (see Figure 4.16). This prompt allows you to either copy or remove the inherited permissions for the object. Select Copy.

Figure 4.16. The Security prompt, which allows you to select whether to copy or remove the inherited permissions.

6. This returns you to the Advanced Security Settings dialog box. The existing permissions were retained; however, the Inherited From field is now empty. Click OK.

7. The file Properties dialog box appears, as shown in Figure 4.17. Click OK to save.

Figure 4.17. The file Properties dialog box. Notice that the permissions entries are no longer grayed out and can be changed.


Note: Be Careful with Remove

If you choose to remove the inherited permissions, the only permissions that remain are those that were explicitly added. If there are no added permissions, no one can access the object. The administrator must either assign permissions to it or turn propagation of permissions back on.


Changing Ownership of Files and Folders

Objective:

Change ownership of files and folders

What happens when the owner of a file or folder leaves the company? How do you regain access to the data she controls? As an administrator, you have the option of resetting the password and logging on using her user account. However, this is not a viable option in many cases because security restrictions may not allow the administrator to be the owner of secure user files. Instead, to ensure the audit trail is intact and not interrupted by the administrator accessing the files, the administrator must transfer the ownership to the new user responsible for the files.

As mentioned earlier, when a file or folder is created, by default the creator is granted ownership of the object. In the case of someone leaving the organization, the administrator can assign the Take Ownership permission to another user or group so that it can take control of the former user's files and folders. In this case, the user or group must then take ownership of the files to complete the process. In Windows Server 2003, however, the administrator also has the option to assign ownership to the new user or group. Either method of transferring ownership allows the administrator to pass control to the new user or group responsible for the files without the administrator having ownership and disrupting the auditing trail.

The Take Ownership setting is configured on the Permission Entry dialog box for the object, as shown in Figure 4.18.

Figure 4.18. The Permission Entry dialog box, showing the Take Ownership permission.


Exam Alert: You Can Assign Ownership

Unlike in previous versions of Windows, where the administrator could take ownership, in Windows Server 2003, you can assign ownership of a file or folder to another user.


Ownership of an object can be taken by the following users and groups:

  • Administrators

  • A user or group that has been assigned the Take Ownership permission

  • A user or group that has the Restore Files and Directories privilege

To assign ownership of a file or folder, use the procedure outlined in Step by Step 4.9.

Step by Step

4.9 Assigning ownership of a file or folder

1. Log on as an administrator.

2. Open either My Computer or Windows Explorer. Navigate to the object for which you want to configure permissions.

3. Right-click the object, select Properties from the pop-up menu, and click the Security tab in the resulting dialog box.

4. From the Security tab, click the Advanced button.

5. The Advanced Security Settings dialog box appears. Select the Owner tab.

6. The Owner tab, shown in Figure 4.19, allows you to assign ownership of the object to a user or group. Click the Other Users or Groups button.

Figure 4.19. The Advanced Security Settings dialog box, showing the Owner tab.

7. The Select User or Group dialog box appears. Enter the desired user or group and then click the OK button.

8. This returns you to the Advanced Security Settings dialog box. Click OK here and in the Object Properties dialog box to save.
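The same transfer done from a PowerShell prompt instead of the Owner tab, as an added example that is not from the book. It uses the .NET file-security classes that Get-Acl and Set-Acl expose; the folder path and the account name are placeholders, and both halves of the example assume the session runs as a member of Administrators, which holds the Restore Files and Directories privilege the book lists as a requirement for assigning ownership to someone else.

```powershell
# Added example (not from the book): transfer ownership of a departed user's
# folder without the administrator ever becoming the owner.
# $path and $newOwner are placeholders; substitute real values.

$path     = 'D:\Users\Departed'     # folder left behind by the former employee
$newOwner = 'CORP\jsmith'           # user or group that takes over the data

# Record who owns the folder before the change (useful for the change ticket).
$acl = Get-Acl -Path $path
Write-Host "Owner before: $($acl.Owner)"

# Option A: assign ownership directly (the Windows Server 2003 Owner tab route).
# Setting the owner to an account other than yourself requires the Restore
# Files and Directories privilege; Administrators have it by default.
$account = New-Object System.Security.Principal.NTAccount($newOwner)
$acl.SetOwner($account)
Set-Acl -Path $path -AclObject $acl

# To mirror the Owner tab's option of replacing the owner on the whole tree,
# repeat the assignment for every file and subfolder beneath $path.
Get-ChildItem -Path $path -Recurse | ForEach-Object {
    $childAcl = Get-Acl -Path $_.FullName
    $childAcl.SetOwner($account)
    Set-Acl -Path $_.FullName -AclObject $childAcl
}

# Option B: the pre-2003 route. Grant only the Take Ownership right and let the
# new user take ownership from her own logon; the audit trail then shows her,
# not the administrator, as the account that took control.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $newOwner,
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: the owner, and the Take Ownership entry for the new principal.
Write-Host "Owner after:  $((Get-Acl -Path $path).Owner)"
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $newOwner } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Use one option or the other, not both; they are shown together only so the two methods the text describes can be compared. If Set-Acl refuses to set the owner, the session lacked the Restore Files and Directories privilege, which is exactly the condition the book describes: without it an account can only take ownership for itself, not assign it to others.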

Verifying Effective Permissions When Granting Permissions

Objective:

Verify effective permissions when granting permissions.

NTFS file and folder permissions are cumulative. This means that the effective permissions are a combination of the permissions granted to the user and those permissions granted to any group to which the user belongs. For example, Dave is a member of the Accounting group, and the Accounting group has Read access to the ACCT folder. However, Dave is also a member of the Managers group. The Managers group has Write access to the ACCT folder. In this case, Dave would have Read and Write access to the ACCT folder.

Let's look at another example. Joe has been granted Full Control access to the EOY folder. Joe is a member of the Managers group, which has Read access to the EOY folder. Joe is also a member of the Planning group, which has Deny Full Control permission on the EOY folder. Joe's effective permission is Deny Full Control.

Another important point to remember is that the least-restrictive permissions apply. For example, if Mary is a member of the HR group, which has Read access to a folder, and she's also a member of the Managers group, which has Full Control access, her effective permission for the folder is Full Control.

All NTFS permissions are cumulative, except in the case of Deny, which overrules everything else. Even if the user has been granted Full Control in several groups, being a member of one group that has been assigned the Deny permission negates everything else.
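The three worked cases above (Dave, Joe and Mary) combined into a small model of the book's rule set, as an added example that is not from the book: Allow entries accumulate across the user and every group the user belongs to, and any matching Deny removes those rights. The rights list, the helper functions and the hashtable ACL format are constructed for the example; the names and folders are the book's own.

```powershell
# Added example (not from the book): model NTFS effective permissions as the
# text describes them: cumulative Allow across user and groups, Deny wins.
# Entries are hashtables @{ Identity; Type = 'Allow'|'Deny'; Rights = @(...) }.

# Full Control is "every right"; this short list is enough for the scenarios.
$AllRights = 'Read', 'Write', 'Modify', 'Execute', 'Delete', 'ChangePermissions', 'TakeOwnership'

function Expand-Rights([string[]]$Rights) {
    # Full Control stands for the whole set, so a Deny of Full Control denies everything.
    if ($Rights -contains 'FullControl') { return $AllRights }
    return $Rights
}

function Get-EffectiveRights {
    param(
        [string]$User,
        [string[]]$Groups,
        [object[]]$Acl
    )
    $principals = @($User) + $Groups
    $allowed = @()
    $denied  = @()
    foreach ($ace in $Acl) {
        # An entry only counts if it names the user or one of the user's groups.
        if ($principals -notcontains $ace.Identity) { continue }
        $rights = Expand-Rights $ace.Rights
        if ($ace.Type -eq 'Deny') { $denied += $rights } else { $allowed += $rights }
    }
    # Cumulative allows, minus anything denied by any matching entry.
    $effective = @($allowed | Sort-Object -Unique | Where-Object { $denied -notcontains $_ })
    if ($effective.Count -eq $AllRights.Count) { return @('FullControl') }
    return $effective
}

function Show-Result([string]$Who, [string[]]$Rights) {
    if ($Rights.Count -eq 0) { "${Who}: no access (denied)" } else { "${Who}: " + ($Rights -join ', ') }
}

# Dave: Accounting has Read, Managers has Write on ACCT -> Read, Write
$acct = @(
    @{ Identity = 'Accounting'; Type = 'Allow'; Rights = @('Read') },
    @{ Identity = 'Managers';   Type = 'Allow'; Rights = @('Write') }
)
Show-Result 'Dave' (Get-EffectiveRights -User 'Dave' -Groups 'Accounting', 'Managers' -Acl $acct)

# Joe: Full Control himself, Managers Read, Planning Deny Full Control on EOY -> nothing
$eoy = @(
    @{ Identity = 'Joe';      Type = 'Allow'; Rights = @('FullControl') },
    @{ Identity = 'Managers'; Type = 'Allow'; Rights = @('Read') },
    @{ Identity = 'Planning'; Type = 'Deny';  Rights = @('FullControl') }
)
Show-Result 'Joe' (Get-EffectiveRights -User 'Joe' -Groups 'Managers', 'Planning' -Acl $eoy)

# Mary: HR has Read, Managers has Full Control -> Full Control (least restrictive wins)
$hrfolder = @(
    @{ Identity = 'HR';       Type = 'Allow'; Rights = @('Read') },
    @{ Identity = 'Managers'; Type = 'Allow'; Rights = @('FullControl') }
)
Show-Result 'Mary' (Get-EffectiveRights -User 'Mary' -Groups 'HR', 'Managers' -Acl $hrfolder)
```

The model reproduces the book's answers for all three cases. Real NTFS evaluation is order-based rather than set-based: Windows walks the ACL in canonical order (explicit Deny, explicit Allow, then inherited entries in the same pattern) and stops as soon as every requested right is granted or any requested right is denied, so an explicit Allow on an object can outrank a Deny inherited from its parent. The Effective Permissions tab in Step by Step 4.10 performs that full calculation for you.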

Windows Server 2003 includes the Effective Permissions tool. This tool automatically looks at a user's permissions and the permissions of the groups of which the user is a member to calculate the effective permissions for an object on an NTFS volume.

To view the effective permissions for an object, follow the procedure outlined in Step by Step 4.10.

Step by Step

4.10 Viewing the effective permissions of a file or folder

1. Open either My Computer or Windows Explorer and navigate to the object for which you want to view permissions.

2. Right-click the object, select Properties from the pop-up menu, and click the Security tab in the resulting dialog box.

3. From the Security tab, click the Advanced button.

4. The Advanced Security Settings dialog box appears. Select the Effective Permissions tab.

5. The Effective Permissions tab appears. This page allows you to display the effective permissions of the object for a user or group. Click the Select button.

6. The Select User or Group dialog box appears. Enter the desired user or group and then click the OK button.

7. This returns you to the Advanced Security Settings dialog box. The effective permissions for the user are shown in Figure 4.20. Click OK here and in the Object Properties dialog box to quit.

Figure 4.20. The Advanced Security Settings dialog box, showing the Effective Permissions tab.


Note: Share Permissions

Share permissions are not included in the effective permissions calculations.


Copying and Moving Files and Folders

When files and folders are copied or moved on an NTFS partition, the configured permissions may change. The outcome depends on whether the file or folder was copied or moved, and on the destination: the same volume, a different NTFS volume, or a FAT volume. The possible outcomes of moving or copying NTFS files and folders are as follows:

  • Moving a file or folder to another folder on the same NTFS volume results in the file or folder retaining its permissions, regardless of the permissions configured on the target folder.

  • Moving a file or folder to a different NTFS volume results in the file or folder assuming the permissions of the target folder.

  • Moving a file or folder from a FAT volume to an NTFS volume results in the file or folder assuming the permissions of the target folder.

  • Moving a file or folder from an NTFS volume to a FAT volume results in all NTFS-specific properties (including permissions) being lost.

  • Copying a file to another folder on the same NTFS volume results in the file assuming the permissions of the target folder.

  • Copying a file or folder to a different NTFS volume results in the file or folder assuming the permissions of the target folder.

  • Copying a file or folder from a FAT volume to an NTFS volume results in the file or folder assuming the permissions of the target folder.

  • Copying a file or folder from an NTFS volume to a FAT volume results in all NTFS-specific properties being lost.

It's important to note that if you configure permissions on a folder, you can choose whether to propagate the permissions to the existing files and subfolders contained within that folder. However, any new files or subfolders created within that folder automatically inherit the permissions of the container.


MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales