Now that we have examined the properties of local security, let's take a look at share security. As previously discussed, one of the main roles of a computer running Windows Server 2003 is that of a file server. The role of a file server is to provide centralized access to files over a network. Regardless of whether the server is serving files to a workgroup or a domain, this is an important role. Unfortunately, without the proper security in place, just having physical access to the network allows any user to access any file on the file server. In this section, we examine not only how to share files and folders over a network, but also how to assign permissions to restrict access to the appropriate users.

Creating and Managing Shared Folders

Users on other computers can connect to a file server via shares. The term share is shorthand for shared folder. Sharing a folder allows the contents of the folder to be available to multiple concurrent users on a network. When a folder is shared, any user with the proper permissions can access it. A shared folder can contain applications, data, or a user's personal data. Using shares allows an administrator to centralize the management, security, and backup of applications and data. Shared folders can be implemented on either workstations or servers.

When a folder is shared, the Everyone group is granted Read access by default. As additional users or groups are added to the share, they are also given Read permission initially. Unless there is a good reason not to do so, you should always remove the permissions from the Everyone group and assign the proper permissions directly to other groups.

Exam Alert: Better Security in Windows Server 2003
In previous versions of Windows, when a folder was shared, the Everyone group was granted Full Control permissions.

Note: Be Careful with Deny
If you want to remove the permissions for the Everyone group for an object, remove the Everyone entry from the Permissions dialog box. Do not assign the Deny permission to the Everyone group because the Everyone group includes all users, including administrators.

Only members of the Administrators, Server Operators, or Power Users (member servers only) groups are permitted to share folders. To share a folder on a local volume, follow the procedure outlined in Step by Step 4.1.
Figure 4.2. Windows Explorer, showing the shared folder icon.

A share can also be created on a remote computer. This is accomplished using the Shared Folders snap-in of the Computer Management Microsoft Management Console (MMC). To share a folder on a remote volume, follow the procedure outlined in Step by Step 4.2.
Administrative Shares

As you might have noticed in Figure 4.5, when the new share was created, several shares were already present, most of which have a dollar sign ($) after their name. These shares are Administrative Shared folders. These folders are shared during the default installation of Windows Server 2003. They are used for the convenience of administrators and the operating system to administer files and folders on remote computers. The permissions for Administrative Shared folders cannot be changed. By default, members of the Administrators group are granted Full Control access. The names and purposes of the folders are as follows:
The dollar sign after the name tells Windows Server 2003 not to display the folder in My Network Places or when the server is being browsed. You can create your own hidden shares by adding the trailing dollar sign at the end of the share name.

Note: Some Administrative Shares Are Optional
As you probably noticed in Figure 4.5, the Print$ and FAX$ shares weren't present. These shares are optional and appear only if print drivers and the fax service have been installed.

Publishing a Shared Folder in Active Directory

In Windows Server 2003, you can publish a shared folder as a shared folder object in Active Directory using the Active Directory Users and Computers snap-in. This allows users to query Active Directory for the shared folder instead of browsing to locate it. Just creating a shared folder is not enough; it must also be published to be visible in Active Directory. To publish a shared folder in Active Directory, use the procedure outlined in Step by Step 4.3.
Note: Use the Fully Qualified Domain Name
Notice in the previous Step by Step that the fully qualified domain name was used to refer to the network path for the shared folder. If you use the NetBIOS name, only users within your domain can access the share.

Any shared folder accessible via a Universal Naming Convention (UNC) name (that is, \\server\share) or FQDN can be published in Active Directory. This includes both shares on servers and workstations. An additional advantage of publishing a share in Active Directory is that if the share is moved to another server, only the reference in Active Directory has to be updated; the users do not have to change their configuration.

Managing Shared Folder Permissions
Shared folder permissions are important, especially when the share is hosted on a FAT volume. Because the objects on FAT volumes can't be assigned permissions at the file or folder level, share permissions are the only type of file security available. Share permissions, as you might have guessed from the name, apply only when a file or folder is accessed over the network through a shared folder. Permissions assigned to a share have no effect on a user logged on to the server console or logged on to a Terminal Services session on that server. When a share is created, the Everyone group is granted Read access by default. Obviously, this isn't appropriate for many circumstances, so you should make adjustments. Only three types of access permissions can be configured on a share. The default permission is Read, and it allows you to perform the following:
The second permission is Change. It allows you to do everything that the Read permission allows as well as the following:
The last permission is Full Control. It allows you to perform all the Read and Change tasks in addition to allowing you to change the permissions on NTFS files and subfolders in the share. To share a folder on a local volume, follow the procedure outlined in Step by Step 4.4.
Connecting to Shared Folders

After the shared folders are configured on your server or workstation, they can be accessed over the network. Users can access shared folders using either My Network Places, Map Network Drives, or the Run command. Using the Run command is the easiest and quickest way to access a remote share, as long as you know the server and share name. All you have to do is type it in, as shown in the Run dialog box in Figure 4.7, and then click OK.

Figure 4.7. The Run dialog box, showing how to access a shared folder using a UNC path.
You can also map a network drive using the Map Network Drive option. When you map a drive, you assign the share to a drive letter, which you can use to reference the share. This makes it easier to reference your files. The procedure for mapping a drive is shown in Step by Step 4.5.
In Figure 4.8, there is a check box labeled Reconnect at Logon. This creates a persistent drive mapping; that is, it will remain mapped until you manually disconnect it, even if you reboot your machine. The other option is Connect Using a Different User Name. This option allows you to connect to a share using a different username from what you used when logging on to your machine.

The final method to access a shared folder is via My Network Places. My Network Places is available in the left pane of My Computer (unless you selected Classic Folders).

Figure 4.9. My Network Places is available in the My Computer MMC.

There are two ways you can access a folder via My Network Places. The first method is to browse to it by clicking My Network Places, Entire Network, Microsoft Windows Network. This allows you to browse the servers in the domains and workgroups on your network, and click on the shares to connect. As shown in Figure 4.10, all the available shares on the \\Book server are shown in the list, except for those that are hidden.

Figure 4.10. Browsing shares using My Network Places.

The second method is to click the Add a Network Place entry, listed under the Network Tasks section in the left pane of My Network Places, as shown earlier in Figure 4.10. This starts the Add Network Place Wizard. It guides you through adding a share via a UNC name, a web share, or a File Transfer Protocol (FTP) address. This allows you to add a network place on your local network or on the Internet.

Configuring and Managing NTFS File and Folder Permissions

Although the various versions of FAT provide no local security, NTFS was created with the capability to control access to every file and folder on an NTFS volume. When a file or folder is created on an NTFS volume, an Access Control List (ACL) is created. The ACL contains a list of every user, group, or computer that has been granted access to the file or folder and what type of access was granted.
Each user, group, or computer that has been allowed access to the resource has its own Access Control Entry (ACE) in the ACL. Whenever a file or folder is accessed on an NTFS volume, the operating system reads the ACE to determine whether the user, group, or computer has the necessary permissions for the type of access it is requesting. Permissions define the type of access that is granted to a user or group for an object, such as a file or folder. Permissions can be assigned to local users or groups, or if the server is a member of a domain, permissions can be assigned to any user or group that is trusted by that domain. The type of permission varies by object. Folders are used as containers to store files or other folders. Files are executed or written, so the permissions assigned to them apply to the amount of manipulation a user or group can perform against them. NTFS permissions can be granted to either users or groups. By default, the Administrators group can assign permissions to all files and folders on a server. The following permissions apply to a file:
The following permissions apply to a folder and to the files and subfolders contained in that folder:
Note: Under the normal permissions, granting Write access also includes the Read access permissions. However, when using special permissions, only the explicit Write functionality selected is granted.

The creator or owner of a file or folder is able to control how permissions are set and to whom permissions are granted on that object. To configure the permissions on a file or folder, use the procedure outlined in Step by Step 4.6.
This Properties dialog box allows you to add or delete users or groups that have access to a file or folder. In addition, you can explicitly select to either allow or deny the basic permissions that apply to that object.

Special Permissions

In addition to the basic permissions, NTFS also allows you to assign more granular, special permissions. Special permissions are generally a subset of the basic NTFS permissions and allow you to limit access to a file or folder to specific tasks. These special permissions apply to both files and folders and are detailed in the following list:
To configure the special permissions on a file or folder, use the procedure outlined in Step by Step 4.7.
Special permissions are subsets of the basic permissions discussed earlier. To see which basic permissions the special permissions are included in, see Table 4.1.
As you can see, the special permissions allow you to grant permission for just a specific task. This allows you to avoid giving a user Full Control access when all you want the user to be able to do is delete files. In some cases, the basic permissions allow users to perform more tasks than you want them to have access to.

Managing Permissions Inheritance

So far we have covered explicit permissions, the permissions explicitly assigned on a file or folder. However, NTFS supports inherited permissions; these are the permissions inherited from the parent folder. NTFS can be thought of as an upside-down tree, with the root at the top. By default, when you assign file and folder permissions, these permissions are automatically applied to the files and folders underneath them in the hierarchy. This means that any permissions applied at the root of an NTFS drive flow down to files and folders at the lowest level, unless the inheritance has been removed. In addition, if you create a file or folder in an existing folder, the permissions in effect for that folder apply to the new objects.

Unless you remove inheritance from the parent, you cannot configure the existing permissions on an object; however, you can still add new ones. As shown in Figure 4.14, the permissions are grayed out. When removing inheritance, you have the option to set the initial permissions by copying the existing inherited permissions or removing them completely. Any explicitly configured permissions remain unchanged.

Figure 4.14. The file Properties dialog box, showing the inherited permissions. The grayed-out check boxes indicate that the permissions were inherited and cannot be changed.
Here are two key points to remember about inherited permissions:
To block inheritance on a file, use the procedure outlined in Step by Step 4.8.
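The inheritance behaviour described in this section, including the copy and remove choices offered when inheritance is blocked, can be modelled in a few lines. This is an added Python example, not part of the original text; the volume, folder, file and group names are constructed, and the model tracks only which entries are explicit and which are inherited.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Ace = Tuple[str, str]   # (trustee, permission), e.g. ("Users", "Read")

@dataclass
class Node:
    """A file or folder on an NTFS volume (simplified model for this example)."""
    name: str
    parent: Optional["Node"] = None
    explicit: List[Ace] = field(default_factory=list)  # set directly on this object
    inherits: bool = True                              # False once inheritance is blocked

    def inherited(self) -> List[Ace]:
        """Entries flowing down from the parent chain."""
        if self.parent is None or not self.inherits:
            return []
        return self.parent.acl()

    def acl(self) -> List[Ace]:
        return self.explicit + self.inherited()

    def can_edit(self, ace: Ace) -> bool:
        """Inherited entries are grayed out; only explicit ones can be changed here."""
        return ace in self.explicit

    def block_inheritance(self, mode: str) -> None:
        """mode 'copy' keeps the inherited entries as explicit ones, 'remove' drops them."""
        if mode not in ("copy", "remove"):
            raise ValueError("mode must be 'copy' or 'remove'")
        if mode == "copy":
            self.explicit = self.explicit + self.inherited()
        self.inherits = False

def build_tree():
    """Constructed sample volume: root -> Payroll folder -> two files."""
    root = Node("D:\\", explicit=[("Administrators", "Full Control"), ("Users", "Read")])
    payroll = Node("Payroll", root, [("HR", "Modify")])
    return root, payroll, Node("salaries.xls", payroll), Node("bonus.xls", payroll)

if __name__ == "__main__":
    root, payroll, salaries, bonus = build_tree()
    print(salaries.acl())                        # Payroll's HR entry plus the root's entries
    salaries.block_inheritance("copy")           # same entries, now editable on the file
    bonus.block_inheritance("remove")            # no explicit entries: empty ACL
    root.explicit.append(("Auditors", "Read"))   # reaches Payroll, not the blocked files
    print(payroll.acl(), salaries.acl(), bonus.acl(), sep="\n")
```

The empty ACL on bonus.xls is the lockout case: with inheritance removed and nothing explicitly assigned, no trustee has any entry on the object.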
Note: Be Careful with Remove
If you choose to remove the inherited permissions, the only permissions that remain are those that were explicitly added. If there are no added permissions, no one can access the object. The administrator must either assign permissions to it or turn propagation of permissions back on.

Changing Ownership of Files and Folders
What happens when the owner of a file or folder leaves the company? How do you regain access to the data she controls? As an administrator, you have the option of resetting the password and logging on using her user account. However, this is not a viable option in many cases because security restrictions may not allow the administrator to be the owner of secure user files. Instead, to ensure the audit trail is intact and not interrupted by the administrator accessing the files, the administrator must transfer the ownership to the new user responsible for the files.

As mentioned earlier, when a file or folder is created, by default the creator is granted ownership of the object. In the case of someone leaving the organization, the administrator can assign the Take Ownership permission to another user or group so that it can take control of the former user's files and folders. In this case, the user or group must then take ownership of the files to complete the process. In Windows Server 2003, however, the administrator also has the option to assign ownership to the new user or group. Either method of transferring ownership allows the administrator to pass control to the new user or group responsible for the files without the administrator having ownership and disrupting the auditing trail.

The Take Ownership setting is configured on the Permission Entry dialog box for the object, as shown in Figure 4.18.

Figure 4.18. The Permission Entry dialog box, showing the Take Ownership permission.
Exam Alert: You Can Assign Ownership
Unlike in previous versions of Windows, where the administrator could take ownership, in Windows Server 2003, you can assign ownership of a file or folder to another user.

Ownership of an object can be taken by the following users and groups:
To assign ownership of a file or folder, use the procedure outlined in Step by Step 4.9.
Verifying Effective Permissions When Granting Permissions
NTFS file and folder permissions are cumulative. This means that the effective permissions are a combination of the permissions granted to the user and those permissions granted to any group to which the user belongs. For example, Dave is a member of the Accounting group, and the Accounting group has Read access to the ACCT folder. However, Dave is also a member of the Managers group. The Managers group has Write access to the ACCT folder. In this case, Dave would have Read and Write access to the ACCT folder.

Let's look at another example. Joe has been granted Full Control access to the EOY folder. Joe is a member of the Managers group, which has Read access to the EOY folder. Joe is also a member of the Planning group, which has Deny Full Control permission on the EOY folder. Joe's effective permission is Deny Full Control.

Another important point to remember is that the least-restrictive permissions apply. For example, if Mary is a member of the HR group, which has Read access to a folder, and she's also a member of the Managers group, which has Full Control access, her effective permission for the folder is Full Control.

All NTFS permissions are cumulative, except in the case of Deny, which overrules everything else. Even if the user has been granted Full Control in several groups, being a member of one group that has been assigned the Deny permission negates everything else.

Windows Server 2003 includes the Effective Permissions tool. This tool automatically looks at a user's permissions and the permissions of the groups of which the user is a member to calculate the effective permissions for an object on an NTFS volume. To view the effective permissions for an object, follow the procedure outlined in Step by Step 4.10.
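The cumulative and Deny rules above, worked through for Dave, Joe and Mary in an added Python example that is not from the original text. The Right labels are simplified stand-ins rather than Win32 access-mask values, and the model follows the page's rule that Deny always wins without modelling the order in which ACEs are evaluated. It also goes one step beyond the page's examples by showing access through a share, where a right must be allowed by both the share ACL and the NTFS ACL, next to a console logon where the share ACL is not consulted.

```python
from dataclasses import dataclass
from enum import Flag

class Right(Flag):
    # Simplified labels for this example, not the Win32 access-mask values.
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMISSIONS = 16
    TAKE_OWNERSHIP = 32
    FULL_CONTROL = 63

@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the entry applies to
    rights: Right
    deny: bool = False    # True for a Deny entry

def effective(user, groups, acl):
    """Union of every Allow ACE matching the user or a group, minus every Deny."""
    trustees = {user, *groups}
    allowed = denied = Right.NONE
    for ace in acl:
        if ace.trustee in trustees:
            if ace.deny:
                denied |= ace.rights
            else:
                allowed |= ace.rights
    return allowed & ~denied

def access(user, groups, ntfs_acl, share_acl=None):
    """share_acl=None models a console or Terminal Services logon, where the
    share ACL is not consulted; over the network both ACLs must allow a right."""
    ntfs = effective(user, groups, ntfs_acl)
    if share_acl is None:
        return ntfs
    return ntfs & effective(user, groups, share_acl)

# ACLs from the page's three examples (folder names and groups as given there).
ACCT = [Ace("Accounting", Right.READ), Ace("Managers", Right.WRITE)]
EOY = [Ace("Joe", Right.FULL_CONTROL), Ace("Managers", Right.READ),
       Ace("Planning", Right.FULL_CONTROL, deny=True)]
HR_FOLDER = [Ace("HR", Right.READ), Ace("Managers", Right.FULL_CONTROL)]
DEFAULT_SHARE = [Ace("Everyone", Right.READ)]   # default share ACL per the page

if __name__ == "__main__":
    print(effective("Dave", ["Accounting", "Managers"], ACCT))
    print(effective("Joe", ["Managers", "Planning"], EOY))
    mary = ["HR", "Managers", "Everyone"]
    print(access("Mary", mary, HR_FOLDER))                 # at the console
    print(access("Mary", mary, HR_FOLDER, DEFAULT_SHARE))  # over the network
```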
Note: Share Permissions
Share permissions are not included in the effective permissions calculations.

Copying and Moving Files and Folders

When files and folders are copied or moved on an NTFS partition, the configured permissions may change. This depends on whether the file or folder was copied or moved, and where it was moved to. Several rules apply when you move or copy NTFS files and folders. The possible outcomes of moving or copying NTFS files and folders are as follows:
It's important to note that if you configure permissions on a folder, you can choose whether to propagate the permissions to the existing files and subfolders contained within that folder. However, any new files or subfolders created within that folder automatically inherit the permissions of the container.