Controlling access to system and network resources is a very important topic for the network administrator to understand. Even in a homogeneous network, where all file servers and clients are of one particular brand, it can be difficult to keep track of all file and print shares and which users need access to these resources. When you add nodes running more than one operating system to create a more diverse network, you must also understand the access restrictions imposed by each of those operating systems.
Two kinds of identifying values are used to decide on access. The first is an identifier that uniquely specifies the user who is logged on to the system and the specific rights (or privileges) defined by an operating system. Rights are definitions of the types of actions that can be performed on the system by the users. For Windows 2003, the terms rights and permissions are used interchangeably when granting rights to a user account. The term permissions is also used, as described in the next paragraph, to define access and restrictions to files, directories, and other objects.
Permissions placed on each resource usually are granular, giving permission separately to read, write, execute, or delete a file or directory. Depending on the operating system, the names used for these permissions can vary, and other types of permissions and combinations of these basic types can be found.
The important point to remember when setting up new users or resources, or when troubleshooting existing connections, is that you might need to look at both ends: What rights does the user possess and what access controls (permissions) exist on the resource? Both of these factors determine what users can do on the network. This chapter takes a quick look at the concepts of rights and permissions in several major operating systems and discusses some of the methods used to solve problems related to them.