User-Level and Share-Level Security | Upgrading and Repairing Networks (5th Edition)

User -Level and Share-Level Security

There are two basic means for protecting resources offered on a network. Each method strives to make the protected resources available only to users who have been authorized access to these resources. They do so in different ways, however, and grant different kinds of access.

Share-level security involves securing connections to a network share point by a password. Users who know the name of the share point and the password can connect to the share point. All subdirectories and files found under the share point are accessible by using only the single password.

User-level security involves using access controls in the file system and does not stop at placing a single password on an entire tree of resources (although you can do it that way if you want). Instead, access permissions can be placed on any directory or file in a directory, or subdirectories. When a user connects to a resource protected by user-level security mechanisms, the user must first authenticate himself (log on to the server). The user then is granted access rights to each file or directory on the resource, either by the access control restrictions implicitly placed on the resource or by inheritance of access rights.

Obviously, the user level of security permissions provides the administrator a finer granularity of detail when making resource access decisions. A combination of both share-level security and user-level security mechanisms can enable you to create resources on the network that are more secure than using just one of these methods .

When a logon username is employed to identify the user who is accessing a resource, an audit trail with more specific details can also be kept for troubleshooting purposes.

Tip

An audit trail can show you who did what, and when they did it. In Windows, Unix/Linux, and NetWare, you can decide which types of events to log, thus creating an audit trail that matches the level of security required in your network. One mistake often made by administrators of all three of these operating systems is to use the Administrator account (Windows), the root account (Unix/Linux), and the superuser account (NetWare) for administrative tasks .

In this type of situation ”if you have more than one administrator ”your audit trail can be useless for the capabilities these accounts enable. An audit trail should tell you the event that was logged, as well as what user performed the action. If all administrative users make use of a single built-in administrative account, you will not be able to easily track down the person who performed an event. For security reasons you should not use these accounts. Instead you should create separate accounts for each administrative user and grant the rights needed and give these accounts the same permissions (or a subset) that the highly privileged accounts use. This approach will allow you to delegate authority to selected users (such as network administrators), while maintaining an audit trail ”by username ”that you can use to determine what user performed a particular action on the network or computer.

Microsoft networks allow for both share-level and user-level permissions on network resources. Windows 95/98 operating systems allow each computer in the network to offer a directory (or subdirectory) as a file share on the LAN and protect it with a password. For example, you don't have to use a Windows 2000/2003 server to offer file shares on the LAN; you can also do so with Windows 2000 Professional or Windows XP.

In this type of scenario, each computer has its own security database that stores the share-level password. That means that a user might need to learn several passwords, depending on the number of share connections required in order to get their job done. A simple solution to this would be to use the same password for each share, on each computer. However, the drawback to this is that anyone who knows the password for one file share would know the password for all file shares. So, when all is taken into account, using share-level security is not really a good idea in a large network.

For Windows operating systems, starting with Windows NT 4.0, you need to have both a valid username (for the server you want to connect to, or a domain account) and a password valid for that account in order to connect to a resource share.

Tip

In a small network, such as a SOHO network, you might not need to worry about security problems when you have a small LAN consisting of just a few client computers. For this kind of LAN, you probably don't even need a server-class computer, because share-level security can be implemented by the clients , including Unix or Linux computers.

If you have a firewall of some sort protecting your small LAN from intruders from the Internet (as well as a good virus prevention program), then you might want to use a single password for all file shares to make your job easier. You don't have to be an advanced network administrator to operate a LAN that is under your control, in which only you or a few others use the LAN resources. Keep in mind, however, that if sensitive information (such as payroll information) needs to be viewed by only yourself, you should not offer that as a file share, and instead should manage those resources yourself.

Microsoft Windows Share-Level Security

Earlier versions of Windows operating systems used the FAT (File Allocation Table) and FAT32 (similar to FAT, but for larger disk volumes , as well as other features) file systems. Beginning with Windows NT, the NTFS file system enabled a more secure file system. FAT and FAT32 don't provide the mechanisms to store security attributes, such as access control lists (ACLs), for files or directories, as NTFS does.

The main benefit of using NTFS is that it does allow you to store a lot more information about a file or a directory. When you use the NTFS file system to format a disk, you can apply user-level security permissions on individual files or directories. You can still create file shares using Windows sever operating systems, but NTFS allows you to further define which files/directories a user can access when using the file share. For an environment that requires a high degree of security, the NTFS partition is the choice to make. Additionally, the Windows 2000/2003 operating systems allow for other features that make NTFS a more secure choice, including the capability to encrypt and decrypt data on-the-fly when storing or retrieving it from disk. You can also choose to compress data on files so that less disk space is used to store files.

For either of these options, just right-click on a folder and select the properties page from the menu that appears. You'll see an Advanced button on the General tab. After clicking that button, you'll see two important check boxes. The first is Compress Contents to Save Disk Space. The second is Encrypt Contents to Secure Data. Select either or both of these check boxes to enable that feature for the folder.

The only reason to format a disk using FAT or FAT32 is if you are going to dual-boot the computer, and one of the earlier operating systems (such as Windows 95/98) will be used. This is because Windows 95/98 systems are not capable of using an NTFS partition. You can create one partition and format it using FAT, and create additional partitions using NTFS for Windows NT and later operating systems, such as Windows 2000/2003/XP. However, this sort of dual-boot setup should be used only in an environment where security is not an important issue, such as a standalone computer (one not connected to a network). This is because a FAT partition does not let you set file or directory partitions and does not support encryption.

Another example is in your home, where you don't have such strict security requirements. For example, you might need to use an older software application that will not run under newer Windows operating systems. Even then, if you are connected to the Internet, you should consider the implications of using FAT or FAT32 on a home computer because many hackers regularly scan IP addresses looking for vulnerable systems. If you stay online for extended periods browsing the Internet ”or if you're online all the time using a broadband connection such as a cable or DSL modem, then a FAT-based disk is wide open for planting a Trojan horse and other malicious programs. If you use NTFS instead, and set up your user accounts correctly, you can potentially head off this sort of problem. This is because on NTFS partitions you can set permissions for every file or directory on a one-by-one basis.

Single computers and small LANs typically use an out-of-the-box firewall solution, such as a DSL/cable router, which can offer some degree of protection, such as Network Address Translation (NAT). However, by applying permissions on an NTFS formatted disk, you can further enhance your security.

For more information about NAT, see Chapter 49, "Firewalls."