chapter05 managing file access

Managing a Microsoft Windows Server 2003 Environment

Chapter 5: Managing File Access

2

Objectives

• Identify and understand the differences between the various file systems supported in Windows Server 2003

• Create and manage shared folders• Understand and configure the shared folder

permissions available in Windows Server 2003• Understand and configure the NTFS permissions

available in Windows Server 2003

3

Objectives (continued)

• Determine the impact of combining shared folder and NTFS permissions

• Convert partitions and volumes from FAT to NTFS

4

Windows Server 2003 File Systems

• Three main file systems• File Allocation Table (FAT)• FAT32• NTFS

• Final choice of file system depends on • How system will be used• Whether there are multiple operating systems• Security requirements

• NTFS is most highly recommended

5

FAT

• Used by MS-DOS• Supported by all versions of Windows since• Traditionally limited to partitions up to 2 GB

• Windows Server 2003 version supports partitions up to 4 GB

• Limitations• Small partition sizes• No file system security features• Disk space usage is poor

6

FAT32

• A derivative of the FAT file system• Supports partition sizes up to 2 TB• Still does not provide advanced security features

• Cannot configure permissions on file and folder resources

7

NTFS• Introduced with Windows NT operating system• Current version (version 5)

• Windows NT 4.0• Windows 2000• Windows XP• Windows Server 2003

• Theoretically supports partition sizes of up to 16 Exabytes (EB)• Practically supports maximum partition sizes from 2

TB to 16 TB

8

NTFS (continued)

• Advantages of NTFS• Greater scalability and performance on larger partitions

• Support for Active Directory on systems configured as domain controllers

• Ability to configure security permissions on individual files and folders

• Built-in support for compression and encryption

• Ability to configure disk quotas for individual users

• Support for Remote Storage

• Recovery logging of disk activities

9

Creating and Managing Shared Folders

• Shared folder• A data resource made available over a network to

authorized network clients

• Specific permissions required for creating, reading, modifying

• Groups that can create shared folders:• Administrators

• Server Operators

• Power Users (only on member servers)

10

Creating and Managing Shared Folders (continued)

• Several ways to create shared folders• Two important methods

• Windows Explorer Interface

• Computer Management console

• Also allows shared folders to be monitored

11

Using Windows Explorer

• Used since Windows 95 • Can create, maintain, and share folders• Folders can be on any drive connected to the

computer• Folders are shared in Windows Explorer by

accessing the Sharing tab of folder’s properties

12

Using Windows Explorer (continued)

13

Activity 5-1: Creating a Shared Folder Using Windows Explorer• Objective is to create a shared folder using

Windows Explorer• Open Explorer from Start menu• Use Explorer to create and configure a new folder• Verify folder using net view command• Open Explorer from command line for alternative

verification

14

Activity 5-1 (continued)

15


• Shared name of folder does not have to be the actual file name

• Hand icon used to indicate shared status• Shared folders can be hidden from My Network

Places and Network Neighborhood• Place dollar sign ($) after name, e.g., Salary$

• Number of hidden administrative shares created automatically at installation

16


17


18

Using Computer Management

• Computer Management console is a pre-defined Microsoft Management Console (MMC)• Allows you to share and monitor folders for local and

remote computers

• Allows you to stop sharing if desired

19

Using Computer Management (continued)

• Share a Folder Wizard• Used to create folders in Shared Folders section of

Computer Management

• Used to provide preconfigured or manual permissions

• All users have read-only access

• Administrators have full access; others have read-only access

• Administrators have full access; others have read and write access

• Custom share and folder permissions

20

Activity 5-2: Creating and Viewing Shared Folders Using

Computer Management• Objective is to create and view shared folders

using Computer Management• Open Computer Management and the Shared

Folders node• Open Shares folder and note hidden files and other

file types

21


22


• Open the Share a Folder Wizard• Configure the folder attributes• Configure the folder permissions• Verify folder accessibility from command line

23


24

Monitoring Access to Shared Folders

• Monitoring involves• Who is using shared files

• What shared files are open at any given time

• Other functions• Disconnect users from a share

• Send network alert messages

• Primary monitoring tool is Computer Management

25

Monitoring Access to Shared Folders (continued)

26

Managing Shared Folder Permissions

• A shared folder has a discretionary access control list (DACL)• Contains a list of user or group references that have

been allowed or denied permissions

• Each reference is an access control entry (ACE)

• Accessed from Permissions button on Sharing tab of folder’s properties

• Permissions only apply to network users, not those logged on directly to local machine

27

Managing Shared Folder Permissions (continued)

28

Managing Shared Folder Permissions (continued)

• To deny access to a user or group• Windows Server 2003 does not include No Access

share permission• Must explicitly deny access to each individually

• Default permission is read access for Everyone group• Should be immediately addressed when a share is

created

• Folder permissions are inherited by all contained objects

29

Activity 5-3: Implementing Shared Folder Permissions

• Objective is to use shared folder permissions to control access to resources

• In this exercise, you configure permissions on a shared folder to implement specific requirements:• Domain Admins group has Full Control permission

• Marketing Users group has Change permission

• Other users have no access

30

NTFS Permissions

• Resources located on an NTFS partition or volume can be given NTFS permissions

• An administrator must• Know how permissions are applied

• Standard and special NTFS permissions available

• How effective permissions are determined

31

NTFS Permission Concepts

• NTFS permissions are configured via the Security tab

• NTFS permissions are cumulative• Access denial always overrides permitted access• NTFS folder permissions are inherited unless

otherwise specified• NTFS permissions can be set at file or folder level

32

NTFS Permission Concepts (continued)

• A new ACE has default permission • Read and Read and Execute for files

• List Folder Contents for folders

• Windows Server 2003 has set of standard permissions plus special permissions

33

NTFS Permission Concepts (continued)

34

Activity 5-4: Implementing Standard NTFS Permissions

• Objective is to configure and test NTFS permissions on a local folder

• Implement standard NTFS permissions on a folder• Review default permissions • Explore behavior of permission inheritance

35

Special NTFS Permissions

• Can provide more or less access than standard permissions

• Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource

• Permission Entry dialog box enables assignment of permissions and control of inheritance settings

36

Special NTFS Permissions (continued)

37


• Inheritance settings• This folder only

• This folder, subfolders, and files (default)

• This folder and subfolders

• This folder and files

• Subfolders and files only

• Subfolders only

• Files only

38


39


40

Activity 5-5: Configuring Special NTFS Permissions

• Objective is to view, configure, and test special NTFS permissions• Deny a group the ability to read the NTFS permissions

associated with a folder

• Verify that access has been denied

41

Determining Effective Permissions

• Permissions that actually apply to a user can be the result of membership in multiple groups

• Prior to Windows Server 2003, determining effective permissions was done manually

• In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource• Shows specific permissions for a user or group

42

Determining Effective Permissions (continued)

43

Activity 5-6: Determining Effective NTFS Permissions

• Objective is to view effective permissions for a user on an NTFS folder

• Open the Effective Permissions tab for a test folder

• Enter the name of the user• Review the permissions specifically granted to

that user for that folder• Repeat with a group

44

Combining Shared Folder and NTFS Permissions

• NTFS permissions can be combined with share permissions • When accessing a share across a network, if both apply,

use most restrictive

• When accessing a file locally, only NTFS permissions apply

45

Activity 5-7: Exploring the Impact of Combined Shared

Folder and NTFS Permissions

• Objective is to determine effective permissions when combining shared folder and NTFS permissions

• Create a folder with both permissions• Attempt to create a new folder locally and over the

network

46

Converting a FAT Partition to NTFS

• For highest security, partitions and volumes should be configured to use NTFS

• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS

• All existing files and folders are retained• CONVERT cannot convert NTFS to FAT or

FAT32

47

Activity 5-8: Converting a FAT32 Partition to NTFS

• Objective is to convert a FAT32 partition to NTFS file system

• Create a small FAT32 partition on server (using New Partition Wizard)

• Create new file and folder on the partition• Use CONVERT to convert the partition to NTFS• Review permissions on the converted folder

48

Summary

• Windows Server 2003 supports 3 file systems• FAT

• FAT32

• NTFS (preferred)

• Two types of permissions• Shared folder (network only)

• Tools are Windows Explorer, Computer Management, and NET SHARE command

• NTFS (local and network)

• NTFS partitions only

49

Summary (continued)

• Permissions• Shared folders, 3 standard permissions

• NTFS, 6 standard and 14 special permissions

• Permissions are cumulative

• Effective permissions can be determined from Advanced Security Settings of a resource

• Shared folder and NTFS permissions can be combined

• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system

chapter05 managing file access

Technology

shared folders shared

folders folders

shared status shared

computer folders

shared files

windows xp windows server

windows explorer open

windows nt