Upload: g-madras-academy-of-connectivity

Post on 22-Jan-2015


1. Managing File Access Chapter 5 70-290

2. Objectives

  • Identify and understand the differences between the various file systems supported in Windows Server 2003
  • Create and manage shared folders
  • Understand and configure the shared folder permissions available in Windows Server 2003
  • Understand and configure the NTFS permissions available in Windows Server 2003

3. Objectives (continued)

  • Determine the impact of combining shared folder and NTFS permissions
  • Convert partitions and volumes from FAT to NTFS

4. Windows Server 2003 File Systems

  • Three main file systems
    • File Allocation Table (FAT)
    • FAT32
    • NTFS
  • Final choice of file system depends on
    • How system will be used
    • Whether there are multiple operating systems
    • Security requirements
  • NTFS is most highly recommended

5. FAT

  • Used by MS-DOS
  • Supported by all versions of Windows since
  • Traditionally limited to partitions up to 2 GB
    • Windows Server 2003 version supports partitions up to 4 GB
  • Limitations
    • Small partition sizes
    • No file system security features
    • Disk space usage is poor

6. FAT32

  • A derivative of the FAT file system
  • Supports partition sizes up to 2 TB
  • Still does not provide advanced security features
    • Cannot configure permissions on file and folder resources

7. NTFS

  • Introduced with Windows NT operating system
  • Current version (version 5)
    • Windows NT 4.0
    • Windows 2000
    • Windows XP
    • Windows Server 2003
  • Theoretically supports partition sizes of up to 16 Exabytes (EB)
    • Practically supports maximum partition sizes from 2 TB to 16 TB

8. NTFS (continued)

  • Advantages of NTFS
    • Greater scalability and performance on larger partitions
    • Support for Active Directory on systems configured as domain controllers
    • Ability to configure security permissions on individual files and folders
    • Built-in support for compression and encryption
    • Ability to configure disk quotas for individual users
    • Support for Remote Storage
    • Recovery logging of disk activities

9. Creating and Managing Shared Folders

  • Shared folder
    • A data resource made available over a network to authorized network clients
    • Specific permissions required for creating, reading, modifying
  • Groups that can create shared folders:
    • Administrators
    • Server Operators
    • Power Users (only on member servers)

10. Creating and Managing Shared Folders

  • Several ways to create shared folders
  • Two important methods
    • Windows Explorer Interface
    • Computer Management console
      • Also allows shared folders to be monitored

11. Using Windows Explorer

  • Used since Windows 95
  • Can create, maintain, and share folders
  • Folders can be on any drive connected to the computer
  • Folders are shared in Windows Explorer by accessing the Sharing tab of the folder's properties

12. Using Windows Explorer (continued)

13. Activity 5-1 Creating a Shared Folder Using Windows Explorer

14. Creating a Shared Folder Using Windows Explorer

  • Objective is to create a shared folder using Windows Explorer
  • Open Explorer from Start menu
  • Use Explorer to create and configure a new folder
  • Verify folder using net view command
  • Open Explorer from command line for alternative verification

15. Activity 5-1 (continued)

16. Using Windows Explorer (continued)

  • Shared name of folder does not have to be the actual file name
  • Hand icon used to indicate shared status
  • Shared folders can be hidden from My Network Places and Network Neighborhood
    • Place dollar sign ($) after name, e.g., Salary$
    • Number of hidden administrative shares created automatically at installation

17. Using Windows Explorer (continued)

18. Using Windows Explorer (continued)

19. Using Computer Management

  • Computer Management console is a pre-defined Microsoft Management Console (MMC)
    • Allows you to share and monitor folders for local and remote computers
    • Allows you to stop sharing if desired

20. Using Computer Management (continued)

  • Share a Folder Wizard
    • Used to create folders in Shared Folders section of Computer Management
    • Used to provide preconfigured or manual permissions
      • All users have read-only access
      • Administrators have full access; others have read-only access
      • Administrators have full access; others have read and write access
      • Custom share and folder permissions

21. Activity 5-2 Creating and Viewing Shared Folders Using Computer Management

22. Creating and Viewing Shared Folders Using Computer Management

  • Objective is to create and view shared folders using Computer Management
  • Open Computer Management and the Shared Folders node
  • Open Shares folder and note hidden files and other file types

23. Activity 5-2 (continued)

24. Activity 5-2 (continued)

  • Open the Share a Folder Wizard
  • Configure the folder attributes
  • Configure the folder permissions
  • Verify folder accessibility from command line

25. Activity 5-2 (continued)

26. Monitoring Access to Shared Folders

  • Monitoring involves
    • Who is using shared files
    • What shared files are open at any given time
  • Other functions
    • Disconnect users from a share
    • Send network alert messages
  • Primary monitoring tool is Computer Management

27. Monitoring Access to Shared Folders

28. Managing Shared Folder Permissions

  • A shared folder has a discretionary access control list (DACL)
    • Contains a list of user or group references that have been allowed or denied permissions
    • Each reference is an access control entry (ACE)
    • Accessed from Permissions button on Sharing tab of the folder's properties
  • Permissions only apply to network users, not those logged on directly to local machine

29. Managing Shared Folder Permissions (continued)

30. Managing Shared Folder Permissions

  • To deny access to a user or group
    • Windows Server 2003 does not include No Access share permission
    • Must explicitly deny access to each individually
  • Default permission is read access for Everyone group
    • Should be immediately addressed when a share is created
  • Folder permissions are inherited by all contained objects

31. Activity 5-3 Implementing Shared Folder Permissions

32. Implementing Shared Folder Permissions

  • Objective is to use shared folder permissions to control access to resources
  • In this exercise, you configure permissions on a shared folder to implement specific requirements:
    • Domain Admins group has Full Control permission
    • Marketing Users group has Change permission
    • Other users have no access

33. NTFS Permissions

  • Resources located on an NTFS partition or volume can be given NTFS permissions
  • An administrator must know
    • How permissions are applied
    • Which standard and special NTFS permissions are available
    • How effective permissions are determined

34. NTFS Permission Concepts

  • NTFS permissions are configured via the Security tab
  • NTFS permissions are cumulative
  • Access denial always overrides permitted access
  • NTFS folder permissions are inherited unless otherwise specified
  • NTFS permissions can be set at file or folder level

35. NTFS Permission Concepts

  • A new ACE has default permission
    • Read and Read and Execute for files
    • List Folder Contents for folders
  • Windows Server 2003 has set of standard permissions plus special permissions

36. NTFS Permission Concepts

37. Activity 5-4 Implementing Standard NTFS Permissions

38. Implementing Standard NTFS Permissions

  • Objective is to configure and test NTFS permissions on a local folder
  • Implement standard NTFS permissions on a folder
  • Review default permissions
  • Explore behavior of permission inheritance

39. Special NTFS Permissions

  • Can provide more or less access than standard permissions
  • Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
  • Permission Entry dialog box enables assignment of permissions and control of inheritance settings

40. Special NTFS Permissions

41. Special NTFS Permissions

  • Inheritance settings
    • This folder only
    • This folder, subfolders, and files (default)
    • This folder and subfolders
    • This folder and files
    • Subfolders and files only
    • Subfolders only
    • Files only

42. Special NTFS Permissions

43. Special NTFS Permissions

44. Activity 5-5 Configuring Special NTFS Permissions

45. Configuring Special NTFS Permissions

  • Objective is to view, configure, and test special NTFS permissions
    • Deny a group the ability to read the NTFS permissions associated with a folder
    • Verify that access has been denied

46. Determining Effective Permissions

  • Permissions that actually apply to a user can be the result of membership in multiple groups
  • Prior to Windows Server 2003, determining effective permissions was done manually
  • In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource
    • Shows specific permissions for a user or group

47. Determining Effective Permissions

48. Activity 5-6 Determining Effective NTFS Permissions

49. Determining Effective NTFS Permissions

  • Objective is to view effective permissions for a user on an NTFS folder
  • Open the Effective Permissions tab for a test folder
  • Enter the name of the user
  • Review the permissions specifically granted to that user for that folder
  • Repeat with a group

50. Combining Shared Folder and NTFS Permissions

  • NTFS permissions can be combined with share permissions
    • When accessing a share across a network, if both apply, the most restrictive of the two is used
    • When accessing a file locally, only NTFS permissions apply
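
The rules from the slides (cumulative permissions, deny overrides allow, most restrictive of share and NTFS over the network, NTFS only for local access) can be expressed as a small model. This is an added example, not part of the original slides; the rights mapping is simplified, and the `Users` and `Contractors` groups, the user memberships and the ACL contents are constructed for illustration.

```python
from enum import Flag, auto

class Right(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()

# Simplified mapping of named permissions to rights (assumption of this sketch).
P_READ = Right.READ | Right.EXECUTE
P_CHANGE = P_READ | Right.WRITE | Right.DELETE
P_FULL = P_CHANGE | Right.CHANGE_PERMS

def effective(acl, principals):
    """Union of all matching allow ACEs, minus every matching deny ACE."""
    allow = deny = Right(0)
    for who, kind, rights in acl:
        if who in principals:
            if kind == "deny":
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny  # deny overrides allow, as the slides state

def access(share_acl, ntfs_acl, principals, over_network):
    ntfs = effective(ntfs_acl, principals)
    if not over_network:
        return ntfs  # share permissions do not apply to a local logon
    # Over the network both apply; only rights granted by both survive.
    return ntfs & effective(share_acl, principals)

# Share ACL from Activity 5-3: default Everyone/Read entry removed.
SHARE_ACL = [("Domain Admins", "allow", P_FULL),
             ("Marketing Users", "allow", P_CHANGE)]
# Constructed NTFS ACL for the same folder.
NTFS_ACL = [("Users", "allow", P_READ),
            ("Marketing Users", "allow", P_CHANGE),
            ("Contractors", "deny", Right.WRITE | Right.DELETE)]

# Constructed users: name plus group memberships.
ALICE = {"alice", "Users", "Marketing Users"}
BOB = {"bob", "Users", "Marketing Users", "Contractors"}
CAROL = {"carol", "Users"}
DAVE = {"dave", "Users", "Domain Admins"}

if __name__ == "__main__":
    for name, who in [("alice", ALICE), ("bob", BOB),
                      ("carol", CAROL), ("dave", DAVE)]:
        print(name, "network:", access(SHARE_ACL, NTFS_ACL, who, True),
              "| local:", access(SHARE_ACL, NTFS_ACL, who, False))
```

Note the `dave` case: Full Control on the share yields only read access over the network because the NTFS ACL grants him nothing beyond what `Users` receives.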

51. Activity 5-7 Exploring the Impact of Combined Shared Folder and NTFS Permissions

52. Exploring the Impact of Combined Shared Folder and NTFS Permissions

  • Objective is to determine effective permissions when combining shared folder and NTFS permissions
  • Create a folder with both permissions
  • Attempt to create a new folder locally and over the network

53. Converting a FAT Partition to NTFS

  • For highest security, partitions and volumes should be configured to use NTFS
  • Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
  • All existing files and folders are retained
  • CONVERT cannot convert NTFS to FAT or FAT32

54. Activity 5-8 Converting a FAT32 Partition to NTFS

55. Converting a FAT32 Partition to NTFS

  • Objective is to convert a FAT32 partition to NTFS file system
  • Create a small FAT32 partition on server (using New Partition Wizard)
  • Create new file and folder on the partition
  • Use CONVERT to convert the partition to NTFS
  • Review permissions on the converted folder

56. Summary

  • Windows Server 2003 supports 3 file systems
    • FAT
    • FAT32
    • NTFS (preferred)
  • Two types of permissions
    • Shared folder (network only)
      • Tools are Windows Explorer, Computer Management, and NET SHARE command
    • NTFS (local and network)
      • NTFS partitions only

57. Summary

  • Permissions
    • Shared folders, 3 standard permissions
    • NTFS, 6 standard and 14 special permissions
      • Permissions are cumulative
      • Effective permissions can be determined from Advanced Security Settings of a resource
    • Shared folder and NTFS permissions can be combined
  • CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system
