Chapter 9: Managing Groups, Folders, Files, and Object Security


Chapter 9: Managing Groups, Folders, Files, and Object Security 4/15/2019

One-by-One vs. Group Management
- One-by-one management: labor intensive
- Group management

Learning Objectives
- Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups
- Manage objects, such as folders, through user rights, attributes, permissions, share permissions, auditing, and Web permissions

Learning Objectives (continued)
- Troubleshoot a security conflict
- Determine how creating, moving, and copying folders and files affect security

Managing Resources
Three ways of managing resources and user accounts include:
- By individual user (time consuming)
- By resource (e.g., a print server)
- By group
Managing resources by groups is one effective way to reduce time spent on management

Scope of Influence
Scope of influence: the reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest

Types of Security Groups
- Local: used on standalone servers that are not part of a domain
- Domain local: used in a single domain or to manage resources in a domain so that global and universal groups can access those resources

Types of Security Groups (continued)
- Global: used to manage accounts from the same domain and to access resources in the same and other domains; can be nested in native mode domains
- Universal: used to provide access to resources in any domain within a forest

Local Security Group
- Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office of 5-30 users, e.g., a manager group and a worker group, each with different access
- The scope does not go beyond the local server

Domain Local Security Group
- Typically a domain local security group is on the ACLs (access control lists) of resources such as folders, shared folders, printers, and other resources
- Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group
- Domain local groups can contain accounts, but usually that is not the best approach
- Scope is the domain in which the group exists
- A domain local group can be converted to a universal group only if the domain is in native mode (only Windows 2000 Server domain controllers); a mixed mode domain still has NT PDCs and BDCs
- Typical purpose is to provide access to resources

Membership Capabilities of a Domain Local Group (Table 9-1)

Implementing Global Groups
- Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups
- Members can access resources in other domains

Membership Capabilities of a Global Group (Table 9-2)

Nesting Global Groups
Global groups can be nested to reflect the structure of OUs (organizational units), e.g., budget, finance, manager

Nesting Example (Figure 9-1 Nested global groups)

Planning Tip
- Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group
- Keep in mind that global groups can only be nested in native mode domains

Global Group Example (Figure 9-2 Managing security through domain local and global groups)
- Create a domain local group in each domain, e.g., LocalExec, that has the president's and vice presidents' user accounts
- If the president leaves, disable the user account in the global group and rename it later

Implementing Universal Groups
- Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers)
- Universal groups enable the scope of influence to span domains and trees

Membership Capabilities of a Universal Group (Table 9-3)

Guidelines for Using Groups
- Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both.
- Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.

Guidelines for Using Groups (continued)
- Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest.
- Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.
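The accounts-to-global-to-domain-local-to-ACL guideline above, carried out with the ActiveDirectory module and Set-Acl. This is an added example, not code from the chapter; the OU path, the group names, the user names, and the folder D:\Finance are placeholders, and it assumes a modern Windows Server with the RSAT module installed.

```powershell
# Added example (not from the chapter): implement the "accounts -> global group ->
# domain local group -> ACL" guideline. All names below are assumed placeholders.
Import-Module ActiveDirectory

$ouPath     = 'OU=Groups,DC=example,DC=com'   # assumed container for the groups
$folder     = 'D:\Finance'                    # assumed resource folder
$globalName = 'G-Finance-Staff'               # holds the user accounts
$localName  = 'DL-Finance-Modify'             # goes on the folder's ACL

# 1. The global group holds accounts from this domain.
New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $globalName -Members 'jdoe', 'asmith'   # assumed accounts

# 2. The domain local group is what the resource's ACL references; the global
#    group (not individual users) becomes its member.
New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $localName -Members $globalName

# 3. Put the domain local group on the folder's ACL with Modify, inherited by
#    subfolders and files. Future access changes are then membership changes only.
$domain = (Get-ADDomain).NetBIOSName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$localName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: the ACL should list the domain local group, never individual users.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$localName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```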

Example Universal Group Setup (Figure 9-3 Managing security through universal and global groups)

Creating a Group
To create a group:
1. Click the container in which to create the group
2. Click the Create a new group in current container icon
3. Enter the name of the group
4. Select the group scope
5. Select the group type
6. Click OK

Entering the Group Parameters (Figure 9-4 Creating a group)

Group Properties Tabs (p. 342)
- General: used to enter a description, set the scope, and set the group type
- Members: used to add group members
- Member Of: used to make the group a member of another group
- Managed By: establishes who will manage the group (if other than the server administrator)
- Object: provides information about the group as an object (on newer versions of Windows 2000)
- Security: enables you to set up security (on newer versions of Windows 2000)

Converting NT Groups to Windows 2000 Server Groups
- Existing NT local groups on a PDC are converted to domain local groups
- Existing NT global groups on a PDC are converted to global groups
- If still running in mixed mode, universal groups are not recognized
- If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

Windows 2000 Predefined Security Groups (Table 9-4)
- Default groups are supplied, e.g., the Domain Administrator group, which includes Administrator
- Table footnote 1: the group scope cannot be changed


Rights Security (Table 9-5)
The most efficient way to assign user rights is to assign them to groups, so that members hold them as inherited rights.

Rights Security
User rights: enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas


Inherited Rights
Inherited rights: user rights that are assigned to a group and that automatically apply to all members of that group

Configuring Rights
To configure rights in a domain:
1. Open the Active Directory Users and Computers tool
2. Right-click a domain or OU, for example
3. Click Properties, click the Group Policy tab, click the group policy, and click Edit
4. Double-click (if necessary) Computer Configuration, Windows Settings, Security Settings, and Local Policies
5. Double-click User Rights Assignment
6. Double-click any policies to configure them

Configuring Rights (Figure 9-6 Configuring user rights as part of group policy)

File and Folder Attributes
Attributes: a characteristic associated with a folder or file used to help manage access and backups

FAT Attributes
- Read-only: if assigned to a folder, does not apply to the files in the folder; can only be deleted by a user belonging to the Administrators group
- Hidden: the contents cannot be seen
- Archive: used to indicate that a file or folder needs to be backed up because of a change

FAT Attributes (Figure 9-7 Attributes of a folder on a FAT-formatted disk)

NTFS Attributes
- Regular attributes: Read-only, Hidden, Archive
- Extended attributes:
  - Index: used for Windows quick search
  - Compress: less space, longer to access
  - Encrypt: cipher command

NTFS Attributes (Figure 9-8 Attributes of a folder on an NTFS-formatted disk)

Troubleshooting Tip
If you configure the Index attribute but indexing is not working, check the following:
- Make sure that the Indexing Service is installed
- Make sure that the Indexing Service is started and set to start automatically

Troubleshooting Tip
Files that are compressed cannot be encrypted

Encrypting File System
The encrypt attribute uses the Microsoft Encrypting File System (EFS), which sets a unique private encryption key associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents.

Troubleshooting Tip
Decrypt an encrypted file or folder before you move it to another location; otherwise the file or folder remains encrypted in the new location

Permissions (p. 354)
Permissions: privileges to access and manipulate resource objects, such as folders and printers; for example, the privilege to read a file or to create a new file

Auditing
Auditing: tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation

Ownership
Ownership: having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership.

Design Tip
- If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember
- One variance from this recommendation is large database files that may require individual security

Figure 9-9 Configuring security options

Inherited Permissions
Inherited permissions: permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder

Configuring Permissions (Figure 9-10 Configuring permissions by groups and users)

Configuring Inherited Permissions (Figure 9-11 Configuring inherited permissions)

NTFS Folder and File Permissions (Table 9-6)


Configuring Special Permissions (Figure 9-12 Configuring special permissions)

Special Permissions
You can customize permissions to meet particular security needs by using special permissions

NTFS Folder and File Special Permissions (Table 9-7)


Example Guidelines for Setting Permissions
- Protect the Winnt folder by allowing limited access, such as Read & Execute
- Protect server utility folders, such as folders containing backup software, with access for Administrators only
- Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)

Example Guidelines for Setting Permissions (continued)
- Set up publicly used folders with Modify for broad user access
- Give users Full Control of their own home folders
- Remove groups such as Everyone and Users from confidential folders

Configuring Auditing
- Start by configuring a group policy for auditing
- Configure auditing on an as-needed basis for particular objects, such as a folder or file

Planning Tip
Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them

Figure 9-13 Configuring folder auditing

Setting an Audit Policy (Figure 9-14 Configuring audit policy as part of the default domain policy)
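The two auditing steps above (policy first, then per-object audit entries) done from PowerShell on a current Windows version, as an added example rather than the chapter's own procedure. It assumes an elevated session, uses the folder D:\Finance as a placeholder, and sets the local "File System" audit subcategory with auditpol.exe in place of the group policy setting the chapter configures.

```powershell
# Added example (not from the chapter): enable object-access auditing, then put an
# audit entry (SACL) on one folder so successful and failed writes are logged.
# Assumed: run elevated; 'D:\Finance' is a placeholder folder.
$folder = 'D:\Finance'

# Step 1: the audit policy. The chapter sets this through group policy; auditpol
# sets the equivalent subcategory on this machine only.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: the folder's SACL. Audit Write and Delete by anyone, inherited by
# subfolders and files, for both success and failure.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl    # requires the Manage auditing privilege

# Step 3: confirm the entry, then check the Security log for event 4663
# ("An attempt was made to access an object") that names this folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Without step 1 the SACL entry is inert: Windows only writes 4663 events for objects whose SACL matches when the File System subcategory is enabled.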

Ownership
Guidelines for ownership:
- The account that creates an object is the initial owner
- Ownership is changed by first having permission to take ownership and then by taking ownership
- Full Control permissions are required to take ownership (or the special permission, Take Ownership)

Share Permissions
Share permissions: limited permissions that apply to a particular shared object, such as a shared folder or printer

Configuring Share Permissions (Figure 9-15 Configuring a shared folder)

Share Permissions for a Folder
- Read: permits groups or users to read and execute files
- Change: enables users to read, add, modify, execute, and delete files
- Full Control: permits full access to the folder, including the ability to take ownership or change permissions

Offline Access to a Folder through Caching
- Use the Caching button on the Sharing tab of the folder Properties dialog box to set up a folder for offline access via caching
- Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network

Folder Caching Options
- Automatic Caching for Documents: documents are cached without user intervention; all files in the folder that are opened by the client are cached automatically
- Manual Caching for Documents: documents are cached only at the user's request
- Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified

Troubleshooting Tip
If the Sharing tab is not displayed, make sure that the Server service is started

Web Sharing
Use the Web Sharing tab in a folder's properties to configure that folder for Web access

Configuring Web Sharing (Figure 9-16 Entering Web sharing permissions)

Web Sharing Access Permissions (Table 9-8)

Web Sharing Application Permissions (Table 9-9)

Troubleshooting a Security Conflict
- Check the groups to which a user or group belongs
- Look for group permissions that conflict, particularly because the Deny box is checked for a permission
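The two troubleshooting steps above as a script: resolve every group the user belongs to (nested membership included) and list the folder's ACEs that apply to any of them, with Deny entries first because a Deny on any one group overrides Allow entries on the others. This is an added example, not the chapter's; the user 'jdoe' and folder D:\Finance are placeholders, and it assumes the ActiveDirectory module and a single-domain forest (domain local groups from other domains are not enumerated).

```powershell
# Added example (not from the chapter): which ACEs on a folder apply to a user,
# through the user's own account or any group it belongs to, and are any of them Deny?
# Assumed placeholders: user 'jdoe', folder 'D:\Finance'; single-domain forest.
Import-Module ActiveDirectory

$user   = 'jdoe'
$folder = 'D:\Finance'
$domain = (Get-ADDomain).NetBIOSName

# Step 1: every group the user is in, including nested membership, via the
# LDAP_MATCHING_RULE_IN_CHAIN filter (1.2.840.113556.1.4.1941).
$userDn = (Get-ADUser -Identity $user).DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
          ForEach-Object { "$domain\$($_.SamAccountName)" }

# Well-known identities that every interactive domain user also carries; ACEs for
# these are the ones the chapter says to remove from confidential folders.
$implicit = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$principals = @("$domain\$user") + $groups + $implicit

# Step 2: keep only the ACEs on the folder whose identity is one of those principals.
$acl  = Get-Acl -Path $folder
$hits = foreach ($ace in $acl.Access) {
    if ($principals -contains $ace.IdentityReference.Value) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType     # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited           # came from a parent folder?
        }
    }
}

# Deny entries first: one Deny on any matching group wins over every Allow.
$hits | Sort-Object Type -Descending | Format-Table -AutoSize

$denies = @($hits | Where-Object Type -eq 'Deny')
if ($denies.Count -gt 0) {
    Write-Warning "Deny entries apply to $user through: $($denies.Principal -join ', ')"
}
```

Inherited Deny entries are the usual surprise: the Inherited column tells you whether the conflicting entry was set on this folder or on a parent.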

Moving and Copying Files and Folders
- A newly created file inherits the permissions already set up in a folder
- A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied
- A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder

Moving and Copying Files and Folders (continued)
- A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied
- A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder
- A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder

Chapter Summary
- Without the Active Directory, use local groups to manage access to resources
- With the Active Directory implemented, use domain local, global, and universal groups to manage resources

Chapter Summary (continued)
- Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership
- Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs