Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security
Chapter 9 Learning Objectives n Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups n Manage objects, such as folders, through user rights, attributes permissions, share permissions, auditing, and Web permissions
Chapter 9 Learning Objectives (continued) n Troubleshoot a security conflict n Determine how creating, moving, and copying folders and files affect security
Chapter 9 Managing Resources n Three ways of managing resources and user accounts include: u By individual user u By resource u By group n Managing resources by groups is one effective way to reduce time spent on management
Chapter 9 Scope of Influence n Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest
Chapter 9 Types of Security Groups n Local: Used on standalone servers that are not part of a domain n Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources
Chapter 9 Types of Security Groups (continued) n Global: Used to manage accounts from the same domain and to access resources in the same and other domains n Universal: Used to provide access to resources in any domain within a forest
Chapter 9 Local Security Group n Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office
Chapter 9 Domain Local Security Group n Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group. n Domain local groups can contain accounts, but usually that is not the best approach.
Chapter 9 Membership Capabilities of a Domain Local Group Table 9-1 Membership Capabilities of a Domain Local Group
Chapter 9 Implementing Global Groups n Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups
Chapter 9 Membership Capabilities of a Global Group Table 9-2 Membership Capabilities of a Global Group
Chapter 9 Nesting Global Groups n Global groups can be nested to reflect the structure of OUs
Chapter 9 Nesting Example Figure 9-1 Nested global groups
Chapter 9 Planning Tip n Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group n Keep in mind that global groups can only be nested in native mode domains
Chapter 9 Global Group Example Figure 9-2 Managing security through domain local and global groups
Chapter 9 Implementing Universal Groups n Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers) n Universal groups enable the scope of influence to span domains and trees
Chapter 9 Membership Capabilities of a Universal Group Table 9-3 Membership Capabilities of a Universal Group
Chapter 9 Guidelines for Using Groups n Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both. n Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.
Chapter 9 Guidelines for Using Groups (continued) n Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.
Chapter 9 Example Universal Group Setup Figure 9-3 Managing security through universal and global groups
Chapter 9 Creating a Group n To create a group: u Click the container in which to create the group u Click the Create a new group in current container icon u Enter the name of the group u Select the group scope u Select the group type u Click OK
Chapter 9 Entering the Group Parameters Figure 9-4 Creating a group
Chapter 9 Group Properties Tabs n General: Used to enter a description, set the scope, and set the group type n Members: Used to add group members n Member Of: Used to join another group n Managed By: Establishes who will manage the group n Object: Provides information about the group as an object (on newer versions of Windows 2000) n Security: Enables you to set up security (on newer versions of Windows 2000)
Chapter 9 Converting NT Groups to Windows 2000 Server Groups n Existing NT local groups on a PDC are converted to domain local groups n Existing NT global groups on a PDC are converted to global groups n If still running in mixed mode, universal groups are not recognized n If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups
Chapter 9 Windows 2000 Predefined Security Groups 1 The group scope cannot be changed Table 9-4 Windows 2000 Predefined Security Groups
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Windows 2000 Predefined Security Groups (continued) 1 The group scope cannot be changed
Chapter 9 Rights Security n User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas
Chapter 9 Rights Security Table 9-5 Rights Security
Chapter 9 Rights Security (continued)
Chapter 9 Rights Security (continued)
Chapter 9 Rights Security (continued)
Chapter 9 Inherited Rights n Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group
Chapter 9 Configuring Rights n To configure rights in a domain: u Open the Active Directory Users and Computers tool u Right-click a domain or OU, for example u Click Properties, click the Group Policy tab, click the group policy, and click Edit u Double-click (if necessary) Computer Configuration,Windows Settings, Security Settings, and Local Policies u Double-click User Rights Assignment u Double-click any policies to configure them
Chapter 9 Configuring Rights (continued) Figure 9-6 Configuring user rights as part of group policy
Chapter 9 File and Folder Attributes n Attributes: A characteristic associated with a folder or file used to help manage access and backups
Chapter 9 FAT Attributes n Read-only n Hidden n Archive
Chapter 9 FAT Attributes (continued) Figure 9-7 Attributes of a folder on a FAT-formatted disk
Chapter 9 NTFS Attributes n Regular attributes u Read-only u Hidden u Archive n Extended attributes u Index u Compress u Encrypt
Chapter 9 NTFS Attributes (continued) Figure 9-8 Attributes of a folder on an NTFS-formatted disk
Chapter 9 Troubleshooting Tip n If you configure the Index attribute, but indexing it is not working check the following: u Make sure that the Indexing Service is installed u Makes sure that the Indexing Service is started and set to start automatically
Chapter 9 Troubleshooting Tip n Files that are compressed cannot be encrypted
Chapter 9 Encrypting File System n The encrypt attribute uses Microsoft Encrypting File System (EFS) that sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents.
Chapter 9 Troubleshooting Tip n De-encrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location
Chapter 9 Permissions n Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, privilege to read a file, or to create a new file
Chapter 9 Auditing n Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation
Chapter 9 Ownership n Ownership: Having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership.
Chapter 9 Design Tip n If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember n One variance from this recommendation is large database files that may require individual security
Chapter 9 Security Options Figure 9-9 Configuring security options
Chapter 9 Inherited Permissions n Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder
Chapter 9 Configuring Permissions Figure 9-10 Configuring permissions by groups and users
Chapter 9 Configuring Inherited Permissions Figure 9-11 Configuring inherited permissions
Chapter 9 NTFS Folder and File Permissions Table 9-6 NTFS Folder and File Permissions
Chapter 9 NTFS Folder and File Permissions (continued)
Chapter 9 Special Permissions n You can customize permissions to meet particular security needs by using special permissions
Chapter 9 Configuring Special Permissions Figure 9-12 Configuring special permissions
Chapter 9 NTFS Folder and File Special Permissions Table 9-7
Chapter 9 NTFS Folder and File Special Permissions (continued)
Chapter 9 Example Guidelines for Setting Permissions n Protect the Winnt folder by allowing limited access, such as Read & Execute n Protect server utility folders, such as folders containing backup software, with access for Administrators only n Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)
Chapter 9 Example Guidelines for Setting Permissions (continued) n Set up publicly used folders with Modify for broad user access n Give users Full Control of their own home folders n Remove groups such as Everyone and Users from confidential folders
Chapter 9 Planning Tip n Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them
Chapter 9 Configuring Auditing n Start by configuring a group policy for auditing n Configure auditing on an as needed basis for particular objects, such as a folder or file
Chapter 9 Folder Auditing Figure 9-13 Configuring folder auditing
Chapter 9 Setting an Audit Policy Figure 9-14 Configuring audit policy as part of the default domain policy
Chapter 9 Ownership n Guidelines for ownership: u The account that creates an object is the initial owner u Ownership is changed by first having permission to take ownership and then by taking ownership u Full Control permissions are required to take ownership (or the special permission, Take Ownership)
Chapter 9 Share Permissions n Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer
Chapter 9 Configuring Share Permissions Figure 9-15 Configuring a shared folder
Chapter 9 Share Permissions for a Folder n Read: Permits groups or users to read and execute files n Change: Enables users to read, add, modify, execute, and delete files n Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions
Chapter 9 Offline Access to a Folder through Caching n Use the Caching button in the folder Properties dialog box on the the Sharing tab to set up a folder for offline access via caching n Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network
Chapter 9 Folder Caching Options n Automatic Caching for Documents: Documents are cached without using intervention – all files in the folder that are opened by the client are cached automatically n Manual Caching for Documents: documents are cached only per the user’s request n Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified
Chapter 9 Troubleshooting Tip n If the Sharing tab is not displayed, make sure that the Server service is started
Chapter 9 Web Sharing n Use the Web Sharing tab in a folder’s properties to configure that folder for Web access
Chapter 9 Configuring Web Sharing Figure 9-16 Entering Web sharing permissions
Chapter 9 Web Sharing Access Permissions Table 9-8 Web Sharing Access Permissions
Chapter 9 Web Sharing Application Permissions Table 9-9 Web Sharing Application Permissions
Chapter 9 Troubleshooting a Security Conflict n Check the groups to which a user or group belongs n Look for group permissions that conflict, particularly because the Deny box is checked for a permission
Chapter 9 Moving and Copying Files and Folders n A newly created file inherits the permissions already set up in a folder n A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied n A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder
Chapter 9 Moving and Copying Files and Folders (continued) n A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied n A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder n A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder
Chapter 9 Chapter Summary n Without the Active Directory, use local groups to manage access to resources n With the Active Directory implemented, use domain local, global, and universal groups to manage resources
Chapter 9 Chapter Summary n Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership n Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs