Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources
2 Objectives Create and manage shared folders using Windows Explorer and Microsoft Management Console Manage shared folder permissions Integrate shared folder and NTFS permissions Configure EFS encryption Monitor access to shared folders Configure and manage DFS
3 Creating and Managing Shared Folders Shared folder –Data resource made available over the network to authorized network clients Users must have appropriate rights to create shared folders –Groups that have the right to create shared folders within a domain Administrators Server Operators
4 Creating and Managing Shared Folders (Continued) Two popular methods of creating shared folders –Windows Explorer interface –Computer Management console
5 Using Windows Explorer to Create a Shared Folder Windows Explorer –Standard method used to create and share folders for all versions of Windows since Windows 95 –Used to create, maintain, and share folders on any drive connected to the computer
6 Viewing the Windows Explorer
7 Using Windows Explorer to Create a Shared Folder (Continued) Sharing tab of a folder’s properties –Used to share a folder To indicate a shared folder –Windows Explorer displays a hand icon under the folder A hidden shared folder –Will not be listed in My Network Places or Network Neighborhood –To hide a shared folder Place a dollar sign ($) after its name –Hiding only keeps the share out of browse lists; anyone who knows the name can still connect to it, so share and NTFS permissions remain the actual access control
8 Sharing a folder using Windows Explorer
9 Viewing shared folders in Windows Explorer
10 Using Windows Explorer to Create a Shared Folder (Continued) Final step in creating a shared folder –Secure the share by modifying user and group permissions on the resource Shared folder’s permissions –By default Windows Server 2003 will initially allow the Read permission to the Everyone group –Default permission usually needs to be changed to make the folder more secure
11 Using Computer Management to Create a Shared Folder Computer Management console –Predefined Microsoft Management Console (MMC) application –Can be used to perform a variety of administrative tasks, such as Sharing and monitoring folders for both local and remote computers
12 Using Computer Management to Create a Shared Folder (Continued) Share a Folder Wizard –Available in Computer Management –Used to Create a shared folder Configure the permissions for a shared folder
13 Creating a new shared folder using the Computer Management console
14 Managing Shared Folder Permissions Discretionary access control list (DACL) –Part of an object’s security descriptor –Contains a list of user or group references that have been allowed or denied permissions to the resource Access control entry (ACE) –One entry in a DACL: names a user or group (by its SID), states whether the entry allows or denies access, and lists the permissions concerned
15 Viewing the DACL of the Apps shared folder
16 Managing Shared Folder Permissions (Continued) Share permissions –Apply only to users that connect to a shared folder over the network –Apply to every file and folder beneath the shared folder; they cannot be varied for individual subfolders or files –Are cumulative: a user’s effective share permission is the union of the permissions granted to the user and to every group the user belongs to Exception –When a user (or a group of which a user is a member) is denied a permission, the denied entry overrides any permissions that are allowed
17 Integrating Shared Folders with NTFS Permissions Shared folder permissions –Do not apply when user is logged on locally to computer where resource is located NTFS permissions –Apply whenever a file or folder is accessed –Apply in both of the following cases: The user is logged on to the computer where the file or folder is located The user is accessing the file or folder across a network connection
18 NTFS File and Directory Permissions Concepts and Rules NTFS permissions –Can only be applied to files and folders that exist on partitions formatted with the NTFS file system –Are cumulative –Folder permissions are inherited by child folders and files, unless otherwise specified –A denied permission overrides an allowed one at the same level; because NTFS evaluates explicit entries before inherited ones, an explicit Allow set on the object itself does take precedence over a Deny inherited from a parent folder
19 NTFS File and Directory Permissions Concepts and Rules (Continued) NTFS permissions can be set both at –File level –Folder level When a new access control entry is added to an NTFS file or folder, the default permissions allow –Read & Execute and Read for files –Read & Execute, List Folder Contents, and Read for folders
20 Standard NTFS permissions
21 Special NTFS Permissions Special NTFS permissions –Used to specify an even more granular level of access to a file or folder Permission Entry dialog box –Can be used to Assign special NTFS permissions Control inheritance settings for special permissions
22 Special NTFS Permissions (Continued) Options available for applying special permissions: –This folder only –This folder, subfolders, and files (default) –This folder and subfolders –This folder and files –Subfolders and files only –Subfolders only –Files only
23 Special Access Permissions
24 Special Access Permissions (Continued)
25 Special NTFS Permissions (Continued) Effective Permissions tab in the Advanced Security Settings dialog box –Can be used to easily determine the effective NTFS permissions that apply to a user or group
26 Viewing a user’s effective permissions
27 Combining Share and NTFS Permissions Using both NTFS and share permissions –Provides strong combination of local and remote security Rules regarding how share and NTFS permissions are combined –When user is accessing a share across a network and both NTFS and share permissions apply, the most restrictive permission of the two becomes the effective combined permission –When a user accesses a file locally, only NTFS permissions apply
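The three rules stated in this and the preceding slides (share and NTFS permissions are each cumulative, a deny overrides an allow, and over the network the more restrictive of the two DACLs wins) can be checked mechanically. The Python model below is an added worked example written for this chapter, not code from the textbook or from Windows; the rights names, the expansion of each standard permission into rights, and the sample users, groups, and ACLs are all constructed for illustration. It goes one step beyond the slides by evaluating ACEs in the canonical order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow), which is also why the sample user Dave keeps Write despite an inherited Deny.

```python
"""Model of how share permissions and NTFS permissions combine into effective
access.  Constructed illustration for this chapter, not Windows code: the
rights below are a simplified stand-in for the real NTFS access mask."""
from dataclasses import dataclass

READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "execute", "write", "delete", "change_permissions", "take_ownership")
ALL_RIGHTS = frozenset({READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Standard NTFS permissions expanded into the rights they bundle (simplified).
NTFS = {
    "Read": {READ},
    "Write": {WRITE},
    "List Folder Contents": {READ, EXECUTE},
    "Read & Execute": {READ, EXECUTE},
    "Modify": {READ, EXECUTE, WRITE, DELETE},
    "Full Control": set(ALL_RIGHTS),
}
# The three share permissions Windows Server 2003 offers.
SHARE = {
    "Read": {READ, EXECUTE},
    "Change": {READ, EXECUTE, WRITE, DELETE},
    "Full Control": set(ALL_RIGHTS),
}

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group named in the DACL entry
    allow: bool              # False means an access-denied entry
    permission: str          # key into NTFS or SHARE
    inherited: bool = False  # share ACEs are never inherited

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset

    def tokens(self):
        return self.groups | {self.name, "Everyone"}

def effective(acl, table, who):
    """Per-right effective permissions from one DACL, walked in canonical ACE
    order: explicit deny, explicit allow, inherited deny, inherited allow.
    The first ACE that mentions a right settles it, so allows accumulate across
    ACEs, a deny beats an allow at the same level, and an explicit allow beats
    an inherited deny."""
    granted, denied = set(), set()
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in who.tokens():
            continue
        unsettled = table[ace.permission] - granted - denied
        (granted if ace.allow else denied).update(unsettled)
    return frozenset(granted)

def effective_access(ntfs_acl, share_acl, who, over_network):
    """Local logon: NTFS only.  Network: the intersection of NTFS and share
    rights, which is what 'the most restrictive permission applies' means."""
    ntfs = effective(ntfs_acl, NTFS, who)
    if not over_network:
        return ntfs
    return ntfs & effective(share_acl, SHARE, who)

# Constructed sample: folder D:\Apps shared as Apps$ (names are hypothetical).
NTFS_ACL = [
    Ace("Users", True, "Modify", inherited=True),        # inherited from D:\
    Ace("Temps", False, "Write"),                        # explicit deny on D:\Apps
    Ace("Contractors", False, "Write", inherited=True),  # deny inherited from D:\
    Ace("Dave", True, "Modify"),                         # explicit allow on D:\Apps
]
SHARE_ACL = [
    Ace("Everyone", True, "Read"),
    Ace("Sales", True, "Change"),
]
USERS = {
    "alice": Principal("Alice", frozenset({"Users", "Sales"})),
    "bob":   Principal("Bob", frozenset({"Users", "Sales", "Temps"})),
    "carol": Principal("Carol", frozenset({"Users"})),
    "dave":  Principal("Dave", frozenset({"Users", "Sales", "Contractors"})),
}

def report():
    """Effective rights for each sample user, locally and over the network."""
    return {name: {"local": effective_access(NTFS_ACL, SHARE_ACL, p, False),
                   "network": effective_access(NTFS_ACL, SHARE_ACL, p, True)}
            for name, p in USERS.items()}

if __name__ == "__main__":
    for name, access in report().items():
        for where, rights in access.items():
            print(f"{name:6} {where:8} {sorted(rights)}")
```

Carol shows the share acting as the ceiling (Modify on NTFS, Read on the share, so Read over the network but Modify at the console); Bob shows the explicit Deny on Temps removing Write on both paths; Dave shows an explicit Allow on the folder outranking a Deny inherited from the parent.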
28 Configuring File Encryption Encryption –Method to secure files and folders –Adds additional level of protection Encrypting file system (EFS) –Uses public key cryptography to transparently encrypt folders and files
29 Configuring File Encryption (Continued) EFS uses the following to encrypt data –File encryption key (FEK) Symmetric key generated for each file and used to encrypt that file’s contents –Data decryption field (DDF) Header field in an EFS-encrypted file used to store the FEK encrypted by the user’s public key –Data recovery field (DRF) Header field in an EFS-encrypted file used to store the FEK encrypted by the recovery agent’s public key
30 Configuring File Encryption (Continued) Main challenge in using encryption to secure file resources –Because the FEK in the DDF is protected by the user’s public key, the file would become inaccessible to everyone if the user’s private key is lost, for example when the account is deleted after The user leaves the company Solution –Data recovery agent The individual responsible for recovering encrypted data; the recovery agent’s public key is used to create the DRF, so the agent’s private key can unwrap the FEK without the user’s key
31 Setting the encryption attribute EFS encryption for a file or folder is configured using advanced attributes in Windows Explorer
32 Configuring File Encryption (Continued) If encryption attribute on a folder is set –Only the contents of the folder are encrypted; not the folder itself Once a folder’s encryption attribute is set, any data saved in the folder, or copied or moved into the folder, is encrypted
33 Configuring File Encryption (Continued) On an NTFS volume –If an encrypted file is copied or moved into a folder that is not encrypted, the file retains its encryption attribute On a FAT volume –Encrypted files copied or moved to a FAT partition are automatically decrypted, which only succeeds for a user who holds a private key that can unwrap the file’s FEK; otherwise the operation is refused Encryption and compression are mutually exclusive
34 Monitoring Access to Shared Folders In Windows Server 2003, administrators are able to –See how many people are connected to a share –See who are the people connected to a share –See what files were opened by people connected to a share at any given time –Disconnect users from a specific share –Send network messages alerting users of pending changes to the server’s status
35 Monitoring Access to Shared Folders (Continued) Computer Management utility –Tool used to perform shared folder monitoring and management tasks –Facilitates the management of both local and remote computers on the network Sessions node –Provides information about the users that are currently connected to a server
36 Monitoring the number of sessions connected to the local computer
37 Monitoring Access to Shared Folders (Continued) Open Files node –Provides information about all files that users currently have open To disconnect an open file connection or session –Right-click the entry in the details pane, and –Click “Close Open File” or “Close Session” on the shortcut menu Send Console Message feature –Allows you to supply a custom warning message that appears as a dialog box on the user’s screen
38 Sending a console message to connected users
39 Configuring and Managing a Distributed File System DFS –Allows administrators to simplify access to multiple shared-file resources Makes it appear as though multiple shared-file resources are stored in a single hierarchical structure Eliminates the need for users to browse the network looking for shared resources –Makes managing folder access easier for server administrators
40 Configuring and Managing a Distributed File System (Continued) Tools to configure DFS –Distributed File System console in the Administrative Tools menu –Distributed File System MMC snap-in A DFS share –Resembles a tree structure –Consists of A root DFS links
41 Viewing a DFS root and links
42 DFS Models Models for implementing DFS: –Stand-alone model –Domain-based model
43 DFS Models (Continued) DFS topology or logical structure –Hierarchical structure of DFS in domain-based model Elements of DFS topology: –DFS root –DFS links –Servers on which DFS shared folders are replicated as replica sets
44 DFS Models (Continued) DFS root –Main container that holds links to shared folders that can be accessed from the root –Host server Server that hosts the DFS root DFS link –Pointer to the physical location of shared folders defined in the root Replica set –Set of shared folders replicated or copied to one or more servers in a domain
45 Managing DFS Tasks involved in managing a new DFS root system include: –Deleting a DFS root –Removing a DFS link –Adding root and link replica sets –Checking the status of a root or link
46 Managing DFS (Continued) Replication capability of a domain-based DFS –Entire DFS root or specific DFS links in a root can be replicated on servers other than the one that contains the master folder –Enables administrator to provide Fault tolerance Load balancing of requests between servers
47 Summary You must have the appropriate rights to create a shared folder –By default, a domain administrator or server operator has the rights to create shared folders within a domain Windows Server 2003 supports three share permissions: Read, Change, and Full Control Share permissions are cumulative NTFS permissions are cumulative
48 Summary (Continued) When a shared folder and NTFS permissions are combined, the most restrictive permission applies A denied permission overrides an allowed permission Files and folders can be encrypted using the Encrypting File System (EFS) DFS can be used to logically group network resources in a single tree structure