IOS110 Introduction to Operating Systems using Windows Session 8 1

Objectives: Shared Folders NTFS

Shared Folders

Permissions apply to all entries in the folder (as the name implies) No affect on local users Files/Folders on FAT/FAT2 partitions can only be secured by Shared Folder permissions only – NTFS permissions cannot be applied A new shared folder defaults to the group Everyone, with Full Control permissions The only built-in groups that can share a folder are: Administrators Power Users Permissions that can be granted on a Shared Folder are: Read (display folder names, files names, file data and attributes. Run executables. Navigate to folders within the Shared Folder Change – All Read Permissions and: Create folders, add files to folders, change data in files, append data in files Full Control – All Read and Change permissions and: change file permissions, take ownership of files. Deny – Used to override permissions already in place. For example, a new employee may have access to a set of folders as they are members of a group. However, until their probation is over, they may be denied accessing some of the folders. A folder can be shared more than once with different names – this is a means to solve the 8.3 filename restriction on older operating systems Permissions can be customized 4 Shared Folders

Points to Ponder Denying permission overrides all other shared permissions that may be applied to a folder Multiple permissions accumulate Copying of moving a folder alters the shared permissions associated with that folder When you share a folder that is located on an NTFS volume, you will still need to consider the NTFS permissions that apply to that folder When a shared folder and NTFS permissions combine, the most restrictive permissions apply If a folder resides on an NTFS volume. you will need at least the NTFS Read permission to be able to share that folder at all 5 Shared Folders

Applications Sharing an application folder on a server is indented to make it available to clients on the network Install and administer one copy, instead of many copies across the client population Create a central shared folder to hold all other application folders – permissions can be administered from the top-most application folder Administrators can be granted Full Control (through Administrative Shared Folders) After shared has been created – remove Everyone group from the share, and add Users group to the share with Read Permission If necessary, assign Change Permission to groups such as Power Users – they may need to upgrade software or troubleshoot applications If necessary, you can create separate shared folders located outside the folder hierarchy fro applications that need customized permissions When creating permissions, start with the most restrictive set. 6 Shared Folders – Sharing Strategies

Data Keep data folders separate from application folders Configure permissions to allow read and write privileges 7 Shared Folders – Sharing Strategies

Connecting to Shared Resources My Network Places Windows Explorer Run Command Mapping a drive 8 Shared Folders

Background When a hierarchy of folders are being shared, they are shared from the root (of the hierarchy) downwards. Administrative Shares are created at the root of the partition – thus allowing Administrators to manage the PC from the root on down By default, Administrative Shares are assigned only to the Administrative Group with Full Control Drives are given the share name of the letter followed by a $: C$, D$, E$, etc. including the CD-ROM drive The \WINDOWS folder is given the share name of Admin$ When the first shared printer is installed, the Administrative Share $Print is created, and points to the directory where printer driver files are stored Power Users are also given Full Control 9 Administrative Shared Folders

Shared Documents Folder Created when 2 or more local accounts exist Automatically shared Used to locally share documents between the local user accounts When connected to a network, allows the sharing of documents between computers 10 Shared Folders

ForceGuest For WinXP PCs not connected to a domain Forces all users logging onto the computer across the network to user the Guest account No need to have an account on every PC that contains resources you need Even though you provide a user ID and password, you will only receive Guest-level access – Defaults to a more secure model Is turned on when WinXP uses the Simple Sharing user interface 11 Shared Folders

NTFS

Folder Permissions Read Write List Folder Contents Read and Execute Modify Full Control File Permissions Read Write Read and Execute Modify Full Control Special Access Permissions 28 variations (14 folder, 14 file) More granular than the above permissions, and are used to construct the standard permissions: READ = List Folder/Read Data + Read Attributes + Read Extended Attributes + Read Permissions 13 NTFS

Access Control Lists (ACLs) Stored with every file and folder on an NTFS volume ACL is a list of users and groups that have been granted access, as well as the type of access Access Control Entry (ACE) is a detail record in the ACL Group Membership and NTFS Permissions Your permissions are the cumulative permissions of all your group memberships Is the least restrictive set of permissions Exception is the Denied permission File permissions override folder permissions – again the exception is if you are Denied How File and Folder Permissions Work Together If there is a conflict between file permissions and folder permissions, the file permissions will apply 14 NTFS

Applying and Modifying NTFS Permissions WinNT/2K – default was to give Everyone group Full Control on the formatted volume WinXP – NTFS permissions are applied when you first create a folder: Administrators users that own files and folders (Creator Owner) System group –all get Full Control Users group –get Read and Execute To view and modify NTFS permissions you must disable Simple File Sharing Inheritance of NTFS Permission Permissions are inherited from parent folder to all is files and to subfolders Change Permission and Take Ownership Permission Change Permission: By default Administrators and file owners can change a file's permissions The Change permission can be assigned to another user to be able to manage the permissions on files Take ownership Can be granted to a user that is taking over the responsibilities of another user Administrator or original user (Full Control) can grant Take Ownership 15 NTFS

NTFS Permissions and Copying Same rules as when Copying Compressed Files NTFS Permissions and Moving Same rules as when Moving Compressed Files Modify Permission is required at the source folder so that the file can be deleted Write permission is required at the destination folder to create the file 16 NTFS

Shared Folder / NTFS permissions To what objects can you apply these permissions? Where are these permissions effective How are multiple permissions accumulated? When both folder and file permissions are present, which takes precedence? Shared Folder and NTFS permissions Combined The most restrictive permissions apply: (NTFS) + (Shared) = Effective Permission (Full Control) + (Read) = Read (Read + Write ) + (Full Control) = Read + Write (Read) + (Change) = Read Windows XP provides a tab to view the effective permissions on a file/folder 17 NTFS

An Example 18 NTFS Payables Users: NTFS:Read & Execute Accountants: NTFS:Write Bob local Users group local Accountant group Bob's effective Permissions = Modify Payables Users: NTFS:Read & Execute Accountants: NTFS:Write Everyone: SF:Read Users: SF:Read Bob's effective Permissions = ? Simple Fix?