1 Administering Shared Folders Understanding Shared Folders Planning Shared Folders Sharing Folders Combining Shared Folder Permissions and NTFS Permissions Configuring Dfs to Gain Access to Network Resources

2 Understanding Shared Folders Shared Folders Shared Folder Permissions How Shared Folder Permissions Are Applied Guidelines for Shared Folder Permissions Practice: Applied Permissions

3 Shared Folders in Windows Explorer

4 Shared Folders Provide network users centralized access to network files. Contain applications, data, or a user’s personal data in a home directory. All users by default can connect to the shared folder and gain access to the folder’s content. Each type of data requires different shared folder permissions.

5 Shared Folder Permissions Shared folder permissions can be assigned to user and group accounts to control what users can do with the content of a shared folder. Shared folder permissions are assigned to control how users gain access to a shared folder. Shared folder permissions can be allowed or denied. It is best to allow permissions and to assign permissions to a group rather than to individual users. Permissions should be denied only when necessary to override permissions that are otherwise applied.

6 Characteristics of Shared Folder Permissions Apply to folders, not to individual files; provide less-detailed security than NTFS permissions. Do not restrict access to users who gain access to the folder at the computer where the folder is stored; only apply to users who connect to the folder over the network. Are the only way to secure network resources on a FAT volume; NTFS permissions are not available on FAT volumes. The default is Full Control, which is assigned to the Everyone group when the folder is shared.

7 Shared Folder Permissions Read: View file names and subfolder names, view data in files, traverse to subfolders, and run programs Change: Add files and subfolders to the shared folder, change data in files, delete subfolders and files, and perform actions permitted by the Read permission Full Control: Change file permissions (NTFS only), take ownership of files (NTFS only), and perform all tasks permitted by the Change permission

8 Applied Permissions

9 Applied Permissions Overview Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that are allowed.

10 Effective Permission A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. Effective permissions are the combination of the user and group permissions.

11 Deny Overrides Other Permissions Denied permissions take precedence over any permissions that are otherwise allowed for user accounts and groups. If shared folder permissions are denied, the user will not have that permission, even if the permission is allowed for a group of which the user is a member.

12 NTFS Permissions Are Required on NTFS Volumes Shared folder permissions are sufficient to gain access to files and folders on a FAT volume, but not on an NTFS volume. Users can gain access to a shared folder for which they have permissions, as well as all of the folder’s contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and the appropriate NTFS permissions for each file and folder to which they gain access.

13 Copied, Moved, or Renamed Shared Folders When a shared folder is copied, the original shared folder is still shared, but the copy is not shared. When a shared folder is moved or renamed, it is no longer shared.

14 Guidelines for Shared Folder Permissions Determine which groups need access to each resource and the level of access they require. Document the groups and their permissions for each resource. Assign permissions to groups instead of user accounts to simplify access administration. Assign to a resource the most restrictive permissions that still allow users to perform required tasks. Organize resources so that folders with the same security requirements are located within a folder. Use intuitive share names so that users can easily recognize and locate resources. Use share names that all client operating systems can use.

15 Shared Folder Naming Conventions Microsoft Windows 2000, Windows NT, Windows 98, and Windows 95 Share name length: 80 characters Folder name length: 255 characters MS-DOS, Windows 3.1, and Windows for Workgroups Share name length: 8.3 characters Folder name length: 8.3 characters

16 Planning Shared Folders Application Folders Data Folders

17 Planning Shared Folders Overview Planning shared folders helps to reduce administrative overhead and ease user access. Planning shared folders involves Determining which resources are to be shared. Organizing resources according to function, use, and administration needs. Shared folders contain applications and data. Using shared application folders centralizes administration. Using shared data folders provides a central location for users to store and gain access to common files.

18 Application Folders Overview Application folders are used for applications that are installed on a network server, and can be used from client computers. The primary advantage of shared applications is that most components of the applications do not need to be installed and maintained on each computer. Program files for applications can be stored on a server; configuration information for most network applications is often stored on each workstation. The exact way in which application folders are shared depends upon the application, network environment, and organization.

19 Creating and Sharing Application Folders

20 Data Folders Overview Data folders are used by users on a network to exchange public and working data. Two types: working data folders and public data folders. When data folders are used, common data folders should be created and shared on a volume that is separate from the operating system and applications. Data files should be backed up frequently, and with data folders on a separate volume, they can be backed up conveniently. If the operating system requires reinstallation, the volume containing the data folder remains intact.

21 Public Data and Working Data Shared Folders

22 Public Data Public data folders are used by larger groups of users who all need access to common data. Centralized data folders are used so that data can be easily backed up. The Change permission should be assigned to the Users group for the common data folder, thereby providing users with a central, publicly accessible location for storing data files they want to share with other users.

23 Working Data Working data folders are used by members of a team who need access to shared files. Full Control permission should be assigned to the Administrators group for a central data folder, which allows administrators to perform maintenance more easily. Lower-level data folders below the central folder should be shared with the Change permission for the appropriate groups when restricted access to those folders is needed.

24 Sharing Folders Requirements for Sharing Folders Administrative Shared Folders Sharing a Folder Assigning Shared Folder Permissions Modifying Shared Folders Connecting to a Shared Folder

25 Sharing Folders Resources can be shared with others by sharing folders containing those resources. The creator of the shared folder must be a member of one of several groups, depending on the role of the computer on which the shared folder resides. Access to a shared folder is controlled by limiting the number of users who can simultaneously gain access to it or by assigning permissions to selected users and groups. Folder sharing properties may be modified after the folder is created. Users must first have appropriate permissions before making a connection to a shared folder.

26 Requirements for Sharing Folders In a Windows 2000 Domain The Administrators and Server Operators groups can share folders residing on any machines in the domain. The Power Users group is a local group and can only share folders residing on the stand-alone server or computer running Windows 2000 Professional where the group is located. In a Windows 2000 Workgroup The Administrators and Power Users groups can share folders on the stand-alone server or the computer running Windows 2000 Professional on which the group exists.

27 Administrative Shared Folders Automatically shared folders are appended with a dollar sign ($). The $ hides the shared folder from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that can be accessed from across the network. Hidden shared folders are not limited to those that the system automatically creates. Additional folders can be shared and a $ can be appended to the end of the share name. Only users who know the folder name and possess proper permissions can gain access to the hidden folder.

28 Windows 2000 Administrative Shared Folders C$, D$, E$, and so on: The root of each volume on a hard disk Admin$: The system root folder, which is C:\Winnt by default Print$: The printer drivers folder, systemroot\System32\Spool\Drivers

29 Sharing a Folder Assign a share name to the folder. Provide comments to describe the folder and its content. Limit the number of users who have access to the folder. Assign permissions. Share the same folder multiple times.

30 Sharing Tab of the Properties Dialog Box for a Folder

31 Permissions For Dialog Box for a Shared Folder

32 Select Users, Computers, Or Groups Dialog Box

33 Modifying Shared Folders Sharing of a file can be stopped. The share name can be added or removed. Shared folder permissions can be modified.

34 Connecting to a Shared Folder: Four Methods Map Network Drive Wizard Add Network Place Wizard Run command My Network Places

35 Map Network Drive Wizard

36 Combining Shared Folder Permissions and NTFS Permissions Strategies for Combining Shared Folder Permissions and NTFS Permissions Practice: Managing Shared Folders

37 Combined Permissions

38 Combining Shared Folder Permissions and NTFS Permissions Sharing folders provides network users with access to resources. If a FAT volume is being used, the shared folder permissions are all that is available to provide security for the folders shared and the subfolders and files they contain. If an NTFS volume is being used, NTFS permissions can be assigned to individual users and groups to better control access to the files and subfolders in the shared folders. When shared folder permissions are combined with NTFS permissions, the more restrictive permission is always the overriding permission.

39 Strategies for Combining Shared Folder Permissions and NTFS Permissions Access to resources on an NTFS volume can be provided by sharing folders with the default shared folder permissions and then controlling access by assigning NTFS permissions. When a folder is shared on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources. Shared folder permissions provide limited security for resources. Using NTFS permissions provides the greatest flexibility to control access to shared folders. NTFS permissions apply whether the resource is accessed locally or over the network.

40 Combining Shared Folder Permissions, NTFS Permissions

41 Rules For Combining Shared Folder Permissions and NTFS Permissions NTFS permissions can be applied to files and subfolders in the shared folder. Different NTFS permissions can be applied to each file and subfolder that a shared folder contains. Users must have access to both shared folder permissions and NTFS permissions to gain access to those files and subfolders. When shared folder permissions are combined with NTFS permissions, the more restrictive permission is always the overriding permission.

42 Configuring Dfs to Gain Access to Network Resources Understanding Dfs Reasons for Using Dfs Dfs Topology Creating a Dfs Creating a Dfs Root Creating a Dfs Link Adding a Dfs Shared Folder Setting Replication Policy Practice: Using Dfs

43 Overview of Dfs

44 Understanding Dfs Enables system administrators to make it easy for users to access and manage files that are physically distributed across a network Makes files distributed across multiple servers appear to users as if they reside in one place on the network Organizes shared folders that can reside on different computers Provides users with easy navigation to shared folders on different computers Enables users to gain access to a network resource without knowing its location on the network Facilitates administering multiple shared folders

45 Dfs Functions Organizes resources in a hierarchy Facilitates network navigation Facilitates network administration Preserves network permissions

46 Types of Dfs Roots Domain Stores the Dfs topology in Active Directory Allows links to point to multiple identical shared folders for fault tolerance Supports DNS, multiple-level Dfs links, and file replication Stand-alone Stores the Dfs topology on a single computer, not in Active Directory Provides no fault tolerance if the computer that stores the Dfs topology or any of the shared folders that Dfs uses fails Supports only one level of Dfs links

47 Reasons for Using Dfs Users who access shared folders are distributed across a site or sites. Most users require access to multiple shared folders. Server load balancing may be improved by redistributing shared folders. Users require uninterrupted access to shared folders. The organization has Web sites for either internal or external use.

48 Dfs Topology To users, a Dfs topology provides a unified and transparent access to the network resources they need. To system administrators, a Dfs topology is a single DNS namespace. The Dfs topology is automatically published to Active Directory by default.

49 Dfs Components Dfs root One or more Dfs links One or more Dfs shared folders, also known as replicas, to which each Dfs link points

50 Domain-Based Dfs The domain server on which a Dfs root resides is known as a host server. A Dfs root can be replicated by creating roots on other servers in the domain. Dfs root replication provides file availability if the host server becomes unavailable. DNS names for the Dfs roots resolve to the host servers for the Dfs root. The host server is a member server within a domain.

51 Dfs Benefits Provides synchronization of Dfs topologies across host servers Provides fault tolerance for the Dfs root Supports optional replication of Dfs shared folders

52 Creating a Dfs Create a Dfs root. Create a Dfs link. Add Dfs shared folders; optional. Set replication policy.

53 Creating a Dfs Link In a network environment, keeping track of the physical locations of shared resources might be difficult for users. The network and file system structures become transparent to users when Dfs is used. Transparency enables the administrator to centralize and optimize access to resources based on a single tree structure. Users can browse the links under a Dfs root without knowing where the referenced resources are physically located. The maximum number of Dfs links that can be assigned to a Dfs root is 1000.

54 Create A New Dfs Link Dialog Box

55 Adding a Dfs Shared Folder For each Dfs link, create a set of Dfs shared folders to which the Dfs link points. Within a set of Dfs shared folders, the first folder is added to the set when the Dfs link is created, using the Distributed File System console. Subsequent folders are added using the console’s Add A New Replica dialog box. The maximum number of Dfs shared folders allowed in a set of shared folders is 32. When Dfs shared folders are added, folders can be chosen to participate in replication. If folders are set to participate in replication, the replication policy for the shared folders must be set.

56 Add A New Replica Dialog Box

57 Setting Replication Policy Replicating the contents of folders to other roots or Dfs shared folders in the domain ensures that the folders’ contents are always available to users. Both Dfs roots and Dfs shared folders can be replicated. Replication copies the content of one Dfs root to another, or from one Dfs shared folder to another Dfs shared folder.

58 Replication Policy Dialog Box