CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Agenda Chapter 7: Understanding and Troubleshooting File Access Quiz Exercise
NTFS File System Offers better security through permissions and encryption ▫A permission is a type of access granted to an object such as NTFS files and folders ▫Access Control List (ACL) ▫Each assignment of permissions to a user or group is represented as an access control entry (ACE)
NTFS Permissions Full Control ▫Can do everything Modify Read & Execute ▫Can see and run all contents inside the folder List Folder Contents Read Write See Figure 7-1 on Page 135
Special Permissions Each of the standard permissions consists of a logical group of special permissions ▫To assign special permissions, you have to use the advanced security settings ▫See Table 7-1 on Page 136 for a full list of permissions ▫See Figure 7-2 on Page 137
NTFS Permissions (Cont.) There are two types of permissions used in NTFS: ▫Explicit permission Permissions granted directly to the file or folder. ▫Inherited permission Permissions that are granted to a folder (parent object or container) that flow into child objects (subfolders or files inside the parent folder) By default, objects within a folder inherit the permissions from the parent
NTFS Permissions (Cont.) Deny permissions override Allow permissions; however, explicit permissions override inherited permissions. Order of precedence: 1. Explicit Deny 2. Explicit Allow 3. Inherited Deny 4. Inherited Allow
Effective Permissions The actual permissions you have when logging in and accessing a file or folder ▫They consist of explicit permissions plus any inherited permissions ▫See Figure 7-3 on Page 140 Calculate the effective permissions ▫Calculate the explicit and inherited permissions for an individual group and then combine them. ▫The only exception is that Deny permissions always apply
Copying and Moving Files Copy a folder or file ▫The new location's permissions will be applied Move a folder or file from one volume to another volume ▫The new location's permissions will be applied Move a folder or file within the SAME volume ▫The old permissions will be applied
Sharing Drives and Folders To help protect against unauthorized access, you will use share permissions along with NTFS permissions (assuming the shared folder is on an NTFS volume) When users need to access a network share, they would use the UNC, which is \\servername\sharename
Sharing Drives and Folders (Cont.) In Windows 7, there are four types of file sharing: ▫Public sharing (Public folder) Either use the same computer, or connect to it over a network Located in the Users folder of your root directory It can be accessed through a person’s libraries ▫Standard sharing Can be enabled or disabled on a per computer basis ▫Homegroups ▫Advanced sharing
Homegroups Only available with Windows 7 You can join a HomeGroup in any edition of Windows 7 Only Home Premium, Professional, or Ultimate editions can create homegroups
Advanced Sharing Right-clicking a folder, selecting Properties and clicking Advanced Sharing Shared folders can be shared several times with different names and permissions See Figure 7-4 on Page 145
Share Permissions Full Control ▫Users can do everything as well as change file and folder permissions and take ownership of files and folders Change ▫Users can do everything except change the permission and cannot take ownership Read
Share Permissions (Cont.) You can allow or deny each share permission To simplify managing share and NTFS permissions, Microsoft recommends ▫Giving Everyone Full Control ▫Controlling access using NTFS permissions The effective share permissions are the combination of the permissions of the user and of all groups that the user is a member of
Combining NTFS and Share Permissions Only the NTFS permissions apply ▫When the user logs on to the server (physically or remotely) Both NTFS and share permissions apply ▫When the folder is accessed through a UNC path To determine the overall access ▫Calculate the effective NTFS permissions ▫Then determine the effective share permissions ▫Last, apply the more restrictive permissions between the NTFS and share permissions
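The precedence order and the NTFS/share combination rule above, worked through as an added example (a simplified model written for these notes, not Windows' own access-check code). The right names, the mapping of share permissions onto those rights, and the users and groups are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Simplified right sets (assumption); real standard permissions expand into
# the special permissions listed in Table 7-1.
READ_EXECUTE = frozenset({"read", "execute"})
MODIFY = READ_EXECUTE | {"write", "delete"}
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}
SHARE_READ, SHARE_CHANGE, SHARE_FULL = READ_EXECUTE, MODIFY, FULL_CONTROL

@dataclass(frozen=True)
class ACE:
    trustee: str             # user or group the entry applies to
    allow: bool              # True = Allow, False = Deny
    rights: frozenset
    inherited: bool = False  # False = explicit, True = inherited from parent

def precedence(ace):
    # Sort key: explicit deny, explicit allow, inherited deny, inherited allow.
    return (ace.inherited, ace.allow)

def effective(acl, identities):
    """Rights a user ends up with, given the user's name and group names."""
    granted, decided = set(), set()
    for ace in sorted(acl, key=precedence):
        if ace.trustee not in identities:
            continue
        if ace.allow:
            granted |= ace.rights - decided  # only rights not decided earlier
        decided |= ace.rights                # first matching ACE wins per right
    return frozenset(granted)

def overall_access(ntfs_acl, share_acl, identities, via_unc):
    ntfs = effective(ntfs_acl, identities)
    if not via_unc:          # logged on to the server: only NTFS applies
        return ntfs
    return ntfs & effective(share_acl, identities)  # the more restrictive result

# Constructed sample data (hypothetical users and groups).
NTFS_ACL = [
    ACE("Users", True, READ_EXECUTE, inherited=True),
    ACE("Sales", False, frozenset({"write"}), inherited=True),
    ACE("alice", True, MODIFY),          # explicit allow beats the inherited deny
    ACE("Interns", False, FULL_CONTROL), # explicit deny beats everything
]
SHARE_ACL = [ACE("Everyone", True, SHARE_READ)]
ALICE = frozenset({"alice", "Sales", "Users", "Everyone"})
BOB = frozenset({"bob", "Sales", "Users", "Everyone"})
CAROL = frozenset({"carol", "Interns", "Users", "Everyone"})
```

With this data, alice has Modify when logged on to the server but only Read & Execute through the share, because the share grants Everyone only Read.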
Administrative Share A shared folder typically used for administrative purposes To make a shared folder or drive into an administrative share, the share name must have a $ at the end of it ▫Shared folder or drive cannot be seen during browsing, UNC with $ is needed By default, all volumes with drive letters automatically have administrative shares (C$, D$, E$, and so on) ▫Other administrative shares can be created as needed for individual folders
Troubleshooting File Access Problems Make sure that the computer is available (including proper name resolution) The shared folder is available There are no firewall issues (SMB file sharing uses ports 139 and 445) on the client and remote computer If the user gets an access denied or similar message ▫Verify the NTFS and share permissions.
Backups When planning backups ▫You should isolate program files and data files Program files usually do not change and so they do not have to be backed up often Data files change often, so they should be backed up more often If you isolate them in different areas, you can create different backup policies for each area
Windows System State The Windows system state is a collection of system components that are not contained in a simple file that can be backed up easily. It includes: ▫Boot files ▫Registry (including COM settings) ▫SYSVOL ▫User profiles ▫COM+ and WMI information ▫IIS metabase
Windows Backup Allows you to make copies of data files for everyone who uses the computer You can ▫Let Windows choose what to back up ▫Select the individual folders, libraries, and drives By default, your backups are created on a regular schedule ▫You can change the schedule and manually create a backup at any time ▫See Figure 7-5 on Page 148
System Protection A feature that regularly creates and saves information about your computer’s system files and settings System Protection uses restore points Restore points are also created automatically once every seven days if no other restore points were created in the previous seven days You can create restore points manually at any time
System Restore Helps you restore your computer’s system files to an earlier point in time by regularly creating and saving restore points It’s a way to undo system changes to your computer without affecting your personal files, such as documents or photos See Figure 7-6 on Page 150
Previous Versions If you have system protection enabled, you can also revert any change made to files or folders individually See Figure 7-7 on Page 152
File Auditing To enable auditing ▫Specify what types of system events to audit using group policies or the local security policy ▫Security Settings\Local Policies\Audit Policy Auditing NTFS files, NTFS folders, and printers is a two-step process ▫First enable Object Access using group policies ▫Then specify which files or folders you want to audit After you enable logging, open the Event Viewer security logs to view the security events
Assignment Submit these before class is over on Thursday ▫Fill in the blank ▫Multiple Choice ▫True / False Submit these before class starts on Monday ▫Lab 7 ▫Case Scenario 7-2