Configuring and Managing Resource Access Lecture 5

Folder and File Security Access Control List (ACL) – list of privileges given to a user account or a group DACL – discretionary ACL – configured by an admin or owner SACL – system control ACL – contains information for auditing access

Folder and File Attributes Read-only Hidden Extended attributes: Archive, Index (not Windows Search Service), Compress, Encrypt

Folder and File Permissions Permissions (NTFS) control access to an object DACL

NTFS permissions NTFS permissions are specified in the object’s ACL and are used to control access to the object 2 Categories of permissions: Standard and Special Standard are pre-set, frequently used permissions for objects Special provide finer granularity to file/folder security

NTFS permissions NTFS permissions can be assigned by an owner, a user with Full Control, or a user with Change Permissions. Also, a user with Take Ownership permission can take ownership of the file/folder and then change permissions.

Standard NTFS Permissions  Read  Read&Execute  List Folder Contents  Write  Modify  Full Control

Folder and File Auditing  Auditing tracks access to folders and files  Audited events are recorded in the Windows Server 2008 Security Log in Event Viewer

Folder and File ownership  An owner is the person who creates a folder/file.  Owner can change permissions  Ownership can be transferred to a user with Full Control or Take Ownership permissions  Administrators can always take ownership

New, Moved and Copied files and folders permissions  When a file or folder is moved or copied, it will inherit the destination folder permissions.  The only exception is when a file/folder is moved within the same NTFS volume - then it will retain its original permissions.

Shared Folders and Permissions  Shared folder gives users access over the network  In Server 2008 sharing is more secure (not shared with Everyone by default)

Shared Folder Permissions  Share permissions are different from NTFS (NTFS and share permissions are cumulative)  Deny permissions take precedence’  Shared folders can be cached  Shared Folders can be published in AD

Shared Folder Permissions  Reader (former Read)  Contributor (former Change)  Co-owner (former Full Control)  Owner

Effective permissions  User and Group NTFS permissions combine for the least restrictive combination, except where Deny overrides Allow. Files may have different permissions that parent folder permissions.  When combining share and NTFS permissions always chose the MOST restrictive combination

Effective NTFS permissions 1. Determine effective shared by choosing the least restrictive of all shared. The exception is Denied permission overrides Allow. 2. Determine effective NTFS by choosing the least restrictive of all shared. The exception is Denied permission overrides Allow. 3. Combine the results of steps 1 and 2 and choose the MOST restrictive permission out of share and NTFS. IF there is no overlap - no permissions are effective.

Troubleshooting Permissions Problems When permissions are granted through group membership, a user needs to log off and log back on Watch out for “Deny” Permissions Watch out for individual folder permissions Watch out for a conflicting combination of NTFS/Shared permissions File permissions change after being moved/copied

Distributed File Services A way to combine multiple shared folders on different servers into one hierarchy (under 1 root) Stand-alone- only exists on 1 server Domain-based – allows fault-tolerance and load balancing, as well as using AD for copying a folder to multiple targets