Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9: Managing Groups, Folders, Files, and Object Security

Published byStephan Scholz Modified over 5 years ago

Similar presentations

Presentation on theme: "Chapter 9: Managing Groups, Folders, Files, and Object Security"— Presentation transcript:

1 Chapter 9: Managing Groups, Folders, Files, and Object Security
4/15/2019

2 One-by-One? vs Group Management
Labor Intensive Group Management 4/15/2019

3 Learning Objectives Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups Manage objects, such as folders, through user rights, attributes permissions, share permissions, auditing, and Web permissions 4/15/2019

4 Learning Objectives (continued)
Troubleshoot a security conflict Determine how creating, moving, and copying folders and files affect security 4/15/2019

5 Managing Resources Three ways of managing resources and user accounts include: By individual user time consuming By resource print server By group Managing resources by groups is one effective way to reduce time spent on management 4/15/2019

6 Scope of Influence Scope of influence: The reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest 4/15/2019

7 Types of Security Groups
Local: Used on standalone servers that are not part of a domain Domain local: Used in a single domain or to manage resources in a domain so that global and universal groups can access those resources 4/15/2019

8 Types of Security Groups (continued)
Global: Used to manage accounts from the same domain and to access resources in the same and other domains. Can be Nested if native mode domains Universal: Used to provide access to resources in any domain within a forest Single domain d1 Across domains 4/15/2019

9 Local Security Group Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office 5-30 Users i.e manager group, worker group Each group with different access The scope does not go beyond the local server 4/15/2019

10 Domain Local Security Group
Typically a domain local security group is on the ACLs (Access Control List) of resources such as folders, shared folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group. Domain local groups can contain accounts, but usually that is not the best approach. Scope is the domain in which the group exists can convert domain local group to a universal group domain must be native mode (only Win2K Server Domain Controllers) mixed mode (has NT PDCs and BDCs) Typical purpose is to provide access to resources 4/15/2019

11 Membership Capabilities of a Domain Local Group
Table 9-1 Membership Capabilities of a Domain Local Group 4/15/2019

12 Implementing Global Groups
Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups MEMBERS CAN ACCESS RESOURCES IN OTHER DOMAINS 4/15/2019

13 Membership Capabilities of a Global Group
Table 9-2 Membership Capabilities of a Global Group 4/15/2019

14 Nesting Global Groups Global groups can be nested to reflect the structure of OUs (organizational Unit) .e.g. budget finance manager 4/15/2019

15 Figure 9-1 Nested global groups
Nesting Example 4/15/2019 Figure 9-1 Nested global groups

16 Planning Tip Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group Keep in mind that global groups can only be nested in native mode domains 4/15/2019

17 Global Group Example Figure 9-2 Managing security through domain local
and global groups create domain local group in each domain, e.g. LocalExec that has pres and vps user accounts if pres leaves, disable user act in global group and rename later 4/15/2019

18 Implementing Universal Groups
Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers) Universal groups enable the scope of influence to span domains and trees 4/15/2019

19 Membership Capabilities of a Universal Group
Table 9-3 Membership Capabilities of a Universal Group 4/15/2019

20 Guidelines for Using Groups
Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both. Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources. 4/15/2019

21 Guidelines for Using Groups (continued)
Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups. 4/15/2019

22 Example Universal Group Setup
Figure 9-3 Managing security through universal and global groups 4/15/2019

23 Creating a Group To create a group:
Click the container in which to create the group Click the Create a new group in current container icon Enter the name of the group Select the group scope Select the group type Click OK 4/15/2019

24 Entering the Group Parameters
4/15/2019 Figure 9-4 Creating a group

25 Group Properties Tabs (p342) General: Used to enter a description, set the scope, and set the group type Members: Used to add group members Member Of: Used to make group member of another group Managed By: Establishes who will manage the group (if other than server administrator) Object: Provides information about the group as an object (on newer versions of Windows 2000) Security: Enables you to set up security (on newer versions of Windows 2000) 4/15/2019

26 Converting NT Groups to Windows 2000 Server Groups
Existing NT local groups on a PDC are converted to domain local groups Existing NT global groups on a PDC are converted to global groups If still running in mixed mode, universal groups are not recognized If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups 4/15/2019

27 Windows 2000 Predefined Security Groups
Default group supplied e.g. Domain Administrator group , includes administrator 4/15/2019 1The group scope cannot be changed Table 9-4 Windows 2000 Predefined Security Groups

28 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

29 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

30 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

31 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

32 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

33 Windows 2000 Predefined Security Groups (continued)
1The group scope cannot be changed 4/15/2019

34 Windows 2000 Predefined Security Groups (continued)
4/15/2019 1The group scope cannot be changed

35 Table 9-5 Rights Security
The most efficient way to assign user rights is to assign them to groups that have those rights. inherited rights Table 9-5 Rights Security 4/15/2019

36 Rights Security User rights: Enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas 4/15/2019

37 Rights Security (continued)
4/15/2019

38 Rights Security (continued)
4/15/2019

39 Rights Security (continued)
4/15/2019

40 Inherited Rights Inherited rights: User rights that are assigned to a group and that automatically apply to all members of that group 4/15/2019

41 Configuring Rights To configure rights in a domain:
Open the Active Directory Users and Computers tool Right-click a domain or OU, for example Click Properties, click the Group Policy tab, click the group policy, and click Edit Double-click (if necessary) Computer Configuration,Windows Settings, Security Settings, and Local Policies Double-click User Rights Assignment Double-click any policies to configure them 4/15/2019

42 Configuring Rights (continued)
4/15/2019 Figure 9-6 Configuring user rights as part of group policy

43 File and Folder Attributes
Attributes: A characteristic associated with a folder or file used to help manage access and backups 4/15/2019

44 FAT Attributes Read-only Hidden Archive
if assign to folder, does not apply to files in folder. Can only be deleted by user belonging to administrator group Hidden cannot see contents Archive used to indicate file or folder needs to be backedup because of a change 4/15/2019

45 FAT Attributes (continued)
4/15/2019 Figure 9-7 Attributes of a folder on a FAT-formatted disk

46 NTFS Attributes Regular attributes Extended attributes Read-only
Hidden Archive Extended attributes Index-Used for windows quick search Compress-less space, longer to access Encrypt-cipher command 4/15/2019

47 NTFS Attributes (continued)
4/15/2019 Figure 9-8 Attributes of a folder on an NTFS-formatted disk

48 Troubleshooting Tip If you configure the Index attribute, but indexing it is not working check the following: Make sure that the Indexing Service is installed Makes sure that the Indexing Service is started and set to start automatically 4/15/2019

49 Troubleshooting Tip Files that are compressed cannot be encrypted
4/15/2019

50 Encrypting File System
The encrypt attribute uses Microsoft Encrypting File System (EFS) that sets a unique private encryption key that is associated with the user account that encrypted the file or folder. Only that account has access to the encrypted file or folder contents. 4/15/2019

51 Troubleshooting Tip De-encrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location 4/15/2019

52 Permissions (p354) Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, privilege to read a file, or to create a new file 4/15/2019

53 Auditing Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation 4/15/2019

54 Ownership Ownership: Having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership. 4/15/2019

55 Design Tip If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember One variance from this recommendation is large database files that may require individual security 4/15/2019

56 Figure 9-9 Configuring security options
4/15/2019 Figure 9-9 Configuring security options

57 Inherited Permissions
Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder 4/15/2019

58 Configuring Permissions
4/15/2019 Figure Configuring permissions by groups and users

59 Configuring Inherited Permissions
4/15/2019 Figure Configuring inherited permissions

60 NTFS Folder and File Permissions
4/15/2019 Table 9-6 NTFS Folder and File Permissions

61 NTFS Folder and File Permissions (continued)
4/15/2019

62 Configuring Special Permissions
4/15/2019 Figure Configuring special permissions

63 Special Permissions You can customize permissions to meet particular security needs by using special permissions 4/15/2019

64 NTFS Folder and File Special Permissions
Table 9-7 4/15/2019

65 NTFS Folder and File Special Permissions (continued)
4/15/2019

66 Example Guidelines for Setting Permissions
Protect the Winnt folder by allowing limited access, such as Read & Execute Protect server utility folders, such as folders containing backup software, with access for Administrators only Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files) 4/15/2019

67 Example Guidelines for Setting Permissions (continued)
Set up publicly used folders with Modify for broad user access Give users Full Control of their own home folders Remove groups such as Everyone and Users from confidential folders 4/15/2019

68 Configuring Auditing Start by configuring a group policy for auditing
Configure auditing on an as needed basis for particular objects, such as a folder or file 4/15/2019

69 Planning Tip Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them 4/15/2019

70 Figure 9-13 Configuring folder auditing
4/15/2019 Figure Configuring folder auditing

71 Setting an Audit Policy
Figure 9-14 Configuring audit policy as part of the default domain policy 4/15/2019

72 Ownership Guidelines for ownership:
The account that creates an object is the initial owner Ownership is changed by first having permission to take ownership and then by taking ownership Full Control permissions are required to take ownership (or the special permission, Take Ownership) 4/15/2019

73 Share Permissions Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer 4/15/2019

74 Configuring Share Permissions
4/15/2019 Figure Configuring a shared folder

75 Share Permissions for a Folder
Read: Permits groups or users to read and execute files Change: Enables users to read, add, modify, execute, and delete files Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions 4/15/2019

76 Offline Access to a Folder through Caching
Use the Caching button in the folder Properties dialog box on the the Sharing tab to set up a folder for offline access via caching Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network 4/15/2019

77 Folder Caching Options
Automatic Caching for Documents: Documents are cached without using intervention – all files in the folder that are opened by the client are cached automatically Manual Caching for Documents: documents are cached only per the user’s request Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified 4/15/2019

78 Troubleshooting Tip If the Sharing tab is not displayed, make sure that the Server service is started 4/15/2019

79 Web Sharing Use the Web Sharing tab in a folder’s properties to configure that folder for Web access 4/15/2019

80 Configuring Web Sharing
Figure Entering Web sharing permissions 4/15/2019

81 Web Sharing Access Permissions
4/15/2019 Table 9-8 Web Sharing Access Permissions

82 Web Sharing Application Permissions
Table 9-9 Web Sharing Application Permissions 4/15/2019

83 Troubleshooting a Security Conflict
Check the groups to which a user or group belongs Look for group permissions that conflict, particularly because the Deny box is checked for a permission 4/15/2019

84 Moving and Copying Files and Folders
A newly created file inherits the permissions already set up in a folder A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder 4/15/2019

85 Moving and Copying Files and Folders (continued)
A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder 4/15/2019

86 Chapter Summary Without the Active Directory, use local groups to manage access to resources With the Active Directory implemented, use domain local, global, and universal groups to manage resources 4/15/2019

87 Chapter Summary Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs 4/15/2019

Download ppt "Chapter 9: Managing Groups, Folders, Files, and Object Security"

Similar presentations

Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.

1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

Similar presentations

Ads by Google