SHARING FILE SYSTEM RESOURCES
Chapter 9
CHAPTER OVERVIEW
• Create and manage file system shares and work with share permissions
• Use NTFS file system permissions to control access to files
• Manage file sharing using Internet Information Services (IIS)
UNDERSTANDING PERMISSIONS OVERVIEW
• File system permissions
• Share permissions
• Active Directory permissions
• Registry permissions – (REGEDIT)
ACCESS CONTROL LISTS (ACL)
Access Control Entries (ACEs)
An ACL has ACEs
Permissions are keys to unlock access to resources
Full Control permission is the master key
• Allows permissions assigned at one folder to flow down to subsequent files and folders
• Can be overridden by explicit permission assignment or inheritance blocking
• Useful in reducing the number of permission assignments required
[Figure: (Grand) Parent Folder and the folders/files below it, each level labelled Read / Write / Delete]
EFFECTIVE PERMISSIONS
• Allowed permissions are cumulative.
• Denied permissions override allowed permissions.
• Explicit permissions take precedence over inherited permissions.
EFFECTIVE PERMISSIONS
[Figure: effective permissions, starting from the (Grand) Parent Folder]
SHARING FOLDERS
• Without shares, network clients cannot access folders on a server
ADMINISTRATIVE SHARES
Administrative shares are hidden
Appending a $ to a share name creates a hidden share.
RESTRICTIONS ON CREATING FILE SYSTEM SHARES
• On a domain controller:
  • Administrators, Server Operators, Enterprise Admins, Domain Admins groups
• On a domain member server or workstation:
  • Administrators, Server Operators, Power Users groups
• On a workgroup or standalone computer:
  • Administrators or Power Users groups
CREATING A FILE SYSTEM SHARE USING WINDOWS EXPLORER
Lab: Create Share Folder
• Create “C:\ShareMe” folder
• Right-click “C:\ShareMe”
• Select “Share this folder”
SHARING A VOLUME USING WINDOWS EXPLORER
Lab: Create Share for root
• Start Windows Explorer
• Select C:\ root
• Right-click C:\ root
• Select Sharing tab
• Click “New Share…”
CREATING A FILE SYSTEM SHARE USING THE SHARED FOLDERS SNAP-IN
CREATING A FILE SYSTEM SHARE USING NET.EXE
• Allows shares to be created from a command line
• Lets you configure permissions during creation
• Lets you configure offline settings for the share
MANAGING SHARED FOLDERS
CONTROLLING OFFLINE STORAGE
PUBLISHING FILE SYSTEM SHARES IN ACTIVE DIRECTORY
MANAGING SHARE PERMISSIONS
USING SHARE PERMISSIONS
• Limited scope: Can be applied only to folders and only when connecting to the share
• Lack of flexibility: Permissions applied to the share apply to all levels below
• No replication: Share permissions are not replicated
• No resiliency: Share permissions cannot be backed up or restored
USING SHARE PERMISSIONS (continued)
• Fragility: Shares (and therefore share permissions) are lost when a folder is moved or renamed
• No auditing: Share permissions do not facilitate auditing
SHARE PERMISSION DEFAULTS
• When a new share is created, the following permissions are granted:
  • Everyone special identity: Read
  • Administrators: Full Control
CREATING A FILE SYSTEM SHARING STRATEGY
• Create logically named shares.
• Use nesting where necessary to reduce users’ need to navigate the directory structure.
• Share removable drives from the root to keep the share available when media are removed and reconnected or changed.
USING NTFS PERMISSIONS
• Scope: NTFS permissions apply no matter how the file is accessed.
• Flexibility: Wide range of permissions allows assignments to be tailored.
• Replication: NTFS permissions are included when a file is replicated.
• Resilience: NTFS permissions are retained when objects are backed up.
• Less fragile: NTFS permissions are not lost if a file is moved or renamed.
• Auditing: NTFS permissions support auditing.
MANAGING STANDARD PERMISSIONS
USING ADVANCED SECURITY SETTINGS
MANAGING SPECIAL PERMISSIONS
VIEWING EFFECTIVE PERMISSIONS
RESOURCE OWNERSHIP
• Each file and folder is assigned an owner.
• Ownership of a file makes the security principal a member of the Creator/Owner special identity.
• Files that are owned go toward disk quota calculations.
INSTALLING IIS
• Not installed during operating system installation
• Installed through the Windows Components Wizard (select Add Or Remove Programs in Control Panel, and click Add/Remove Windows Components) or through the Manage Your Server wizard
MANAGING AN IIS WEB SITE
USING THE WEB SITE TAB
USING THE HOME DIRECTORY TAB
USING THE DOCUMENTS TAB
USING THE PERFORMANCE TAB
CREATING VIRTUAL DIRECTORIES
• Allows you to include a folder from anywhere on the network in your Web site
• Appears to the Web site user as if it is a sub-directory of the main Web site folder
• Allows management of Web content to be distributed between departments
CONFIGURING IIS SECURITY
CONFIGURING IIS AUTHENTICATION
CONFIGURING IP ADDRESS AND DOMAIN NAME RESTRICTIONS
CONFIGURING SECURE COMMUNICATIONS
SUMMARY
• Windows Server 2003 controls access to resources using a number of mechanisms, including share permissions and NTFS permissions.
• Every object protected by permissions has an ACL, which is a list of ACEs assigned to that object. Each ACE contains a security principal and indicates the level of access that principal is permitted or denied to the object.
• File system shares enable network users to access files and folders on other computers.
SUMMARY (continued)
• Share permissions provide basic protection for file system shares, but they lack the granularity and flexibility of NTFS permissions.
• NTFS permissions can be allowed or denied, and explicit or inherited. A Deny permission takes precedence over an Allow permission, and an explicit permission takes precedence over an inherited permission.
SUMMARY (continued)
• Access granted by NTFS permissions can be restricted by share permissions and other factors, such as IIS permissions on Web sites.
• Whenever two permission types are assigned to a resource, you must evaluate each set of permissions and then determine which of the two is more restrictive.
• Every NTFS file and folder has an owner. The owner of a file or folder is always permitted to modify the file or folder’s ACL.
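The rules from the EFFECTIVE PERMISSIONS slide (cumulative Allow, Deny over Allow, explicit over inherited) and the "more restrictive of the two" rule in this summary, worked through as an added Python model; it is not part of the original slides and is not Windows' own access-check code. The users, groups, ACL entries and the three-right model (read, write, delete) are constructed for illustration, and share-level Deny entries are not modelled.

```python
from dataclasses import dataclass

# Simplified rights, named after the Read / Write / Delete labels in the slide figure.
# Share levels map to the rights they let through (Full Control's extra rights are omitted).
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete"},
}

@dataclass
class ACE:
    principal: str    # user or group the entry applies to
    kind: str         # "allow" or "deny"
    rights: set       # subset of {"read", "write", "delete"}
    inherited: bool   # True if the entry flowed down from a parent folder

def ntfs_effective(acl, memberships):
    """Rights NTFS grants to a user whose name and groups are in `memberships`."""
    granted, decided = set(), set()
    for inherited in (False, True):              # explicit entries are evaluated first
        tier = [a for a in acl if a.inherited == inherited and a.principal in memberships]
        denied = set().union(*(a.rights for a in tier if a.kind == "deny"))
        allowed = set().union(*(a.rights for a in tier if a.kind == "allow"))  # cumulative
        granted |= (allowed - denied) - decided  # Deny overrides Allow within a tier
        decided |= allowed | denied              # inherited entries cannot change these
    return granted

def share_effective(share_acl, memberships):
    """Rights the share lets through; share_acl maps principal -> share level."""
    return set().union(*(SHARE_LEVELS[lvl] for who, lvl in share_acl.items()
                         if who in memberships))

def network_effective(acl, share_acl, memberships):
    """Access through the share is the more restrictive of the two permission sets."""
    return ntfs_effective(acl, memberships) & share_effective(share_acl, memberships)

# Constructed sample data: hypothetical users, groups and folder ACL.
ACL = [
    ACE("Everyone", "allow", {"read"}, inherited=True),
    ACE("Sales", "allow", {"write"}, inherited=True),
    ACE("Sales", "deny", {"delete"}, inherited=True),
    ACE("Contractors", "deny", {"write"}, inherited=True),
    ACE("alice", "allow", {"delete"}, inherited=False),  # explicit, beats inherited Deny
]
DEFAULT_SHARE = {"Everyone": "Read", "Administrators": "Full Control"}  # defaults per the slides
ALICE = {"alice", "Everyone", "Sales"}
BOB = {"bob", "Everyone", "Sales", "Contractors"}

if __name__ == "__main__":
    print("alice local:", sorted(ntfs_effective(ACL, ALICE)))
    print("alice via share:", sorted(network_effective(ACL, DEFAULT_SHARE, ALICE)))
```

With the default share permissions, alice's NTFS rights are capped at Read when she connects over the network, which is why a share left at its defaults silently blocks writes that NTFS would allow.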
SUMMARY (continued)
• Any user with the Allow Take Ownership permission or the Take Ownership Of Files Or Other Objects user right can take ownership of an object.
• IIS is a Windows Server 2003 application that allows you to share files and folders using Web and FTP server services.