Sharing and Securing Files and Folders
This chapter provides an understanding of access control to network file and folder resources. Chapter 21 provided an in-depth review of the Windows 2000 file systems, especially NTFS. Now, let’s look at the file systems from other viewpoints: users and applications and, of course, administrators.
Most data is generated and stored on computer systems, using the file and folder metaphors inherited from our three-dimensional world. However, since the advent of local and wide area networks, particularly the Internet, your files and folders (directories) are accessible to anyone with a computer and a network connection unless you secure them. You need to secure the data within files, and the folders that contain those files, while at the same time providing controlled access to authorized users. The NT File System (NTFS) lets you do that on three security access levels:
✦ Shares
✦ Folder permissions and file permissions (called NTFS permissions)
✦ Encryption
NTFS creates a hierarchy of folders in a volume, all starting from a root folder (see also Dfs and mounted volumes in Chapter 21). The earlier versions of NTFS could only store a single folder hierarchy on a single hard drive or volume, maintained on a single computer. As we stated in Chapter 21, the folder hierarchy (or folder namespace) can traverse or span hard disk volumes on any computer on the network. To keep things simple in this chapter, we’ll discuss folders and files independently of where they may be located on the network.
Sharing and Securing Your Data
Windows 2000, like all modern graphically managed operating systems, allows you to manage your files and folders in the same way as your hardcopy filing systems: in folders and filing cabinets. Think about the file room in a law firm or a newspaper morgue. It is unlikely you would be allowed to just walk into this room: It is usually locked or guarded, and you would need authority to enter, but you know it’s there. The company does not hide it away from you, because it is a shared resource, and they usually want you to know about it because you might need data in it to do your work.
Shares are the clubhouses of the network. A share is where users and groups of users go to share resources. You enable folder-sharing for your users and applications by creating a share, or in the lingo of mainframes, midrange, and legacy systems, a share-point. By owning the files and folders on your own machine (and we discuss ownership next), you automatically have full access and control over your folders and their contents. Administrators own all the folders they create anywhere on the network, and can thus share them.
Over the years, we have found that most calls to the support desk originate because a user or a group cannot connect to shared resources, such as folders, files, and printers. When users cannot connect, and get the “access denied” message, they assume the world has ended, such is the extent of their panic. Usually, it is a simple case of an incorrect permission. However, we have seen how permission misadventure causes much consternation and is a waste of time, so we stress that every administrator should become an expert in this subject.
Getting back to our brick and mahogany file room: By having access to the file room, you do not necessarily have access to every file or folder it contains. Depending on your rank in the company, the department you work for, and the work you do, you may or may not be allowed to open a file cabinet, read a file, check it out, change its contents, or add data to it. Likewise, by being a member of a group of users or by having individual authority, you may gain access to the NTFS share, but some files will not be for your eyes. Others will be accessible for reading only — you might not be allowed to change, delete, copy, or move them. The levels of access you have to the folders and files are called permissions. Administrators, members of Administrator groups, and the owners of objects can assign permissions and control access to these objects, and they can also encrypt the files.
Folder and file encryption is the third mechanism you can now use for protecting your files and folders. It has been added to the Windows 2000 file system and is only supported under NTFS. When you add Windows 2000’s support for cryptography and distributed security services, such as Kerberos and digital certificates, to the file system, you have what is known as the encrypting file system or EFS. The EFS is fully discussed later in this chapter.
Another means of understanding shares or share-points is by understanding ownership. Ownership is not a configuration setting, or a mere value in the registry or Active Directory; it derives from the security services of the NTFS and the Win32 security system (this is discussed in more detail in Chapters 3 and 10).
It helps to understand ownership if you’ve done some Windows programming. The Win32 API has a Create or CreateFile function that creates objects such as folders and files. If the Create function you are calling can take a security parameter, you can lock the object (pass a security descriptor) and keep other processes from accessing it. The lock is like a key that you, the owner, get to keep when you create the object. That is the essence of ownership. Of course, the whole process is managed by the OS and requires no user actions.
When a process creates a file or a folder — objects — the file system assigns that process the rights of ownership, and passes it a key. The process created it, so that process owns it and it can do whatever it likes with that object. If you create a folder on the computer you are logged onto, or within a folder namespace to which you have access, you own the folder. Only you and the processes that operate within your security context (activated by the validation of your password) can access that folder.
Now, when other users or processes need access to the folder you just created, do you allow them to take ownership, hand them the key? No, not normally, because if you did, you would be losing your right to the object. By creating a share, you are essentially inviting others to access the folder (with restrictions, of course), but you don’t give them the key. If someone else with bad intentions got hold of your keys, they might come back after dark and destroy your network. Remember the old adage: Possession is nine-tenths of the law. And remember what we said about safeguarding the Administrator account back in Chapter 10. You can do tremendous damage with 50 lines of code and access to the Administrator account.
The owner of an object can actually allow a specified user or a group to take over the ownership of the object (we’ll get to that shortly). Taking ownership is a one-way action. You can take ownership, but you cannot bestow it or return it. You can allow someone else to take ownership; you assign them this permission. Ownership can only be transferred if the would-be beneficiary is willing to take it. By not being able to transfer ownership unilaterally, NTFS prevents users from hiding dirty work. In other words, you cannot go and lock up a folder and throw away the key, and then make it look like someone else did the damage.
Publishing Shares in Active Directory
The idea of published shares is new to the Windows networking environment, and it begins with Active Directory, as discussed in the previous chapter. Windows 2000 users connect to shared resources on a Windows 2000 domain by looking them up in the Active Directory. You can still connect to shares on the browse list and from the command line, as described later in this chapter.
Creating shares on Windows 2000 is really easy, and if you have Windows experience, you will only need to read the next section as a refresher and to pick up subtle yet important differences. Establishing shares on remote computers is another story, however, and the process is handled in the new Computer Management snap-in described later in this chapter.
Creating a Share
When you first create a share, the file system automatically gives access to the Everyone group, unless you have taken steps to prevent that, discussed later. If the contents of the files are sensitive, you need to remove the Everyone group and assign access only to authorized users or groups.
Back in Chapter 10, we encouraged you to use common sense management practices and avoid assigning rights to individual users. The same advice applies to shares. Share folders with groups, not individuals. One of the only times you should circumvent this advice is when you need to audit individuals.
Sharing a Local Folder
If you are the owner of the folder or the folders within the local folder namespace, then sharing a folder involves little more than right-clicking the new or existing folder and selecting Sharing from the Context menu. Select the option Share this folder in the dialog box. The share name field is enabled. This is demonstrated in Figure 22-1.
As soon as the dialog box is enabled, you can enter the following share data:
✦ Share name: The actual folder name is used as the default share name, but you can change this to reflect any name that better suits the application for the share. It is a good idea to use the best share name for the share, possibly one that better informs the user of the purpose of the share or that provides a hint of the share’s contents. For example, a folder might be named Y2K, and rather than changing that name (it’s been done before), which would impact other applications, it would be better to make the share name “Y2K data files and documents.” Share names can be up to 80 characters in length, and they can contain spaces. However, if your users are attaching from the command line or you have applications that might send share attach commands to the system console, you should stick to single names of between 8 and 12 characters (and even 8.3 names for those still using Windows 3.1). The best command-line-compliant substitute for the aforementioned share name is the simple Y2KDATA.
Figure 22-1: The Sharing tab on the folder’s Properties dialog box
✦ Comment: The comment field will take 100 characters, so you can be creative here. It is a good idea to include the comment field wherever possible because it shows up in Explorer when users browse for a share. Although we said you can be creative, be conservative. A hundred-character comment field forces most users to waste time scrolling to the right.
✦ User limit: You will ignore this most of the time, allowing the client access licensing to monitor the number of connections. On server shares there is no maximum limit, but you can restrict connections for application-specific purposes or licensing. Windows 2000 Professional prohibits more than ten concurrent connections and has several other exclusions you will discover, so forget about using it as a substitute for a server.
✦ Caching: The cache settings allow you to configure offline access to the shared folder. Offline folder and file access is touched upon later in this chapter, and explained in the context of Group Policy and change control.
Establishing Shares on Remote Computers
There are two ways to connect to a remote computer and create a share-point on it. The first and hardest way is by using the NET SHARE command at the command prompt. This is explained in Appendix A. The second, and by far the easiest way, is by opening the Computer Management snap-in (compmgmt.msc).
Once you are in Computer Management, select the first option, Computer Management (Local). Right-click it and select Connect to another computer from the Context menu. This is illustrated in Figure 22-2. You can connect to a computer listed in the Active Directory (the best way), or you can connect to a computer listed in the domain. Once you have opened the remote computer into the snap-in, you will be able to expand the System Tools tree and select the remote computer Shared Folders option. From here on, the process of creating the share-point is no different from creating shares on the local machine.
Figure 22-2: The Shared Folders option in the Computer Management snap-in
Share Attributes
Share access can be given directly to users or processes, or implicitly through group membership. Shared folders possess the following attributes:
✦ Shares only work on folder objects, and not on files that folders contain. You cannot select a file, x-file, and share it as x-file on the network. But you can share a folder called thexfiles and allow users to access the files in that folder.
✦ The default access permission on a share is Full Control. This permission is assigned to the Everyone group. So, if you create such a share, and have your Guest account enabled and not governed by any domain policy, every computer user has access to it. But you are a common-sense administrator, and you will follow our advice and make sure that your network is locked down.
✦ Shares can be established on most file systems, including FAT. But NTFS permissions, discussed later in this chapter, are peculiar to the Windows NT and Windows 2000 operating systems.
✦ Shares are visible to you (if they are not hidden) when you are trying to connect over the network. Share access also applies to the local user logged onto the computer that is hosting the shared folder. This feature is extremely important because it means you can prevent users who log on locally from accessing folders. And it’s a surefire way of protecting your data on a notebook computer.
✦ A shared folder on your machine is represented as an icon with a hand holding the folder. But across the network, the icon does not include the hand.
✦ Shares can be hidden, a very valuable security and administration tool that we will discuss later in this chapter.
Table 22-1 lists the folder permissions that apply to Windows 2000 shares. Remember that the access level is at the share only; NTFS permissions provide the “second line of defense” to locked-down resources. You set these permissions through the Share Permissions properties, which you can access by clicking Permissions on the Sharing page of the shared folder’s property sheet, as shown in Figure 22-3.
Table 22-1: Shared Folder Permission Types
Read: The user can see the entire shared folder tree (root shared folder and subfolders). The user can also see all the files in the folder tree (traversing) and open them for reading. The user can execute applications in the shared folder hierarchy.
Change: This privilege inherits the Read privileges and also allows the user to change the folders and the data in the files within the shared folder’s namespace. The user can also change file attributes, and can copy, move, and delete files and folders. The user cannot change the actual share.
Full Control: This privilege allows the user to take ownership of the files and folders within the shared folder’s namespace. It inherits the privileges of the Read and Change permissions. Under NTFS, only Full Control allows a user to change permissions and take ownership of a file or folder.
Figure 22-3: The Share Permissions dialog box
Deny
You can deny access to any of the above permissions. For example: If you deny Full Control, you drop the privilege level down to Change. Deny is useful if you wish to single out a user and deny him or her access (the same applies to groups). Deny is the strongest of permission attributes; in other words, it takes precedence over every permission. For example, if a user in a primary group has full access to a share, but you deny access directly or via a secondary group, the user is denied despite the access given in the primary group. However, it is better to take the user out of a group rather than keep him or her in the share and specifically deny him or her the access.
Accumulation of Share Permissions
Share permissions accumulate. If a user is a member of one group that is given Read access, but he or she is also a member of another group that is given Change access (to the same share), then the user’s cumulative permissions in the share are Read and Change. The user’s effective permission is Change, because it includes Read permission.
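The accumulation and Deny rules of the last two sections, carried through as an added example (this is not code from the book): the function takes a user’s account name plus all of his or her groups and the share’s permission entries, accumulates the Allow entries, and lets any Deny take precedence. The group names are constructed, and the model assumes that an Allow at one level includes the levels below it and that a Deny at one level also removes the levels above it.

```python
# Share permission levels in order; each level includes the ones below it.
LEVELS = ["Read", "Change", "Full Control"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_share_permission(principals, acl):
    """Compute a user's effective share permission.

    principals: the user's own account name plus every group he or she is in.
    acl: the share's permission entries as (trustee, "Allow" | "Deny", level).

    Returns the name of the effective level, or None when the user has no
    access to the share at all.
    """
    granted = set()   # ranks the user is allowed, directly or via a group
    denied = set()    # ranks removed by a Deny entry
    for trustee, ace_type, level in acl:
        if trustee not in principals:
            continue                      # entry applies to someone else
        rank = RANK[level]
        if ace_type == "Allow":
            # Allowing a level also allows every lower level: Full Control
            # includes Change, and Change includes Read.
            granted.update(range(rank + 1))
        elif ace_type == "Deny":
            # Denying a level removes it and every higher level, since a
            # higher level would otherwise still carry the denied rights.
            denied.update(range(rank, len(LEVELS)))
        else:
            raise ValueError(f"unknown entry type {ace_type!r}")
    usable = granted - denied
    if not usable:
        return None                       # the user sees "access denied"
    return LEVELS[max(usable)]            # accumulated rights collapse to the highest level


if __name__ == "__main__":
    # Constructed permission entries for one share; the groups are invented.
    acl = [
        ("Sales", "Allow", "Read"),
        ("Marketing", "Allow", "Change"),
        ("Everyone", "Allow", "Full Control"),
        ("Contractors", "Deny", "Full Control"),
        ("Temps", "Deny", "Read"),
    ]
    cases = {
        "alice": {"Sales", "Marketing"},       # Read + Change accumulate to Change
        "bob": {"Everyone", "Contractors"},    # Full Control denied, drops to Change
        "carol": {"Everyone", "Temps"},        # Read denied, so no access at all
        "dave": {"Guests"},                    # no entry applies to this user
    }
    for user, groups in cases.items():
        print(f"{user}: {effective_share_permission({user, *groups}, acl)}")
```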
Moving or Copying Folders
When you move a folder, the shares assigned to it are deleted. The folder is not shared at the new location. If you copy a folder, the new copy is not shared, but the source folder remains shared.
Intra-Domain Shares
Shares are not restricted to the users and groups of the domain in which they were created. If a trust relationship exists between two domains, then a user or group in one domain can be given access to the share in another domain (see Chapters 3, 7, and 10). The administrator of Domain A can provide access to a user or to a global or universal group from Domain B.
Who Can Share Folders
Members of the predefined Administrators, Server Operators, and Power Users groups can share folders. On a member server, in a Windows 2000 domain, the members of the Administrators or Server Operators groups can share folders that exist on any computer on the network. On a standalone computer, only the Administrator and members of the Power Users and local Administrators groups can share a folder.
Workgroups do not make for such flexible sharing. Only members of the local Administrators group and the Power Users group can share folders. Remember that if you own the folder, you can share it. But an administrator can take ownership at any time.
Hidden Shares
The ability to hide shares is a useful feature of the Windows OS. It makes up for the problem of shares being visible to everyone on the network, even to users who do not have access to the shares. Relative hiding of shares is probably a very difficult and cumbersome technology to introduce into the OS, but it makes sense to only expose shares to users who have access to them. To the other users, the shares should just not be visible, only available on a need-to-know basis. Active Directory goes a long way to make that possible by locating published shares in organizational units.
It is, however, possible to hide shares by simply ending the share name with the dollar sign ($). You can still connect to the share if you have access to it, but it does not show up on the browse list (as nothing ending with the dollar sign shows in the browse list). You connect to the share using Run, as explained next, or at the command line using NET SHARE (see Appendix A).
Here is a good example of a hidden share in action: A certain company in Florida transmits millions of dollars of direct deposit information to the bank every afternoon. The application resides at the data center in Miami, but it logs into a hidden share on the wide area network, after an application in Los Angeles writes the direct deposit information to a file in the same hidden share. Both applications or processes are members of the Banking group, and they have Read and Write access to the file in the share. No one else can see the share on the network, and the cloaking affords the share a measure of concealment. Of course, it is possible to dig around on computers and look for hidden shares. But did you know that you can hide computers as well? See Chapter 3.
Connecting to Shares
There are several ways to connect to shares. You can connect using interactive tools or at the command line. You can also connect to published shares in Active Directory, which is the preferred way. DNS directs you to the domain controller hosting the Active Directory, so connecting to a share is as simple as browsing for a Web page:
To connect to a share using the Map Network Drive Wizard (this option assigns a drive letter):
1. Right-click the My Network Places on the desktop and select Map Network Drive.
2. Type in the UNC path to the folder if you know it, or click Browse to drill down to the exact folder.
3. Enter a drive letter of your choice or use the default.
4. Check the Reconnect at Logon checkbox if you wish the connection to remain persistent.
5. You can also connect to the share under another user name. All you need is the logon name and password. This is useful if you need to connect to a resource on a domain for which you have not been fully authenticated.
To connect to a share using Run:
1. Select Start ➪ Run.
2. Type in the UNC path to the folder if you know it, or click Browse to drill down to the exact folder.
To connect to a share from My Network Places:
1. Open My Network Places.
2. Find the computer that contains the share and drill down until you locate the folder in the browse list.
3. When you find the share, double-click it to establish the connection.
To connect to a share in the Active Directory:
1. Open My Network Places.
2. Expand Active Directory until you locate the domain in which you wish to locate a published share.
3. When you find the share, double-click it to establish the connection.
Administrative Shares
When you install Windows 2000, NTFS automatically creates administrative shares on your local volume. These shares are placed in strategic administrative folders, the most important being where you installed the Windows 2000 system files. The administrative shares are listed in Table 22-2.
Table 22-2: Administrative Shares
Roots (C$, D$, E$ and so on): The root of every volume on a Windows 2000 server (and even on NT 4.0 and earlier servers) is shared. This means that if you can map to the share, you have access to the entire volume.
ADMIN$: This share is the system root, the Windows 2000 system folder hierarchy. To map to this share simply use \\SERVERNAME\ADMIN$.
PRINT$: This share is created when you install the first shared printer on the server. This share is established at \\SERVERNAME\SPOOL\DRIVERS, and its purpose is to allow clients to remotely pull printer drivers for installation on their machines. The Everyone group has Read access to this share, and administrators are able to install new drivers to the share as needed, using Full Control.
NETLOGON: This share is used for the net logon service, which is the mechanism to service logon requests to the server. It is also used for locating logon scripts.
IPC$: This is the share for Named Pipes, intra- and inter-process communications between applications.
It is possible to shut off these shares, but doing so might have unpredictable results. You can, for example, shut down the NETLOGON share to prevent anyone from trying to obtain authentication at your machine — and you may have legitimate reasons for doing so — but the correct way is to stop the NETLOGON service.
We have found that you can delete the share, if you are an administrator or have ownership of the share. However, if you try to change permissions on the share, Windows 2000 denies access with a nasty message saying that built-in shares cannot be modified — absurd in light of the fact that you can delete the administrative shares at any time after you unseat the ownership.
Incidentally, if you delete an administrative share, it will return when you reboot the computer. The administrative shares are controlled by the server service. Anytime that you restart this service, such as reboot time, the shares are reestablished and reset to the factory default.
You might be concerned that the administrative shares pose a potential danger, and they do. In fact, all shares are dangerous if not managed with common sense. It is feasible, if you know Windows NT or Windows 2000, to map to the shared roots on each drive. If you are able to connect, you get total access to the drive and the entire folder hierarchy within.
You would be right to say that these shares are the equivalent of leaving the henhouse door open for the fox to walk right in. However, only administrators have access to these shares. That, however, is still not comforting, and the whole administrative share quirk is another reason why we lock up the Administrator account. As long as the Administrator account’s identity and password are locked away, and security policy is in force, you will not experience hacking of these shares.
Common-Sense Strategies for Sharing Folders
The following sections include strategies for closing holes in your network with respect to shares.
Restricting Shares
Many administrators prefer to keep shares wide open by leaving the Everyone group in the share with full access. Instead, they control access to subfolders via folder and file permissions. We understand this policy, and the reason is the effort to relieve the administrative burden (one less thing to worry about). But is this common-sense management? Not if it means you are leaving doors unlocked on your network.
The problem is that the subfolders below the share become accessible to the users given access at the share-point. And if the Everyone group has access to the root, then it has access to all the subfolders. So by not restricting the share, you are in effect giving yourself more work to do because you have to go to every subfolder and apply NTFS permissions. On a complex folder hierarchy, the task of locking up all the subfolders could be next to impossible. If you want to keep shares (and your network) secure, it is best to remove the Everyone group from the share and admit only the groups that require the access to the folder namespace. Further security can be applied with the file and folder permissions.
Limiting use of the Everyone group makes it easier to troubleshoot user-related problems. The Everyone group forces you to be cognizant of every user account in your domain and every domain with which you share trusts.
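An added audit script (not the book’s own code) that applies the advice of this section and of Table 22-2 to a server’s share list: it parses a listing in the column layout of NET SHARE, separates the built-in administrative shares and hidden ($) shares from ordinary ones, and flags every share that still carries the default Everyone / Full Control entry. The listing and the permission entries below are constructed, since the listing form of NET SHARE does not print permissions.

```python
import re

# Shares Windows 2000 creates itself (Table 22-2), besides the drive roots.
BUILT_IN_SHARES = {"ADMIN$", "IPC$", "PRINT$", "NETLOGON"}

# Constructed listing in the column layout that `net share` prints.
SAMPLE_LISTING = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
Apps         D:\\Apps                         Application share-point
Y2KDATA$     D:\\Y2K                          Y2K data files and documents
Public       D:\\Public
The command completed successfully.
"""

# Constructed share permissions: share name -> [(trustee, type, level), ...].
SAMPLE_ACLS = {
    "Apps": [("Domain Users", "Allow", "Read"),
             ("App Admins", "Allow", "Full Control")],
    "Y2KDATA$": [("Banking", "Allow", "Change")],
    "Public": [("Everyone", "Allow", "Full Control")],   # default never changed
}


def parse_net_share(text):
    """Return {share: (resource, remark)} from a `net share` style listing."""
    shares = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Share name", "---", "The command")):
            continue                      # header, separator, trailer, blank
        fields = re.split(r"\s{2,}", stripped)
        name, rest = fields[0], fields[1:]
        # The resource column is a local path; IPC$ has none, so for it the
        # next field is already the remark.
        resource = rest.pop(0) if rest and re.match(r"[A-Za-z]:\\", rest[0]) else ""
        remark = rest[0] if rest else ""
        shares[name] = (resource, remark)
    return shares


def is_admin_share(name):
    """True for C$, D$, ... and the other built-in administrative shares."""
    return name in BUILT_IN_SHARES or re.fullmatch(r"[A-Za-z]\$", name) is not None


def audit_shares(listing, acls):
    """Return {share: [finding, ...]} for every share that deserves attention."""
    findings = {}
    for name in parse_net_share(listing):
        notes = []
        if is_admin_share(name):
            notes.append("built-in administrative share; reachable only by administrators, "
                         "so keep the Administrator account locked down")
        elif name.endswith("$"):
            notes.append("hidden share; the $ only keeps it off the browse list, "
                         "so its permissions still need checking")
        for trustee, ace_type, level in acls.get(name, []):
            if trustee == "Everyone" and ace_type == "Allow":
                if level == "Full Control":
                    notes.append("Everyone has Full Control (the default); "
                                 "replace it with the groups that need access")
                else:
                    notes.append(f"Everyone is granted {level}; prefer specific groups")
        if not is_admin_share(name) and name not in acls:
            notes.append("no permission data collected for this share")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for share, notes in audit_shares(SAMPLE_LISTING, SAMPLE_ACLS).items():
        for note in notes:
            print(f"{share}: {note}")
```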
Setting Up Application Share-points
When users need to access a remote application, shortcuts are created on their systems (manually or via profiles, logon scripts, and Group Policy). The users run the applications from the network shares, and the applications run in the local memory space on the client computer. Most well-designed Win32 applications can be executed multiple times in this fashion. And you will often be asked to install an application on the applications server and then share that folder. The following strategies are suggested for creating application shares:
✦ Create a root “application share-point.” On our servers, we call these shares the “Apps” share-points.
✦ Under the Apps share-point, you can create a share for each application you are installing, and then share each respective install folder. It might not be necessary, however, because the subfolders are accessible to those given access to the share-point. If you need to restrict access to a subfolder, simply ensure that only the authorized group has access, through folder permissions, which are discussed in the latter part of this chapter.
✦ Provide access to an administrators group (or whatever suits your purpose) for the root (Apps) share and make sure the group has the Full Control privilege assigned. This allows only application administrators to manage the applications, such as patches and upgrades. You might also add a special “applications admins” group with Change control enabled to allow technicians or consultants to troubleshoot the applications.
✦ Remove the Everyone group from the share and provide access to either the Users group or a specific group that requires the access. Make sure these groups have only the Read privilege assigned.
Setting Up Data Share-points
Data shares contain files that users or applications need to share. Users mostly share spreadsheet and document files, while applications (clients) need access to databases. It is common-sense practice to keep the data share-points separate from application share-points because data shares require more than just Read access.
Data backup is another good reason for separate data share-points. Your backups should not be repetitively backing up application files (see Chapter 17), and the share is easy to identify and back up.
✦ Create a root “data” share-point for applications. Name the shares after the groups or projects that require them. For example: Y2K compliance docs or materials management. Naming the shares after the application name is confusing, and you may have many shares that contain data generated by the same application. A share named Microsoft Access Files would be a bad idea. For example, we manage several hundred servers, and they all contain Microsoft Access files.
✦ Give your users Change access so that their applications can update files and save the data. Administrative groups should be given Change or Full Control.
To mark a file or folder for offline access, do the following: Right-click the shared folder and select the Caching option. The Caching Settings dialog box appears. All shares are cached for offline use by default, so you can clear the “Allow caching of files in this shared folder” checkbox if you do not need to cache the contents of the folder.
If you do want to keep caching for offline access, you can choose one of the options illustrated in Figure 22-4 and outlined in Table 22-3.
Figure 22-4: The Caching Settings dialog box
Table 22-3: Caching Settings
Manual caching for documents: This option lets users select the files to be cached. This is the default setting for all shares, but only files marked for offline use will be cached. Every file marked for caching is cached, regardless of whether the file was opened or not.
Automatic caching for documents: This option allows every file in the folder that is opened to be automatically cached. This option saves on bandwidth because only files actually used are cached.
Automatic caching for programs: This option provides for unilateral caching of program files and applications. The file is cached for offline use, but when the user reconnects to the network, no synchronization is required.
Caching Attributes
The following are attributes of the offline access features of Windows 2000:
✦ When a computer connects to the share on the network, any files marked for caching on the server are copied to the client computer’s hard disk.
✦ When a computer connects back to the share on the network, any files that have been updated on the client computer are copied to the server.
✦ When the user logs off the network, the server and the client synchronize the files automatically.
Synchronizing Cached Resources
To manage the synchronization between offline files and folders on clients and their sources on the server, you need to open Windows Explorer and select Tools ➪ Synchronize from the menus. In the Items to Synchronize dialog box, first select the items in the list to synchronize, and then click the Synchronize button.
The synchronization management options, as shown in Figure 22-5, can be used to determine when offline files are synchronized with the versions on the servers. You can do either a quick or full synchronization. The latter takes longer but ensures that the current versions are saved to the network and copied to the client.
Figure 22-5: The Synchronization Settings dialog box
Securing Files and Folders with Permissions
As you learned in Chapter 3, permissions are the means by which you control access to network objects. After shares, they are the second and third lines of defense in protecting data and network resources. File and folder permissions are controlled by NTFS. This section deals specifically with the permissions that control access to volumes, folders, and files, as opposed to permissions that control access to share-points.
Permissions kick in as soon as you format a volume to NTFS. Volumes are protected with NTFS permissions, just as are folders and files. As soon as you have formatted a volume to NTFS 5.0, right-click the volume in Windows Explorer and select the Properties option on the ensuing Context menu. Click the Security tab. You will now notice that the Everyone group has default access to the drive, and thus any new folder or file you create will allow Everyone access. We advise that you change that as follows (please proceed with caution; this can be done on a drive in service but is safest and most easily done on a new volume):
1. Click Advanced.
2. Make sure the Reset permissions checkbox is unchecked (this avoids resetting permissions on all child objects, and we’ll explain why later).
3. Click Add, and add the Administrators group or any special administration group or account you have created. We always create a root admin group and often use this group instead of the built-in one for tighter security.
4. Assign Full Control to the Administrators group.
5. Remove the Everyone group. Click Apply.
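The same five steps carried out from PowerShell, as an added example (this is not code from the book, which predates PowerShell and icacls; it assumes a current Windows version, an elevated session, and a placeholder volume path). The Everyone group is matched by its well-known SID S-1-1-0 rather than its display name so the check does not depend on the system language, and the tree’s ACLs are saved with icacls before anything is changed so the operation can be reversed:

```powershell
# Added example: harden an NTFS volume root as described in steps 1-5.
# Assumes: elevated Windows session; $Root is a placeholder such as 'D:\'.
# Set-Acl rewrites only the root object's DACL. Explicit entries on
# subfolders and files are not touched, which is the same effect as leaving
# the "Reset permissions on all child objects" checkbox unchecked.

function Test-IsEveryone {
    param([System.Security.Principal.IdentityReference] $Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
        return $sid.Value -eq 'S-1-1-0'      # well-known SID of the Everyone group
    } catch {
        return $false                         # unresolvable (orphaned) SID: leave it alone
    }
}

function Protect-VolumeRoot {
    param(
        [Parameter(Mandatory)] [string] $Root,                # placeholder, e.g. 'D:\'
        [string] $AdminGroup = 'BUILTIN\Administrators',      # or your own root admin group
        [string] $BackupFile = (Join-Path $env:TEMP 'root-acl-backup.txt')
    )

    # Save the ACLs of the whole tree first (/t recurse, /c continue on errors).
    # Undo later with: icacls <root> /restore <BackupFile>
    icacls $Root /save $BackupFile /t /c | Out-Null

    $acl = Get-Acl -Path $Root

    # Step 3-4: Administrators get Full Control, inheritable by new folders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AdminGroup,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    # Step 5: drop every entry (allow or deny) that names Everyone.
    foreach ($ace in @($acl.Access | Where-Object { Test-IsEveryone $_.IdentityReference })) {
        [void] $acl.RemoveAccessRule($ace)
    }

    # Write the DACL back to the root only.
    Set-Acl -Path $Root -AclObject $acl

    # Return the resulting entries so the change can be verified.
    (Get-Acl -Path $Root).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage (placeholder drive letter):
# Protect-VolumeRoot -Root 'D:\'
```

Because the new Administrators entry is inheritable, subfolders that still inherit will receive it as an inherited entry, but their own explicit entries are merged with it rather than replaced; the replace-everything behaviour only happens when the reset option is used.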
Now, only your select administrators can create and manage new folders on the volume. The default allows anyone to create a folder on the volume. Also, each time that you create a folder, you automatically assign your administrators group to the folder and nothing else. This makes for good security practice and keeps the doors locked until the folder is ready for group access. Remember that the Everyone group is automatically given carte blanche access to any share you create, and there is currently no way to override that because the volume’s administrative share is inaccessible at the user level.
Caution: We strongly recommend that you remove the Everyone group’s Full Control permissions. If you don’t, you’re creating a security risk.
The Permission Types
Table 22-3 lists the folder permissions you can apply. Folder and file permissions are accessible from the Security tab of the Folder Properties dialog box. To access properties, right-click the folder and select the Properties option. Then select the Security tab, as shown in Figure 22-6.
Table 22-3
Folder Permissions

Permission          Purpose
Read:               This permission is the first that provides access to the folder’s contents. Without this permission, the user would get the dreaded “Access Denied” message. This permission allows the user to see ownership, permissions, and file attributes. All Write permissions are grayed out.
Write:              This permission allows you to authorize the user to create files and folders within the folder under management. You can also permit the ability to change file attributes and view ownership and permissions.
List Folder Contents: This permission allows you to let users see files and subfolders in the folder under management.
Read & Execute:     This permission allows you to authorize the user to traverse the folders from the root folder down. It also lets the user read the files and execute applications in the folder under management and all subfolders.
Modify:             This permission lets you authorize users to delete the folder under management, and it includes all the earlier permissions.
Full Control:       This permission allows the user to take ownership and perform all the actions of the previous permissions.
Deny:               You can deny the user the permissions at any time. If you deny Full Control, you effectively deny all sub-permissions as well.
Figure 22-6: The Security tab on the Properties dialog box
Table 22-4 lists the permissions possible on files.
Table 22-4
File Permissions

Permission          Purpose
Read:               This permission permits the user to read the files and view their attributes, ownership, and permissions.
Write:              This permission permits the user to change the files’ contents and attributes, and to view ownership and permissions.
Read & Execute:     This permission permits the user to run applications and also applies the Read permissions to the file.
Modify:             This permission permits the user to delete and perform all the actions permitted by the previous permissions.
Full Control:       This permission allows the user to take ownership and perform all the actions of the previous permissions.
Deny:               You can deny the user the permissions at any time. If you deny Full Control, you effectively deny all sub-permissions as well.
NTFS 5.0 also lets you assign advanced versions of the permissions we just described. These permissions, shown in Figure 22-7, are more specific versions of the general permissions. In other words, they allow you to pinpoint the level of access you wish to provide to the user, such as only read a file or only execute an application, as opposed to the Read and Execute options in the basic permissions.
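An added example (not from the book) that makes the relationship between the basic permissions in Tables 22-3 and 22-4 and the advanced ones concrete: it uses the .NET FileSystemRights enumeration that PowerShell exposes, in which each advanced permission is a single bit and each basic permission is a combination of those bits, and prints the decomposition of every basic permission. Nothing on disk is read or changed.

```powershell
# Added example: decompose the basic NTFS permissions into the single-bit
# advanced rights they are made of, using the FileSystemRights enumeration.
# Runs offline; it only inspects enum values.

function Get-AdvancedRights {
    param([Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Basic)
    $bits = [int] $Basic
    [System.Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) |
        Where-Object {
            $v = [int] $_
            # Keep only single-bit values (advanced rights) that are contained in $Basic.
            $v -ne 0 -and ($v -band ($v - 1)) -eq 0 -and ($bits -band $v) -eq $v
        } |
        Select-Object -Unique |          # the enum has alias names for the same bit
        ForEach-Object { $_.ToString() }
}

# Print the decomposition for each basic permission; Synchronize appears in every
# one because Windows adds it to all generic rights.
foreach ($name in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    $basic = [System.Security.AccessControl.FileSystemRights] $name
    '{0,-15} = {1}' -f $name, ((Get-AdvancedRights -Basic $basic) -join ', ')
}
```

Read, for instance, resolves to ReadData, ReadExtendedAttributes, ReadAttributes, ReadPermissions and Synchronize, which is what the Permission Entry dialog checks when you tick the basic Read box.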
To assign Advanced permissions, click the Advanced button on the Security page of the Properties dialog box. Then click the View/Edit button on the dialog box that appears.
Figure 22-7: The Permission Entry dialog box
Permissions Attributes
You can assign multiple permission types to users, groups, and computer accounts, for tighter control of access to folders and files. As with shares, you need to understand the attributes of permissions to more effectively achieve your objectives.
Permissions possess the following attributes:
✦ Permissions are cumulative. A user’s total authority is the sum of all permissions granted to him or her over the use or access of an object. For example: If a user is granted Read permission by virtue of his or her membership in the Readers Group, and is a member of an Application Access Group that bestows the Execute permission, then the user’s total access is Read and Execute.
✦ The Deny permission option overrides any and all permissions granted to a user over the specific object. If a user has Full Control of an object by virtue of membership in several groups, it only takes the Deny option in one group to lock the user out of the file or folder completely.
✦ File permissions are not stronger than folder permissions. This means that any file permission bestowed on a user does not override or supersede any permission granted at the folder level. In other words, if you give a user access to a file (even Full Control), but deny the user access at the folder level, the user cannot access the file. This mechanism prevents the user from connecting to the file from the command line by specifying a UNC path to the file.
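The first two attributes above (allow entries accumulate across all of a user’s groups, and a single deny entry wins), worked through as an added example that is not from the book. The ACL and the group memberships are constructed in memory with placeholder domain and group names, so the script runs without touching any file:

```powershell
# Added example: compute a user's effective NTFS rights from an ACL by applying
# "allow accumulates, deny overrides". Everything below is constructed; the
# DOMAIN\... names are placeholders and no file system object is consulted.
using namespace System.Security.AccessControl

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)] [FileSystemAccessRule[]] $Acl,
        [Parameter(Mandatory)] [string[]] $Principals   # the user plus every group he or she is in
    )
    $allowed = 0
    $denied  = 0
    foreach ($ace in $Acl) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq [AccessControlType]::Allow) {
            $allowed = $allowed -bor [int] $ace.FileSystemRights   # rights add up
        } else {
            $denied  = $denied  -bor [int] $ace.FileSystemRights   # any deny is remembered
        }
    }
    # Deny wins bit for bit, no matter which group granted the allow.
    return [FileSystemRights] ($allowed -band (-bnot $denied))
}

function New-Ace([string] $Identity, [FileSystemRights] $Rights, [AccessControlType] $Type) {
    # The constructor does not resolve the account, so made-up names are fine offline.
    New-Object FileSystemAccessRule($Identity, $Rights, $Type)
}

# Constructed ACL: Readers may Read, Editors may Modify, Contractors are denied Write.
$acl = @(
    (New-Ace 'DOMAIN\Readers'     'Read'   Allow),
    (New-Ace 'DOMAIN\Editors'     'Modify' Allow),
    (New-Ace 'DOMAIN\Contractors' 'Write'  Deny)
)

# Alice is in Readers and Editors: Read and Modify accumulate to Modify.
$alice = Get-EffectiveRights -Acl $acl -Principals 'DOMAIN\alice', 'DOMAIN\Readers', 'DOMAIN\Editors'
"alice: $alice"

# Bob is in the same groups plus Contractors: the single Deny strips the Write
# bits out of Modify, leaving ReadAndExecute and Delete.
$bob = Get-EffectiveRights -Acl $acl -Principals 'DOMAIN\bob', 'DOMAIN\Readers', 'DOMAIN\Editors', 'DOMAIN\Contractors'
"bob:   $bob"
```

The real access check in Windows also honours ACE ordering and ownership, so this is a model of the two rules in the text rather than a replacement for the Effective Permissions tab; it is enough to show why one Deny entry, in any group, is decisive.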
The permissions that you assign to a given folder or file can, by default, propagate down to the child folders and files. In other words, if the Everyone group is given access to a folder and inheritance is turned on for all the subfolders in the hierarchy, they will also allow the Everyone group to have access, as will the files. We recommend you keep inheritance turned off by default or via domain policy so that you do not leave doors open by acts of omission or by failure to keep an eye on the propagation chain reaction.
Of course, the inheritance option is useful when you have to build a huge folder hierarchy and automatically provide one group with specific permission access to the entire folder and file namespace.
To prevent or allow permission inheritance, simply uncheck or check the Allow inheritable permissions option on the Security tab. You will be prompted to Copy or Remove the inherited permissions every time you elect to uncheck the checkbox. By turning inheritance off for a folder, you make the folder the new parent, and if subfolders have inheritance turned on, they become children.
Earlier, when we advised you to knock out the Everyone group from the volume access control list, we made special note to ensure you kept the “Reset permissions on all child objects and enable propagation of inheritable permissions” checkbox unchecked. The option can be selected from any level in the folder hierarchy. The option brings back not-too-fond memories of the “Replace permissions on subfolders and files...” option on NT 4.0 and earlier versions of NTFS.
By running this option, you are replacing, not merging, the permissions on all child folders and files on the volume. This means that any permissions applied to subfolders and files will be lost. If that is not your desired end, you could end up losing weeks of work restoring permissions so that users and applications can operate. And it gets worse: The action cannot be undone. You will only be able to rebuild what you had from backups and documentation. Proceed with care here, as it could cost you dearly.
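The Copy-versus-Remove choice described above, scripted as an added example that is not from the book (it assumes an elevated session on a current Windows version and a placeholder folder path). It also includes a small audit helper that lists the folders under a root which still inherit, which is the set a reset-all-child-objects operation would overwrite:

```powershell
# Added example: break permission inheritance on a folder the way the Security
# tab's Copy / Remove prompt does, and find folders that still inherit.
# Assumes: elevated Windows session; paths are placeholders.

function Disable-AclInheritance {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [switch] $RemoveInherited   # default is Copy, the safe choice
    )
    $acl = Get-Acl -Path $Folder
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   ($true, $true)  stop inheriting and keep copies of the inherited entries ("Copy")
    #   ($true, $false) stop inheriting and discard the inherited entries     ("Remove")
    # With Remove, a folder that has no explicit entries of its own ends up with an
    # empty DACL, so nobody but the owner can get back in.
    $acl.SetAccessRuleProtection($true, -not $RemoveInherited)
    Set-Acl -Path $Folder -AclObject $acl

    # Show what is now explicit on the folder (IsInherited should be False everywhere).
    (Get-Acl -Path $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Get-InheritingFolders {
    param([Parameter(Mandatory)] [string] $Root)
    # A change at the parent, or a reset of child objects, reaches exactly these folders.
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
        Select-Object -ExpandProperty FullName
}

# Usage (placeholder paths):
# Disable-AclInheritance -Folder 'D:\Projects\Finance'          # Copy
# Disable-AclInheritance -Folder 'D:\Projects\Finance' -RemoveInherited
# Get-InheritingFolders -Root 'D:\Projects'
```

Running Get-InheritingFolders, and saving the tree with icacls /save, before any operation that propagates or resets permissions is the practical answer to the irreversibility the paragraph above warns about.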
Taking Ownership
Administrators, owners, or users with Full Control of an object can set up a user or a group to take ownership of the object. This is done by first admitting the user or group to the access control list (ACL), and checking the Take Ownership option on the Permission Entry list as described previously, or by giving the potential owner Full Control (which is a security risk). See Figure 22-8.