70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 5: Managing File Access
Objectives
• Identify and understand the differences between the various file systems supported in Windows Server 2003
• Create and manage shared folders
• Understand and configure the shared folder permissions available in Windows Server 2003
• Understand and configure the NTFS permissions available in Windows Server 2003
Objectives (continued)
• Determine the impact of combining shared folder and NTFS permissions
• Convert partitions and volumes from FAT to NTFS
Windows Server 2003 File Systems
• Three main file systems
  • File Allocation Table (FAT)
  • FAT32
  • NTFS
• Final choice of file system depends on
  • How system will be used
  • Whether there are multiple operating systems
  • Security requirements
• NTFS is most highly recommended
FAT
• Used by MS-DOS
• Supported by all versions of Windows since
• Traditionally limited to partitions up to 2 GB
  • Windows Server 2003 version supports partitions up to 4 GB
• Limitations
  • Small partition sizes
  • No file system security features
  • Disk space usage is poor
FAT32
• A derivative of the FAT file system
• Supports partition sizes up to 2 TB
• Still does not provide advanced security features
  • Cannot configure permissions on file and folder resources
NTFS
• Introduced with Windows NT operating system
• Current version (version 5)
  • Windows NT 4.0
  • Windows 2000
  • Windows XP
  • Windows Server 2003
• Theoretically supports partition sizes of up to 16 Exabytes (EB)
  • Practically supports maximum partition sizes from 2 TB to 16 TB
NTFS (continued)
• Advantages of NTFS
  • Greater scalability and performance on larger partitions
  • Support for Active Directory on systems configured as domain controllers
  • Ability to configure security permissions on individual files and folders
  • Built-in support for compression and encryption
  • Ability to configure disk quotas for individual users
  • Support for Remote Storage
  • Recovery logging of disk activities
Creating and Managing Shared Folders
• Shared folder
  • A data resource made available over a network to authorized network clients
  • Specific permissions required for creating, reading, modifying
• Groups that can create shared folders:
  • Administrators
  • Server Operators
  • Power Users (only on member servers)
Creating and Managing Shared Folders (continued)
• Several ways to create shared folders
• Two important methods
  • Windows Explorer Interface
  • Computer Management console
    • Also allows shared folders to be monitored
Using Windows Explorer
• Used since Windows 95
• Can create, maintain, and share folders
• Folders can be on any drive connected to the computer
• Folders are shared in Windows Explorer by accessing the Sharing tab of folder’s properties
Activity 5-1: Creating a Shared Folder Using Windows Explorer
• Objective is to create a shared folder using Windows Explorer
• Open Explorer from Start menu
• Use Explorer to create and configure a new folder
• Verify folder using net view command
• Open Explorer from command line for alternative verification
Using Windows Explorer (continued)
• Shared name of folder does not have to be the actual file name
• Hand icon used to indicate shared status
• Shared folders can be hidden from My Network Places and Network Neighborhood
  • Place dollar sign ($) after name, e.g., Salary$
  • Number of hidden administrative shares created automatically at installation
Using Computer Management
• Computer Management console is a pre-defined Microsoft Management Console (MMC)
  • Allows you to share and monitor folders for local and remote computers
  • Allows you to stop sharing if desired
Using Computer Management (continued)
• Share a Folder Wizard
  • Used to create folders in Shared Folders section of Computer Management
  • Used to provide preconfigured or manual permissions
    • All users have read-only access
    • Administrators have full access; others have read-only access
    • Administrators have full access; others have read and write access
    • Custom share and folder permissions
Activity 5-2: Creating and Viewing Shared Folders Using Computer Management
• Objective is to create and view shared folders using Computer Management
• Open Computer Management and the Shared Folders node
• Open Shares folder and note hidden files and other file types
Activity 5-2 (continued)
• Open the Share a Folder Wizard
• Configure the folder attributes
• Configure the folder permissions
• Verify folder accessibility from command line
Monitoring Access to Shared Folders
• Monitoring involves
  • Who is using shared files
  • What shared files are open at any given time
• Other functions
  • Disconnect users from a share
  • Send network alert messages
• Primary monitoring tool is Computer Management
Managing Shared Folder Permissions
• A shared folder has a discretionary access control list (DACL)
  • Contains a list of user or group references that have been allowed or denied permissions
  • Each reference is an access control entry (ACE)
  • Accessed from Permissions button on Sharing tab of folder’s properties
• Permissions only apply to network users, not those logged on directly to local machine
Managing Shared Folder Permissions (continued)
• To deny access to a user or group
  • Windows Server 2003 does not include No Access share permission
  • Must explicitly deny access to each individually
• Default permission is read access for Everyone group
  • Should be immediately addressed when a share is created
• Folder permissions are inherited by all contained objects
Activity 5-3: Implementing Shared Folder Permissions
• Objective is to use shared folder permissions to control access to resources
• In this exercise, you configure permissions on a shared folder to implement specific requirements:
  • Domain Admins group has Full Control permission
  • Marketing Users group has Change permission
  • Other users have no access
NTFS Permissions
• Resources located on an NTFS partition or volume can be given NTFS permissions
• An administrator must know
  • How permissions are applied
  • Which standard and special NTFS permissions are available
  • How effective permissions are determined
NTFS Permission Concepts
• NTFS permissions are configured via the Security tab
• NTFS permissions are cumulative
• Access denial always overrides permitted access
• NTFS folder permissions are inherited unless otherwise specified
• NTFS permissions can be set at file or folder level
NTFS Permission Concepts (continued)
• A new access-control-entry (ACE) has default permission
  • Read and Read and Execute for files
  • List Folder Contents for folders
• Windows Server 2003 has set of standard permissions plus special permissions
Activity 5-4: Implementing Standard NTFS Permissions
• Objective is to configure and test NTFS permissions on a local folder
• Implement standard NTFS permissions on a folder
• Review default permissions
• Explore behavior of permission inheritance
Special NTFS Permissions
• Can provide more or less access than standard permissions
• Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
• Permission Entry dialog box enables assignment of permissions and control of inheritance settings
Special NTFS Permissions (continued)
• Inheritance settings
  • This folder only
  • This folder, subfolders, and files (default)
  • This folder and subfolders
  • This folder and files
  • Subfolders and files only
  • Subfolders only
  • Files only
Activity 5-5: Configuring Special NTFS Permissions
• Objective is to view, configure, and test special NTFS permissions
  • Deny a group the ability to read the NTFS permissions associated with a folder
  • Verify that access has been denied
Determining Effective Permissions
• Permissions that actually apply to a user can be the result of membership in multiple groups
• Prior to Windows Server 2003, determining effective permissions was done manually
• In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource
  • Shows specific permissions for a user or group
Activity 5-6: Determining Effective NTFS Permissions
• Objective is to view effective permissions for a user on an NTFS folder
• Open the Effective Permissions tab for a test folder
• Enter the name of the user
• Review the permissions specifically granted to that user for that folder
• Repeat with a group
Combining Shared Folder and NTFS Permissions
• NTFS permissions can be combined with share permissions
  • When accessing a share across a network, if both apply, use most restrictive
  • When accessing a file locally, only NTFS permissions apply
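The rules from this slide and from NTFS Permission Concepts (permissions are cumulative, deny overrides allow, the most restrictive of share and NTFS applies over the network), as an added Python model that is not part of the original slides. The rights sets are a simplification rather than real Windows access masks, and the users, the "Contractors" group and the sample ACLs are constructed for illustration.

```python
# Simplified model of the rules on these slides; not real Windows access masks.
READ, EXEC, WRITE, DELETE, PERMS = "read", "execute", "write", "delete", "change_perms"

SHARE_LEVELS = {                      # the 3 standard shared folder permissions
    "Read": {READ, EXEC},
    "Change": {READ, EXEC, WRITE, DELETE},
    "Full Control": {READ, EXEC, WRITE, DELETE, PERMS},
}
NTFS_LEVELS = {                       # standard NTFS permissions used in this example
    "Read": {READ},
    "Write": {WRITE},
    "Read & Execute": {READ, EXEC},
    "Modify": {READ, EXEC, WRITE, DELETE},
    "Full Control": {READ, EXEC, WRITE, DELETE, PERMS},
}

def evaluate(acl, levels, principals):
    """Union every allow ACE matching the user or one of their groups
    (cumulative), then remove anything a matching deny ACE covers."""
    allowed, denied = set(), set()
    for who, kind, level in acl:
        if who in principals:
            (denied if kind == "deny" else allowed).update(levels[level])
    return allowed - denied

def effective(share_acl, ntfs_acl, principals, over_network):
    """Local access: NTFS only. Network access: only rights granted by both."""
    ntfs = evaluate(ntfs_acl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs
    return ntfs & evaluate(share_acl, SHARE_LEVELS, principals)

# Constructed sample data: a share left at the default (Everyone: Read),
# the same share configured as in Activity 5-3, and one NTFS ACL for the folder.
DEFAULT_SHARE = [("Everyone", "allow", "Read")]
ACTIVITY_SHARE = [("Domain Admins", "allow", "Full Control"),
                  ("Marketing Users", "allow", "Change")]
NTFS_ACL = [("Users", "allow", "Read & Execute"),
            ("Marketing Users", "allow", "Modify"),
            ("Contractors", "deny", "Write")]    # hypothetical group

alice = {"alice", "Everyone", "Users", "Marketing Users"}
bob = alice - {"alice"} | {"bob", "Contractors"}
carol = {"carol", "Everyone", "Users"}

if __name__ == "__main__":
    for name, who in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(name, "local  ", sorted(effective(DEFAULT_SHARE, NTFS_ACL, who, False)))
        print(name, "default", sorted(effective(DEFAULT_SHARE, NTFS_ACL, who, True)))
        print(name, "5-3    ", sorted(effective(ACTIVITY_SHARE, NTFS_ACL, who, True)))
```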
Activity 5-7: Exploring the Impact of Combined Shared Folder and NTFS Permissions
• Objective is to determine effective permissions when combining shared folder and NTFS permissions
• Create a folder with both permissions
• Attempt to create a new folder locally and over the network
Converting a FAT Partition to NTFS
• For highest security, partitions and volumes should be configured to use NTFS
• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
• All existing files and folders are retained
• CONVERT cannot convert NTFS to FAT or FAT32
Activity 5-8: Converting a FAT32 Partition to NTFS
• Objective is to convert a FAT32 partition to NTFS file system
• Create a small FAT32 partition on server (using New Partition Wizard)
• Create new file and folder on the partition
• Use CONVERT to convert the partition to NTFS
• Review permissions on the converted folder
Summary
• Windows Server 2003 supports 3 file systems
  • FAT
  • FAT32
  • NTFS (preferred)
• Two types of permissions
  • Shared folder (network only)
    • Tools are Windows Explorer, Computer Management, and NET SHARE command
  • NTFS (local and network)
    • NTFS partitions only
Summary (continued)
• Permissions
  • Shared folders, 3 standard permissions
  • NTFS, 6 standard and 14 special permissions
  • Permissions are cumulative
  • Effective permissions can be determined from Advanced Security Settings of a resource
  • Shared folder and NTFS permissions can be combined
• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system