Fundamentals of Soft Resource Sharing
By Nanda Ganesan, Ph.D.
© Nanda Ganesan
Chapter Objectives
• Describe the step-by-step process of placing a soft resource for sharing and removing the same from sharing
• Discuss the access control that could be exercised at the file level
• Relate permission to effective access control
• Demonstrate the mapping of resources
• Describe the concept of administrative shares
• Discuss the sharing process in a mixed client-server and peer-to-peer environment
Chapter Modules
• Placing a Resource for Sharing
• Case Example: Single User Permission
• Case Example: Group Sharing
• Case Example: Permission Given to Creator Owner
• Case Example: Special Access to Resources
• File Access Control
• Removing a File from Access
Chapter Modules Cont.
• File Ownership
• Effective Access Permission of a User
• Removing a Soft Resource from Sharing: Removing a Directory from Sharing
• Removing a File from Sharing
• Mapping a Resource for Sharing
• Administrative Shares
• Sharing in a Mixed Environment
Chapter Objectives
• Present an overview of the sharing mechanism in client-server networks
• Explain the different types of access controls that could be imposed on resources
• Describe the permissions that could be assigned to users for using resources
Chapter Modules
• Overview of Windows Client-Server Sharing
• Access Control in the Client-Server Environment
• Windows Permissions
Module Objectives
• Basic client-server sharing
• Resource administrator and the user
• Resources, resource administrator and users
• Case example for demonstration
• Client-server sharing: The two-step process
• Resource classification for sharing
• Overview of sharing of different resource types
Basic Client-Server Sharing
• As in peer-to-peer sharing, the act of sharing usually involves the following persons:
  – Resource Administrator
  – Network User
• As the name implies, sharing is a two-step process
Resource Administrator and the User
• Resource Administrator gives the user the permission to access certain
  – Known as the Administrator
  – Resources are, in general, held at the server
  – Different types of servers may be present in a network
    • Application server, Exchange server etc.
• Network User uses the resource within the confines of his or her privileges
  – Different types of network users can be given privileges to different resources
Resources, Resource Administrator and the Users
[Figure: a server holding the resource (folder to be shared), the Administrator, and clients with their users]
Case Example
[Figure: US, Mexico and Canada; Tariff is the resource (directory to be shared); users Administrator, California, Nevada and Texas]
A Note on Resource Administrator
• A resource holder need not always be the network Administrator
• A Print Operator can place a printer for sharing and subsequently remove it from sharing as well
• In Windows terminology, a resource holder is known as the Owner Creator
• In most cases, the person who created the resource, such as a folder, becomes the Owner Creator
Resource Classification for Sharing
• Soft resource
  – Files
  – Subdirectories and directories
  – Hard disks etc.
• Hard resource
  – Printer
  – Modem etc.
Sharing and Resource Types
• Soft resource on the network: share as any local logical resource
• Hard resource (device) on the network: install as a local logical device, then share the logical device
Module Objectives
• Overview of access control in client-server networks
• Permission: The effective access to a resource
• Basic permissions for files and directories
• Read, write, execute, delete and taking ownership
• A sample permission entry
• Demonstration on viewing a user’s permission on a directory
Overview of Access Control in Client-Server Networks
• More sophisticated than in peer-to-peer networks
• Peer-to-peer
  – Share level
  – User-level
• Client-Server
  – Share level
  – User level
Permission
• Permission to use a resource such as a directory by one or more identified users
  – Example: User California is given Read permission to access the directory Tariff
  – The most restrictive of the permissions will be in operation
• Comparison with peer-to-peer control (Win 9X)
  – Network users are all given Read access to the directory Tariff
    • Share level control
Basic Permissions for Files and Directories
• Read (R)
• Write (W)
• Execute (X)
• Delete (D)
• Change Permission (P)
• Take Ownership (O)
Read and Write
• Read
  – Folder
    • View the files and subdirectories
  – File
    • Read the file’s data
• Write
  – Folder
    • Add files and subdirectories
  – Files
    • Write to the file
Execute and Delete
• Execute
  – Folder
    • Enter subdirectories
  – File
    • Execute the file
• Delete
  – Delete folder and file
Change Permission and Take Ownership
• Change Permission
  – Change the permission on the folder and file
• Take Ownership
  – Take ownership of the folder and file
NTFS Predefined Permissions
• None (None) (None)
• List (RX) (Not Specified)
• Read (RX) (RX)
• Add (WX) (Not Specified)
• Add & Read (RWX) (RX)
• Change (RWXD) (RWXD)
• Full Control (All) (All)
Shareable Entities
• Entire disk
  – Can be shared independently
• Folders
  – Can be shared independently
• Files
  – Within the context of the Folder in which they reside
A Note on File Sharing
• Files are shared by making the folder containing the file shareable in the first instance
• However, unlike in peer-to-peer sharing, considerable control can be exercised on file sharing in client-server sharing
Sharing in Different Architectures
• Peer-to-Peer network architecture (FAT Only)
  – Sharing is limited to access control based on passwords
  – Also known as share level control
  – Control can be exercised based on user names as well if the peer-to-peer network is based on an operating system such as Windows 2000 or Windows XP
• Client-Server network architecture (NTFS)
  – Sophisticated control of access to resources can be exercised based on user names
Types of Access Control in Different Peer-to-Peer Architectures
• Peer-to-Peer Networks
  – Share-Level Control: Windows 9x/Me
  – User Level Control: Windows 2000 Prof, Windows XP
Access Control in Client-Server Architecture
• Client-Server Networks
  – User Level Control: Windows 2000 Server, Windows NT Server
File Systems and Sharing
• Assignment of folder permission depends on the file system
• FAT file system
  – Limited security
  – Share level access control
• NTFS
  – More extensive security and assignment of permissions
  – User level access control
• Note that Windows 2000 could also be installed under the FAT file system although this is not recommended for security reasons
The FAT File System
• Known as FAT32
• The older file system is known as FAT16
• Supported in Windows 95 OSR2, Windows 98 and Windows Me
• NT 4.0 does not offer the support for accessing disks formatted under FAT32
• Windows 2000 and Windows XP, however, do offer support for FAT32
Sample Server Configurations
[Figure: server disk with NTFS and FAT partitions; labels: Windows 9x/NT OS, CD Copy, One or more partitions under NTFS]
Folder Permissions
• Windows 2000
  – FAT32: Limited; permission based on shares
  – NTFS: Expanded/Predefined; permission based on user names
The Concept of Share-Name
• Each resource (folder or printer for example) is shared using a name
• The name can be the same name as the original resource (folder or printer for example) name itself
Share-Name View on the Network
• Local View: Canada (Root Fol.) > Trade (Sub-Fol.) > Rules (Shared Sub-Fol.)
• Network View: Canada (Peer) > Rules (Shared Sub-Fol.)
The Concept of Owner Creator
• The user who creates a folder for instance becomes the owner creator of the folder
• He or she can assign the others permission to access the folder
• Note that access to a folder created in a user’s home directory can be restricted to the creator only
  – Even the network administrator cannot access this folder
A Note on Sharing
• All files in the folder can be shared when the folder is shared
• It is also possible to limit the sharing to only a few files in the folder
Sharing Case Scenario
[Figure: domain NAFTA with server US and clients Canada and Mexico; Tariff is the folder to be shared; access can be limited to a single file in the folder, Rates]
Module Objectives
• Giving folder access permission to a single user
• Placing the resource Tariff for sharing
• Giving access to user California
Sharing Scenario 1: Single User Permission
• User California is to be given access to the Tariff directory
• Permission is to be restricted to Change
  – (RWXD) (RWXD)
Placing the Resource Tariff on the Network for Sharing
• Open the Explorer in the server named US.
• Right select the subfolder named Tariff.
• Select Sharing.
• Select Shared As and specify share name.
Giving Access to User California
• Security Permissions
• Select California
• Specify type of Access as Change.
• Add/Show users
• Add/OK
• Check Replace Permission on Existing Files.
Module Objectives
• Group sharing scenario
• Opening the folder permission windows
• Assigning the Inspectors group access permission to the directory Tariff
• Demonstration of placing Tariff for sharing by the Inspectors
• Entries in the permission window
• Demonstration involving other users and groups
Sharing Scenario 2: Group Sharing
• Consider the Group Inspectors
  – Users in the group are Texas and Nevada
• Provide the group Inspectors with Read permission to the subfolder Tariff
Group Sharing: Opening the Directory Permission Windows
• Open the Explorer on the server named US.
• Right select the subdirectory named Tariff.
• Select Sharing.
• Select Security and then Permissions.
Assign the Group Inspectors the Permission to Tariff
Folder Permissions Window
• Select Inspectors
• Specify type of Access as Change.
• Add
• Add/OK
• Check Replace Permission on Existing Files.
More on the Entries in the Permission Window
• Administrator
  – Usually has access to all directories and files except those private to a user that are usually kept in the home directory
• Creator Owner
  – Full access to a user to files and directories created by that user
• System
  – System related access that should not normally be changed
Module Objectives
• Use of creator owner to give permissions
• The required permissions
• Permissions to be assigned
• Demonstration of the creator owner features
An Example on the Use of Creator Owner to Give Permissions: Scenario 3
• Consider the case where the employees are required to provide reports for viewing in a subdirectory named Reports
• Allow the inspectors to make changes to the files in the subdirectory
Permissions Required
• Allow Everyone to create reports in the directory
• Permit Everyone to have full control over their own reports only
• Allow the inspectors permission to read, change and delete the reports
Permissions to be Assigned
• Creator Owner - Full
• Everyone - Add (WX) (Not Specified)
• Inspectors - Change (RWXD) (RWXD)
Module Objectives
• Special access feature
• Adding read access to everyone
• Demonstration of adding read access through the special access to directory feature
Special Access
• Directory and file access is not limited to pre-defined Microsoft access types (permissions)
• Customized permissions can also be granted
Special Access to a Resource: Scenario 4
• Allow everyone to read the files in the Report directory
• Add the Read permission to everyone
  – Using Special Access to Files option
Adding the Read Access to the Files in the Directory Reports for Everyone: Steps
Directory Permissions Window
• Select Everyone
• Select Type of Access as Special File Access.
• Check Read access to grant Read permission to the files to everyone.
Module Objectives
• File permissions
• File security permissions in NTFS
• Predefined file access permissions
• Illustration of the permission assignment process using a case example
• Assignment of read-only permission to the file Rates
  – The procedure
  – Demonstration
File Permissions
• Unlike in peer-to-peer networking (FAT), better file control is available in client-server networks
• Greater control on files can be exercised independent of the directory in which they reside
File Security Permissions in NTFS
• Read (R)
• Write (W)
• Execute (X)
• Delete (D)
• Change Permission (P)
• Take Ownership (O)
• No Access (None)
  – None of the above
Microsoft Predefined File Access Permissions
• No Access (None)
• Read (RX)
• Change (RWXD)
• Full Control (Full)
• Special Access
  – Customized from available file security permissions
Specifying File Access Permission: Case Example
• Restrict the access to the file Rates in the directory Tariff to the inspectors only
• Limit the permission given to the file Rates to read only
• The intention is to prevent unauthorized changes from being made
Location of the File Named Rates
[Figure: domain NAFTA with server US and clients Canada and Mexico; Tariff is the directory to be shared and Rates is a file in the directory]
The Permission Assignment Process
• Open the file permission window
• Set the type of access for Inspectors to Read, by selecting Special Permissions and then ensuring that only the Read box is checked
Opening the File Permission Window
• Open the Explorer on the server named US.
• Reach and right select the file named Rates.
• Select Properties
• Select Security and then Permissions.
Assigning Read Only Permission to the File Rates
File Permissions Window
• Select Inspectors
• Select Type of Access as Special Access.
• Ensure that only the Read box is checked.
• Finish: OK/OK/OK
Module Objectives
• Removing a file from access
• Preventing Texas from accessing the file Rates
  – Case example
  – Steps
  – Demonstration
  – Confirmation of access denial
Removing a File From Access
• Because better control is exercised, a file can easily be removed from access
• It is achieved by specifying the following type of access for the users who are to be prevented from accessing the file
  – No Access
Preventing Access to the File Rates: Case Example
• Prevent the user Texas from accessing the file Rates
• This would prevent Texas from accessing the file although he/she is a part of the group Inspectors
• The group Inspectors was given access to the file Rates earlier
Preventing Texas from Accessing the File Rates: Steps
File Permissions Window
• Add Texas
• Select Type of Access as No Access
• Finish: OK/OK
Module Objectives
• A note on ownership
• Finding the ownership of soft resources
• Steps for finding the ownership of the directory named Tariff
• Demonstration of finding the ownership
A Note on Ownership
• In general ownership belongs to the creator of the file or directory
• Ownership can be granted to others
• In general, the administrator will have access to a variety of files
• Exceptions are files in the home directories and selected directories containing specific applications
Finding the Ownership of Soft Resources
• Finding the ownership of resources is necessary at times to change permissions etc.
• Ownership of a directory or file can be found through the security tab in the properties window of the resource
Finding the Ownership of the Directory Tariff: Steps
• Open the Explorer on the server named US.
• Reach and right select the directory named Tariff.
• Select Properties
• Select Security and then Ownership to view ownership.
Module Objectives
• Factors influencing the effective access permission
• A case example on the effective permission for access to a resource
• An illustration of effective permission
• A note on the assignment of permissions
• Permeation of permissions
Effective Access Permissions
[Figure: the User's effective access combines Group 1, Group 2, and the directory and file permission assigned to the user]
Effective Permissions for Access: Case Example
• Consider the case of Inspector Wilson with the following permissions to the directory Tariff
• Permission from the group Inspector:
  – (RX) (RX)
• Directory Permission assigned directly to Wilson
  – (WD) (D)
The Effective Permission
• Wilson: (RXWD) (RXD)
• Inspectors: (RX) (RX)
• Directory and file permission assigned to the user: (WD) (D)
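An added example (not from the original slides): a small Python model of how the effective permission above is reached, which also covers the Creator Owner assignment of Scenario 3 and the No Access entry placed on the file Rates. The ACLs are constructed from the names on the slides, and counting Creator Owner only for files the user owns is a simplifying assumption.

```python
import re

ORDER = "RWXDPO"  # Read, Write, eXecute, Delete, change Permission, take Ownership
NO_ACCESS = "No Access"
NAMED = {"All": ORDER, "Not Specified": "", "None": NO_ACCESS}


def parse_pair(text):
    """Split the slides' '(directory) (file)' notation into two rights strings."""
    parts = [p.strip() for p in re.findall(r"\(([^)]*)\)", text)]
    if len(parts) != 2:
        raise ValueError(f"expected '(dir) (file)', got {text!r}")
    return tuple(NAMED.get(p, p) for p in parts)


def combine(entries, principals):
    """Accumulate the rights of every matching entry; one No Access entry wins."""
    granted = set()
    for principal, rights in entries:
        if principal not in principals:
            continue
        if rights == NO_ACCESS:
            return ""
        granted |= set(rights)
    return "".join(r for r in ORDER if r in granted)


def effective(acl, user, groups=(), file_owner=None):
    """Return (directory_rights, file_rights) that `user` ends up with.

    acl is a list of (principal, '(dir) (file)') entries on one resource.
    Assumption: Creator Owner counts only for files the user owns.
    """
    parsed = [(who, *parse_pair(text)) for who, text in acl]
    principals = {user, "Everyone", *groups}
    dir_rights = combine([(w, d) for w, d, _ in parsed], principals)
    if user == file_owner:
        principals.add("Creator Owner")
    file_rights = combine([(w, f) for w, _, f in parsed], principals)
    return dir_rights, file_rights


# ACLs constructed from the names and permissions used on the slides.
TARIFF = [("Inspectors", "(RX) (RX)"), ("Wilson", "(WD) (D)")]
RATES = [("Inspectors", "(RX) (RX)"), ("Texas", "(None) (None)")]
REPORTS = [
    ("Creator Owner", "(All) (All)"),
    ("Everyone", "(WX) (Not Specified)"),
    ("Inspectors", "(RWXD) (RWXD)"),
]

if __name__ == "__main__":
    # Wilson accumulates group and direct grants: the same set as (RXWD) (RXD).
    print("Wilson on Tariff:", effective(TARIFF, "Wilson", ["Inspectors"]))
    # Texas is in Inspectors, but the No Access entry overrides the group grant.
    print("Texas on Rates:", effective(RATES, "Texas", ["Inspectors"]))
    print("Nevada on Rates:", effective(RATES, "Nevada", ["Inspectors"]))
    # Scenario 3: employees can add reports but only control their own.
    print("California, another user's report:", effective(REPORTS, "California"))
    print("California, own report:",
          effective(REPORTS, "California", file_owner="California"))
```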
A Note on the Assignment of Permissions
• Accumulation of permissions can become unduly complicated
• Suggestions for simplicity:
  – A modular approach to group formation
  – Minimize the assignment of permissions
  – Balance functional representation of directories with minimizing duplicity of files
  – Alertness to permeation of permissions
Permeation of Permissions: Example
Directory Permissions
• Replace Permissions on Subdirectories
• Replace Permissions on Existing Files
MODULE
Removing a Soft Resource from Sharing: Removing a Directory from Sharing
Removing Tariff from Sharing: Case Example
[Figure: domain NAFTA with server US and clients Canada and Mexico; Tariff is the directory (folder) and Rates is a file in the directory]
Steps for Removing Tariff from Sharing
• Open the Explorer on the server named US.
• Right select the subdirectory named Tariff.
• Select Sharing.
• Select Not Shared
• End: OK
Module Objectives
• Notes on removing a file from sharing
• Removing a file from sharing
  – Case example
  – Steps
  – Demonstration
Notes on Removing a File
• A file cannot be removed from sharing in the same manner as a directory
• One option is to remove the entire directory containing the file from sharing
• The other more practical option is to deny the users access to the file in the file permission list
Removing a File From Sharing: Case Example
• Remove the file Rates from sharing by nearly all the users
• The No Access type of permission may be given to achieve the above result
  – Better used for selective access control
• An easier method is to remove all the users from the permission list
  – It is a good practice to retain the permission given to the administrator
Removing the File Rates from Sharing: Steps
File Permissions Window
• Select Inspectors and remove.
• Repeat until only Administrators remain.
• Finish: OK/OK
Module Objectives
• Drive mapping defined
• An illustration of drive mapping
• Notes on drive mapping
• Procedures for mapping
• Drive mapping
  – Case example, steps and demonstration
• Disconnecting a mapped drive
  – Steps and demonstration
Drive Mapping Defined
• A resource on the network can be mapped to a local logical drive by assigning a drive letter to the resource
• A logical drive is thus temporarily created at the local client corresponding to that network resource
Mapping of Drives
• a: Floppy
• c: Local hard disk
• d: Local CD-ROM
• e: Logical drive
[Figure: the client requesting to share the resource has drives a, c, d and the mapped logical drive e; the server, with drives a, c, d, holds the resource available for sharing]
Notes on Mapping
• Resources that are usually mapped are as follows:
  – Drives
  – Directories
• Different procedures can be followed for drive mapping
• A mapped drive can be disconnected at any time
Procedures for Mapping
• Select My Computer and specify path for mapping the resource
• Locate and select the resource using the Explorer and map through right-clicking on the selection
Drive Mapping Steps
• My Computer: Map Network Drive
• Select a drive letter.
• Specify network path to resource or browse below for resource.
• Path is \\US\Tariff
• End: OK
Disconnecting a Mapped Drive: Steps
• My Computer: Disconnect Network Drive
• Select the mapped drive to be disconnected.
• End: OK
Module Objectives
• Overview of administrative shares
• Examples of administrative shares
• Managing a server from a remote client
• Notes on administrative share C$
Administrative Shares
• Administrative shares are created by Windows NT
• One of the purposes is to allow administrators to manage the resources from remote computers
• Examples are the management of server hardware, printer etc.
• Administrative shares are not displayed on the browsers of non-administrators
Some Administrative Shares
• ADMIN$
• driveletter$
• IPC$
• PRINT$
• REPL$
• Administrative share names end with the $ character
Managing a Server from a Remote Client: An Example of Administrative Share
[Figure: domain NAFTA with server US and clients Canada and Mexico]
Map e: to \\US\C$ and manage US from Canada.
Notes on Administrative Share C$
• Only administrators can connect to administrative share
  – Administrators <-----> C$
  – Administrator and Print Operators <-----> PRINT$
• A demonstration is given in the module dealing with server management
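An added example (not part of the original slides): a Python sketch that sorts the share names reported by `net share` into the administrative shares listed above, other hidden shares, and visible shares, as a quick audit of what a server exposes. The sample listing is constructed, share names are assumed to contain no spaces, and Payroll$ is a hypothetical user-created share included to show that a trailing $ alone does not make a share administrative.

```python
import re

# Administrative share names from the slide; "driveletter$" means C$, D$, ...
ADMIN_FIXED = {"ADMIN$", "IPC$", "PRINT$", "REPL$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")

# Constructed sample in the layout printed by `net share` (not from a real host).
SAMPLE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
Tariff       C:\\Trade\\Tariff
Payroll$     D:\\Finance\\Payroll
The command completed successfully.
"""


def share_names(text):
    """Return the first column of each table row (names assumed space-free)."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        # Skip the header, blank lines and wrapped continuation lines.
        if not in_table or not line.strip() or line[0].isspace():
            continue
        if line.startswith("The command"):
            break
        names.append(line.split()[0])
    return names


def classify(name):
    """Label a share as administrative, hidden (other $ share) or visible."""
    upper = name.upper()
    if upper in ADMIN_FIXED or DRIVE_SHARE.match(upper):
        return "administrative"
    if upper.endswith("$"):
        return "hidden"
    return "visible"


def audit(text):
    """Group every share in a `net share` listing by its classification."""
    report = {"administrative": [], "hidden": [], "visible": []}
    for name in share_names(text):
        report[classify(name)].append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(f"{kind:15} {', '.join(names) or '-'}")
```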
Module Objectives
• Mixed environment
• Client-server and peer-to-peer networking environments
• Peer-to-peer sharing in a client-server environment
• Sharing in the mixed environment
• Other applications
• Client-server and peer-to-peer sharing demonstration
Client-Server and Peer-to-Peer Networking
• A client-server network can include peer-to-peer network sharing as well
• Resources on the clients, if permitted, can be shared among one another in this instance
• One example would be the sharing of a color laser printer on one of the peers
Peer-to-Peer Sharing in a Client-Server Environment
[Figure: server US offers the shared directory Tariff (client-server); clients Canada and Mexico share a printer (peer-to-peer)]
Sharing in the Mixed Environment
• Client-server sharing of the directory
• Peer-to-peer sharing of the printer
• The combined approach provides the security and ease of management of a centralized resource and the flexibility of using the distributed resources
Other Applications
• Unorthodox file transfer among clients
• Execution of specialized programs on one or more clients by other clients
• etc.