1. Managing File Access Chapter 5 70-290
2. Objectives
- Identify and understand the differences between the various file systems supported in Windows Server 2003
- Create and manage shared folders
- Understand and configure the shared folder permissions available in Windows Server 2003
- Understand and configure the NTFS permissions available in Windows Server 2003
3. Objectives (continued)
- Determine the impact of combining shared folder and NTFS permissions
- Convert partitions and volumes from FAT to NTFS
4. Windows Server 2003 File Systems
  - File Allocation Table (FAT)
- Final choice of file system depends on
  - Whether there are multiple operating systems
- NTFS is most highly recommended
5. FAT
- Supported by all versions of Windows since
- Traditionally limited to partitions up to 2 GB
  - Windows Server 2003 version supports partitions up to 4 GB
  - No file system security features
6. FAT32
- A derivative of the FAT file system
- Supports partition sizes up to 2 TB
- Still does not provide advanced security features
  - Cannot configure permissions on file and folder resources
7. NTFS
- Introduced with Windows NT operating system
- Current version (version 5)
- Theoretically supports partition sizes of up to 16 Exabytes (EB)
  - Practically supports maximum partition sizes from 2 TB to 16 TB
8. NTFS (continued)
  - Greater scalability and performance on larger partitions
  - Support for Active Directory on systems configured as domain controllers
  - Ability to configure security permissions on individual files and folders
  - Built-in support for compression and encryption
  - Ability to configure disk quotas for individual users
  - Support for Remote Storage
  - Recovery logging of disk activities
9. Creating and Managing Shared Folders
  - A data resource made available over a network to authorized network clients
  - Specific permissions required for creating, reading, modifying
- Groups that can create shared folders:
  - Power Users (only on member servers)
10. Creating and Managing Shared Folders
- Several ways to create shared folders
  - Windows Explorer Interface
  - Computer Management console
    - Also allows shared folders to be monitored
11. Using Windows Explorer
- Can create, maintain, and share folders
- Folders can be on any drive connected to the computer
- Folders are shared in Windows Explorer by accessing the Sharing tab of folder's properties
12. Using Windows Explorer (continued)
13. Activity 5-1 Creating a Shared Folder Using Windows Explorer
14. Creating a Shared Folder Using Windows Explorer
- Objective is to create a shared folder using Windows Explorer
- Open Explorer from Start menu
- Use Explorer to create and configure a new folder
- Verify folder using net view command
- Open Explorer from command line for alternative verification
15. Activity 5-1 (continued)
16. Using Windows Explorer (continued)
- Shared name of folder does not have to be the actual file name
- Hand icon used to indicate shared status
- Shared folders can be hidden from My Network Places and Network Neighborhood
  - Place dollar sign ($) after name, e.g., Salary$
  - Number of hidden administrative shares created automatically at installation
17. Using Windows Explorer (continued)
18. Using Windows Explorer (continued)
19. Using Computer Management
- Computer Management console is a pre-defined Microsoft Management Console (MMC)
  - Allows you to share and monitor folders for local and remote computers
  - Allows you to stop sharing if desired
20. Using Computer Management (continued)
  - Used to create folders in Shared Folders section of Computer Management
  - Used to provide preconfigured or manual permissions
    - All users have read-only access
    - Administrators have full access; others have read-only access
    - Administrators have full access; others have read and write access
    - Custom share and folder permissions
21. Activity 5-2 Creating and Viewing Shared Folders Using Computer Management
22. Creating and Viewing Shared Folders Using Computer Management
- Objective is to create and view shared folders using Computer Management
- Open Computer Management and the Shared Folders node
- Open Shares folder and note hidden files and other file types
23. Activity 5-2 (continued)
24. Activity 5-2 (continued)
- Open the Share a Folder Wizard
- Configure the folder attributes
- Configure the folder permissions
- Verify folder accessibility from command line
25. Activity 5-2 (continued)
26. Monitoring Access to Shared Folders
  - Who is using shared files
  - What shared files are open at any given time
  - Disconnect users from a share
  - Send network alert messages
- Primary monitoring tool is Computer Management
27. Monitoring Access to Shared Folders
28. Managing Shared Folder Permissions
- A shared folder has a discretionary access control list (DACL)
  - Contains a list of user or group references that have been allowed or denied permissions
  - Each reference is an access control entry (ACE)
  - Accessed from Permissions button on Sharing tab of folder's properties
- Permissions only apply to network users, not those logged on directly to local machine
29. Managing Shared Folder Permissions (continued)
30. Managing Shared Folder Permissions
- To deny access to a user or group
  - Windows Server 2003 does not include No Access share permission
  - Must explicitly deny access to each individually
- Default permission is read access for Everyone group
  - Should be immediately addressed when a share is created
- Folder permissions are inherited by all contained objects
31. Activity 5-3 Implementing Shared Folder Permissions
32. Implementing Shared Folder Permissions
- Objective is to use shared folder permissions to control access to resources
- In this exercise, you configure permissions on a shared folder to implement specific requirements:
  - Domain Admins group has Full Control permission
  - Marketing Users group has Change permission
  - Other users have no access
33. NTFS Permissions
- Resources located on an NTFS partition or volume can be given NTFS permissions
  - Know how permissions are applied
  - Standard and special NTFS permissions available
  - How effective permissions are determined
34. NTFS Permission Concepts
- NTFS permissions are configured via the Security tab
- NTFS permissions are cumulative
- Access denial always overrides permitted access
- NTFS folder permissions are inherited unless otherwise specified
- NTFS permissions can be set at file or folder level
35. NTFS Permission Concepts
- A new ACE has default permission
  - Read and Read and Execute for files
  - List Folder Contents for folders
- Windows Server 2003 has set of standard permissions plus special permissions
36. NTFS Permission Concepts
37. Activity 5-4 Implementing Standard NTFS Permissions
38. Implementing Standard NTFS Permissions
- Objective is to configure and test NTFS permissions on a local folder
- Implement standard NTFS permissions on a folder
- Review default permissions
- Explore behavior of permission inheritance
39. Special NTFS Permissions
- Can provide more or less access than standard permissions
- Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
- Permission Entry dialog box enables assignment of permissions and control of inheritance settings
40. Special NTFS Permissions
41. Special NTFS Permissions
  - This folder, subfolders, and files (default)
  - This folder and subfolders
  - Subfolders and files only
42. Special NTFS Permissions
43. Special NTFS Permissions
44. Activity 5-5 Configuring Special NTFS Permissions
45. Configuring Special NTFS Permissions
- Objective is to view, configure, and test special NTFS permissions
  - Deny a group the ability to read the NTFS permissions associated with a folder
  - Verify that access has been denied
46. Determining Effective Permissions
- Permissions that actually apply to a user can be the result of membership in multiple groups
- Prior to Windows Server 2003, determining effective permissions was done manually
- In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource
  - Shows specific permissions for a user or group
47. Determining Effective Permissions
48. Activity 5-6 Determining Effective NTFS Permissions
49. Determining Effective NTFS Permissions
- Objective is to view effective permissions for a user on an NTFS folder
- Open the Effective Permissions tab for a test folder
- Enter the name of the user
- Review the permissions specifically granted to that user for that folder
50. Combining Shared Folder and NTFS Permissions
- NTFS permissions can be combined with share permissions
  - When accessing a share across a network, if both apply, use most restrictive
  - When accessing a file locally, only NTFS permissions apply
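
The combination rules from the slides above (cumulative permissions, deny overrides allow, most restrictive of share and NTFS over the network, NTFS only for local access), worked through as an added example that is not part of the original deck. It is a simplified model: rights are abstract labels rather than real Windows access masks, the NTFS ACL and the "Contractors" group are constructed for illustration, and the share ACL follows Activity 5-3.

```python
# Simplified model (assumption): abstract rights, not real Windows access masks.
ALL = frozenset({"read", "write", "delete", "change_permissions"})
SHARE_LEVELS = {"Read": frozenset({"read"}),
                "Change": frozenset({"read", "write", "delete"}),
                "Full Control": ALL}
NTFS_LEVELS = {"Read": frozenset({"read"}),
               "Modify": frozenset({"read", "write", "delete"}),
               "Full Control": ALL}

# ACLs as lists of ACEs: (principal, "allow" | "deny", level).
DEFAULT_SHARE_ACL = [("Everyone", "allow", "Read")]        # default on a new share
ACTIVITY_SHARE_ACL = [("Domain Admins", "allow", "Full Control"),
                      ("Marketing Users", "allow", "Change")]
NTFS_ACL = [("Domain Admins", "allow", "Full Control"),    # constructed sample
            ("Users", "allow", "Read"),
            ("Marketing Users", "allow", "Modify"),
            ("Contractors", "deny", "Modify")]             # hypothetical group

# Constructed users, described by the groups they belong to.
ALICE = {"Everyone", "Users", "Marketing Users"}
BOB = {"Everyone", "Users"}
CAROL = {"Everyone", "Users", "Marketing Users", "Contractors"}


def effective(acl, levels, principals):
    """Union of allows across the user's groups, minus every denied right."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(levels[level])
    return frozenset(allowed - denied)


def access(share_acl, ntfs_acl, principals, over_network):
    """Rights a user ends up with on a shared NTFS folder."""
    ntfs = effective(ntfs_acl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs  # share permissions do not apply to a local logon
    # Over the network both ACLs must grant a right: the most restrictive wins.
    return ntfs & effective(share_acl, SHARE_LEVELS, principals)


if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name,
              "network:", sorted(access(ACTIVITY_SHARE_ACL, NTFS_ACL, user, True)),
              "local:", sorted(access(ACTIVITY_SHARE_ACL, NTFS_ACL, user, False)))
```

Bob is blocked over the network by the share ACL but still reads the folder when logged on locally, which is why the NTFS ACL has to carry the real restriction.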
51. Activity 5-7 Exploring the Impact of Combined Shared Folder and NTFS Permissions
52. Exploring the Impact of Combined Shared Folder and NTFS Permissions
- Objective is to determine effective permissions when combining shared folder and NTFS permissions
- Create a folder with both permissions
- Attempt to create a new folder locally and over the network
53. Converting a FAT Partition to NTFS
- For highest security, partitions and volumes should be configured to use NTFS
- Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
- All existing files and folders are retained
- CONVERT cannot convert NTFS to FAT or FAT32
54. Activity 5-8 Converting a FAT32 Partition to NTFS
55. Converting a FAT32 Partition to NTFS
- Objective is to convert a FAT32 partition to NTFS file system
- Create a small FAT32 partition on server (using New Partition Wizard)
- Create new file and folder on the partition
- Use CONVERT to convert the partition to NTFS
- Review permissions on the converted folder
56. Summary
- Windows Server 2003 supports 3 file systems
  - Shared folder (network only)
    - Tools are Windows Explorer, Computer Management, and NET SHARE command
57. Summary
  - Shared folders, 3 standard permissions
  - NTFS, 6 standard and 14 special permissions
    - Permissions are cumulative
    - Effective permissions can be determined from Advanced Security Settings of a resource
  - Shared folder and NTFS permissions can be combined
- CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system