Managing File System Security - Bristol Community...

Date post: 18-Mar-2020
Managing File System Security - Bristol Community College (cisweb.bristolcc.edu/~jca/cis65/handouts/chapter5Supplement.pdf)

CERTIFICATION OBJECTIVE 4.01

Managing File System Security

One of the many benefits of networked systems is the ability to quickly and easily share data across systems. However, this benefit comes at the price of security. The file system is an extremely important part of modern computers. A large amount of most organizations’ sensitive information is stored in the file system in the form of documents, images, and other pieces of data. As a systems administrator, it’s your job to ensure that these files stay secure and that only authorized users can access them. That’s where the important topic of file system security comes in.

Let’s start with the most important point: If you want to implement security at the file system level, you must choose to use NTFS. The FAT and FAT32 partition types do not provide any security at all, and there’s little to stop someone from booting off a floppy and accessing all of the information on your computers. Furthermore, the only level of network security provided by FAT-based partitions is at the level of shared folders (a topic that you’ll encounter later in this chapter).

With that in mind, let’s take a look at the file system security architecture of Windows Server 2003.

Understanding NTFS Permissions

Earlier, I mentioned that permissions are placed on objects through the use of ACLs that contain ACEs. Folders and files that are stored on an NTFS partition are treated as objects, each of which has its own unique identifier. You can protect files at the level of the file system using NTFS permissions. In Windows Server 2003, file system permissions can be applied to files and folders through the Security tab of the properties of the object. For example, to set properties on a file, you can right-click the file, select Properties, and then click the Security tab (see Figure 4-1).

It’s important to keep in mind that file system security is only one part of an overall security strategy. Although NTFS permissions provide security while the operating system is running, it is possible to access this data without authorization, using a boot floppy disk and special utilities. To prevent this, it’s important to provide for the physical security of your server computers!

CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4

P:\010Comp\CertPrs8\322-7\ch04tem.vpMonday, August 04, 2003 6:47:32 PM

In the Security dialog box, you’ll see a list of the users and groups for which permissions are configured. By clicking one of these items, you can view the permissions that are assigned. For each permission setting, you will see two columns: Allow and Deny. Actually, there are three possible states for each setting: You can choose to allow the permission, to deny it, or to leave it as unspecified (neither box will be checked). If the security permissions were inherited from a higher level (a topic that you’ll consider in the next section), you will see that the boxes are grayed out and cannot be changed.

The permissions that are available for a file include the following:

■ Full Control: This option provides full permissions on the object, including the ability to take ownership of files and to change security permissions.

■ Modify: This permission specifies that users can open files and change their contents or delete them.

■ Read: This permission allows users to read or open the specified file.

■ Read and Execute: This permission allows users to read or open the files and to run executable programs.

■ Write: This permission allows users to change the contents of existing files and to create new ones.

8 Chapter 4: Managing Resource Access

FIGURE 4-1 Viewing security settings for a file

■ Special Permissions (available for some objects): Through the use of the Advanced button, you can specify much more detailed permissions on specific objects (see Figure 4-2). In general, systems administrators will not need to apply permissions at this level. The Windows Help and Support Center provides details about the actual file and folder permissions that are assigned when you choose from the standard permissions.

Certain combinations of permissions are not allowed for a single permission line item. For example, you cannot deny Modify permissions and, at the same time, allow Read and Execute. When you work with setting permissions using the Security tab, you’ll notice that the user interface will automatically check and uncheck boxes as appropriate. Therefore, it’s important to take the time to review your final selections before you apply them.

The exact list of permissions that are available for various objects depends on the type of object and the actions it supports. For example, folders also have a permission setting for List Folder Contents. Or if you’re setting permissions on a Registry key, you will see a permission called “Create subkey” (see Figure 4-3). Later in this chapter, you’ll look at the steps that are required to assign permissions to files and folders. But first, you need to understand a few additional concepts regarding file system permissions.

FIGURE 4-2 Viewing File and Folder Special Permissions settings

Understanding Inheritance

In modern networked environments, file systems tend to have many thousands of files and folders. For systems administrators, this can pose a daunting challenge: How can you possibly ensure that all of these objects have the right security settings? Even harder would be setting the appropriate permissions for objects that have not yet been created (such as new files or folders).

That’s where inheritance comes in. The basic rule for inheritance is that permissions that are assigned at a higher-level folder will propagate to child files and folders. This is the default behavior for files and folders in Windows Server 2003.

There are two main types of permissions that can apply to objects. The first is explicit permissions. These permissions are the access control rules that are directly applied to an object. Implicit permissions, on the other hand, are access rules that are defined for parent objects and that are propagated down to the object itself (Figure 4-4 compares explicit and implicit permissions). Note that explicit permissions automatically override implicit permissions. This is even true for the Deny permissions on a parent level (an explicit allow permission will override an implicit deny).

FIGURE 4-3 Setting advanced permissions on a Registry key

For example, if you grant Change permissions on a folder to members of the Engineering group, by default, all new files and folders created within that folder will have the same permissions.

As another example, suppose you have a folder called Sales that’s used by your organization’s salespeople. All of the data in the Sales folder and its subfolders should be made available to the entire sales team. In this case, you would assign the necessary permissions at the level of the Sales folder and choose to propagate the changes to all child objects.

By default, files and folders will inherit permissions from their parent objects. This is designed to make the administration of file system permissions simpler. So, if you create a new file called SalesData.xls in the Sales folder, the new file will automatically have the permissions that were applied to the Sales folder. If you attempt to remove a permissions entry on this page, you will see a warning message.

When you change permissions at any level (for example a parent folder), the permission changes will, by default, apply only to that object. That is, the permissions on subfolders and files will not be modified.

So, what if you really do want to set individual permissions on the SalesData.xls file, or you want to propagate the new security settings to all child objects? This is where the Advanced button on the Security tab comes in. When you click the Advanced button, you’ll see two options (shown in Figure 4-5). The check boxes at the bottom determine the inheritance behavior for this object.

FIGURE 4-4 Explicit vs. implicit permissions

The two options are:

■ “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here”: When enabled, this option specifies that permissions assigned at higher-level objects (for example, a parent folder) will be inherited by this file or folder. By default, this option is enabled, and it specifies that inheritance is enabled. Therefore, certain actions (such as removing a permissions setting) are not allowed. If you uncheck the box, you will be given the opportunity to specify whether you want to Copy or Remove the inherited permissions (shown next). The Copy option will take all of the settings from the parent object and copy them to this object. Although they are not inherited, these permissions will be the same as those on the parent object. The other option, Remove, specifies that you want to start with a clean slate and that inherited permissions should not be copied to this object.

FIGURE 4-5 Selecting inheritance of permissions

■ “Replace permission entries on all child objects with entries shown here that apply to child objects”: This setting applies only to folders (since files cannot contain child objects). When you select this option, you will be choosing to replace the permissions on any child files or folders with the permissions that you set for this folder. As the confirmation warning states, only the inheritable permissions will be propagated. For example, if a child object is a file, certain permissions may not apply. You should be careful with this option, since it can replace permissions on thousands of files and folders, and it can override other, more specific permissions. However, it is useful if you decide that you want to make permissions changes to an entire tree of folders and files.

Exam Watch: Although the actual names of these two options are fairly wordy, you can keep them straight by remembering that the first option deals with inheritance of permissions from parent objects, and the second option deals with the propagation of permissions to child objects. If you keep this in mind, you’ll be less likely to be confused by the wording of the options on the exam.

Now that you know how inheritance works, let’s move on to looking at the topic of discovering the “bottom line” for security settings.

Calculating Effective Permissions

So far, you’ve looked at basic information about NTFS permissions, as well as details related to how inheritance works. The most important aspect of setting permissions, however, is to figure out the effective permissions that users will have on objects. The key to figuring out the overall permissions that a user has is in understanding the interaction between various permissions.

In general, the rule is that file and folder permissions are cumulative. That is, if John is a member of the Engineering and Research groups, he will have all of the permissions that are allowed for both groups. The one exception to this rule is the Deny setting. A deny permission will always override corresponding allow permissions. When you specify the Deny permission, you’ll see a warning dialog box that asks if you are sure you want to make the change.

In general, you will not need to use the Deny permission when controlling ACLs for objects. Instead, you can usually remove permissions for a user or group. The Deny permission is generally used to override settings that may apply from a higher level.

When determining effective permissions, there are two main aspects of security to take into account. The first is the actual permissions that are placed on a specific file or folder. This includes considering the file system hierarchy to take into account any inherited permissions. You looked at this in the previous section on inheritance.

The second consideration is group membership. Permissions that are set for groups of which the user is a member will determine which permissions are applied to the user. For example, assume Susan is a member of the Sales group, the Marketing group, and the Corporate group. Four different sets of permissions can apply to her:

■ Permissions set on the Sales group

■ Permissions set on the Marketing group

■ Permissions set on the Corporate group

■ Permissions set directly on Susan’s user account

The overall effective permissions are determined by combining the permissions applied to Susan’s account, as well as the permissions applied to any groups of which she is a member. Again, there are three possibilities for permissions: Allow, Deny, and unspecified. Remembering that permissions are additive, with the exception of the “Deny” permission, let’s look at a quick example:

■ Susan’s account has been allowed Read permissions on the Documents folder.

■ Members of the Sales group have been allowed “List Folder Contents” permissions on the Documents folder.

■ Members of the Marketing group have been denied Write permissions for the Documents folder.

In this example, Susan’s effective permissions will be Read and List Folder Contents for the Documents folder and she will be prohibited from writing to the Documents folder.
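The rules from this section and from the inheritance section (group permissions accumulate, Deny overrides a corresponding Allow, explicit entries override inherited ones, and the Copy and Remove choices when inheritance is switched off) can be worked through in a small model. This is an added example, not code from the book: it is a simplified Python model rather than the Windows access check, it treats each permission name as one independent right, and the Drafts subfolder with its explicit Allow Write entry is constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    kind: str                # "allow" or "deny"
    rights: frozenset        # permission names, e.g. {"Read"}
    inherited: bool = False  # True when the entry comes from a parent folder


def ace(trustee, kind, *rights):
    """Build an explicit entry (one set directly on the object)."""
    return Ace(trustee, kind, frozenset(rights))


def child_acl(parent_acl, explicit):
    """ACL of a child object that still inherits from its parent.

    Assumption: every parent entry is inheritable.
    """
    return list(explicit) + [replace(e, inherited=True) for e in parent_acl]


def break_inheritance(acl, mode):
    """Model unchecking the inheritance box and choosing Copy or Remove."""
    if mode == "copy":      # parent entries stay, but are now explicit
        return [replace(e, inherited=False) for e in acl]
    if mode == "remove":    # only entries set directly on the object remain
        return [e for e in acl if not e.inherited]
    raise ValueError("mode must be 'copy' or 'remove'")


def evaluation_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda e: (e.inherited, e.kind != "deny"))


def effective_permissions(acl, user, groups):
    """Map each right to 'allow' or 'deny'; a right not listed is unspecified."""
    trustees = {user, *groups}
    decided = {}
    for entry in evaluation_order(acl):
        if entry.trustee in trustees:
            for right in entry.rights:
                # The first applicable entry that names a right decides it.
                decided.setdefault(right, entry.kind)
    return decided


def allowed(acl, user, groups):
    """Rights the user actually ends up with (unspecified means no access)."""
    result = effective_permissions(acl, user, groups)
    return {right for right, kind in result.items() if kind == "allow"}


# Sample data built from the chapter's Susan example.
SUSAN_GROUPS = {"Sales", "Marketing", "Corporate"}
DOCUMENTS = [
    ace("Susan", "allow", "Read"),
    ace("Sales", "allow", "List Folder Contents"),
    ace("Marketing", "deny", "Write"),
]


def susan_on_documents():
    return effective_permissions(DOCUMENTS, "Susan", SUSAN_GROUPS)


def susan_on_drafts(mode=None):
    """Constructed subfolder 'Drafts' with an explicit Allow Write for Sales."""
    acl = child_acl(DOCUMENTS, [ace("Sales", "allow", "Write")])
    if mode is not None:
        acl = break_inheritance(acl, mode)
    return allowed(acl, "Susan", SUSAN_GROUPS)


if __name__ == "__main__":
    print("Documents:", susan_on_documents())
    print("Drafts, inheriting:", sorted(susan_on_drafts()))
    print("Drafts, after Copy:", sorted(susan_on_drafts("copy")))
    print("Drafts, after Remove:", sorted(susan_on_drafts("remove")))
```

In this model, choosing Copy changes Susan's access to Drafts: the Deny Write entry that was inherited (and overridden by the explicit Allow) becomes explicit itself and now wins, which is worth checking for before switching inheritance off on a real folder.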

As you can see, determining effective permissions can be a fairly tedious and time-consuming process. Let’s look at an easier way.

Using the Effective Permissions Tool

In larger network environments, users can belong to dozens of groups. Fortunately, Windows Server 2003 includes a method for you to determine the effective permissions for a user or group. You can find the Effective Permissions tab by clicking Advanced within the Security tab of a folder’s properties. As seen in Figure 4-6, you can choose a user or group to view the effective permissions that this user has on the selected object.

To access the Effective Permissions property sheet, right-click a file or folder, select Properties, select the Security tab, and then click Advanced. This feature can be used to calculate and view the effective permissions for a user or group.

Exam Watch: Although it might be tempting to depend on the Effective Permissions feature in the real world, don’t expect to have this tool available on the exam. You may need to determine effective permissions on your own, so don’t allow this feature to become an excuse for not learning and understanding how to calculate effective permissions the hard way!

To calculate Effective Permissions for a user or a group, you must first click Select to find an object for which you want to determine permissions. Once you do this, the tool will automatically calculate and display the results. Note that you cannot make any changes to permissions on this screen. Also, you can view permissions information for only one user at a time. Using this GUI can save a lot of time when you’re troubleshooting security issues. For example, if a user reports that he cannot access a specific file or folder over the network, you can start troubleshooting by determining the effective permissions on the folder. This is much easier and safer than the old practice of giving the user “Full Control” permissions as a temporary troubleshooting step.

There are some potential issues with determining effective permissions: First, the Effective Permissions tool does not take into account any logon-based restrictions that might affect the overall permissions a user might have on an object. The most likely example of this is in the difference in permissions between when a user logs on to a system and attempts to access files locally and when that user accesses those files over the network. One other limitation of the Effective Permissions feature is that it does not take into account share-level permissions. This is logically important because a single folder can be made available under multiple shares, and the shares may have more restrictive permissions than the files or folders themselves.

FIGURE 4-6 Accessing the Effective Permissions feature

One other consideration to keep in mind is that, in order to view effective permissions for users, you must have access to read group membership information. By default, a domain administrator will have the permissions necessary to enumerate the members of all local and domain groups. Local administrator members will be able to determine members of local groups, but not domain groups. Also, if your Active Directory environment is running in pre–Windows 2000 domain mode, all authenticated users will be able to read group membership information.

Overall, the Effective Permissions tab can be a very useful method for verifying file permissions and to find potential errors in configuration.

Understanding Ownership

One potential problem that might occur when working with security is the possibility of an object becoming inaccessible. For example, you might accidentally deny access to an object to the Everyone group. Or, you might delete the only user account that had permissions on a file. Ordinarily, this object would be irretrievably lost, since no one would be able to access the file (or change permissions on it). The concept of ownership helps resolve this potential issue.

Every Windows Server 2003 object has an owner. This is true for files and folders residing on NTFS volumes, as well as for objects such as Registry keys or Active Directory objects. By default, the creator of an object is its owner. For example, when the user PetraK creates a new file, she will be automatically listed as the owner. In order to view file ownership information, you must click Advanced on the Security tab for the properties of a file or folder. When you click the Owner tab, you’ll see who owns the object (see Figure 4-7).

FIGURE 4-7 Viewing file ownership information

An owner of an object will always be able to access an object and change its permissions. This means that other users, regardless of their permissions, cannot lock that user out of accessing the file, as long as the user remains the owner of the file. Another feature of object ownership is that a member of the Administrators group can take ownership of a file or folder. This is useful in situations in which a file is not otherwise accessible (perhaps because the user(s) that had access to the file have been deleted, or the permissions exclude Administrator accounts from accessing the file). In such a case, the Administrator can take ownership of the files and can then replace the permissions, as required. Additionally, an object owner (or anyone with the “Change Permissions” permission) can grant “Take Ownership” permissions to another user or group in order to allow others to take ownership of files or folders.

Exam Watch: File ownership is also an important concept related to disk quotas, since it is used to determine how much disk space a user is using. For more information on disk quotas, see Chapter 5.

They may involve a steeper learning curve than their graphical counterparts, but if you know what you want to do, the CACLS and XCACLS utilities can be a very effective way to view and modify file system permissions.

Best Practices for Managing Permissions

In this section, you have looked at many different aspects of file system security. Based on this information, here are some things to keep in mind when you design and implement file system security:

■ Assign users to groups and then assign permissions to groups. By logically grouping users according to their job functions, you can much more easily assign and administer security permissions. For example, you might place all of your developers in a group called “Developers.” Then, whenever you need to assign permissions to these users, you’ll just set the permissions for members of the Developers group. The benefit is that you can easily add to or remove members of this group without making security settings changes.

By using the Active Directory, you can easily organize all of your departments, users, and groups into logical containers called Organizational Units (OUs). And, you can take advantage of several additional features, including Group Policy Objects, automated software deployment, and the creation of a hierarchical system of security and other settings that can apply to objects throughout the domain. Although it’s beyond the scope of this book (and the exam it prepares you for), you should definitely look into the advantages that deploying the Active Directory can provide in your environment.

■ Use understandable names for resources. Since your users will be accessing files and folders by name, it’s important that the names be intuitive and descriptive. Often, an abbreviation that makes sense to you might not make sense to others. Or, you might use different abbreviations from the ones that others are familiar with. Keep in mind that modern operating systems don’t require you to adhere to very short names, and that users rarely type file or folder names. Therefore, it’s probably better to name a folder “Marketing” than “mktg,” “mrktg,” or some other abbreviation.

■ Create a logical hierarchy of folders based on your business requirements. If you have sets of files that should be available to specific departments, you might want to create a top-level folder called “Departments.” Then, within that folder, you could create separate folders for each of the departments. This structure will enable you to set permissions at various levels. For example, if your CEO and other executives require access to information in all departments’ folders, you can set those permissions at the level of the Departments folders. Most other users and groups should be assigned access to the various subfolders of this one.

■ Give users only the permissions that they require. Many potential security problems can be caused by security permissions that are too lax. On the other hand, permissions that are too strict can prevent people from doing their jobs. Your goal should be to strike a balance between security and usability. That is, give your users the minimum permissions that they require to do their jobs. Sometimes, systems administrators will give some of their users Full Control permissions on files and folders. The logic is that those users should be able to perform all of the possible tasks on those objects. However, granting full control allows users to change permissions on the objects themselves—something that end-users rarely need to be able to do. A better choice would be to provide Modify permissions, which still allow users to perform all of the other necessary options on the file.

■ For greater control over security settings, use the Special Permissions options. The most commonly used permissions settings are available in the main Security properties for most objects. You can easily choose options such as Modify, Read, and Write for files and folders. Each of these options actually includes one or more lower-level permissions. In some cases, you might want more control over the specific security settings for a file or folder. That’s where Special Permissions come in. You can access these settings by choosing the Advanced button on the Security tab of many different objects. When you highlight an existing entry and choose the Edit button, you will be able to allow or deny additional permissions, such as Read Attributes, Write Attributes, Change Permissions, and Take Ownership. Additionally, other types of objects might include additional Special Permissions. For example, administrators can control who can create new Registry keys within specific Registry objects. This level of granularity provides a method for accommodating even the most complicated of permissions settings.

■ Review permissions settings regularly. Many businesses change quickly, and it’s important that the IT department keep up with these changes. For example, a department reorganization might necessitate a change in your file system permissions. Often, these types of changes are overlooked. Plan to regularly review your security settings to make sure that you haven’t forgotten about any changes that should be accounted for.


Now that you have a solid understanding of file system security features and tools, let’s look at how network resources can be shared.

CERTIFICATION OBJECTIVE 4.02

Creating and Managing Shared Folders

NTFS permissions are designed to provide for security at the level of the file system. They determine which users have access to which files, and they specify the operations that can be carried out. But how do users actually access these files over the network? The answer is shared folders. Shared folders (which are often just called “shares”) are designed to advertise to network users what resources are available on your Windows Server 2003 machines. Typical network environments will have public shared folders (which users can use to exchange files and information), as well as specific shared folders (for example, a folder that is accessible to only members of the Marketing department).

It is important to understand the relationship between file system folders and shared folders. The main concept is that a file system folder can be made available over the network through multiple shared folders. The name of the share itself can differ from the names of the underlying folders. Entire volumes can also be shared. Note that throughout this section, I’ll refer to information about sharing folders. All of the same information applies to sharing volumes.

SCENARIO & SOLUTION

Scenario: One member of the AccountingAdmins reports that he cannot access a specific folder on his local system. Other members of the group can access the server without any problems.
Solution: Check the permissions on the folder to ensure that there is no explicit Deny permission for this user on the folder. You can also use the Effective Permissions tab to determine whether or not this is a permissions-related issue.

Scenario: An employee recently left the company and you permanently deleted her user account. Now, members of her department report that they are unable to access certain important files. The employee was the only owner of the files.
Solution: Log in to the system as an administrator and take ownership of the required files. Then, reset the necessary permissions on the files.

Scenario: You want to replace permissions settings for a file, but a dialog box states that this cannot be done.
Solution: It is likely that the folder is inheriting permissions from a parent folder, and this is preventing the change. To disable inheritance, click Advanced and uncheck the appropriate option.


Users can find and connect to shares in many different ways. For example, they can browse for network resources using the My Network Places icon on their desktop. When they double-click the name of a computer, they’ll see a list of all of the nonhidden shares that are available. They can then open the shares and, assuming they have the appropriate permissions, access the data contained in them.

More experienced users might prefer to use the Universal Naming Convention (UNC) path to access the shared folder. This can be done most quickly by simply choosing Start | Run and then typing the full path to the share. A UNC name is made up of the name of the computer on which the share is located, followed by the name of the share that you want to connect to. Here are some valid UNC paths:

■ \\Server1\Data

■ \\FileServ02\Public

■ \\FileServ11\Users

You can better organize your shared folders through the use of the Distributed File System (DFS) feature in Windows Server 2003. More information about DFS is available later in this chapter.

Now that you’ve seen how shares work from a user’s point of view, let’s look at the details related to configuring shares.

Creating Shared Folders

As long as a user has the necessary permissions, a user or systems administrator can quickly create a new share for any folder on the system. The quickest way to create a new shared folder is by right-clicking a folder and choosing Sharing and Security. This will open the Sharing tab for the properties of the folder (see Figure 4-9).

Using this tab, you can choose whether or not the folder is to be shared over the network. If the folder that you have selected has already been shared, you will see information about the share. And if there are already multiple shares for this folder, you will be able to choose the one that you want to view by clicking the drop-down list. If the folder has not yet been shared, you will need to click New and provide a name for the shared folder. You must specify a name for the shared folder, along with an optional descriptive comment. You can create additional shares for the same folder by clicking the New Share button. Next, you must choose how many concurrent network connections you want to allow for this share. The default setting is “maximum allowed.” This option will allow an unlimited number of users (up to the number that you are licensed to support) to connect to the share. Alternatively, you can choose to limit the number of concurrent connections that are supported for the share.

FIGURE 4-9: Viewing the Sharing properties for a folder

A dollar sign ($) character placed at the end of a share name makes the share “invisible” to Microsoft’s tools (such as the Windows Explorer). That is, the shared folder is accessible, but it will not show up when users are browsing through network resources. Therefore, users must know that it exists in order to access it. In general, “security through obscurity” is not the best way to secure systems, but it might help to hide shares that only a few users need to access. Keep in mind that this will not prevent knowledgeable users from finding these shares, especially through the use of third-party utilities.

Now that you’ve seen the basic steps that are required to create a share, let’s look at how security is configured.

Understanding Share-Level Permissions

As you may have guessed, shared folders have security permissions that control what permissions users have on the folder and its contents. An important step in understanding how shares work is to look at the interaction between file system permissions and shared folder permissions.

By clicking Permissions on the Sharing tab of a folder or volume, you’ll be able to specify share-level permissions (see Figure 4-10).

FIGURE 4-10: Viewing share permissions for a folder

The list of share permissions is a short one and includes the following:

■ Full Control: This permission allows the user to perform any action on the contents of the shared folder. This includes the configuration of permissions for any folders located within the share.

■ Change: This setting allows users to read and write to the share. This means that they’ll be able to access and modify current files and that they can create new files and folders.

■ Read: The most restrictive permission of the three, this setting affords users the ability to read the files that are stored in the share, but they cannot modify or create files.

The default permission is to provide the Everyone built-in group read permissions on the contents of the share. It’s very important to note that these permissions apply only to users who are accessing the share over the network. The settings have no effect for a user that is trying to access these files from the local file system.

Share-level permissions should be used in conjunction with NTFS permissions, not instead of them. The two levels of security work together.

Users who access the share will have a combination of the more restrictive permissions that have been set. For example, if a user named “Carlos” has read permissions at the share level and “Change” NTFS permissions at the file system level, he will only be able to read the files. Similarly, if he has “Full Control” at the share level and only Read permissions in the file system, he can only read the files.

Although it may seem risky at first, many systems administrators do not set permissions on shared folders (that is, they give Everyone, or Authenticated Users full control to the share). They place the appropriate permissions using NTFS security. This method reduces redundant administration and can save time while still maintaining adequate security.
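A small model of how the two layers combine, added here as an illustration (it is not code from the book): each layer is resolved for the user, network access gets the intersection of the two, and local access uses NTFS alone. The simplified rights sets, the group names, and every user other than Carlos are assumptions of this sketch; grants from a user's groups are treated as cumulative within a layer, and Modify stands in for the NTFS level that the Carlos example calls “Change”.

```python
# Simplified rights behind each permission level named on this page.
# Teaching model only: real Windows ACEs carry finer-grained access masks.
READ = frozenset({"read"})
CHANGE = READ | {"write", "create", "delete"}
FULL = CHANGE | {"change_permissions"}

SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL}
NTFS_LEVELS = {"Read": READ, "Modify": CHANGE, "Full Control": FULL}


def layer_rights(acl, principals, levels):
    """Resolve one layer: union of allowed rights, minus anything explicitly denied."""
    allowed, denied = set(), set()
    for principal, level, kind in acl:
        if principal in principals:
            (denied if kind == "deny" else allowed).update(levels[level])
    return allowed - denied


def effective_rights(user, groups, share_acl, ntfs_acl, over_network=True):
    """Rights a user ends up with on files reached through a share or locally."""
    principals = {user, "Everyone", *groups}
    ntfs = layer_rights(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs  # share permissions are not consulted for local access
    share = layer_rights(share_acl, principals, SHARE_LEVELS)
    return ntfs & share  # the more restrictive layer wins


# Constructed ACLs: (principal, level, "allow" or "deny").
DEFAULT_SHARE_ACL = [("Everyone", "Read", "allow")]        # default share permission
OPEN_SHARE_ACL = [("Everyone", "Full Control", "allow")]   # leave control to NTFS
MARKETING_NTFS = [("Marketing", "Modify", "allow")]
ACCOUNTING_NTFS = [
    ("AccountingAdmins", "Modify", "allow"),
    ("pat", "Full Control", "deny"),  # hypothetical user with an explicit Deny
]

if __name__ == "__main__":
    cases = [
        ("carlos, default share, network",
         effective_rights("carlos", ["Marketing"], DEFAULT_SHARE_ACL, MARKETING_NTFS)),
        ("carlos, default share, local",
         effective_rights("carlos", ["Marketing"], DEFAULT_SHARE_ACL, MARKETING_NTFS,
                          over_network=False)),
        ("carlos, open share, network",
         effective_rights("carlos", ["Marketing"], OPEN_SHARE_ACL, MARKETING_NTFS)),
        ("pat, explicit Deny, local",
         effective_rights("pat", ["AccountingAdmins"], OPEN_SHARE_ACL, ACCOUNTING_NTFS,
                          over_network=False)),
    ]
    for label, rights in cases:
        print(f"{label}: {sorted(rights) or 'no access'}")
```

With the open share ACL, a user's network rights equal the NTFS rights, which is why that approach only works when the NTFS permissions are set correctly.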

Exam Watch: Keep in mind that share permissions apply only when users are accessing a resource from over the network. Permissions set on shares have no effect on folders that are accessed locally on a computer.

Administrative Shares

Network shares are very useful for accessing the file system on remote servers. Therefore, upon installation, Windows Server 2003 uses several built-in shares that are designed to support administration and network communications between applications. These are

■ ADMIN$: This hidden share points to the folder into which the operating system was installed (e.g., C:\Windows).

■ FAX$: If your system is configured to support fax services, this share can be used to transfer and control jobs over the network. Generally, client and server operating systems will use this “behind-the-scenes” share.

■ IPC$: This share supports interprocess communications. Through the use of the IPC$ share, applications can communicate with each other over the network. IPC connections are also used by various administrative tools that are included with Windows Server 2003.

■ LogicalDriveLetter$ (e.g., “C$”, “D$”, etc.): One hidden administrative share is automatically created for each logical volume that is hosted by a server. These administrative shares point to the root directory of each logical drive. Only members of the Administrators or Backup Operators group can use these shares. When connecting using these shares, you’ll be able to access and modify the full contents of the logical volume.

■ PRINT$: This share is used to support the remote management of print jobs. For example, if you want to cancel a print job on a network printer, the operating system will connect using this share. You’ll learn additional details related to managing print queues later in this chapter.

■ NETLOGON: This share is used to store scripts and other data that might be requested by client computers during the logon process.

Systems administrators can use these shares for simplifying access to remote machines, and developers can take advantage of them for communicating between applications that are running on remote computers. Note, however, that the administrative shares provide a lot of power, and you should be especially careful to keep them secure from unauthorized users. In general, it is recommended that you not manually modify these shares. For example, if you reconfigure the PRINT$ administrative share, users may be unable to use this machine as a print server.

Viewing Shares and Open Files

Another method for creating and managing shared folders is through the Computer Management tool (accessible through the System icon in Control Panel). As shown in Figure 4-11, when you click the Shared Folders item, you’ll get a quick view of all of the shares on the local machine.

By clicking Shares, you can quickly view a list of all of the shares on the local machine. Also provided is information about the physical path to the share and the number of users that are currently connected. The Sessions item allows you to view which users are currently connected to this machine over the network.

Finally, the Open Files item allows you to see exactly which files are being accessed at the current time. Note that this display does not automatically refresh, so you should do so manually using F5 or the Refresh option on the context-sensitive menu. Using these administrative features, you can efficiently administer shared folders.

Note that, in order to view Shared Folders settings, you must have the appropriate permissions. If you cannot view this information, make sure that you are logged on to the specified computer as a member of the Administrators group, Server Operators group, or Power Users group.

FIGURE 4-11: Administering shared folders from within Computer Management

EXERCISE 4-2
CertCam & MasterSim 4-2 ON THE CD

Creating and Managing a Shared Folder

This exercise assumes that you have already configured your Windows Server 2003 computer with the “file server” role.

1. Log on to the computer as an Administrator and create a new folder named “Marketing.” The location of this folder is not important. Create or copy several files within the Marketing folder.

2. Right-click the Marketing folder and select Sharing. Select Share This Folder. For the name of the share, enter Marketing Documents. For the description of the folder, specify Public storage space for Marketing staff members. Leave the user limit as the default (“maximum allowed”).

3. To set the permissions for this share, click Permissions. Note that the default permissions are to provide “Everyone” read permissions. Leave these settings as their defaults. Click OK to save the permissions settings, and then OK again to create the new shared folder.

4. Next, from one or more other computers, access the files in the Marketing shared folder. To monitor the open files and activity in the shared folder, open the File Server Management console (located in the Administrative Tools program group). View the information in the “Shares (Local),” “Sessions (Local),” and “Open Files (Local)” sections. Note that you will see which users and machines are connected to the server, as well as any files that are currently in use. You may need to manually refresh the display to view any changes in activity. Once you are finished, close the File Server Management console.

Mapping Network Drives

There are several ways to access shared resources in modern Windows systems. For example, users can start at their My Network Places desktop icon and navigate to the resources that they’re looking for. Or, if your environment is running the Active Directory, they can find the various shared folders that you have made available by using Windows Explorer or other tools. Although these methods do work, you may want to simplify locating data as much as possible. For example, you might want to tell your users that information that they want to share should be stored on their P: “drive,” and that private information that they want to have backed up should be stored on their H: drive.

You can easily accomplish this through the mapping of network drives. Drives can be mapped to any unused letter on your system, and they can point to any network resource to which a user has access. Network resources are specified through the use of Universal Naming Convention (UNC) paths. A basic UNC path includes the network name of the computer on which the shared resource is available, along with the name of the share itself. For example, you could use the shared folder path of \\Server1\Public to access the public shared folder on Server1. There are several ways to map network shares to drive letters. The following table provides some examples of how mapped drives and network resources are related.

Logical Drive Letter    Network Path
H:                      \\FileServ1\Home\User1$
P:                      \\Marketing3\Public
S:                      \\AppServ3\Software

The first method for creating a mapped drive involves navigating to the share using the My Network Places (or Network Neighborhood in earlier versions of Windows) icon. Simply find the share that you wish to map to a network drive, right-click it, and choose Map Network Drive. You’ll see the dialog box shown next. Just choose the letter to which the drive should be mapped. You can also choose whether this network connection should be reconnected at logon. If you or your users will frequently be accessing a specific mapped network drive, you might want it to be always available whenever they log on to their machines. On the other hand, if you only want to map the drive to run some commands for now and you don’t want it to be available permanently, you can uncheck this option.


Another useful option is the ability to map a network drive using a different security account. This option provides users with the ability to provide different authentication information that will be used to determine the user’s permissions on these folders. By default, the user’s current name will be used when creating a new mapped network drive. In order to change this, simply click the Different User Name link. You will be able to provide a username and password for another account. Now, whenever this network drive is accessed, you will have the permissions that are granted to that account.

Mapping Network Drives Using the NET Command

You can also map network drives from the command line using the NET USE command. The syntax of the NET USE command (which you can get by typing NET USE /? at a command prompt) is as follows:

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [/USER:[dotted domain name\]username]
        [/USER:[username@dotted domain name]
        [/SMARTCARD]
        [/SAVECRED]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]

For example, you can use the following command to permanently map the P: drive to a network path:

NET USE P: \\Server1\PublicData\ /PERSISTENT:YES

To remove that network drive mapping, you can use the following command:

NET USE P: /DELETE

With regard to security, you should consider mapped network drives as just shortcuts to resources. All other security settings will still apply, and a user must have permissions to access a network resource before he or she can access that information via a mapped network drive.

Once a drive has been mapped, you can access it just as you would access a local storage volume. For example, you will see the new “drive” when you double-click the My Computer icon (see Figure 4-12). Or, you can choose Start | Run and type X: (where X: is the mapped network drive). Finally, you can simply change to the mapped network drive using the command “X:” from the command prompt.


Managing Shared Folders Using the NET Command

The NET command can also be used to view, create, and manage shared folders. To view a list of the available commands, simply type net share /? at a command prompt. The syntax of the command is listed as follows:

NET SHARE
sharename
          sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                               [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Documents| Programs | None ]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Documents | Programs | None]
          {sharename | devicename | drive:path} /DELETE

FIGURE 4-12: Viewing mapped network drives in My Computer

For example, to view a list of shares on the local computer, simply type the command NET SHARE at a command prompt. As shown next, this will return the logical names and physical paths of all shared folders that are configured.

In order to create a new share, you can use a command such as the following:

NET SHARE "User Data"=D:\UserData /UNLIMITED /REMARK:"Storage space for user data."

This command will create a new share entitled “User Data.” The share will point to the physical location D:\UserData, and it will be configured to allow an unlimited number of connections. The NET SHARE command can be quite useful for scripting share creation and management across multiple servers.
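A share inventory check built on the NET SHARE listing, added here as an illustration (it is not from the book): it parses the listing and separates the built-in administrative shares named in this chapter from custom hidden ($) shares and visible shares, so that hidden shares relying on obscurity can be reviewed. The sample listing is constructed, and its column layout, including a long share name wrapping onto its own line, is an assumption about what NET SHARE prints.

```python
import re

# Built-in shares as listed in this chapter; drive-letter shares (C$, D$, ...)
# are matched by pattern rather than by name.
BUILTIN_SHARES = {"ADMIN$", "FAX$", "IPC$", "PRINT$", "NETLOGON"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")

# Constructed sample of NET SHARE output (not captured from a real server).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Payroll$     D:\Finance\Payroll
Public       D:\Public
Marketing Documents
             D:\Marketing                    Public storage space for Marketing staff members
User Data    D:\UserData                     Storage space for user data.
The command completed successfully.
"""


def parse_net_share(text):
    """Return (name, resource, remark) tuples from a NET SHARE listing."""
    lines = text.splitlines()
    header = None
    for i, line in enumerate(lines):
        if line.startswith("Share name"):
            header = i
            break
    if header is None:
        raise ValueError("no 'Share name' header found")
    res_col = lines[header].index("Resource")
    rem_col = lines[header].index("Remark")

    body = []
    for line in lines[header + 1:]:
        if line.startswith("The command completed"):
            break
        if line.strip() and set(line.strip()) != {"-"}:
            body.append(line)

    shares, i = [], 0
    while i < len(body):
        line = body[i]
        nxt = body[i + 1] if i + 1 < len(body) else ""
        if nxt.strip() and not nxt[:res_col].strip():
            # Long share name on its own line; its columns follow on the next line.
            name, cols = line.strip(), nxt
            i += 2
        else:
            name, cols = line[:res_col].strip(), line
            i += 1
        shares.append((name, cols[res_col:rem_col].strip(), cols[rem_col:].strip()))
    return shares


def classify(name):
    """Bucket a share name: built-in, hidden-custom ($ suffix), or visible."""
    upper = name.upper()
    if upper in BUILTIN_SHARES or DRIVE_SHARE.match(upper):
        return "built-in"
    if name.endswith("$"):
        return "hidden-custom"
    return "visible"


def audit(text):
    """Group parsed shares by category so hidden custom shares stand out."""
    report = {"built-in": [], "hidden-custom": [], "visible": []}
    for name, resource, _remark in parse_net_share(text):
        report[classify(name)].append((name, resource))
    return report


if __name__ == "__main__":
    for category, shares in audit(SAMPLE_NET_SHARE).items():
        for name, resource in shares:
            print(f"{category:14} {name:20} {resource}")
```

Shares reported as hidden-custom are the ones to check first, since nothing but their permissions protects them once their names are known.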
