MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System
Chapter 11: Managing Access to File System Resources

Objectives
• Understand the basic Windows XP security model
• Understand the characteristics of the Windows XP file systems
• Manage NTFS permissions
• Use file compression
• Use file encryption
Guide to MCDST 70-271

Objectives (continued)
• Manage simple and classic file sharing
• Manage shared folders
• Troubleshoot resource access problems
• Understand security auditing
The Windows XP Security Model
• Windows XP Professional
  • Can establish local security when used as a standalone system or in a workgroup
  • Can participate in domain security
• Access token
  • Includes information about:
    • The user’s identity
    • Permissions
    • The list of groups to which the user belongs

The Windows XP Security Model (continued)
• Access control list (ACL)
  • Contains a list of permissions associated with a resource
• Domain controller
  • Authenticates domain logons
  • Maintains the security policies and the account database for a domain

The Windows XP Security Model (continued)
• All objects are logically subdivided into three parts
  • A type identifier
  • A list of services or functions
  • A list of named attributes that may or may not have associated data items, called values
File Systems
• Windows XP supports
  • The File Allocation Table (FAT, also called FAT16)
  • FAT32 file systems
  • The New Technology File System (NTFS)
    • File-level security, encryption, compression, auditing, and more

FAT and FAT32
• Important features of FAT
  • Supports volumes up to 4 GB in size
  • Most efficient on volumes smaller than 256 MB
  • Has a root directory that can contain only 512 entries
  • Has no file-level compression
  • Has no file-level security
  • Has a maximum file size of 2 GB

NTFS
• Important features
  • Supports volumes up to 2 TB in size
  • Is most efficient on volumes larger than 10 MB
  • Has a root directory that can contain unlimited entries
  • Has file-level compression
  • Has file-level security
  • Has file-level encryption

Converting File Systems
• FAT and FAT32 volumes on a system
  • Can be migrated to the NTFS format without losing data
• To convert an NTFS volume to FAT or FAT32, you must:
  • Back up your data
  • Reformat the volume
  • Restore your data
Managing NTFS Permissions
• NTFS
  • The only file system supported by Windows XP that offers file-level security
  • File and folder permissions are nearly identical
• NTFS file and folder permissions
  • Read
  • Write (folders)
  • Write (files)

Managing NTFS Permissions (continued)
• NTFS file and folder permissions (continued)
  • List Folder Contents (folders only)
  • Read & Execute (folders)
  • Read & Execute (files)
  • Modify (folders)
  • Modify (files)
  • Full Control (folders)
  • Full Control (files)
  • Special Permissions
Rules for Working with NTFS Permissions
• NTFS object permissions always apply
• NTFS object permissions are cumulative
• NTFS file permissions override any contradictory settings on the parent or container folder
• Deny overrides all other specific Allows

Rules for Working with NTFS Permissions (continued)
• When disabling inheritance for an NTFS object, select one of:
  • Copy the parent object’s permissions to the current object
  • Remove the permissions assigned from the parent and retain only object-specific settings

Inheritance of Permissions
• Situations in which inheritance comes into play
  • Moving an object within the same volume or partition
  • Copying an object within the same volume or partition
  • Moving an object from one volume or partition to another
  • Copying an object from one volume or partition to another
File Compression
• The ability to compress data on the basis of single files, folders, or entire volumes
• Offers the benefit of being able to store more data in the same space, but performance suffers
• Configuring and managing file compression
  • Involves enabling or disabling the file compression attribute on one or more files or folders
Encrypting File System
• Allows you to encrypt data stored on an NTFS drive
• Uses a public and private key encryption method
• Does not function without a Recovery Agent
• Windows XP automatically designates the local Administrator as the Recovery Agent

Encrypting File System (continued)
• Primary benefit
  • If your computer is either physically accessed or stolen, the data is protected
• Primary drawback
  • The increased processing power required to encrypt all writes and decrypt all reads on the fly

Encrypting File System (continued)
• Each generation of operating systems uses a different default cryptography algorithm for EFS
  • Windows 2000 EFS uses DESX
  • Windows XP Professional EFS uses 3DES
  • Windows Server 2003 and Windows XP Professional with Service Pack 1 EFS:
    • Use AES by default
    • Support 3DES and DESX

Simple File Sharing
• Used when quick and easy file sharing is needed from a Windows XP Professional system
• Offers a limited range of configuration options for shared resources
• Effective only when Windows XP is a member of a workgroup
Managing Shared Folders
• The Sharing tab, found on both FAT/FAT32 and NTFS folder Properties dialog boxes, offers the following controls:
  • Do not share this folder
  • Share this folder
  • Share name
  • User limit
  • Permissions
Managing Shared Folders (continued)
• Issues when working with shares
  • Permission levels are the only way to impose security on shared FAT volumes
  • Shares are folders, not individual files
  • Share permissions apply only to the network access point where the folder resides
  • The default permission for a new share is Full Control for the Everyone group

Managing Shared Folders (continued)
• Issues when working with shares (continued)
  • Multiple share permission levels resulting from group memberships are cumulative
  • Deny always overrides any other specific Allow
  • The most restrictive of the cumulative share permissions and the cumulative NTFS permissions applies
  • Share permissions restrict access only for network users, not local users
Troubleshooting Access and Permission Problems
• To resolve permission or access problems:
  • Determine what valid access the user should have
  • Inspect the resource object’s permissions based on:
    • Groups and the specific user
    • What actions are set to Allow or Deny
  • Inspect the share’s permissions based on:
    • Groups and the specific user
    • What actions are set to Allow or Deny

Troubleshooting Access and Permission Problems (continued)
• To resolve permission or access problems (continued):
  • Inspect the user’s group memberships
  • Attempt to access other resources with the user account from the same computer and from a different computer
  • Attempt to access the problematic resource with the Administrator account from the same computer and from a different computer
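The permission rules from the "Rules for Working with NTFS Permissions" and "Managing Shared Folders" slides, and the inspection order from the troubleshooting steps above, can be turned into a small effective-access calculator. This is an added example, not code from the Guide to MCDST 70-271: the Ace class, the elementary right names (read, write, delete, and so on), the principal set that always includes Everyone, and the sample Reports ACLs are all constructed for illustration.

```python
"""Effective-access calculator for the NTFS and share-permission rules in this
chapter: Allows are cumulative across a user's groups, a Deny overrides any
Allow, share permissions restrict network users only, and for network access the
most restrictive of the cumulative share and cumulative NTFS permissions applies.
Added example, not code from the Guide to MCDST 70-271; the Ace class, the
right names and the sample ACLs are constructed for illustration.
"""
from dataclasses import dataclass

# Standard NTFS permission levels expressed as sets of elementary rights (assumed
# decomposition; the level names are the chapter's).
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"list"},
    "Read & Execute": {"read", "list", "execute"},
    "Modify": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "change_permissions", "take_ownership"},
}

# Share permission levels: Read, Change, Full Control.
SHARE_LEVELS = {
    "Read": {"read", "list", "execute"},
    "Change": {"read", "list", "execute", "write", "delete"},
    "Full Control": NTFS_LEVELS["Full Control"],
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee (user or group), a level, Allow or Deny."""
    trustee: str
    level: str
    deny: bool = False


def split_rights(aces, principals, levels):
    """Collect the rights every matching Allow grants and every matching Deny removes."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee in principals:
            (denied if ace.deny else allowed).update(levels[ace.level])
    return allowed, denied


def cumulative(aces, principals, levels):
    """Cumulative permissions across the user and all groups, Deny overriding Allow."""
    allowed, denied = split_rights(aces, principals, levels)
    return allowed - denied


def effective_rights(user, groups, ntfs_acl, share_acl=None, via_network=False):
    """Rights `user` (a member of `groups`) ends up with on an object.

    Locally only the NTFS ACL matters. Over the network the result is the
    intersection (the most restrictive) of the cumulative NTFS rights and the
    cumulative share rights.
    """
    principals = {user, "Everyone", *groups}
    rights = cumulative(ntfs_acl, principals, NTFS_LEVELS)
    if via_network and share_acl is not None:
        rights &= cumulative(share_acl, principals, SHARE_LEVELS)
    return rights


def diagnose(user, groups, ntfs_acl, share_acl, wanted, via_network=True):
    """Walk the chapter's troubleshooting order and name the layer that blocks `wanted`.

    Returns one of "ntfs-deny", "ntfs-missing", "share-deny", "share-missing", "ok".
    """
    principals = {user, "Everyone", *groups}
    allowed, denied = split_rights(ntfs_acl, principals, NTFS_LEVELS)
    if wanted in denied:
        return "ntfs-deny"          # explicit Deny on the user or one of the groups
    if wanted not in allowed:
        return "ntfs-missing"       # nothing grants it: check group memberships
    if via_network:
        s_allowed, s_denied = split_rights(share_acl, principals, SHARE_LEVELS)
        if wanted in s_denied:
            return "share-deny"
        if wanted not in s_allowed:
            return "share-missing"  # NTFS allows it, the share does not
    return "ok"


# Constructed sample: a Reports folder whose share permission was changed from
# the default (Everyone Full Control) to Everyone Read; Sales members may modify
# the folder, Temps are explicitly denied writes.
REPORTS_NTFS = [
    Ace("Everyone", "Read"),
    Ace("Sales", "Modify"),
    Ace("Temps", "Write", deny=True),
]
REPORTS_SHARE = [Ace("Everyone", "Read")]
DEFAULT_SHARE = [Ace("Everyone", "Full Control")]   # what a new share gets by default

if __name__ == "__main__":
    for who, grp in (("alice", {"Sales"}), ("bob", {"Sales", "Temps"}), ("carol", set())):
        print(who, "local:", sorted(effective_rights(who, grp, REPORTS_NTFS)))
        print(who, "network write:", diagnose(who, grp, REPORTS_NTFS, REPORTS_SHARE, "write"))
```

Running it shows the three typical outcomes a help-desk call produces: alice can write locally but not through the share (the share, not NTFS, is the restriction), bob is stopped by the Deny on Temps even though Sales grants Modify, and carol is simply not granted write by any entry, which is the cue to check her group memberships.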
Troubleshooting Access and Permission Problems (continued)
• Guidelines when designing permission levels
  • Grant permission only as needed
  • Rely upon NTFS to restrict access
  • Grant Full Control only when necessary, even on shares
  • Change permissions at the folder level; allow changes to affect all child elements

Auditing for Security
• Auditing
  • The security process that records the occurrence of specific operating system events
• Events
  • Significant occurrences in the system that require users to be notified or a log entry to be added
  • Can provide valuable information about:
    • Security breaches
    • Resource activity
    • User adeptness
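The audit events the slide describes are only useful if someone reads them, so here is an added example (not from the Guide to MCDST 70-271) of the kind of check a support technician can run over exported object-access records: count failed accesses per account, list the objects an account was refused, and flag a burst of failures in a short window. The log lines are constructed for this example; they mimic a one-line rendering of Windows XP "Object Open" entries (event ID 560), but the field names and layout are an assumption of this example, not the Event Viewer's own export format.

```python
"""Scan object-access audit records for failed access attempts. Added example,
not from the Guide to MCDST 70-271. SAMPLE_LOG is constructed to mimic a
one-line rendering of Windows XP "Object Open" (event ID 560) entries; the
field names and layout are an assumption of this example, not Event Viewer's
own format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = """\
2004-03-12 09:14:05 Success Audit 560 User=CORP\\alice Object=D:\\Reports\\q1.xls Access=ReadData
2004-03-12 09:14:09 Failure Audit 560 User=CORP\\bob Object=D:\\Reports\\q1.xls Access=WriteData
2004-03-12 09:14:11 Failure Audit 560 User=CORP\\bob Object=D:\\Reports\\q2.xls Access=WriteData
2004-03-12 09:14:12 Failure Audit 560 User=CORP\\bob Object=D:\\Reports\\q3.xls Access=WriteData
2004-03-12 09:14:13 Failure Audit 560 User=CORP\\bob Object=D:\\Reports\\payroll.xls Access=ReadData
2004-03-12 09:30:00 Failure Audit 560 User=CORP\\carol Object=D:\\Reports\\q1.xls Access=WriteData
2004-03-12 10:05:00 Success Audit 560 User=CORP\\alice Object=D:\\Reports\\q1.xls Access=WriteData
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<outcome>Success|Failure) Audit (?P<event>\d+) "
    r"User=(?P<user>\S+) Object=(?P<obj>\S+) Access=(?P<access>\S+)$"
)


def parse_log(text):
    """Turn the text log into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["event"] = int(rec["event"])
        records.append(rec)
    return records


def failures_by_user(records):
    """Resource-activity view: how many failed object opens each account produced."""
    return Counter(r["user"] for r in records if r["outcome"] == "Failure")


def objects_denied(records, user):
    """Which objects a given account was refused access to."""
    return sorted({r["obj"] for r in records
                   if r["outcome"] == "Failure" and r["user"] == user})


def burst_failures(records, threshold=3, window=timedelta(minutes=1)):
    """Flag accounts with `threshold` or more failures inside any `window`.

    One failure is usually a permissions mistake; a run of failures against
    several objects in a few seconds is the pattern worth a closer look.
    """
    per_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "Failure":
            per_user[r["user"]].append(r["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per user:", dict(failures_by_user(recs)))
    for user, count in burst_failures(recs):
        print(f"{user}: {count} failures in one minute, denied on {objects_denied(recs, user)}")
```

Object-access auditing only produces these records when the audit policy for object access is enabled and the folder carries an auditing entry for the accounts and actions of interest, so an empty result from this scan does not by itself mean nothing was attempted.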
Summary
• Windows XP
  • Can participate as a client in workgroup and domain networks
  • Supports the FAT/FAT32 and NTFS file systems
• Local and network access to NTFS-hosted resources
  • Controlled through the use of permissions
• Compression
  • Reduces the amount of drive space that some files consume

Summary (continued)
• File encryption
  • Used to restrict access to files and folders to a specific user account
• Sharing file resources can be done through
  • Simple file sharing for workgroup members, or
  • Classic file sharing for domain members
• Troubleshooting access and permissions involves verifying that users are members of the correct groups