Configuring and Managing Resource Access Lecture 5
Folder and File Security • Access Control List (ACL) – list of privileges given to a user account or a group • DACL – discretionary ACL – configured by an admin or owner • SACL – system ACL – contains information for auditing access
Folder and File Attributes • Read-only • Hidden • Extended attributes: Archive, Index (not Windows Search Service), Compress, Encrypt
Folder and File Permissions • Permissions (NTFS) control access to an object • DACL
NTFS permissions • NTFS permissions are specified in the object’s ACL and are used to control access to the object • Two categories of permissions: Standard and Special • Standard permissions are pre-set, frequently used permissions for objects • Special permissions provide finer granularity for file/folder security
NTFS permissions • NTFS permissions can be assigned by an owner, a user with Full Control, or a user with Change Permissions. Also, a user with Take Ownership permission can take ownership of the file/folder and then change permissions.
Standard NTFS Permissions • Read • Read & Execute • List Folder Contents • Write • Modify • Full Control
Folder and File Auditing • Auditing tracks access to folders and files • Audited events are recorded in the Windows Server 2008 Security Log in Event Viewer
Folder and File ownership • An owner is the person who creates a folder/file. • Owner can change permissions • Ownership can be transferred to a user with Full Control or Take Ownership permissions • Administrators can always take ownership
New, Moved and Copied files and folders permissions • When a file or folder is moved or copied, it will inherit the destination folder permissions. • The only exception is when a file/folder is moved within the same NTFS volume - then it will retain its original permissions.
Shared Folders and Permissions • Shared folder gives users access over the network • In Server 2008 sharing is more secure (not shared with Everyone by default)
Shared Folder Permissions • Share permissions are different from NTFS (NTFS and share permissions are cumulative) • Deny permissions take precedence • Shared folders can be cached • Shared folders can be published in AD
Shared Folder Permissions • Reader (former Read) • Contributor (former Change) • Co-owner (former Full Control) • Owner
Effective permissions • User and Group NTFS permissions combine for the least restrictive combination, except where Deny overrides Allow. Files may have different permissions than their parent folder. • When combining share and NTFS permissions, always choose the MOST restrictive combination
Effective NTFS permissions • Step 1: Determine the effective share permission by choosing the least restrictive of all share permissions. The exception is that a Deny permission overrides Allow. • Step 2: Determine the effective NTFS permission by choosing the least restrictive of all NTFS permissions. The exception is that a Deny permission overrides Allow. • Step 3: Combine the results of steps 1 and 2 and choose the MOST restrictive permission out of share and NTFS. If there is no overlap, no permissions are effective.
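The three steps above, worked through as an added Python example (not part of the original lecture). The expansion of each permission level into basic rights, the group names and the ACL entries are simplified, constructed assumptions; real Windows access checks also consider details such as inherited versus explicit entries, which this model ignores.

```python
# Simplified model (assumption): each permission level expands to a set of basic rights.
FULL = {"read", "execute", "write", "delete", "change_permissions"}
NTFS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": set(FULL),
}
SHARE = {
    "Reader": {"read", "execute"},
    "Contributor": {"read", "execute", "write", "delete"},
    "Co-owner": set(FULL),
}

def combine(acl, levels, memberships):
    """Steps 1 and 2: least restrictive of all matching Allow entries, then Deny overrides."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in memberships:
            continue  # entry does not apply to this user or any of their groups
        (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied

def effective(share_acl, ntfs_acl, memberships):
    """Step 3: most restrictive combination, i.e. rights granted by BOTH layers."""
    return combine(share_acl, SHARE, memberships) & combine(ntfs_acl, NTFS, memberships)

# Constructed sample ACLs: (principal, "allow" or "deny", permission level)
SHARE_ACL = [("Users", "allow", "Reader"), ("Sales", "allow", "Contributor")]
NTFS_ACL = [
    ("Users", "allow", "Read & Execute"),
    ("Sales", "allow", "Modify"),
    ("Interns", "deny", "Write"),
]
ALICE = {"alice", "Users", "Sales"}             # Sales grants the wider rights
CAROL = {"carol", "Users", "Sales", "Interns"}  # Deny Write overrides Modify's write

if __name__ == "__main__":
    for name, groups in (("alice", ALICE), ("carol", CAROL)):
        print(name, sorted(effective(SHARE_ACL, NTFS_ACL, groups)))
    # No overlap between the layers: share allows reading, NTFS allows only writing.
    print(effective([("Users", "allow", "Reader")],
                    [("Users", "allow", "Write")], {"Users"}))
```

Carol's case is the one to watch when troubleshooting: a single Deny inherited through one group removes a right that two other groups grant.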
Troubleshooting Permissions Problems • When permissions are granted through group membership, a user needs to log off and log back on • Watch out for “Deny” Permissions • Watch out for individual folder permissions • Watch out for a conflicting combination of NTFS/Shared permissions • File permissions change after being moved/copied
Distributed File Services • A way to combine multiple shared folders on different servers into one hierarchy (under 1 root) • Stand-alone – only exists on 1 server • Domain-based – allows fault-tolerance and load balancing, as well as using AD for copying a folder to multiple targets