Module 4: Managing Access to Resources in Active Directory® Domain Services
Module Overview • Managing Access Overview • Managing NTFS File and Folder Permissions • Assigning Permissions to Shared Resources • Determining Effective Permission
Lesson 1: Managing Access Overview • What Are Security Principals? • What Are Access Tokens? • What Are Permissions? • How Access Control Works
What Are Security Principals?
Security Principal - A user, group, or computer object that can be used for authentication and to assign access to resources.
Relative ID (RID) - The part of a security ID (SID) that uniquely identifies an account or group within a domain.
Security ID (SID) - A unique value assigned when a user, computer or security group is created. Internal processes in Windows refer to an account’s SID instead of the account's user or group name.
Example: the SID S-1-5-21-1454471165-1004336348-1606980848-5555 consists of the domain ID S-1-5-21-1454471165-1004336348-1606980848 and the RID 5555.
What Are Access Tokens?
A user's access token contains: the user SID, the group SIDs, the list of user rights, and other access information.
What Are Permissions?
How are permissions assigned?
Allow or deny permissions can be assigned to a resource (folder, printer, file)
Permissions:
• Are rules to grant or deny access to an object
• Are used to control access
Permissions can be assigned to accounts from the local computer or from AD DS
Permissions can be applied explicitly, implicitly, or through inheritance
How Access Control Works
Discretionary Access Control List (DACL): contains a list of users and groups that can access, or have been denied access to, the resource. Every file and folder on an NTFS volume has an associated DACL.
System Access Control List (SACL): controls auditing of access to the resource.
Access Control Entry (ACE): defines each entry in a DACL or SACL and specifies the SIDs that are to be allowed, denied, or audited. If no ACE is specified within a DACL, access to the resource is denied.
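As an added example (not part of the course materials), the following Windows PowerShell script lists every ACE in a folder's DACL and breaks each principal's SID into its domain identifier and RID, tying the security-principal and access-control slides together. The path C:\Data is a placeholder.

```powershell
# Added example: report the DACL of a folder, one row per ACE, with the
# principal's SID split into domain identifier and RID.
# Assumes Windows PowerShell on an NTFS volume; C:\Data is a placeholder path.
function Get-DaclReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path   # DACL only; add -Audit to read the SACL (needs SeSecurityPrivilege)

    # A DACL with no ACEs at all denies everyone, as the slide states
    if ($acl.Access.Count -eq 0) {
        Write-Warning "DACL of $Path contains no ACEs: access is denied to all"
    }

    foreach ($ace in $acl.Access) {
        # Windows stores the SID in the ACE; the account name is resolved for display only
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

        # RID = last sub-authority; AccountDomainSid is $null for built-in and
        # well-known principals (e.g. S-1-5-32-544, S-1-5-18), which have no domain part
        $rid      = $sid.Value.Split('-')[-1]
        $domainId = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(none: built-in/well-known)' }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            SID       = $sid.Value
            DomainID  = $domainId
            RID       = $rid
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited         # $false = explicit ACE set on this object
            AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
        }
    }
}

# Deny ACEs first, matching the order in which Windows evaluates a canonical DACL
Get-DaclReport -Path 'C:\Data' | Sort-Object Type -Descending | Format-Table -AutoSize
```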
Lesson 2: Managing NTFS File and Folder Permissions • What Are NTFS Permissions? • What Are Standard and Special Permissions? • What Is NTFS Permissions Inheritance? • Effects on NTFS Permissions When Copying and Moving Files and Folders
What Are NTFS Permissions?
File permissions: Read, Write, Read & Execute, Modify, Full Control
Folder permissions: Read, Write, List Folder Contents, Read & Execute, Modify, Full Control
Deny Permissions take precedence over Allow Permissions
What Are Standard and Special Permissions?
Special permissions: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, Synchronize
Standard permissions: Read, Write, List Folder Contents, Read & Execute, Modify, Full Control
What Is NTFS Permissions Inheritance?
Permission inheritance can be blocked
Inheritance is used to manage access to resources without assigning explicit permissions to each object
By default, NTFS permissions are inherited in a parent/child relationship
Blocking can be performed at the file or folder level
Blocking on a folder can be set to propagate the new permissions to child objects
Demonstration: Configuring NTFS Permissions
In this demonstration, you will see how to:
• Configure NTFS permissions
Effects on NTFS Permissions When Copying and Moving Files and Folders
• When you copy files and folders, they inherit the permissions of the destination folder
• When you move files and folders within the same partition, they keep their permissions
• When you move files and folders to a different partition, they inherit the permissions of the destination folder
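The three rules above, demonstrated in an added PowerShell script that is not part of the course: it copies one file and moves another into a folder with a distinctive ACE and then compares the ACLs. Paths under C:\PermDemo are placeholders, and the script needs rights to change ACLs there.

```powershell
# Added example: compare the ACL of a copied file with that of a file moved within
# the same NTFS partition. C:\PermDemo\Source and C:\PermDemo\Dest are placeholders
# created by the script.
$Root = 'C:\PermDemo'
$Src  = "$Root\Source"
$Dst  = "$Root\Dest"
New-Item -ItemType Directory -Path $Src, $Dst -Force | Out-Null

# Put an explicit, inheritable Modify ACE on Dest only, so anything that inherits
# from Dest is easy to recognise in the output
$dstAcl = Get-Acl -Path $Dst
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dstAcl.AddAccessRule($rule)
Set-Acl -Path $Dst -AclObject $dstAcl

# Two files created in Source, so both start with Source's inherited ACL
'sample' | Set-Content -Path "$Src\copied.txt"
'sample' | Set-Content -Path "$Src\moved.txt"

Copy-Item -Path "$Src\copied.txt" -Destination $Dst   # copy: a new file, inherits from Dest
Move-Item -Path "$Src\moved.txt"  -Destination $Dst   # move on the same partition: ACL travels with the file

function Show-Aces([string]$File) {
    (Get-Acl -Path $File).Access | ForEach-Object {
        [pscustomobject]@{
            File      = Split-Path -Path $File -Leaf
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

# copied.txt shows the BUILTIN\Users Modify entry inherited from Dest;
# moved.txt does not, because it kept the ACL it had under Source.
# Explicit ACEs survive a same-partition move with any tool; whether stale
# inherited entries are refreshed depends on the tool, so verify with the one you use.
Show-Aces "$Dst\copied.txt"
Show-Aces "$Dst\moved.txt"

# A move to a different partition (e.g. D:\) is a copy followed by a delete, so the
# file inherits from its new parent exactly like copied.txt
```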
Diagram: NTFS partitions C:\, D:\, and E:\, showing copy and move operations within a partition and across partitions
Lesson 3: Assigning Permissions to Shared Resources • What Are Shared Folders? • What Are Administrative Shared Folders? • Shared Folder Permissions • Connecting to Shared Folders • Considerations for Using Shared Folders • Offline File Configuration and Deployment
What Are Shared Folders?
Folders can be shared, but individual files cannot
Shared Folders are folders that allow network access to their contents
By default, the shared folder permission is Full Control for the user who shared the folder
Shared folders can be identified:
• Through the Share and Storage Management MMC console
• In Windows Explorer, by the two-user icon under the folder
• From the command line, with Net Share
• Through Computer Management, under Shared Folders
What Are Administrative Shared Folders?
Administrative Shares:
• Are hidden shares
• Are not displayed when using Net View or in the Network view
Administrators have full permissions
Share permissions cannot be changed
Shared Folder Permissions
Permission Level: Access
Read:
• Allows for viewing of data in files
• Allows for subfolder browsing
• Programs in the shared folder can be executed
• By default, applied to the Everyone group
Change:
• All the permissions in the Read category
• New files and subfolders can be created
• Data in existing files can be modified or removed
• Files and subfolders can be deleted
Full Control:
• All permissions in the Read and Change categories, plus permission to change security settings
Demonstration: Creating Shared Folders
In this demonstration, you will see how to:
• Create shared folders
Connecting to Shared Folders
Access through UNC:
• Naming convention is \\servername\share or \\servername\share\file
• Can be accessed through Windows Explorer, the command line, or programmatically
Access through Network:
• Uses a graphical tool to browse the network for shares
• Works in domain or workgroup mode
• Does not show hidden or administrative shares
Access through mapped drives:
• Use Windows Explorer or the command line to map a drive to \\servername\share
Demonstration: Managing Shared Folders
In this demonstration, you will see how to:
• Manage access to shared folders by using the Share and Storage Management tool
Considerations for Using Shared Folders
When creating shared folders:
Use the most restrictive permissions possible
Avoid assigning permissions to individual users; use groups whenever possible
Remember Full Control lets users modify NTFS permissions. Add groups to the Full Control permission group with caution
Add the Authenticated Users group and remove the Everyone group from the share’s permissions
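The considerations above applied to one department share, as an added example that is not part of the course. The domain WOODGROVE and the groups Sales-Readers and Sales-Editors are placeholders; New-SmbShare and Get-SmbShareAccess come from the SmbShare module (Windows Server 2012 or later), and the equivalent net share command for Windows Server 2008 is given in a comment.

```powershell
# Added example: publish a department folder with restrictive, group-based
# permissions. Placeholders: domain WOODGROVE, groups Sales-Readers and Sales-Editors.
$Path = 'C:\Shares\Sales'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS layer (fine-grained): drop inherited ACEs, then grant to groups only, never
# to individual users. (OI)(CI) makes new files and subfolders inherit each entry.
icacls $Path /inheritance:r `
    /grant 'WOODGROVE\Sales-Readers:(OI)(CI)RX' `
    /grant 'WOODGROVE\Sales-Editors:(OI)(CI)M' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Share layer: Authenticated Users instead of Everyone, and Change rather than
# Full Control for ordinary users. The effective result is the more restrictive
# of the two layers, so editors end up with Modify and readers with Read & Execute.
New-SmbShare -Name 'Sales' -Path $Path `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess   'BUILTIN\Administrators'

# Windows Server 2008 equivalent (no SmbShare module):
#   net share Sales=C:\Shares\Sales /GRANT:"Authenticated Users",CHANGE /GRANT:Administrators,FULL

# Check both layers
Get-SmbShareAccess -Name 'Sales' | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```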
Offline File Configuration and Deployment
When using offline files:
Select a folder at a network location, synchronize, and then disconnect the computer
Make edits to documents on the disconnected computer
Reconnect the computer to the network to update changes
Files are synchronized automatically
Lesson 4: Determining Effective Permission • What Are Effective NTFS Permissions? • Discussion: Applying NTFS Permissions • Effects of Combining Shared Folder and NTFS Permissions • Discussion: Determining Effective NTFS and Shared Folder Permissions • Considerations for Implementing NTFS and Shared Folder Permissions
What Are Effective NTFS Permissions?
NTFS Permissions are cumulative (for example, Read, Write, Execute, and Modify granted separately combine)
Deny takes precedence
Permissions can be applied to a user or a group
File permissions override folder permissions
Creators of files and folders are the owners
Discussion: Applying NTFS Permissions
Scenario 1: Users group has Write for Folder1; Sales group has Read for Folder1
Scenario 2: Users group has Read for Folder1; Sales group has Write for Folder2
Scenario 3: Users group has Modify for Folder1; File2 should only be available to the Sales group with Read permission
Diagram: an NTFS partition containing Folder1, Folder2, File1, and File2; the principals are the Users group, the Sales group, and User1
Demonstration: Evaluating Effective Permissions
In this demonstration, you will see how to:
• Evaluate effective permissions
Effects of Combining Shared Folder and NTFS Permissions
When combining shared folder and NTFS permissions, the most restrictive permission is applied
Both the share and the NTFS File and Folder permissions must have the correct permissions, otherwise the user or group will be implicitly denied access to the resource
Example: If a user or group is given the Share permission of Read and the NTFS permission of Write, the user or group will only be able to read the file because it is the more restrictive permission
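An added PowerShell function, not part of the course, that covers both the cumulative NTFS rules from the previous lesson and the share/NTFS combination described here: it reads the object's DACL, evaluates it for a user plus the groups in that user's access token, and then applies the share permission level as a mask. The path, domain WOODGROVE, User1 and the Sales group are placeholders.

```powershell
# Added example: compute effective access from the NTFS DACL and the share level.
# $Identities = the user plus every group in the user's access token (whoami /groups).
# Simplification: Deny beats Allow regardless of whether an ACE is explicit or
# inherited; Windows evaluates explicit ACEs before inherited ones.
function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Identities,
        [ValidateSet('Read', 'Change', 'Full Control')][string]$ShareLevel = 'Full Control'
    )
    $allowBits = 0
    $denyBits  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowBits = $allowBits -bor [int]$ace.FileSystemRights }
        else                                      { $denyBits  = $denyBits  -bor [int]$ace.FileSystemRights }
    }
    # Cumulative: union of every matching Allow ACE; Deny takes precedence bit by bit
    $ntfsBits = $allowBits -band (-bnot $denyBits)

    # Share permission levels expressed as the NTFS rights they correspond to
    $shareBits = switch ($ShareLevel) {
        'Read'         { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change'       { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'Full Control' { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }

    # Over the network both layers apply, so the result is their intersection:
    # the more restrictive layer wins
    [pscustomobject]@{
        Path       = $Path
        NtfsRights = [System.Security.AccessControl.FileSystemRights]$ntfsBits
        ShareLevel = $ShareLevel
        Effective  = [System.Security.AccessControl.FileSystemRights]($ntfsBits -band $shareBits)
    }
}

# Placeholders: the Sales group holds NTFS Modify on the folder while the share
# grants only Read, so the share level masks the NTFS rights down to Read & Execute
Get-EffectiveAccess -Path 'C:\Shares\Sales' `
    -Identities 'WOODGROVE\User1', 'WOODGROVE\Sales', 'NT AUTHORITY\Authenticated Users' `
    -ShareLevel Read
```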
Discussion: Determining Effective NTFS and Shared Folder Permissions
Class discussion:
• Determine effective NTFS permissions
• Determine shared folder permissions
Diagram 1: NTFS volume with a Users folder (Users Group: FC) containing the folders User1, User2, and User3 (each FC)
Diagram 2: NTFS volume with a Data folder (Sales Group: FC) containing the folders Sales, Pubs, and HR (Sales Group: FC)
FC = Full Control
Considerations for Implementing NTFS and Shared Folder Permissions
Grant permissions to groups instead of users
Use Deny permissions only when necessary
Never deny the Everyone group access to an object
Grant permissions as high in the folder structure as possible
Use NTFS permissions instead of shared permissions for fine-grained access
Lab: Managing Access to Resources
• Exercise 1: Planning a Shared Folder Implementation (Discussion)
• Exercise 2: Implementing a Shared Folder Implementation
• Exercise 3: Evaluating the Shared Folder Implementation
Logon information
Virtual machines: 6419A-NYC-DC1, 6419A-NYC-CL1
User names: Administrator, Sven, Dorena
Password: Pa$$w0rd
Estimated time: 45 minutes
Lab Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS in Windows Server 2008. They have recently opened a new subsidiary in Toronto, Canada. As a network administrator assigned to the new subsidiary, one of your primary tasks will be to create and manage access to resources, including the shared folder implementation. For example, groups that mirror the departmental organization of the bank need shared file storage areas. You must also have shared folders to enable files to be shared during special projects between departments.
Lab Review
• To give several of your colleagues access to a shared folder, what should you do to assign access most efficiently?
• How could you configure a shared folder that would enable a department to share files where everyone could add their files and read those of others, but only a small group of individuals could edit the contents of all the files?
• Why might you want to use Share and Storage Management MMC instead of Windows Explorer to create a shared folder?
Module Review and Takeaways
• Review questions
• Considerations for managing shared folders and NTFS permissions