# MCSE Windows Server 2003 - P5

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50



Document description

MCSE Windows Server 2003 - P5: Windows Server 2003 is, of course, more secure, more reliable, more available, and easier to administer than any previous version of Windows. Let’s take a close look at the platform and how it compares to Microsoft Windows 2000. This lesson provides a brief overview of the Windows Server 2003 family, focusing on the differences among the product editions: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition.


## Text content: MCSE Windows Server 2003 - P5

Chapter 6: Files and Folders

### Lesson 1: Setting Up Shared Folders

We would not have networks, or our jobs, if organizations did not find it valuable to provide access to information and resources stored on one computer to users of another computer. Creating a shared folder to provide such access is therefore among the most fundamental tasks for any network administrator. Windows Server 2003 shared folders are managed with the Shared Folders snap-in.

After this lesson, you will be able to

- Create a shared folder with Windows Explorer and the Shared Folders snap-in
- Configure permissions and other properties of shared folders
- Manage user sessions and open files

Estimated lesson time: 15 minutes

#### Sharing a Folder

Sharing a folder configures the File And Printer Sharing For Microsoft Networks service (also known as the Server service) to allow network connections to that folder and its subfolders by clients running the Client For Microsoft Networks (also known as the Workstation service). You certainly have shared a folder using Windows Explorer by right-clicking a folder, choosing Sharing And Security, and selecting Share This Folder.

However, the familiar Sharing tab of a folder’s properties dialog box in Windows Explorer is available only when you configure a share while logged on to a computer interactively or through terminal services. You cannot share a folder on a remote system using Windows Explorer. Therefore, you will examine the creation, properties, configuration, and management of a shared folder using the Shared Folders snap-in, which can be used on both local and remote systems.

When you open the Shared Folders snap-in, either as a custom MMC console snap-in or as part of the Computer Management or File Server Management consoles, you will immediately notice that Windows Server 2003 has several default administrative shares already configured. These shares provide connection to the system directory (typically, `C:\Windows`) as well as to the root of each fixed hard disk drive. Each of these shares uses the dollar sign ($) in the share name. The dollar sign at the end of a share name configures the share as a hidden share that will not appear on browse lists, but that you may connect to with a Universal Naming Convention (UNC) in the form `\\servername\sharename$`. Only administrators can connect to the administrative shares.

To share a folder on a computer, connect to the computer using the Shared Folders snap-in by right-clicking the root Shared Folders node and choosing Connect To Another Computer. Once the snap-in is focused on the computer, click the Shares node and, from the shortcut or Action menu, choose New Share. The important pages and settings exposed by the wizard are

- **The Folder Path page** Type the path to the folder on the local hard drives so, for example, if the folder is located on the server’s D drive, the folder path would be `D:\foldername`.
- **The Name, Description, and Settings page** Type the share name. If your network has any down-level clients (those using DOS-based systems), be sure to adhere to the 8.3 naming convention to ensure their access to the shares. The share name will, with the server name, create the UNC to the resource, in the form `\\servername\sharename`. Add a dollar sign to the end of the share name to make the share a hidden share. Unlike the built-in hidden administrative shares, hidden shares that are created manually can be connected to by any user, restricted only by the share permissions on the folder.
- **The Permissions page** Select the appropriate share permissions.

#### Managing a Shared Folder

The Shares node in the Shared Folders snap-in lists all shares on a computer and provides a context menu for each share that enables you to stop sharing the folder, open the share in Windows Explorer, or configure the share’s properties. All the properties that you are prompted to fill out by the Share A Folder Wizard can be modified in the share’s Properties dialog box, illustrated in Figure 6-1.

Figure 6-1 The General tab of a shared folder
The Properties tabs in the dialog box are

- **General** The first tab provides access to the share name, folder path, description, the number of concurrent user connections, and offline files settings. The share name and folder path are read-only. To rename a share, you must first stop sharing the folder then create a share with the new name.
- **Publish** If you select Publish This Share In Active Directory (as shown in Figure 6-2), an object is created in Active Directory to represent the shared folder. The object’s properties include a description and keywords. Administrators can then locate the shared folder based on its description or keywords, using the Find Users, Contacts and Groups dialog box. By selecting Shared Folders from the Find drop-down list, this dialog box becomes the Find Shared Folders dialog box shown in Figure 6-3.
- **Share Permissions** The Share Permissions tab allows you to configure share permissions.
- **Security** The Security tab allows you to configure NTFS permissions for the folder.

Figure 6-2 The Publish tab of a shared folder
Figure 6-3 Searching for a shared folder

#### Configuring Share Permissions

Available share permissions are listed in Table 6-1. While share permissions are not as detailed as NTFS permissions, they allow you to configure a shared folder for fundamental access scenarios: Read, Change, and Full Control.

Table 6-1 Share Permissions

| Permissions | Description |
|---|---|
| Read | Users can display folder names, file names, file data and attributes. Users can also run program files and access other folders within the shared folder. |
| Change | Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform actions permitted by the Read permission. |
| Full Control | Users can change file permissions, take ownership of files, and perform all tasks allowed by the Change permission. |

Share permissions can be allowed or denied. The effective set of share permissions is the cumulative result of the Allow permissions granted to a user and all groups to which that user belongs. If, for example, you are a member of a group that has Read permission and a member of another group that has Change permission, your effective permissions are Change. However, a Deny permission will override an Allow permission. If, on the other hand, you are in one group that has been allowed Read access and in another group that has been denied Full Control, you will be unable to read the files or folders in that share.
… viable option for access control, means that you must understand share permissions to meet the objectives of the MCSA and MCSE exams. Of particular importance are scenarios in which both share permissions and NTFS permissions are applied to a resource, in which case the most restrictive effective permission set becomes the effective permissions set for the resource when it is accessed by a Client For Microsoft Networks service.

So pay attention to share permissions. Learn their nuances. Know how to evaluate effective permissions in combination with NTFS permissions. Then configure your shares according to your organization’s guidelines, which will most likely be, unlike the new default share permission in Windows Server 2003, to allow Everyone Full Control.

#### Managing User Sessions and Open Files

Occasionally, a server must be taken offline for maintenance, backups must be run, or other tasks must be performed that require users to be disconnected and any open files to be closed and unlocked. Each of these scenarios will use the Shared Folders snap-in.

The Sessions node of the Shared Folders snap-in allows you to monitor the number of users connected to a particular server and, if necessary, to disconnect the user. The Open Files node enumerates a list of all open files and file locks for a single server, and allows you to close one open file or disconnect all open files.

Before you perform any of these actions, it is useful to notify the user that the user will be disconnected, so that the user has time to save any unsaved data. You can send a console message by right-clicking the Shares node. Messages are sent by the Messenger Service using the computer name, not the user name. The default state of the Messenger service in Windows Server 2003 is disabled. The Messenger service must be configured for Automatic or Manual startup and must be running before a computer can send console messages.
#### Practice: Setting Up Shared Folders

In this practice, you will configure a shared folder and modify the share permissions. You will then connect to the share and simulate the common procedures used before taking a server offline.

##### Exercise 1: Share a Folder

1. Create a folder on your C drive called Docs. Do not share the folder yet.
2. Open the Manage Your Server page from Administrative Tools.
2. A folder is shared on a FAT32 volume. The Project Managers group is given Allow Full Control permission. The Project Engineers group is given Allow Read permission. Julie belongs to the Project Engineers group. She is promoted and is added to the Project Managers group. What are her effective permissions to the folder?
3. A folder is shared on a NTFS volume, with the default share permissions. The Project Managers group is given Allow Full Control NTFS permission. Julie, who belongs to the Project Managers group, calls to report problems creating files in the folder. Why can’t Julie create files?

#### Lesson Summary

- Windows Explorer can only be used to configure shares on a local volume. This means you must be logged on locally (interactively) to the server, or using Remote Desktop (terminal services) to use Explorer to manage shares.
- The Shared Folders snap-in allows you to manage shares on a local or remote computer.
- You can create a hidden share that does not appear on browse lists by adding a dollar sign ($) to the end of the share name. Connections to the share use the UNC format: `\\servername\sharename$`.
- Share permissions define the maximum effective permissions for all files and folders accessed by the Client for Microsoft Networks connection to the shared folder.
- Share permissions do not apply to local (interactive), terminal services, IIS, or other types of access.
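The evaluation rules from this lesson, as an added example that is not part of the original text: Allow permissions accumulate across a user's groups, Deny overrides Allow, network access gets the most restrictive of the share and NTFS permissions, and local access ignores share permissions. Rights are modelled as named strings rather than real access masks, and every group, user and ACL entry is constructed for illustration.

```python
# Simplified model: rights are named strings, not real Windows access masks.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}
TEMPLATES = [("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)]


def evaluate_acl(acl, token):
    """Rights one ACL grants to a token.

    acl   -- list of (trustee, "allow" | "deny", rights) entries
    token -- set of the user's account and group names (stand-ins for SIDs)
    """
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in token:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)  # Allow accumulates, Deny overrides


def effective_rights(share_acl, ntfs_acl, token, via_network=True):
    """Combine share and NTFS permissions for one access path."""
    ntfs = evaluate_acl(ntfs_acl, token)
    if not via_network:
        return ntfs  # local or terminal services logon: share ACL is skipped
    return evaluate_acl(share_acl, token) & ntfs  # most restrictive set wins


def label(rights):
    """Name the largest template fully covered by a set of rights."""
    for name, template in TEMPLATES:
        if template <= rights:
            return name
    return "No access"


# Constructed sample data: groups, users and entries are illustrative.
SHARE_ACL = [
    ("Sales", "allow", READ),
    ("Sales Managers", "allow", CHANGE),
    ("Contractors", "deny", FULL_CONTROL),
]
NTFS_ACL = [
    ("Sales", "allow", READ),
    ("Sales Managers", "allow", FULL_CONTROL),
]
ALICE = {"alice", "Sales", "Sales Managers"}
BOB = {"bob", "Sales", "Contractors"}

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB)):
        for via_network in (True, False):
            path = "network" if via_network else "local"
            rights = effective_rights(SHARE_ACL, NTFS_ACL, token, via_network)
            print(f"{name:6} {path:8} {label(rights)}")
```

In the sample, the share-level Deny blocks bob over the network but not when he is logged on at the server, so a restriction that must hold on every access path belongs in the NTFS ACL.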
### Lesson 2: Configuring File System Permissions

Windows servers support granular or detailed control of access to files and folders through NTFS. Resource access permissions are stored as access control entries (ACEs) on an ACL that is part of the security descriptor of each resource. When a user attempts to access a resource, the user’s security access token, which contains the security identifiers (SIDs) of the user’s account and group accounts, is compared to the SIDs in the ACEs of the ACL. This process of authorization has not changed fundamentally since Windows NT was introduced. However, the details of the implementation of authorization, the tools available to manage resource access, and the specificity with which you can configure access have changed with each release of Windows.

This lesson will explore the nuances and new features of Windows Server 2003’s resource access control. You will learn how to use the ACL editor to manage permissions templates, inheritance, special permissions, and how to evaluate resulting effective permissions for a user or group.

After this lesson, you will be able to

- Configure permissions with the Windows Server 2003 ACL editor
- Manage ACL inheritance
- Evaluate resulting, or effective permissions
- Verify effective permissions
- Change ownership of files and folders
- Transfer ownership of files and folders

Estimated lesson time: 30 minutes

#### Configuring Permissions

Windows Explorer is the most common tool used to initiate management of resource access permissions, both on a local volume as well as on a remote server. Unlike shared folders, Windows Explorer can configure permissions locally and remotely.

##### The Access Control List Editor

As in earlier versions of Windows, security can be configured for files and folders on any NTFS volume by right-clicking the resource and choosing Properties (or Sharing And Security) then clicking the Security tab. The interface that appears has many aliases; it has been called the Permissions dialog box, the Security Settings dialog box, the Security tab or the Access Control List editor (ACL editor). Whatever you call it, it looks the same. An example can be seen in the Security tab of the Docs Properties dialog box, as shown in Figure 6-4.
Figure 6-4 The ACL editor in the Docs Properties dialog box

Prior to Windows 2000, permissions were fairly simplistic, but with Windows 2000 and later versions, Microsoft enabled significantly more flexible and powerful control over resource access. With more power came more complexity, and now the ACL editor has three dialog boxes, each of which supports different and important functionality.

The first dialog box provides a “big picture” view of the resource’s security settings or permissions, allowing you to select each account that has access defined and to see the permissions templates assigned to that user, group, or computer. Each template shown in this dialog box represents a bundle of permissions that together allow a commonly configured level of access. For example, to allow a user to read a file, several granular permissions are needed. To mask that complexity, you can simply apply the Allow:Read & Execute permissions template and, behind the scenes, Windows sets the correct file or folder permissions.

To view more details about the ACL, click Advanced, which exposes the second of the ACL editor’s dialog boxes, the Advanced Security Settings For Docs dialog box, as shown in Figure 6-5. This dialog box lists the specific access control entries that have been assigned to the file or folder. The listing is the closest approximation in the user interface to the actual information stored in the ACL itself. The second dialog also enables you to configure auditing, manage ownership, and evaluate effective permissions.
Figure 6-5 The ACL editor’s Advanced Security Settings dialog box

If you select a permission in the Permission Entries list and click Edit, the ACL editor’s third dialog box appears. This Permission Entry For Docs dialog box, shown in Figure 6-6, lists the detailed, most granular permissions that comprise the permissions entry in the second dialog box’s Permissions Entries list and the first dialog box’s Permissions For Users list.

Figure 6-6 The ACL editor’s Permission Entry dialog box

**Exam Tip** The Shared Folders snap-in also allows you to access the ACL editor. Open the properties of a shared folder and click the Security tab.
Network represents a connection from the network, for example a Windows system running Client for Microsoft Networks.

#### Permissions Templates and Special Permissions

Permissions templates, visible on the Security tab in the first dialog box, are bundles of special permissions, which are fully enumerated in the third dialog box, Permissions Entry For Docs. Most of the templates and special permissions are self-explanatory, while others are beyond the scope of this book. However, the following points are worth noting:

- **Read & Execute** This permissions template is sufficient to allow users to open and read files and folders. Read & Execute will also allow a user to copy a resource, assuming they have permission to write to a target folder or media. There is no permission in Windows to prevent copying. Such functionality will be possible with Digital Rights Management technologies as they are incorporated into Windows platforms.
- **Write and Modify** The Write permissions template applied to a folder allows users to create a new file or folder (when applied to a folder) and, when applied to a file, to modify the contents of a file as well as its attributes (hidden, system, read-only) and extended attributes (defined by the application responsible for the document). The Modify template adds the permission to delete the object.
- **Change Permissions** After modifying ACLs for a while, you might wonder who can modify permissions. The answer is, first, the owner of the resource. Ownership will be discussed later in this lesson. Second, any user who has an effective permission that allows Change Permission can modify the ACL on the resource. The Change Permission must be managed using the ACL editor’s third dialog box, Permission Entry For Docs. It is also included in the Full Control permission template.
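An added example, not from the book: the templates above treated as bundles of special permissions, decoded from an NTFS access mask, together with a check for who can modify the ACL (the owner, plus any Allow entry carrying Change Permissions). The bit values are the standard Windows file access rights rather than values given on this page; the trustees, owner and sample masks are constructed, and Deny entries and group membership are not modelled.

```python
# Standard Windows file access-right bits (from the Windows SDK, not this page).
RIGHTS = {
    0x000001: "List Folder / Read Data",
    0x000002: "Create Files / Write Data",
    0x000004: "Create Folders / Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder / Execute File",
    0x000040: "Delete Subfolders and Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
    0x100000: "Synchronize",
}
WRITE_DAC = 0x040000  # the Change Permissions special permission

# Templates as bundles of the bits above, largest first.
TEMPLATES = [
    ("Full Control", 0x1F01FF),
    ("Modify", 0x1301BF),
    ("Read & Execute", 0x1200A9),
    ("Read", 0x120089),
]


def describe(mask):
    """Return (template, extras): the largest template fully contained in
    mask, plus the special permissions granted beyond that template."""
    base_name, base_bits = None, 0
    for name, bits in TEMPLATES:
        if mask & bits == bits:
            base_name, base_bits = name, bits
            break
    extras = [text for bit, text in RIGHTS.items()
              if mask & bit and not base_bits & bit]
    return base_name, extras


def can_change_acl(owner, allow_aces):
    """Trustees able to modify the ACL: the owner first, then every trustee
    whose Allow entry carries Change Permissions (alone or in Full Control)."""
    holders = [owner]
    for trustee, mask in allow_aces:
        if mask & WRITE_DAC and trustee not in holders:
            holders.append(trustee)
    return holders


# Constructed sample: trustees, owner and masks are illustrative.
SAMPLE_ACES = [
    ("Administrators", 0x1F01FF),
    ("Users", 0x1200A9),
    ("Helpdesk", 0x1301BF | WRITE_DAC),  # Modify plus one special permission
]

if __name__ == "__main__":
    for trustee, mask in SAMPLE_ACES:
        print(trustee, hex(mask), describe(mask))
    print("Can change the ACL:", can_change_acl("jsmith", SAMPLE_ACES))
```

The Helpdesk entry shows in the first ACL editor dialog box as Modify with special permissions, and only the decoded mask reveals that it also lets the group rewrite the ACL.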
#### Inheritance

Windows Server 2003 supports permissions inheritance, which simply means that permissions applied to a folder will, by default, apply to the files and folders beneath that folder. Any change to the parent’s ACL will similarly affect all contents of that folder. Inheritance enables you to create single points of administration, managing a single ACL on a branch or resources under a folder.

##### Understanding Inheritance

Inheritance is the result of two characteristics of a resource’s security descriptor. First, permissions are, by default, inheritable. As previously shown in Figure 6-5, the permission Allow Users to Read & Execute is specified to Apply to: This folder, subfolders,