Managing File and Folder Permissions

You can think of file and folder permissions as the base-level permissions—the permissions that are applied no matter what. For NTFS volumes, you use file and folder permissions and ownership to further constrain actions within the share as well as share permissions. For FAT volumes, share permissions provide the only access controls. The reason for this is that FAT volumes have no file and folder permission capabilities. File and folder permissions are much more complex than share permissions, and to really understand how they can be used and applied, you must understand ownership and inheritance as well as the permissions that are available.

SIDE OUT: Changes to basic file and folder attributes are sometimes necessary

As administrators, we often forget about the basic file and folder attributes that can be assigned. However, basic file and folder attributes can affect access, so let's look at these attributes first and then at the file and folder permissions you can apply to NTFS volumes. All files and folders have basic attributes regardless of whether you are working with FAT or NTFS. These attributes can be examined in Windows Explorer by right-clicking the file or folder icon and then selecting Properties. Folder and file attributes include Hidden and Read-Only. Hidden determines whether the file is displayed in file listings. You can override this by telling Windows Explorer to display hidden files. On NTFS, the Read-Only attribute for folders is initially shown as unavailable. Here, this means the attribute is in a mixed state regardless of the current state of files in the folder. If you override the mixed state by selecting the Read-Only check box for a folder, all files in the folder will be read-only. If you override the mixed state and clear the Read-Only check box for a folder, all files in the folder will be writable.
File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2008, the file or folder owner isn't necessarily the file or folder's creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder. The way ownership is assigned initially depends on where the file or folder is being created. By default, the user who created the file or folder is listed as the current owner. Ownership can be taken or transferred in several ways. Any administrator can take ownership. Any user or group with the Take Ownership permission can take ownership. Any user who has the right to Restore Files And Directories, such as a member of the Backup Operators group, can take ownership as well. Any current owner can transfer ownership to another user as well.
Chapter 17 File Sharing and Security

Taking Ownership of a File or Folder

You can take ownership using a file or folder's Properties dialog box. Right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking Advanced. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17. In the Change Owner To list box, select the new owner. If you're taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. Click OK twice when you are finished.

Figure 17-17 Taking ownership is done by using the Owner tab.

Transferring Ownership

If you are an administrator or a current owner of a file or folder, you can transfer ownership to another user by using a file or folder's Properties dialog box. In Windows Explorer, right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking the Advanced button. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17. Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User, Computer, Or Group dialog box. Under Change Owner To on the Owner tab of the Advanced Security Settings dialog box, the user you added is listed and selected. When you click OK, ownership is transferred to this user.
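As an added example (not from the book), the following PowerShell reports every item under a share whose owner is not an approved principal, which is how ownership problems usually surface after staff changes; the root path, the approved list and the CPANDL\FileAdmins group are placeholders. The commented takeown.exe and icacls.exe lines are the command-line equivalents of the Owner tab actions described above.

```powershell
# Added example, not from the book. Placeholders: $Root and $Approved.
$Root     = 'C:\CorpData'
$Approved = @('BUILTIN\Administrators', 'CPANDL\Domain Admins')

# Walk the tree and read the owner from each item's security descriptor.
# Get-Acl reports the owner as DOMAIN\Name, or as a raw SID string when the
# account no longer resolves (a deleted user: the classic orphaned owner).
$report = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl -and ($Approved -notcontains $acl.Owner)) {
            New-Object PSObject -Property @{ Path = $_.FullName; Owner = $acl.Owner }
        }
    }
$report | Sort-Object Owner | Format-Table Owner, Path -AutoSize

# Taking ownership as an administrator, recursively (the Owner tab with
# Replace Owner On Subcontainers And Objects selected):
#   takeown.exe /F C:\CorpData\Orphaned /A /R /D Y
# Transferring ownership to another user or group afterwards
# (CPANDL\FileAdmins is a placeholder group):
#   icacls.exe C:\CorpData\Orphaned /setowner "CPANDL\FileAdmins" /T
```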
Figure 17-18 Change inheritance as necessary.

Clear the Include Inheritable Permissions From This Object's Parent check box. As shown in Figure 17-19, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permissions and apply only the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate.

Figure 17-19 Copy over or remove the inherited permissions.

Resetting and Replacing Permissions

Another way to manage permissions is to reset the permissions of subfolders and files within a folder, replacing their permissions with the current permissions assigned to the folder you are working with. In this way, subfolders and files get all inheritable permissions from the parent folder and all other explicitly defined permissions on the individual subfolders and files are removed. To reset permissions for subfolders and files of a folder, right-click the file or folder in Windows Explorer, and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab.
Select Replace All Existing Inheritable Permissions…, and then click OK. As shown in Figure 17-20, you will see a prompt explaining that this action will remove all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.

Figure 17-20 Confirm that you want to replace the existing permissions on subfolders and files.

Configuring File and Folder Permissions

On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups.

Basic Permissions

In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 17-21. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in this list, the applicable permissions are shown in the Permissions For list. If permissions are unavailable, it means the permissions are inherited from a parent folder as discussed previously.

Figure 17-21 The Security tab shows the basic permissions assigned to each user or group.
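The three inheritance operations just described (Copy, Remove, and Replace All Existing Inheritable Permissions) as an added PowerShell example that is not from the book; it uses Get-Acl/Set-Acl and the .NET FileSystemSecurity methods, and C:\CorpData\Projects is a placeholder folder.

```powershell
# Added example, not from the book. Placeholder folder: $Folder. Run elevated.
$Folder = 'C:\CorpData\Projects'

# Clear "Include Inheritable Permissions From This Object's Parent" and click Copy:
# the inherited ACEs are converted into explicit ACEs on this folder.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $true)   # isProtected = $true, preserveInheritance = $true
Set-Acl -LiteralPath $Folder -AclObject $acl

# The same, but click Remove: only explicitly set ACEs survive, so add at least
# one Allow entry first or the folder can end up inaccessible to everyone.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $false)  # preserveInheritance = $false drops them
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# "Replace All Existing Inheritable Permissions on All Descendants": re-enable
# inheritance on every subfolder and file and strip their explicit ACEs, so each
# one ends up with exactly the inheritable permissions of $Folder.
Get-ChildItem -LiteralPath $Folder -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$childAcl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}
# The built-in equivalent of the last step is: icacls.exe C:\CorpData\Projects /reset /T
```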
Figure 17-22 The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group.

Read Extended Attributes: Lets you view the extended attributes (named data streams) associated with a file. As discussed in Chapter 16, "Managing Windows Server 2008 File Systems," these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

Create Files/Write Data: Create Files lets you put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).

Create Folders/Append Data: Create Folders lets you create subfolders within folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data because this is covered by Write Data).

Write Attributes: Lets you change the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

Write Extended Attributes: Lets you change the extended attributes (named data streams) associated with a file. As discussed in Chapter 16, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

Delete Subfolders And Files: Lets you delete the contents of a folder. If you have this permission, you can delete the subfolders and files in a folder even if you don't specifically have Delete permission on the subfolder or file.

Delete: Lets you delete a file or folder. If a folder isn't empty and you don't have Delete permission for one of its files or subfolders, you won't be able to delete it. You can do this only if you have the Delete Subfolders And Files permission.
Read Permissions: Lets you read all basic and special permissions assigned to a file or folder.

Change Permissions: Lets you change basic and special permissions assigned to a file or folder.

Take Ownership: Lets you take ownership of a file or folder. By default, administrators can always take ownership of a file or folder and can also grant this permission to others.

Tables 17-3 and 17-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.

Table 17-3 Special Permissions for Folders

Special Permissions           Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File  X             X       X               X
List Folder/Read Data         X             X       X               X                     X
Read Attributes               X             X       X               X                     X
Read Extended Attributes      X             X       X               X                     X
Create Files/Write Data       X             X                                                   X
Create Folders/Append Data    X             X                                                   X
Write Attributes              X             X                                                   X
Write Extended Attributes     X             X                                                   X
Delete Subfolders And Files   X
Delete                        X             X
Read Permissions              X             X       X               X                     X     X
Change Permissions            X
Take Ownership                X
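Table 17-3 can be derived rather than memorized: the following PowerShell, an added example that is not from the book, tests each atomic right against the bit mask of each basic permission in the .NET FileSystemRights enumeration that Get-Acl and Set-Acl use, and prints the same grid.

```powershell
# Added example, not from the book: derive Table 17-3 from the FileSystemRights
# flags, so the mapping can be checked on any machine with Get-Acl available.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Atomic (special) permissions, named as the Advanced Security Settings dialog shows
# them. List Folder Contents is not a separate flag: it is Read & Execute applied to
# folders only (inherited by subfolders, not by files), so its column is identical.
$Special = @(
    @{ Name = 'Traverse Folder/Execute File'; Right = $FSR::ExecuteFile },
    @{ Name = 'List Folder/Read Data';        Right = $FSR::ReadData },
    @{ Name = 'Read Attributes';              Right = $FSR::ReadAttributes },
    @{ Name = 'Read Extended Attributes';     Right = $FSR::ReadExtendedAttributes },
    @{ Name = 'Create Files/Write Data';      Right = $FSR::WriteData },
    @{ Name = 'Create Folders/Append Data';   Right = $FSR::AppendData },
    @{ Name = 'Write Attributes';             Right = $FSR::WriteAttributes },
    @{ Name = 'Write Extended Attributes';    Right = $FSR::WriteExtendedAttributes },
    @{ Name = 'Delete Subfolders And Files';  Right = $FSR::DeleteSubdirectoriesAndFiles },
    @{ Name = 'Delete';                       Right = $FSR::Delete },
    @{ Name = 'Read Permissions';             Right = $FSR::ReadPermissions },
    @{ Name = 'Change Permissions';           Right = $FSR::ChangePermissions },
    @{ Name = 'Take Ownership';               Right = $FSR::TakeOwnership }
)
$Basic = @('FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write')

$table = foreach ($s in $Special) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty 'Special Permission' $s.Name
    foreach ($b in $Basic) {
        $basicValue = [int][System.Enum]::Parse($FSR, $b)
        $atomic     = [int]$s.Right
        # A basic permission contains the atomic one if every bit of the atomic
        # right is set in the basic permission's mask.
        $mark = if (($basicValue -band $atomic) -eq $atomic) { 'X' } else { '' }
        $row | Add-Member NoteProperty $b $mark
    }
    $row
}
$table | Format-Table -AutoSize
```

FullControl additionally carries the Synchronize right, which the dialog does not list and which every basic permission implicitly includes when applied through the UI.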
To view a list of configured shares, type net share at the command prompt. The output of Net Share shows you the name of each share on the server, the location of the actual folder being shared, and any descriptions you've added. Here is an example:

Share name   Resource                        Remark
------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin
C$           C:\                             Default share
F$           F:\                             Default share
IPC$                                         Remote IPC
CorpData     C:\CorpData
CorpTech     F:\CorpTech
DevData      F:\DevData
EngData      C:\EngData
HRData       F:\HRData
Public       C:\Users\Public
UserData     C:\UserData
The command completed successfully.

The list of shares shown includes the file shares CorpData, CorpTech, EngData, Public, and others, and administrative shares created and managed by Windows, including ADMIN$, IPC$, and any drive shares. If you want to redirect the output to a file, you can do this by typing net share > FileName.txt, where FileName.txt is the name of the file to create and to which you want to write, such as

net share > C:\logs\fileshares.txt

If you follow the Net Share command with the name of a configured share, you'll see the complete configuration details for the share as shown in the following example:

Share name        EngData
Path              C:\EngData
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        CPANDL\Domain Admins, FULL
                  CPANDL\Domain Users, READ
                  CPANDL\EngineeringUsers, READ

The command completed successfully.

You can append the share configuration details to the previously created log file by using the append symbol (>>) instead of the standard redirect symbol (>), as shown in the following example:

net share corpdata >> C:\logs\fileshares.txt
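The same logging done for every share on the server rather than a hand-maintained list, as an added PowerShell example that is not from the book; it assumes English net share output and uses the C:\logs\fileshares.txt log path from the text as a placeholder.

```powershell
# Added example, not from the book: log the configuration of every share on the
# server by parsing the net share listing. Placeholder: $Log.
$Log    = 'C:\logs\fileshares.txt'
$logDir = Split-Path -Parent $Log
if (-not (Test-Path -LiteralPath $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Capture the listing once and write it to the log (same as net share > C:\logs\fileshares.txt).
$listing = net share
$listing | Out-File -FilePath $Log

# The listing is fixed-width: the share name column ends where "Resource" starts
# in the header line, which also copes with share names that contain spaces.
$header    = $listing | Where-Object { $_ -match '^Share name\s+Resource' } | Select-Object -First 1
$nameWidth = $header.IndexOf('Resource')

$inTable = $false
foreach ($line in $listing) {
    if ($line -match '^-{10,}\s*$') { $inTable = $true; continue }   # dashed separator
    if (-not $inTable -or $line -match '^The command completed') { continue }
    if ($line.Length -eq 0) { continue }
    $name = $line.Substring(0, [Math]::Min($nameWidth, $line.Length)).Trim()
    if ($name -eq '') { continue }   # a wrapped remark line, not a new share
    # Append the full details of this share (same as net share <name> >> log).
    net share $name | Out-File -FilePath $Log -Append
}
```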
Listing 17-1 shows the source of a command-line script that you could use to create a configuration log for the key shares on the computer. Although the path in the example is set to c:\logs\fileshares.txt, you can set any log path you want.

Listing 17-1 A sample share logging script

rem Create the log folder if it does not exist, otherwise the redirects fail
if not exist C:\logs mkdir C:\logs
net share > C:\logs\fileshares.txt
net share c$ >> C:\logs\fileshares.txt
net share f$ >> C:\logs\fileshares.txt
net share corpdata >> C:\logs\fileshares.txt
net share corptech >> C:\logs\fileshares.txt
net share devdata >> C:\logs\fileshares.txt
net share engdata >> C:\logs\fileshares.txt
net share hrdata >> C:\logs\fileshares.txt
net share public >> C:\logs\fileshares.txt
net share userdata >> C:\logs\fileshares.txt

Auditing File and Folder Access

Access permissions will only help protect data; they won't tell you who deleted important data or who was trying to access files and folders inappropriately. To track who accessed files and folders and what they did, you must configure auditing for file and folder access. Every comprehensive security strategy should include auditing. To track file and folder access, you must:

Enable auditing
Specify which files and folders to audit
Monitor the security logs

Enabling Auditing for Files and Folders

You configure auditing policies by using Group Policy or local security policy. Group Policy is used when you want to set auditing policies for an entire site, domain, or organizational unit, and is used as discussed in Part 5 of this book, "Managing Active Directory and Security." Local security policy settings apply to an individual workstation or server and can be overridden by Group Policy. To enable auditing of files and folders for a specific computer, start the Local Security Policy tool by clicking Start, All Programs, Administrative Tools, and Local Security Policy. Expand Local Policies, and then select Audit Policy, as shown in Figure 17-25.
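The three auditing steps listed above (enable auditing, specify what to audit, monitor the security log) in script form, as an added PowerShell example that is not from the book; C:\HRData is a placeholder folder, CPANDL\Domain Users is the audited principal, and auditpol.exe is used in place of the Local Security Policy tool.

```powershell
# Added example, not from the book. Placeholders: $Folder, the audited group. Run elevated.
$Folder = 'C:\HRData'

# 1. Enable object-access auditing for the file system on this server
#    (the Audit Policy setting from Local Security Policy, set with auditpol.exe).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Specify what to audit: a SACL entry on the folder that records successful and
#    failed attempts by Domain Users to delete or write, inherited by subfolders and files.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'CPANDL\Domain Users',
    'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl = Get-Acl -LiteralPath $Folder -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($audit)
Set-Acl -LiteralPath $Folder -AclObject $acl

# 3. Monitor the Security log. Event 4663 = an attempt was made to access an object,
#    event 4660 = an object was deleted. Filter to events that mention the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660 } -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($Folder) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Without step 1 the SACL in step 2 produces no events at all, which is the most common reason auditing appears to be configured but the log stays empty.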