File systems security: Shared folders & NTFS permissions, EFS
(Week 6, Monday 2/12/2007)
© Abdou Illia, Spring 2007

Outline:
- Learning Objective
- FAT vs. NTFS
- Shared Folder?
- Shared Folders
- Shared folder permissions
- Shared Folder Permissions
- Assigning Shared Folders permissions
- Shared Folder Permissions' Rules
- Guidelines for Shared Folder Permissions
- Administrative & Hidden shares
- NTFS permissions
- Standard NTFS permissions
- Extended NTFS permissions
- Slide 15
- NTFS Permissions' Rules
- Shares & permissions: Recap
- Encrypting File System
- Why use EFS?
- How to encrypt a folder
- Exercise

Slide 2: Learning Objective

- Understand Shared Folders
- Assign
  - Shared Folder permissions
  - NTFS Permissions
- Understand EFS

Slide 3: FAT vs. NTFS

FAT
- Supports partitions up to 4 GB (FAT16) and 2 TB (FAT32)
- Provides only folder-level security
- Allows limited permission setting (Read, Change, Full Control)

NTFS
- Supports larger partition sizes than FAT (without disk performance decrease)
- File-level and folder-level security
- Data compression
- File encryption (Encrypting File System)
- Disk quota management
- Needed for AD services
- Faster access to data
- Remote storage: provides an extension to your disk space by making removable media (such as tapes) more accessible.

Note: Windows and MS-DOS-based applications can read compressed files because they are automatically decompressed by NTFS when requested.

The decision about which file system to use depends on:
- Whether multiple operating systems will be installed on the computer
- Security requirements for the system

Slide 4: Shared Folder?

A folder used to provide network users with access to file resources. When a folder is shared on a server, users can connect to the server and gain access to the files it contains.

Slide 5: Shared Folders

To see all shared folders on a computer:
1) Click Start, then click Run
2) Type \\ComputerName (where ComputerName is a valid network computer name like SRVDC18)
3) Click OK.

To share a folder on a computer:
1) Open My Computer (Right-click/Open)
2) Select a disk, then the folder to share
3) Right-click the selected folder
4) Click Properties
5) Click the Sharing tab
6) Check Share this folder
7) Click Apply, and then OK.

Requirements for creating a shared folder:
- Any supported file system (FAT, NTFS)
- If the server is in a domain, you must be Administrator or Server Operator
- If the server is in a workgroup, you must be Administrator or Power User
- If it is a client computer running a workstation OS, you must be Administrator or Power User

Note: Users who are granted the Create Permanent Shared Objects right can also create shared folders on the computer where the right is assigned.

OR
1) Open Computer Management
2) In the console tree, double-click Shared Folders
3) Click Shares

Slide 6: Shared folder permissions

- A shared folder can contain application programs, data, or other users' personal data
- Each type of data can require different permissions

[Diagram labels: Shared Folder; Subfolder 1 to Subfolder 4; File 1 to File 3; User 1, User 2, User 3]

- With FAT, permissions can only be set for folders, not for individual files
- If permissions at file level are required, you need to use NTFS permissions

Slide 7: Shared Folder Permissions

- Shared folder permissions do not restrict access to users who gain access to the folder at the computer where the folder is stored.
- Shared folder permissions are the only way to secure network resources on FAT partitions.
- The default folder permission is Full Control.
- You can allow or deny shared folder permissions to individual users or to user groups.

Read
- Display folder names, filenames, file data and attributes
- Run program files

Change: Read permission +
- Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files.

Full Control: Change permission +
- Change file permissions and take ownership of files

Slide 8: Assigning Shared Folders permissions

1) Open My Computer (Right-click/Open)
2) Select the disk, then the folder
3) Right-click the selected folder
4) Click Properties
5) Click the Sharing tab
6) Click Permissions
7) Assign permissions
8) Click OK, and then OK.

Slide 9: Shared Folder Permissions' Rules

Multiple Permissions (The Combination Rule)
- If a user is assigned a permission for a shared folder, and
- if the user belongs to a group to which a different permission is assigned,
- then the user's effective permissions are the combination of the user and group permissions.

Deny overrides Allow
- If you deny a shared folder permission to a user, and
- if you allow the same permission to a group the user belongs to,
- then the user will not have that permission.

Copying or Moving Shared folders
- If you copy a shared folder, the original folder is shared but not the copy.
- If you move a shared folder, it is no longer shared.

Slide 10: Guidelines for Shared Folder Permissions

- Determine which groups need access to each resource and the level of access they require.
- Assign permissions to groups instead of user accounts to simplify access administration.
- Assign the most restrictive permissions that still allow users to perform required tasks.
- Use intuitive share names so that users can easily recognize and locate resources.

Slide 11: Administrative & Hidden shares

Administrative shares (created by default):
- All hard drives are shared as C$, D$, etc.
- The system folder (\WINNT) is shared as Admin$
- The drivers folder for printers (\Winnt\System32\Spool\Drivers) is shared as Print$

Hidden shares (created by users):
- The share name should end with $ for the share to be hidden
- Not visible to other users unless they know the name
- If a user knows the name of a hidden share, he/she can access the share using the UNC name: Start/Run, then type \\ComputerName\ShareName (the Universal Naming Convention (UNC) name)

Slide 12: NTFS permissions

- If permissions at file level are required, and/or
- if more specific permissions are required,
- then NTFS permissions must be used.

Assigning NTFS permissions:
1) Open My Computer (Right-click/Open)
2) Select the disk, then the folder/file to share
3) Right-click the selected folder or file
4) Click Properties
5) Click the Security tab
6) Assign permissions
7) Click Apply, and then OK.

Slide 13: Standard NTFS permissions

Read
- User can open and view the content of files/folders. They can also view object ownership, assigned permissions, and object attributes (Read-Only, Hidden, etc.)

Write: Read permission +
- Create new files/subfolders in a folder
- Change
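
The combination rule and the deny-overrides-allow rule from the Shared Folder Permissions' Rules slide (slide 9), worked through as an added example that is not part of the original slides. It is a simplified model rather than a Windows API; the capability names, the sample ACL and the user and group names are constructed for illustration.

```python
# Added example: models the two share-permission rules from slide 9.
# Capability names and the sample ACL below are constructed, not from Windows.
READ = frozenset({"list", "read_data", "read_attributes", "run_programs"})
CHANGE = READ | {"create", "write_data", "write_attributes", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}
LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL_CONTROL}


def effective_share_rights(acl, user, groups):
    """Return the capabilities `user` holds through a share ACL.

    acl    -- list of (principal, "Allow" | "Deny", level) entries
    groups -- names of the groups the user belongs to
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue  # entry applies to someone else
        if kind == "Allow":
            allowed |= LEVELS[level]   # combination rule: union of grants
        elif kind == "Deny":
            denied |= LEVELS[level]
        else:
            raise ValueError(f"unknown entry type: {kind!r}")
    return allowed - denied            # deny overrides allow


def highest_level(rights):
    """Name the highest level fully covered by `rights`, or None."""
    for name in ("Full Control", "Change", "Read"):
        if LEVELS[name] <= rights:
            return name
    return None


# Constructed ACL for a hypothetical share
SAMPLE_ACL = [
    ("Staff", "Allow", "Read"),
    ("Editors", "Allow", "Change"),
    ("Contractors", "Deny", "Change"),
    ("alice", "Allow", "Read"),
]

if __name__ == "__main__":
    for user, groups in [("alice", ["Staff", "Editors"]),
                         ("bob", ["Editors", "Contractors"]),
                         ("carol", [])]:
        rights = effective_share_rights(SAMPLE_ACL, user, groups)
        print(user, highest_level(rights), sorted(rights))
```

A user with no matching entry ends up with no rights at all, and a Deny of a lower level can leave a higher Allow only partly intact, which is why the function returns the capability set rather than a single level name.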