11File systems security:Shared folders & NTFS permissions, EFS(Week 6, Monday 2/12/2007)© Abdou Illia, Spring 20072Learning Objective Understand Shared Folders Assign Shared Folder permissions NTFS Permissions Understand EFS3FAT vs. NTFSProvides only folder-level securityAllows limited permission setting (Read, Change, Full Control)Supports partitions up to 4 GB (FAT16) and 2 TB (FAT32)FATFile-level and Folder-level securityData compressionFile encryption (Encrypting File System)Disk quotas managementNeeded for AD servicesFaster access to dataRemote storage: provides an extension to your disk space by making removable media (such as tapes) more accessible. Supports lager partitions size than FAT (w/o disk performance decrease)NTFSNote: Windows and MS-DOS-based applications can read compressed files because they are automatically decompressed by NTFS when requested. Decision about what file system to use depends on: Whether multiple OS will be installed on the computer Security requirements for the system24Shared Folder ? A folder used to provide network users with access to file resources. When a folder is shared on a server, users can connect to the server and gain access to the files it contains.5Shared FoldersTo see all shared folders on a computer:1) Click Start. Then click Run2) Type \\ComputerName (where ComputerName is a valid network computer name like SRVDC18)3) Click OK.To share a folder on a computer:1) Open My Computer (Right-click/Open)2) Select a disk, then the folder to share3) Right-click the selected folder4) Click Properties5) Click the Sharing tab6) Check Share this folder7) Click Apply, and then OK. Requirements for creating a shared folder: Any supported File system (FAT, NTFS) If server in a domain, you must be Administrator or Server Operator If server in a workgroup, you must be Administrator or Power user If client computer running a workstation OS, you must be Administrator orPower userNote: Users that are granted the Create Permanent Shared Objects right can also create shared folders on the computer where the right is assignedOR1) Open Computer Management2) In the console tree, double-click Shared Folders3) Click Shares6Shared folder permissions A shared folder can contain application programs, data or other users’personnel data Each type of data can require different permissions ------------Subfolder 1------------Subfolder 2------------Subfolder 3------------Subfolder 4File 1 File 2 File 3Shared FolderUser 1User 3User 2 With FAT, permissions could only be set for folders, not for individual files If permissions at file level are required, you need to use NTFS permissions37Shared Folder Permissions Shared folder permissions do not restrict access to users who gain access to the folder at the computer where the folder is stored. Shared folder permissions are the only way to secure network resources on FAT partitions. The default folder permission is Full Control. You can allow or deny shared folder permissions to individual users or to user groups.Change permission +- Change file permissions and take ownership of filesFull ControlRead permission +- Create folders, add files to folders, change data in files, append data to files, change files attributes, delete folders and files.Change- Display folder names, filenames, file data and attributes- Run program filesRead8Assigning Shared Folders permissions1) Open My Computer (Right-click/Open)2) Select the disk, then the folder3) Right-click the selected folder4) Click Properties5) Click the Sharing tab6) Click Permissions7) Assign permissions8) Click OK, and then OK.9Shared Folder Permissions’ Rules Multiple Permissions (The Combination Rule) If a user is assigned a permission for a Shared folder and If the use user belongs to a group to which a different permission is assigned, Then the user’s effective permissions are the combination of the user and group permissions Deny overrides Allow If you deny a shared folder permission to a user and If you allow the same permission to a group the user belongs to Then the user will not have that permission. Copying or Moving Shared folders If you copy a Shared folder, the original folder is shared but not the copy If you move a Shared folder, it is no longer shared.410Guidelines for Shared Folder Permissions Determine which groups need access to each resource and the level of access they require. Assign permissions to groups instead of user accounts to simplify access administration. Assign the most restrictive permissions that still allow users to perform required tasks. Use intuitive share names so that users can easily recognize and locate resources.11Administrative & Hidden shares Administrative shares (created by default): All hard drives are shared as C$, D$, etc. The system folder (\WINNT) is shared as Admin$ Driver’s folder for printers (\Winnt\System32\Spool\Drivers) is shared as Print$ Hidden shares (created by users) Share name should end with $ for the share to be hidden Not visible by other users unless they know the name If a user knows the name of a hidden share, he/she can access the share using the UNC name Start/Run. Then type \\ComputerName\ShareNameUniversal Naming Convention (UNC) name12NTFS permissions If permissions at file level are required, and/or If more specific permissions are requiredX Then, NTFS permissions must be used1) Open My Computer (Right-click/Open)2) Select the disk, then the folder/file to share3) Right-click the selected folder or file4) Click Properties5) Click the Security tab6) Assign permissions7) Click Apply, and then OK.Assigning NTFS permissions513Standard NTFS permissionsFull ControlModifyRead and ExecuteList Folder ContentsWriteReadCan only view names of folders/filesRead and List Folder Content permissions +- Ability for users to navigate through folders for which they don’t have permission in order to get files and subfolders for which they do have permissions.Read + Write + Read and Execute permissions(Users can view, create, delete, modify content of folders, etc.)Users can do everythingRead permission + - Create new files/subfolders in a folder- Change attributesUser can open and view content of files/folders. They can also view objects ownership, assigned permissions, and objects attributes (Read-Only, Hidden, etc.)14Extended NTFS permissionsExecute