Hands-On Microsoft Windows Server 2003

Chapter 5
Configuring, Managing, and Troubleshooting Resource Access

• Manage object security for files and folders
• Configure shared folders and share permissions
• Publish a shared folder in Active Directory
• Configure Web sharing
• Troubleshoot a security conflict
• Implement the Distributed File System
• Configure disk quotas


Managing Objects and Object Security
• Each object has an access control list (ACL) for shared resource management
• Access is controlled through common security techniques:
– Attributes
– Permissions
– Auditing
– Ownership

• Attributes are a carryover from earlier DOS-based systems
• Used to convert files and directories from NetWare
• Used by DOS and NetWare for security and file management
• Stored as header information

FAT File System and Attributes
• FAT has three attributes for files and folders:
– Read-only
• Files in a read-only folder are not automatically made read-only
• Instead, use the read-only permission so that the files inherit the folder’s permission

– Hidden
• Can be defeated in post-Windows 95 systems

– Archive
• Files are automatically flagged to be backed up when new or modified


NT File System and Attributes
• Allows the FAT attributes of:
– Read-only and hidden on the General tab
– Archive on the Extended tab

• Extended tab also contains:
– Index
– Compress
– Encrypt

• Extended attributes have the option to be applied to:
– A folder and its files
– A folder, its files, and all subfolders and files


NT File System (cont.)
• Index
– Allows for quick searches
– Indexing Service must be installed and set to start automatically

• Compress
– Saves space on infrequently used files or when disk space is limited
– Takes longer to search compressed files
– Compressed files cannot be encrypted

NT File System (cont.)
• Encrypt
– Can only be read by the user who encrypted the file or folder
– Uses the Microsoft Encrypting File System (EFS)
• Sets up a unique, private encryption key

– An encrypted file remains encrypted when moved to another folder, even if renamed
– Can also encrypt and decrypt at the command prompt with the cipher command

Folder and File Permissions
• Permissions control access to an object
• Use the folder properties Security tab
• Check the Allow and Deny boxes to set access permissions for groups and users
– If none of the Allow and Deny boxes are checked, all access is denied
– Deny overrides any other access

• Inherited permissions
– The permissions of the parent object apply to the child objects
– Set by default but can be deactivated





Guidelines for permissions
• Protect the \Windows folder from general users
– Traverse Folder / Execute File

• Protect server utility folders
– Access permissions only for Administrators, Server Operators, and Backup Operators

• Protect software application folders from users, but allow execution
– Read & Execute, Write

Guidelines for permissions (cont.)
• Create publicly used folders for broad access except for administrative tasks
– Modify

• Provide users Full Control of their own home folders
• Remove general access groups from confidential folders
– Everyone and Users

• Always err on the side of too much security

Configuring Folder and File Auditing
• Track activity on a folder or file through auditing
• Windows Server NTFS folders and files allow auditing of any or all of the special permissions
• Each type of access can be tracked according to successful or failed attempts
• Set up an auditing policy to fully configure auditing for an object
– Use the Domain Security Policy tool



Configuring Folder and File Ownership
• Folders are first owned by the account that creates them
• Folder owners may change permissions for their folders
• Ownership can be transferred only by having the Take Ownership or Full Control permission
• The Administrators group can take ownership of any object, regardless of permissions


Configuring Shared Folders
• Shared folders can be accessed over the network
• Specify the number of users or allow the maximum
– Maximum is the number of Server 2003 client access licenses

• Share Permissions
– Full Control: Full access control of share permissions
– Change: Read, add, modify, execute, and delete
– Read: Read and execute

• Option to hide shared folders from browser lists
– Place a $ sign just after the share name



Offline Settings
• Caches a folder on the client’s drive so that it can be accessed without a network connection
• Cache options
– Only files and programs that users specify
– All files and programs that users open from the share
– No caching

• Any modified files will be synchronized with the network versions when the connection is resumed
– If two or more users synchronize the same file at the same time, they are given the option to save one or both versions

Publishing a Shared Folder in Active Directory
• Makes the object available for users to access quickly through Active Directory
• Allows object information to be replicated on DCs
• Enables faster client searches
– Use Active Directory for Windows 2000 and XP
– Install Directory Service Client for pre-Windows 2000

• Can be published to be shared for:
– Domainwide access
– OU management and access settings


Configuring Web Sharing
• Installing Internet Information Services (IIS) enables the Web Sharing properties tab



Troubleshooting a Security Conflict
• Look at the Effective Permissions tab
– Calculates account group membership and permission inheritance

• Take file and folder locations into account
– A new file inherits its folder’s permissions
– Files copied to a folder on the same volume inherit the new folder’s permissions
– Files moved to a folder on the same volume keep their original permissions
– Files moved to another volume inherit the new folder’s permissions
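The permission rules on the Folder and File Permissions slide (Deny overrides Allow, nothing checked means denied, inheritance from the parent) and the copy/move rules above, worked as an added model in Python. This is example code written for these notes, not part of the textbook or of Windows; the folder names, users and groups are constructed, and the copy rule is generalized to copies across volumes as well, which also inherit the destination’s permissions.

```python
# Added example, not from the textbook: a small model of NTFS permission
# evaluation and of the copy/move inheritance rules.
from dataclasses import dataclass, field

@dataclass
class Ace:
    principal: str            # user or group the entry applies to
    rights: frozenset         # e.g. {"Read", "Write", "Execute", "Modify"}
    deny: bool = False        # a Deny entry overrides any matching Allow
    inherited: bool = False   # True when copied down from the parent folder

@dataclass
class Obj:
    name: str
    aces: list = field(default_factory=list)
    inherit_from_parent: bool = True   # the "inherited permissions" switch

def effective_rights(obj, parent, user, groups):
    """What the Effective Permissions tab computes: the union of every Allow
    entry matching the user or one of their groups, minus every Deny entry.
    If no Allow entry matches at all, the result is empty (access denied)."""
    principals = {user, *groups}
    aces = list(obj.aces)
    if parent is not None and obj.inherit_from_parent:
        aces += [Ace(a.principal, a.rights, a.deny, True) for a in parent.aces]
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)

def place_file(file, source, dest, same_volume, move):
    """Copy/move rules: a file moved within the same volume keeps its original
    permissions (explicit plus those it inherited from the source folder);
    a copied file, or one moved to another volume, takes the destination's."""
    if move and same_volume:
        kept = list(file.aces)
        if file.inherit_from_parent:
            kept += [Ace(a.principal, a.rights, a.deny, True) for a in source.aces]
        return Obj(file.name, kept, inherit_from_parent=False)
    return Obj(file.name, [], inherit_from_parent=True)

# Constructed sample: a public Projects folder, and a Confidential folder where
# the general Users group has an explicit Deny (see the permission guidelines).
PROJECTS = Obj("Projects", [Ace("Users", frozenset({"Read", "Execute"})),
                            Ace("Staff", frozenset({"Write", "Modify"}))])
CONFIDENTIAL = Obj("Confidential", [Ace("Managers", frozenset({"Read"})),
                                    Ace("Users", frozenset({"Read"}), deny=True)])
REPORT = Obj("report.doc")   # new file: inherits Projects' permissions
```

Calling `place_file(REPORT, PROJECTS, CONFIDENTIAL, True, True)` and then `effective_rights` against CONFIDENTIAL shows the moved file still granting its Projects rights, while the copied file (move=False) is fully denied by the Users Deny entry.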


Distributed File System
• Shared folders on a network appear in one hierarchy of folders
– Simplifies user access

• Fault tolerance is an option by replicating shared folders
– Uses the Microsoft File Replication Service

• Load balancing can be performed by distributing folder access across several servers
• Access is improved to Internet and intranet sites
• Backups are made from one set of master folders

DFS Models
• Standalone
– No Active Directory implementation
– DFS folders are not linked to other computers

• Domain-based
– Available only to members of a domain
– Takes full advantage of Active Directory
– Has a multilevel hierarchical structure
– Can implement fault tolerance and load balancing
– Domains with NT Servers can fully implement DFS with Service Pack 3 or above

DFS Topology
• The DFS root
– Main container in Active Directory that holds links to shared folders
– Folders from all domain computers appear as if they reside in one main folder

• DFS links
– Designated access path between the DFS root and shared folders

• Replica sets (targets)
– Set of shared folders that is replicated to one or more servers in a domain

Configuring the Standalone DFS Model


Configuring the Domain-based DFS Model


Managing a Domain-based DFS Root System
• Publishing a DFS root
– Provides easier management and user access

• Deleting a DFS Root
– Delete a root to change configuration

• Adding and Removing a DFS Link
– Link to the shared folder on the same computer or to another computer that is a domain member
– The first link automatically becomes the master folder
– Security of the shared folder is retained
– DFS cache timeout can be set
• The default is 1800 sec

Managing a Domain-based DFS Root System (cont.)
• Checking the status of a root or link for troubleshooting connectivity
– Find servers that are disconnected by checking the status under a root target

• Adding DFS root and link replicas
– Replica servers provide fault tolerance
– Load balancing
– A computer with a replica of the DFS root and links cannot have any other roots
– Specify server name, replica path, and synchronization schedule

Managing a Domain-based DFS Root System (cont.)
• Set up synchronization of replicas using the File Replication Service
– Automatic synchronization fully replicates all links
• Default interval is 15 minutes

– Manual synchronization replicates only designated links
• Used for load balancing


Configuring Disk Quotas
• NTFS offers the ability to establish disk quotas
• Prevents users from filling the disk capacity
• Encourages users to help manage disk space through warnings about quota limits
• Tracks disk capacity needs on a per-user basis for future planning
• Provides the server administrator with information about when users are nearing or have reached their quota limits

Disk Quotas Options
• Set on any local or shared volume
• Enable the disk quota feature to track, but not set, user quotas
• Set default quotas on all users, particularly home folders
• Establish on a per-user basis in order to make special exceptions


Summary
• Windows Server 2003 objects are managed through tools that include folder and file attributes, permissions, auditing, and ownership
• Attributes enable you to manage folder and file properties such as read-only, archiving, compression, and encryption
• Permissions are set to control who has access to a folder or file
• Auditing is used to monitor who has been given access to a folder or file

• Ownership is used to grant full control over a folder or file
• Folders and files can be shared over a network
– Folder and file security can be managed through share permissions
– A shared folder can be published in Active Directory for better management

• Folders and files intended for access through the Web can be specially configured through the Web Sharing properties

• Use security troubleshooting techniques and Windows Server 2003 troubleshooting tools to diagnose a security conflict
• The Distributed File System (DFS) enables you to set up shared folders
– Easier for users to access folders
– Can be replicated for backup and load distribution

• Use disk quotas to manage the resources that are put on a server disk volume so you do not prematurely or unexpectedly run out of disk space
