
Chapter 5

Managing Network access

 Network access defines what access/rights a user has to local resources.


 It refers to the scope of access users can have to the resources
 A network administrator can limit a user’s access by applying NTFS permissions to files and folders
 A powerful feature of networking is the ability to allow or protect access to files and folders

Accessing files and folders

A network administrator can create shared files/folders on a network so that users with appropriate access
rights can access them.

To enable users to access files and folders, the network administrator must perform the following tasks:

1. Create shared files and folders
2. Assign access rights to the users

Partition system and local security policy

 There are two types of file systems used by local partitions
o FAT (which includes FAT16 and FAT32)
o NTFS
 FAT partitions don’t support local security options
 NTFS partitions support local security options
 If the partition is NTFS, the network administrator can specify the access level each user has to
the folders and files on the partition
 NTFS permissions are the mechanism for controlling access to NTFS folders and files
 The network administrator configures the access level by allowing or denying NTFS permissions to
the users
 NTFS permissions are cumulative: they are based on the access given to the user through group membership
 If a user is both denied and allowed a permission through groups, the denied permission overrides
the allowed permission
o If user “A” is allowed the “write” permission in the accounting group and denied “write” in
the marketing group, the cumulative permissions of user “A” indicate that user “A” has
no “write” permission

Levels of NTFS Permissions

Windows Server 2003 offers six levels of NTFS permissions:

 Level 1 - Full control: this permission allows the following rights:
o Create folders and execute files/programs in the folders (folder properties, copy and move
files)
o List the content of folders and read data in the folder
o Create new files and write data to the file
o Delete folders and files
o See file or folder attributes (read only, hidden, archive)
o Set/change permissions for files and folders

If you select the Full control permission, all permissions will be checked by default.

If you uncheck any lower-level permission (such as Read, or others), the Full control Allow check box
will be automatically unchecked

 Level 2 - Modify: this permission allows the following rights:
o Create new folders and write data to the files
o Delete folders and files
o List the contents of folders and read the data in a folder
o Execute files (access files) in the folders
o See file or folder attributes (read only, hidden, archive)
 If you select the Modify permission, the following will be checked/allowed:
o Read and execute
o List folder contents
o Read
o Write
 Level 3 - Read and execute: this permission allows the following rights:
o Execute files in the folders (copy, move, & renaming…)
o List the content of a folder and read data in a folder’s files
o See file or folder attributes (read only, hidden, archive)
 If you select the Read and execute permission, the following will be allowed automatically:
o List folder contents &
o Read permission
 Level 4 - List folder contents: this permission allows the following rights:
o List the content of folders
o See file/folder attributes
 Level 5 - Read: this permission allows the following rights:
o List the content of a folder and
o Read the data in a folder’s files
 Level 6 - Write: this permission allows the following rights:
o Create a new folder/file
o Write data to the file
o Overwrite a file (modify a file)
o Change file/folder attributes

Applying NTFS permissions

 Right-click the file/folder you want
 Select Properties
 From the Properties dialog box, click the Security tab
 Use the Add button to add a user to whom you want to assign access permissions
 Use the Remove button to remove a user from the access permissions
 Finally, click OK

This dialog box allows you to set NTFS permissions for users/groups

Understanding user’s effective permissions

 A user’s effective permission is the right the user actually has to access a file or folder
 To determine a user’s effective permissions, combine all permissions that have been allowed to the
user through the user name or group association and subtract (remove) all permissions that have been
denied to the user

o Example: Suppose “Merry” was a member of the Accounting and IT groups. She was
assigned the following access permissions through the groups
Merry’s permissions in the Accounting group

Permission Allowed Deny

Full control

Modify √

Read and execute √

List folder contents √

Read √

Write √

Merry’s permissions in the IT group

Permission Allowed Deny

Full control

Modify √

Read and execute

List folder contents √

Read √

Write √

Merry’s effective permissions are:

Permissions allowed (PA) – permissions denied (PD) = Effective permissions (EP)

Or: effective permissions are all the allowed permissions that are not found in the denied permissions

 Therefore, Merry’s effective permissions are:
o Read and execute
o List folder contents and
o Read
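
The calculation above, written out as an added example (it is not part of the original chapter): it combines the allows from every group, lets any deny override them, and records which group caused each outcome. The function name and ACL tuple layout are hypothetical, and because this page does not show which column each tick in Merry's tables belongs to, her entries below are one constructed assignment that reproduces the stated result.

```python
# Added example: the chapter's rule EP = PA - PD, with a per-level explanation.
# Function name and ACL tuple layout are hypothetical, not a Windows API.
LEVELS = ["Full control", "Modify", "Read and execute",
          "List folder contents", "Read", "Write"]

def effective_permissions(identities, acl):
    """identities: the user's own name plus every group the user belongs to.
    acl: list of (principal, "allow" | "deny", level) entries on one folder.
    Returns (effective levels in LEVELS order, {level: explanation})."""
    allowed, denied = {}, {}
    for principal, kind, level in acl:
        if level not in LEVELS or kind not in ("allow", "deny"):
            raise ValueError(f"bad ACL entry: {(principal, kind, level)!r}")
        if principal in identities:  # entries for other principals are ignored
            bucket = allowed if kind == "allow" else denied
            bucket.setdefault(level, []).append(principal)
    report = {}
    for level in LEVELS:
        if level in denied:          # deny overrides any allow
            report[level] = "denied via " + ", ".join(denied[level])
        elif level in allowed:       # allows accumulate across groups
            report[level] = "allowed via " + ", ".join(allowed[level])
        else:
            report[level] = "not granted"
    effective = [lv for lv in LEVELS if lv in allowed and lv not in denied]
    return effective, report

# Constructed input: user "A" from the chapter (write allowed in one group,
# denied in another).
USER_A_ACL = [("Accounting", "allow", "Write"), ("Marketing", "deny", "Write")]

# Constructed input: one Allow/Deny assignment that reproduces Merry's stated
# result; the actual columns of her tables are an assumption here.
MERRY_ACL = (
    [("Accounting", "allow", lv) for lv in LEVELS[1:]]
    + [("IT", "allow", "List folder contents"), ("IT", "allow", "Read"),
       ("IT", "deny", "Modify"), ("IT", "deny", "Write")]
)

if __name__ == "__main__":
    for who, ids, acl in [("A", {"A", "Accounting", "Marketing"}, USER_A_ACL),
                          ("Merry", {"Merry", "Accounting", "IT"}, MERRY_ACL)]:
        effective, report = effective_permissions(ids, acl)
        print(who, "->", effective or "no permissions")
        for level, why in report.items():
            print(f"  {level:22} {why}")
```

The report is the part worth keeping when reviewing access: it names the group whose deny removed a permission, which the final list alone does not show.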

Permission inheritance

 Suppose you have subfolders in the main folder that you apply permissions to
 By default, the parent folder’s permissions are applied to any files and subfolders in the folder. This is
called inherited permission

To configure permission inheritance

 Right click the folder you want


 Click properties
 Click advanced tab
 Select allow inheritable permissions from the parent to propagate to this object check box and
click ok

The following dialog box indicates the permission inheritance allowed to the users in the entries box

You should assign permissions at higher-level folders within the directory structure and use inheritable
permissions to propagate permissions to all child objects within the structure

Determining NTFS permissions

1. Copy files
2. Move files

When you move or copy NTFS files, the permissions that have been set for those files might be changed

1. If you move a file from one folder to another folder on the same NTFS volume, the file will retain
the original NTFS permissions (NTFS permissions of the source folder)
2. If you move a file from one folder to another folder between different NTFS volumes, the file is treated
as a copy and will have the same permissions as the destination folder
3. If you copy a file from one folder to another folder on the same NTFS volume or on
a different volume, the file will have the same permissions as the destination folder
4. If you copy/move a folder or file to a FAT partition, it will not retain any NTFS permissions

Creating shared folders

To share a folder, you must be logged on as a member of the Administrators or Server Operators group

 In the folder properties dialog box, click the Sharing tab
 Select the “Don’t share this folder” option to unshare the folder
 Select the “Share this folder” option to share the folder

The following dialog box indicates how a folder called merry was shared

Configuring share permissions

 To control users’ access to shared folders, you have to assign share permissions.
 Share permissions are less complex than NTFS permissions, and they can be applied only to
folders, whereas NTFS permissions are applied to both folders and files

To assign share permissions:

 Click the Permissions button in the Sharing tab of the folder properties dialog box
o You can assign 3 types of share permissions:
1. Full control share permission to allow full access to the shared folder
2. Change share permission to allow users to change data in a file (to modify)
3. Read share permission to allow users to view and execute files in the shared
folders

Full control permissions allowed to the user Merry

 Read is the default share permission on a shared folder for everyone
 Shared folders do not use the concept of inheritance as NTFS permissions do
 If you share a folder there is no way to block access to lower level resources in the structure

Viewing shared folders

 When you select Shares in the Shared Folders utility, you will see all shares that have been
configured on the computer
 A share that is followed by a dollar sign ($) is hidden from view when
users access it through My Network Places
o Example: C$ for C:\ and D$ for D:\
 A shared folder looks like the following
