SECURITY AND SECURITY PERMISSIONS Chapter 9
CHAPTER OVERVIEW AND OBJECTIVES
  • Simple File Sharing
  • Share-level permissions
  • NTFS permissions
  • Combined permissions
  • Security and group policies
SIMPLE FILE SHARING
RUNNING THE NETWORK SETUP WIZARD
SHARING A FOLDER ON THE NETWORK
ENABLING SHARE-LEVEL PERMISSIONS
SHARE-LEVEL PERMISSIONS
Share Permission | Description
Read | Allows users to view files and folders, view the contents of files and subfolders, and execute programs.*
Change | Allows users to add and remove files and subfolders and edit files.
Full Control | Allows the user to change NTFS permissions on files and folders (including the shared folder). Administrators must configure share permissions locally or using the Computer Management console.
*Programs requiring the ability to write to configuration files will not run properly without the Change permission.
SETTING SHARE-LEVEL PERMISSIONS
CALCULATING EFFECTIVE PERMISSIONS
  • Evaluate all group memberships
  • Effective permission is the least restrictive
TROUBLESHOOTING SHARE-LEVEL PERMISSIONS
  • Evaluate all group memberships
  • Ensure permissions are appropriate to requirements
  • Consider Deny permissions
NTFS PERMISSIONS
STANDARD NTFS PERMISSIONS
NTFS Permission | Folders | Files
Read | Open files and subfolders | Open files
List Folder Contents | List contents of folder, traverse folder to open subfolders | Not applicable
Read and Execute | Not applicable | Open files, execute programs
Write | Create subfolders and add files | Modify files
Modify | All the above + delete | All the above
Full Control | All the above + change permissions and take ownership, delete subfolders | All the above + change permissions and take ownership
EFFECTIVE NTFS PERMISSIONS
  • Evaluate all group memberships
  • Effective permission is the least restrictive
  • Deny overrides all others
TROUBLESHOOTING NTFS PERMISSIONS
  • Evaluate all group memberships
  • Ensure permissions are appropriate to requirements
  • Consider Deny permissions
COMBINING SHARE-LEVEL AND NTFS PERMISSIONS
DISCUSSION SCENARIO
Group | Users in Group
Finance | Bob W., Renee K., Jason G.
Manufacturing | Ron C., Jerome J.
Managers | Ron C., Renee K.

Folder | Share Permissions | NTFS Permissions
Reports | Finance (Change) | Finance (Full Control)
Reports | Manufacturing (Full Control) | Manufacturing (Read + Write)
Reports | Managers (Read) | Managers (Read)
Graphics | Managers (Change) | Managers (Modify)
Graphics: Manufacturing (Deny Read)
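The discussion scenario worked through with the three rules from the slides (least restrictive within a layer, Deny overrides, the more restrictive of share and NTFS when combined). This is an added example, not part of the original deck. It is a simplified model in which each named permission is a set of abstract rights, and it assumes the Manufacturing (Deny Read) entry sits on the NTFS list; in this model the combined result is the same if that entry is on the share instead.

```python
# Added example: simplified model of the slide rules, not Windows' real ACL engine.
R, W, D, P = "read", "write", "delete", "change-permissions"
SHARE = {"Read": {R}, "Change": {R, W, D}, "Full Control": {R, W, D, P}}
NTFS = {"Read": {R}, "Write": {W}, "Modify": {R, W, D},
        "Full Control": {R, W, D, P}}

GROUPS = {
    "Finance": {"Bob W.", "Renee K.", "Jason G."},
    "Manufacturing": {"Ron C.", "Jerome J."},
    "Managers": {"Ron C.", "Renee K."},
}

# folder -> layer -> [(group, "allow" | "deny", rights)]
ACLS = {
    "Reports": {
        "share": [("Finance", "allow", SHARE["Change"]),
                  ("Manufacturing", "allow", SHARE["Full Control"]),
                  ("Managers", "allow", SHARE["Read"])],
        "ntfs": [("Finance", "allow", NTFS["Full Control"]),
                 ("Manufacturing", "allow", NTFS["Read"] | NTFS["Write"]),
                 ("Managers", "allow", NTFS["Read"])],
    },
    "Graphics": {
        "share": [("Managers", "allow", SHARE["Change"])],
        # Assumption: the Deny Read entry sits on the NTFS list.
        "ntfs": [("Managers", "allow", NTFS["Modify"]),
                 ("Manufacturing", "deny", NTFS["Read"])],
    },
}

def layer_rights(user, entries):
    """Least restrictive across the user's groups, then Deny overrides."""
    allowed, denied = set(), set()
    for group, kind, rights in entries:
        if user in GROUPS[group]:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def effective(user, folder):
    """Combined access: the more restrictive of share and NTFS."""
    acl = ACLS[folder]
    return layer_rights(user, acl["share"]) & layer_rights(user, acl["ntfs"])

if __name__ == "__main__":
    for folder in ACLS:
        for user in sorted(set().union(*GROUPS.values())):
            print(f"{folder:9} {user:10} {sorted(effective(user, folder))}")
```

Ron C. is the case to check by hand: his Managers membership grants Modify on Graphics, but the Deny Read he inherits from Manufacturing removes read from the result.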
BUILT-IN GROUPS
  • Administrators
  • Power Users
  • Backup Operators
  • Users
CHANGING USER GROUP MEMBERSHIPS
  • User gets access token at logon based on group membership
  • Group membership is changed
  • User needs to log on again to receive new access token
LOCAL SECURITY SETTINGS
ACCOUNT POLICIES
ACCOUNT POLICIES (CONT.)
LOCAL POLICIES
GROUP POLICIES
CONFIGURING GROUP POLICY SETTINGS
TROUBLESHOOTING GROUP POLICIES
  • Help and Support
  • Gpresult.exe
  • Rsop.msc
SUMMARY
  • Simple File Sharing is used in small and home offices
      • No permission restriction for locally shared files
      • Network shared files can be marked read-only
  • Standard share-level permissions are used in larger organizations
      • Ability to control access to Read, Change, Full Control
      • Effective permission is the least restrictive
SUMMARY (CONT.)
  • NTFS permissions
      • Incorporated into the file system
      • More granular than share-level permissions
      • Effective permission is the least restrictive
  • Combined permissions
      • The more restrictive of either share-level or NTFS
SUMMARY (CONT.)
  • Local security policy
      • Controls password strength
      • Controls account lockout policy
      • Assigns user rights and other security-related settings
  • Group policy
      • Controls desktop and application configuration
      • Is tiered so site, domain, and organizational unit override local settings

70-272 Chapter09
