Lecture 9 further permissions



  1. Lecture 9: More Access Control and Permissions
     Network Design & Administration
  2. Registry Keys
     • Registry keys are the entities used to store information about a Windows PC.
     • They are used for:
       • Hardware information
       • OS information
       • Non-OS programs
       • Users
       • Preferences
  3. Registry Structure and Use
     • The registry is separated into Hives:
       • HKEY_CLASSES_ROOT
         • For installed apps – file associations, etc.
       • HKEY_CURRENT_USER
         • Specific settings for current user, e.g. printer settings.
       • HKEY_LOCAL_MACHINE
         • General to all users, e.g. driver versions.
       • HKEY_USERS
         • Details of all user profiles keys that can access machine.
         • Current_User is a partial list of information.
       • HKEY_CURRENT_CONFIG
         • Generated at boot time to give information on local machine configuration.
  4. Registry Entries
     • For a registry entry to be modified, the program or user has to be allowed to change it!
     • Here we see the Administrators group given Full Control over this sub-key (via inheritance).
  5. Registry Permissions
     • Can see similarities and differences between these and NTFS permissions.
     • Different set of standard and special permissions.
     • Again, inheritance can be allowed or stopped, and deny/allow priority applies.
     (Note: Write DAC = ability to change ACL for key)
  6. Why of interest in a network?
     • Various programs may need to run on a server.
       • Those programs must have appropriate access to registry keys.
     • If users want applications installed locally, problems can occur if the registry keys do not have the appropriate ACLs set.
  7. Active Directory Object Permissions
     • Very different again to NTFS and Registry, e.g.:
       • Create child
       • Delete child
       • Standard delete
       • Delete tree
       • Read property
       • Write property
     • Microsoft recommends not changing them.
     • If changed, performance can be lost due to the amount of information transmitted around the network.
  8. Microsoft File Shares
     • Allow network clients to actually see folders on a server remotely.
     • Some shares are created automatically due to the role of a server, e.g. the NETLOGON share is created when a server becomes a domain controller.
     • Shares can be hidden by appending $ to the name (so how do users find it?)
  9. Who can create file system shares?
     • Depends on the role of the machine and therefore the security risks associated with doing it:
       • Domain Controller – Administrators, Server Operators, Enterprise Admins, Domain Admins groups only.
       • Domain Member Server or Workstation – Administrators, Server Operators, Power Users groups only.
       • Workgroup or Standalone computer (?) – Administrators, Power Users groups only.
  10. Creating a share using the MMC Shared Folders Snap-in
  11. File share permissions
      • They differ from NTFS.
      • Much coarser grain – no special permissions.
      • Change in Share Permissions is not the same as Modify in NTFS in the delete area.
      • When Share and NTFS permissions are both present, the resultant permission applied is the most restrictive.
      • Do not apply to locally logged on users (e.g. physically local or by Terminal Server).
  12. Limitations / Problems
      • Limited scope – Can be applied only to folders and only when connecting to the share.
      • Lack of flexibility – Permissions applied to the share apply to all levels below.
      • No replication – Share permissions are not replicated by domain controller.
      • No resiliency – Share permissions cannot be backed up or restored via Domain Controller.
      • Fragility – Shares (and therefore share permissions) are lost when a folder is moved or renamed.
      • No auditing possible.
      • Do not show up in Effective Permissions tab – Need to be looked at independently, then considered with NTFS permissions to give resultant most restrictive.
  13. Printer Server Topologies
      • For cost effectiveness, want multiple users to access a single printer.
      • What are the options?
        • Locally Attached Printers
        • Network Attached Printers
          • Logical printer on every client workstation
            • Logical Printer – object used by operating system to represent physical device. Contains settings, defaults, drivers and other properties.
          • Print server
            • Print server – receives jobs from clients, stores them in a print queue and sends 1 by 1 to physical printer.
  14. Locally Attached Printer [1]
      • Physical security issues (printer has to be close to server).
      • When printer share is created the attached server functions as the print server.
  15. Network attached printer, with logical printer in every client [1]
  16. Problems…
      • Each user sees only own jobs – not rest of queue (may be lots waiting ahead!)
      • Admins cannot manage print queue or implement advanced features.
      • Error messages only appear to user machine.
      • If driver update required, has to be done on each client.
      • Print processing not offloaded to server.
  17. Network attached printer, with print server [1]
      • Advantages…?
  18. Old UNIX/Linux permissions
      • Each file has a set of bits that specify its permissions for 3 classes of user:
        • Owner, Group Owner, Everyone Else
      • Owner is special, and can totally limit access.
      • Each class has 3 bits: (r) Read, (w) Write, (x) Execute
      • These are expressed as rwx if allowed or a - if not allowed
        • e.g. rwxr-xr-x means owner allowed all 3, but all others only allowed read and execute.
      • Super user (root access) can do anything even if not owner.
  19. Modern UNIX/Linux permissions
      • Now support ACLs (partly for compatibility with Windows via SAMBA).
      • Still based on read, write, execute (not as fiddly as Windows NTFS, so SAMBA has to ‘translate’ between them).
      • ACLs allow rwx to be set for multiple groups and specific users.
  20. Next Time & references
      • Keeping systems up to date.
      • Hotfixes vs. Service Packs.
      • Managing/automating processes.
      • [1] MOAC 290 chapter 10
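
Slides 18 and 19 describe the classic owner/group/other bits and the ACL extension. The following added example (not part of the lecture) models the order in which those entries are consulted for a regular file, following the POSIX ACL access-check algorithm. The `File` class, the `allowed` function and all user and group names are hypothetical, and the ACL mask is held as a separate field rather than read from the mode string.

```python
from dataclasses import dataclass, field

def bits(triple):
    """'r-x' -> {'r', 'x'}; rejects anything that is not an rwx/- triple."""
    if len(triple) != 3 or any(c not in (w, "-") for c, w in zip(triple, "rwx")):
        raise ValueError(f"bad permission triple: {triple!r}")
    return set(triple) - {"-"}

@dataclass
class File:                     # hypothetical model of one regular file
    owner: str
    group: str
    mode: str                   # classic nine characters, e.g. "rwxr-xr-x"
    acl_users: dict = field(default_factory=dict)    # named user  -> "rw-"
    acl_groups: dict = field(default_factory=dict)   # named group -> "r--"
    mask: str = "rwx"           # ACL mask: caps named users and every group entry

def allowed(f, user, groups, want):
    """True if `user`, a member of `groups`, may do `want` ('r', 'w' or 'x')."""
    if len(f.mode) != 9:
        raise ValueError(f"bad mode string: {f.mode!r}")
    owner_p, group_p, other_p = (bits(f.mode[i:i + 3]) for i in (0, 3, 6))
    mask = bits(f.mask)
    if user == "root":          # simplification: the real check is on uid 0
        # Superuser skips the checks; executing a file still needs one x bit set.
        return want != "x" or "x" in owner_p | group_p | other_p
    if user == f.owner:         # owner class only, even if group/other allow more
        return want in owner_p
    if user in f.acl_users:     # named user entry, limited by the mask
        return want in bits(f.acl_users[user]) & mask
    matching = [group_p] if f.group in groups else []
    matching += [bits(p) for g, p in f.acl_groups.items() if g in groups]
    if matching:                # a group match decides; "other" is never consulted
        return any(want in p & mask for p in matching)
    return want in other_p

if __name__ == "__main__":
    # Constructed sample files and users.
    plain = File("alice", "staff", "rwxr-xr-x")
    locked = File("alice", "staff", "---rwxrwx")
    shared = File("alice", "staff", "rw-r-----",
                  {"dave": "rw-"}, {"audit": "r--"}, "r--")
    print("bob writes plain:", allowed(plain, "bob", ["staff"], "w"))
    print("alice reads locked:", allowed(locked, "alice", ["staff"], "r"))
    print("dave writes shared:", allowed(shared, "dave", [], "w"))
    print("erin (audit) reads shared:", allowed(shared, "erin", ["audit"], "r"))
```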