Microsoft Windows XP Networking Inside Out
.pdf
Part 4: Network Resources
4In the Permission Entry dialog box shown here, select Allow or Deny for the special permissions you need to modify. Wherever possible, refrain from using the Deny permissions and depend on selectively enabling the Allow permissions to achieve your objectives. Click OK when you’re done.
14 Chapter
When the Advanced Security Settings dialog box reappears, notice that in the Permission column for the modified user or group, the previous standard permission has been replaced with the label Special. You won’t know what the characteristics of the special permissions are from this dialog box. You’ll have to select the Edit button again to examine which permissions the account has.
newfeature!
Checking an Account’s Effective Permissions
To help you understand the ramifications of special configurations you’ve made, especially for an account that is a member of more than one group, check the effective, or net, permissions of the account you’ve modified by taking these steps:
1Open the resource’s properties dialog box by right-clicking the folder or file and choosing Properties.
2Click the Advanced button, and then select the Effective Permissions tab. Notice that the Group Or User Name box is blank and that you can’t type into the box directly.
3Click the Select button, click the Advanced button in the second dialog box, and then click the Find Now button in the third dialog box.
4All the computer’s user and group accounts will be displayed at the bottom of the Select User Or Group dialog box. Select the account you’ve modified and click OK.
438
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
5Click OK again to close the remaining Select User Or Group dialog box.
6The Effective Permissions tab reappears with the account you selected displayed in the Group Or User Name box, and its effective NTFS permissions are displayed in the Effective Permissions list, as shown in Figure 14-24.
Chapter 14
Figure 14-24. The Effective Permissions tab can help you understand the actions a selected user or group can take with a particular NTFS resource.
A list and brief explanations of the six basic access permissions available on an NTFS volume follows:
●Full Control. Users with the Full Control right assigned can view, create, modify, and delete files or folders. This right also allows a user to change the ACLs for the object in question. That means a user with Full Control permission can also change the object’s access permissions as well as the object itself.
●Modify. Essentially, the Modify permission allows a user to make changes to the file or the files inside a folder but does not allow the user to change the access level to those resources or to take ownership of a file. This is the same as selecting both the Read & Execute and Write permissions.
●Read & Execute. A user assigned the Read & Execute permission has the right to read the contents of a file or folder, and execute programs and batch files that have the Read & Execute permission. Selecting this permission also selects the List Folder Contents and Read permissions.
439
4: Network Resources
14 Chapter
440
Part 4: Network Resources
●List Folder Contents. This permission allows the user to view the individual objects contained within the folder. It is similar to the Read & Execute permission but only acts on folders and is passed down to subfolders but not to the files in those subfolders.
●Read. The user can read the file or folder. This is the most basic permission of all the permissions.
●Write. The user can create files and modify new or existing files and folders.
An additional entry in the Permissions section of the Security tab of an object’s properties dialog box is called Special Permissions. To access these special attributes, perform the following steps:
1Right-click a file or folder, and choose Properties from the shortcut menu that appears.
2Select the Security tab.
3Click the Advanced button.
4Select a user name or group, and click the Edit button. The Permission Entry For dialog box displays a listing of special permissions in the Permissions list, as shown in Figure 14-25.
Figure 14-25. Special permissions enable you to set up complex and highly specific permissions for a user or group.
caution Adjust the permissions in this dialog box only if you’re sure of the effects of your actions. Although most of these settings are self-explanatory, they are best left alone unless you are trying to address a specific security issue that the standard rights will not accommodate.
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
For example, suppose there is a user who needs to have most of the rights that make up the Full Control permission, but you don’t want the user to have the ability to change permissions (ACLs) or take ownership (taking ownership of a file or folder restores a user’s ability to change permissions). To make these special settings, you could set two permissions in the Permissions list, Change Permissions and Take Ownership, by clearing their Allow check boxes or by selecting their Deny check boxes. Check the results by selecting the Effective Permissions tab of the Advanced Security Settings dialog box and entering the user or group name in the Group Or User Name box (you’ll have to click the Select button to enter the name—it can’t be typed directly). Notice that the check boxes are cleared in the Effective Permissions list for Take Ownership and several permissions relating to managing attributes. The Full Control check box is also cleared because the user no longer has the full set of permissions that make up the Full Control permission.
Chapter 14
Using the Create Shared Folder Wizard
If you want help sharing a folder, you can use the Create Shared Folder Wizard. You can access it from Computer Management (in the Administrative Tools folder). In Computer Management, open System Tools, Shared Folders, right-click Shares, and then choose New File Share from the shortcut menu. You can also run the wizard directly by typing shrpubw at any command prompt. Using the wizard, you can share a folder and configure NTFS permissions by choosing from three preconfigured basic share permissions or by selecting the Custom option to make the full slate of NTFS permissions available. However, even though you can use the wizard on a Windows XP Home Edition computer to specify different permissions for different users and groups, the permissions will not work because all network users are authenticated as Guests in Windows XP Home Edition and therefore have the permissions of the Everyone group. However, for Windows XP Professional, you might prefer using the friendly interface of a wizard when creating a network share.
Exploring Scenarios to Troubleshoot NTFS Permissions
Understanding NTFS permissions and the steps to configure them is beneficial and useful. However, the cumulative effect of group and user rights, and the least common denominator effect of NTFS level and network share permissions makes it important to understand how to identify and correct permissions conflicts and confusions relating to disk formats. This section presents several scenarios or case studies that point out some common problems and solutions when using NTFS.
441
4: Network Resources
14 Chapter
442
Part 4: Network Resources
Scenario #1: Implementing Permissions
Melanie is the new systems administrator for the Tailspin Toys Company. Melanie’s first task is to configure a new Windows XP Professional computer as a workstation for a member of the Power Users group (Power Users is a predefined group in Windows XP that grants many but not all privileges of the Administrators group). This workstation will be used to support a small portion of the company’s intranet, store user files for the marketing department, and also act as the primary workstation for the marketing director. The computer, named Marketdept, has two disks installed. One disk is a 10 GB disk used for the operating system and boot files, and the other disk
is a 60 GB disk used for the intranet files and the marketing director’s personal data.
Melanie formats the 10 GB boot and system disk with the FAT32 file system. This volume will contain the files needed to boot the computer and the Windows directory. FAT32 is required because the company has standardized on a disk imaging software package that does not support NTFS volumes. This imaging software is used to make a master image for every computer that provides multiple user services and that does not have a backup device attached locally. The Marketdept computer does not have a backup device attached, so the boot disk has to be FAT32. The 60 GB disk will be formatted with the NTFS file system, and the drive will be partitioned into three volumes of approximately 20 GB each.
After all the required applications are installed and the user storage file structures are created, Melanie configures the NTFS file permissions to only allow members of the Domain Admins group (this is a group present only on computers joined to a domain, as discussed in Chapter 11, “Understanding Domain Connectivity”), not local Administrators, to access the folder. The marketing director is added to the local Administrators group so that she can configure the IIS services when changes are needed and perform general management tasks.
After configuring the computer, Melanie takes ill and is out of work for a week. Upon her return, there is a small but serious list of issues with the Marketdept computer. The following issues have been reported to the marketing director who is frustrated that her new workstation is already failing:
1The marketing director is now sharing the new computer with the vice president of Finance for reasons unknown. The marketing director is worried that the Finance VP will start tinkering with system files, and she has made attempts to secure them. She is unable to configure security permissions for
the system files. She has managed to share the Windows directory and assign permissions there, but she is concerned that this is not an adequate solution. She wants to know how to completely secure the drive.
2Users have complained that the marketing director is accessing their files, modifying them, and occasionally deleting them. Collectively, they want the files secured from the tinkering of the marketing director. How is the market-
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
ing director gaining access to their files? What change(s) can be made to correct this problem?
3Some users report that they have never been able to access their folders on the Marketdept computer. Melanie double-checks the permissions for the directories and notices that the share permissions allowing access are correct for all the users reporting access trouble. What has Melanie overlooked?
4Access to the intranet only works for the marketing director. Melanie attempts to connect and finds out that she can connect as well. Melanie checks the IIS configuration and finds nothing out of order. Where might Melanie look to find the source of the intranet troubles?
The solutions to these problems follow:
1The boot drive, which contains the system files that the marketing director wants to protect, has to be converted to NTFS. The current file system (FAT32) does not support ACLs.
2The marketing director is a member of the local Administrators group and can add herself to any ACL on the local computer. Melanie should place the marketing director in a different group that has the functionality needed but does not have permission to change the ACLs of computer objects.
3Melanie has not checked the NTFS permissions. If they are more restrictive than the share permissions, they will limit the access of the users who can’t access their folders on the Marketdept computer.
4Melanie should check the NTFS permissions on the root folder of the intranet site. It is probable that only members of the Administrators group have access to the intranet files.
Scenario #2: A Permissions Nightmare
Chapter 14
Melanie has moved on to a new job at Wingtip Toys as a network technician. Users are complaining about access problems and demand that these problems be fixed as
quickly as possible. Melanie begins to correct the access issues. While doing so, she also encounters additional issues:
1The previous network administration staff left the NTFS file level permissions wide open. The previous staff decided to use the network share permissions to control access. Unfortunately, the members of the staff did not configure the share permissions correctly. Melanie starts configuring the NTFS permissions to the correct settings but neglects to first modify the share permissions. This results in a serious mess of access rights. What can Melanie do to quickly clean up this mess?
2To help a user gain some much needed disk space, Melanie enabled disk compression on the user’s boot drive, which had about 10 percent free
443
4: Network Resources
14 Chapter
444
Part 4: Network Resources
space. During the compression routine, the computer crashed and now will not start Windows. What steps can Melanie take to complete the compression process and hopefully regain access to Windows XP?
3Another user is complaining about the amount of free disk space available on his computer. Melanie does not want to tamper with compressing another volume, and the user doesn’t have any files on the computer that can be deleted to free up more disk space. What other options does Melanie have?
Melanie could implement the following solutions:
1Melanie needs to reset the NTFS permissions for the folders in question. She needs to remove all the existing (and incorrect) user and group permissions and replace them with the correct permissions. These changes then need to be applied to all subfolders and files. The share permissions should be modified to allow the desired level of access by users, while removing the Everyone group’s Full Control over the computer. The following are the steps for clearing the existing permissions and restoring the correct ACL configuration:
■Locate the problematic files or folders using Microsoft Windows Explorer.
■Right-click the file or folder, and choose Sharing And Security or Properties.
■Select the Security tab, and then click the Advanced button.
■Clear the check box labeled Inherit From Parent The Permission Entries That Apply To Child Objects. Include These With Entries Explicitly Defined Here.
■When prompted, select either Copy or Remove. Either choice breaks the inherited permissions from the parent folder. Copy lets you start over with the current inherited permissions, whereas Remove lets you start over with a clean slate.
■If you select Remove, the Permission Entries list will be empty. Click the Add button to add users and groups, and specify their permissions. If you select Copy, use the Remove, Add, and Edit buttons to remove unwanted permission entries, edit those you want to change, and add new entries as needed to reconfigure the ACL properly.
■Select the check box labeled Replace Permission Entries On All Child Objects With Entries Shown Here That Apply To Child Objects. This will propagate the corrected ACL entries downward to subfolders and their files.
■Click Apply. In the Security message box that appears, click OK.
■When the process of applying permissions has been completed, click OK in each dialog box.
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
note For a large number of computers, Melanie could use the Cacls.exe command-line tool. This tool would allow Melanie to build a logon script that changes the ACL automatically for all of the user folders in question when the users log on. If constructed correctly, this file will save Melanie a lot of time.
2Melanie needs to reboot the computer and press F8 during startup to access the boot options. From the boot menu, she should select Safe Mode With Command Prompt and press Enter. At the prompt, Melanie needs to log on and run the Compact.exe utility to force the compression of the drive to complete. Presuming it is drive C that is not starting up correctly, Melanie would switch to the root of the problem drive, type compact /C /I /F /S:C:\, and then press Enter. The /C parameter compresses the specified files; the /I parameter continues the operation, even if errors occur; the /F parameter forces the compression of all specified files, even if they are already compressed; and the /S:C:\ parameter includes all subfolders starting from the root folder. If the previous compression resulted in some files being incompletely compressed, the /F parameter might enable the compression to complete successfully. Once the compression is complete, Melanie should reboot the computer. If all goes well, the compressed drive will again be accessible.
3Melanie can mount another volume onto the full drive to provide more disk space. If the drives cannot be converted to dynamic disks (perhaps the full drive is also the system or boot volume), she can create a volume mount point within the full drive to provide additional space. Melanie can also move the user’s data to another location on the network and reformat the drive using a smaller cluster size. The smaller cluster sizes will help free up additional disk capacity.
Scenario #3: Managing Sensitive Data
Chapter 14
Stephanie was recently hired as the new network services manager at Wide World Importers. Although the previous manager’s departure was apparently on good terms, management is concerned about the level of access general users have, in particular, whether they have access to sensitive managerial information. Also of concern is that users who have left the company might be able to access sensitive corporate data after their departure. These are more of their concerns:
1The primary data server, World1, had three new drives installed immediately prior to the departure of the previous manager. Network users are becoming quite vocal about obtaining additional space to store files and increase the space for the company’s sales database. All network users access the storage space on World1 through a shared folder called Data Access. What is the most streamlined way in which Stephanie can make the new disk space available to current network users?
445
4: Network Resources
14 Chapter
446
Part 4: Network Resources
2It is company policy to restrict the amount of data stored in users’ personal directories. Currently, there is no system in place to enforce this policy. What steps can Stephanie perform to implement disk quotas?
3Operations management is unsure of who has access to which files on the network. Management has requested that Stephanie ensure that the permissions for the Human Resources folders on the file server do not allow anyone outside that department to access them. How can Stephanie determine which user rights are currently configured? How can she make changes if they are needed?
4Stephanie has to make sure that the previous manager does not have access to any internal files through hidden accounts. How can she ensure that these secret accounts do not have access to sensitive information?
Stephanie could implement the following solutions:
1The new volumes should be added by Stephanie as mounted volumes to the existing volume. By mounting the new space inside the existing share point, users will be able to immediately access the new space.
2Stephanie needs to access the Disk Quota tab in the volume’s properties dialog box and configure disk quotas that are in compliance with company rules and policies.
3Stephanie should reset the permissions on the sensitive folders so that only authorized users have access. To do this, she needs to access the security settings for the folders in question, make changes, and then propagate those changes to all the subfolders and files within the parent folders.
4This solution is essentially the same as the previous solution. Barring the ability to identify and disable rogue accounts, the next step is for Stephanie to identify the users who should have access and remove everyone else from the ACLs. The individual members of groups with sensitive access must also be scrutinized so that the ex-manager can’t gain access through a group account.
Scenario #4: Restricting User File System Access
Trey Research is in the middle of a major company-wide systems overhaul. It has come to the attention of the executives that there is a need for expanded storage on client computers.
Each of the 2000 user computers worldwide will have additional hard disks installed, and the operating systems will be upgraded to Windows XP. The new drives will be formatted using the NTFS file system, and the existing disks, which are currently FAT volumes, will be converted to NTFS. Additionally, the company has decided to crack down on users installing personal software on their work computers. Along with removing
4: Network Resources
Chapter 14: Understanding Resource Sharing and NTFS Security
individual user accounts from the local Administrators group, the NTFS permissions will be configured to restrict access to the newly installed drives.
Disk quotas will also be implemented on the new volumes. A portion of each new volume will be used to store administrative files. The disk quotas will be used to prevent users from filling up the new drives with nonwork-related files such as digital music files and other personal material. The network staff has collected a list of current issues that must be addressed before and during the upgrades:
1 |
All the administrative data needs to be protected as much as possible. What |
14 |
2 |
options are present in the NTFS file system that will allow the data in ques- |
|
The company’s summer intern left for college yesterday. His last task was |
Chapter |
|
|
tion to be protected? |
|
|
to configure the NTFS and share permissions on the personal folders of 23 |
|
|
new hires. Of the 23 new hires starting today, 15 have access to their shared |
|
|
folders. What is the likely reason that 8 of the new hires can’t access their |
|
|
shared folders? |
|
3 |
One of the network administrators is able to create and add files to his |
|
|
departmental share, but he cannot delete any of the files in the share. The |
|
|
share permissions are set to allow Full Control to the Everyone group. What |
|
|
might be the cause of his inability to delete files? |
|
4 |
Users need to be able to read the administrative files stored on their comput- |
|
|
ers. But they should not be able to modify, remove, or create files within the |
|
|
administrative data folder. What is the most convenient method of control- |
|
|
ling access to the administrative files? |
|
The solutions follow:
1NTFS supports both DACL permissions and file encryption. With the two features combined, the net result is a robust security scheme.
2Most likely, one of two things is happening. First, the DACLs for the individual folders might not all have been configured to allow access to their intended users. Second, there might be a conflict between the NTFS permissions and the network share permissions.
3This user had the Delete permission specifically denied in the DACL for the folder in question. By checking the Advanced Security properties and clearing the Deny option for the Delete permission, the problem is easily solved.
4By configuring NTFS permissions to only allow the Read permission in the administrative folders, users will be able to access the administrative data without the danger of compromising the information stored on the disk.
447
4: Network Resources