1 / 45

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access . Partitions. Partitions Portion of the disk that functions as a separate storage unit Primary partitions used to start computer Must be marked as ACTIVE

caradoc
Télécharger la présentation

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 EnvironmentChapter 5: Managing File Access

  2. Partitions • Partitions • Portion of the disk that functions as a separate storage unit • Primary partitions used to start computer • Must be marked as ACTIVE • Removable storage cannot be marked ACTIVE • Basic disk • 4 Primary partitions • 3 Primary partitions and 1 Extended partition • Extended partitions used to create logical drives • Win2003 • System Partition – ACTIVE – needed to Load OS • Boot Partition primary partition or logical drive – Where OS files live

  3. Disk Management Snap-In

  4. Windows Server 2003 File Systems • Three main file systems • File Allocation Table (FAT) • FAT32 • NTFS • Final choice of file system depends on • How system will be used • Whether there are multiple operating systems • Security requirements • NTFS is most highly recommended

  5. FAT • Used by MS-DOS • Supported by all versions of Windows since • Traditionally limited to partitions up to 2 GB • Windows Server 2003 version supports partitions up to 4 GB • Limitations • Small partition sizes • No file system security features • Disk space usage is poor

  6. FAT32 • A derivative of the FAT file system • Supports partition sizes up to 2 TB • Still does not provide advanced security features • Cannot configure permissions on file and folder resources

  7. NTFS • Introduced with Windows NT operating system • Current version (version 5) • Windows NT 4.0 • Windows 2000 • Windows XP • Windows Server 2003 • Theoretically supports partition sizes of up to 16 Exabytes (EB) • Practically supports maximum partition sizes from 2 TB to 16 TB

  8. Windows Master File Table and Metadata • When a volume is formatted with NTFS, a Master File Table (MFT) and Metadata are created. • NTFS uses MFT entries to define the files that they correspond to. • NTFS creates a file record for each file and directory record created on an NTFS volume. Each file usually has one file record. • Metadata consists of the files NTFS uses to implement the file system structure.

  9. NTFS File Attributes • Every allocated sector on an NTFS partition belongs to a file, including the file system Metadata. • NTFS views each file or folder as a set of file attributes. • Resident attributes reside within the MFT • Non-resident reside elsewhere on the volume • An attribute type code and, optionally, an attribute name identify each attribute. • Read only • Hidden • Ready for Archiving • Fast Searching • Compress • Encrypt

  10. NTFS (continued) • Advantages of NTFS • Greater scalability and performance on larger partitions • Support for Active Directory on systems configured as domain controllers • Ability to configure security permissions on individual files and folders • Built-in support for compression and encryption • Ability to configure disk quotas for individual users • Shadow copies • Support for Remote Storage • Recovery logging of disk activities

  11. Creating and Managing Shared Folders • Shared folder • A data resource made available over a network to authorized network clients • Specific permissions required for creating, reading, modifying • Groups that can create shared folders: • Administrators • Server Operators • Power Users (only on member servers) • Users who have been granted the right

  12. Creating and Managing Shared Folders (continued) • Several ways to create shared folders • Two important methods • Windows Explorer Interface • Computer Management console • Also allows shared folders to be monitored

  13. Using Windows Explorer • Used since Windows 95 • Can create, maintain, and share folders • Folders can be on any drive connected to the computer • Folders are shared in Windows Explorer by accessing the Sharing tab of folder’s properties

  14. Using Windows Explorer (continued) • Shared name of folder does not have to be the actual file name • Hand icon used to indicate shared status • Shared folders can be hidden from My Network Places and Network Neighborhood • Place dollar sign ($) after name, e.g., Salary$ • Number of hidden administrative shares created automatically at installation

  15. Administrative Shared Folders • C$, D$, E$, . . . • Admin$ • %systemroot%\windows • Print$ • Installable printer drivers

  16. Using Windows Explorer (continued)

  17. Using Computer Management • Computer Management console is a pre-defined Microsoft Management Console (MMC) • Allows you to share and monitor folders for local and remote computers • Allows you to stop sharing if desired

  18. Using Computer Management (continued) • Share a Folder Wizard • Used to create folders in Shared Folders section of Computer Management • Used to provide preconfigured or manual permissions • All users have read-only access • Administrators have full access; others have read-only access • Administrators have full access; others have read and write access • Custom share and folder permissions

  19. Monitoring Access to Shared Folders • Monitoring involves • Who is using shared files • What shared files are open at any given time • Other functions • Disconnect users from a share • Send network alert messages • Primary monitoring tool is Computer Management

  20. Monitoring Access to Shared Folders

  21. Managing Shared Folder Permissions • A shared folder has a discretionary access control list (DACL) • Contains a list of user or group references that have been allowed or denied permissions • Each reference is an access control entry (ACE) • Accessed from Permissions button on Sharing tab of folder’s properties • Permissions only apply to network users, not those logged on directly to local machine

  22. Managing Shared Folder Permissions (continued)

  23. Managing Shared Folder Permissions (continued) • To deny access to a user or group • Windows Server 2003 does not include No Access share permission • Must explicitly deny access to each individually • Default permission is read access for Everyone group • Should be immediately addressed when a share is created • Folder permissions are inherited by all contained objects

  24. Shared Folder Permissions • Shared folder permissions apply to folders, not individual files. • Shared folder permissions do not restrict local access • Shared folder permissions are the only way to secure network resources on FAT volumes. • To control how users gain access to a shared folder, you must assign shared folder permissions. • You can allow or deny shared folder permissions to individual users or to user groups.

  25. Applying Shared Folder Permissions • Multiple permissions. • Effective permissions are a combination • Denied permissions override allowed permissions. • NTFS permissions – Most restrictive is applied • Copying or moving shared folders. • Copy does not destroy the share • Move will destroy the share

  26. Guidelines for Shared Folder Permissions • Determine which groups need access to each resource and the level of access they require. • Assign permissions to groups instead of user accounts to simplify access administration. • Assign the most restrictive permissions that still allow users to perform required tasks. • Organize resources so that folders with the same security requirements are located within a folder. • Use intuitive share names so that users can easily recognize and locate resources.

  27. NTFS Permissions • Resources located on an NTFS partition or volume can be given NTFS permissions • An administrator must • Know how permissions are applied • Standard and special NTFS permissions available • How effective permissions are determined

  28. NTFS Permission Concepts • NTFS permissions are configured via the Security tab • NTFS permissions are cumulative • Access denial always overrides permitted access • NTFS folder permissions are inherited unless otherwise specified • NTFS permissions can be set at file or folder level

  29. NTFS Permission Concepts (continued) • A new ACE has default permission • Read and Read and Execute for files • List Folder Contents for folders • Windows Server 2003 has set of standard permissions plus special permissions

  30. NTFS Permission Concepts (continued)

  31. Special NTFS Permissions • Can provide more or less access than standard permissions • Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource • Permission Entry dialog box enables assignment of permissions and control of inheritance settings

  32. Special NTFS Permissions (continued)

  33. Special NTFS Permissions (continued) • Inheritance settings • This folder only • This folder, subfolders, and files (default) • This folder and subfolders • This folder and files • Subfolders and files only • Subfolders only • Files only

  34. Special NTFS Permissions (continued)

  35. Special NTFS Permissions (continued)

  36. File/Folder Ownership • Every file/folder has an owner (usually a user who created a file) • Ownership doesn’t change by users simply editing a file • An owner has Full Control permission for a file/folder and can grant other users NTFS permission to that file and folder • A user with appropriate permission can take ownership of someone else’s file/folder

  37. Determining Effective Permissions • Permissions that actually apply to a user can be the result of membership in multiple groups • Prior to Windows Server 2003, determining effective permissions was done manually • In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource • Shows specific permissions for a user or group

  38. NTFS Permissions • No Access is stronger than all permissions. User permissionsW =RW FolderC:\Thomas Group permissionsR =None User permissionsNo Access FolderC:\Thomas User permissionsRW

  39. Determining Effective Permissions (continued)

  40. Combining Shared Folder and NTFS Permissions • NTFS permissions can be combined with share permissions • When accessing a share across a network, if both apply, use most restrictive • When accessing a file locally, only NTFS permissions apply

  41. Assigning NTFS Permissions • NTFS Full Control permission • When user creates to becomes the owner • Multiple NTFS permissions • File permissions supercede folder permissions • May access a file even if no folder permissions • Permission inheritance • Folder permissions are inherited by files and sub-folders • Inheritance can be prevented • Permissions can be set directly • Most recent parent wins

  42. Copying Files and Folders

  43. Moving Files or Folders Between NTFS Volumes

  44. Converting a FAT Partition to NTFS • For highest security, partitions and volumes should be configured to use NTFS • Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS • All existing files and folders are retained • CONVERT cannot convert NTFS to FAT or FAT32

  45. Glad that’s over!!!!

More Related