Managing Access to Resources
In this section, you will learn how to:
- Manage access to files and folders
- Create and manage shared folders
- Determine effective permissions on a resource
- Manage access to shared files using offline caching
Introduction to Managing Access
Microsoft Windows Server 2003 has a detailed rights model, so you can grant access to specific resources to specific users and groups. NTFS, the default Windows Server 2003 file system, supports permissions on individual files and folders. FAT32 has no file-level security at all, so on a FAT32 volume the only control you have is the share permission. Share permissions can be set on folders of either file system.
Understanding NTFS Permissions
When you grant a user or group permission to a folder (or a file or drive), there are six basic permissions:
Full Control – Everything below, plus changing permissions and taking ownership of the resource.
Modify – Create, edit, and delete files and subfolders (includes Read & Execute and Write).
Read & Execute – Read files and run programs; cannot modify or delete unless another entry allows it.
List Folder Contents – See the names of files and subfolders in a folder and traverse into them (folders only).
Read – Read file contents, attributes, and permissions, but not write.
Write – Create files and subfolders and write to existing files, but not read, execute, or delete unless another entry allows it.
You will also see a seventh row in most security dialog boxes, Special Permissions. It is shown when an entry holds a combination of rights that does not map onto the six basic permissions; if you need more granular control, you can allow or deny the individual rights in the Advanced dialog box.
Each permission can be Allowed, Denied, or left unchecked. Allow grants the right, Deny withholds it, and an unchecked box grants nothing; since access must be granted explicitly, a user whose account and groups hold no Allow entry is denied. For example, you could give the entire accounting team access to a shared folder by allowing the group, and if one member of that team must not get in, add that user with Deny. The whole team has access except the user named. Deny entries are evaluated before Allow entries, which is why the Deny on the user outranks the Allow he gets through the group. The one exception is that entries set directly on an object are evaluated before entries inherited from its parent, so an explicit Allow on a subfolder overrides a Deny inherited from above; keep this in mind when you rely on Deny at the top of a tree.
Because the permissions are split into these categories, you can set up some unusual arrangements. If the payroll department wants a folder that the other departments submit timesheets to, without letting them see each other's timesheets, give those groups Write on the folder only (nothing else, and applied to this folder only). The departments can create files in it but cannot list, read, or delete them, and because the Write entry does not propagate to the files, a submitter cannot overwrite a timesheet once it is in the folder. Users with only Write cannot browse into the folder in Explorer either, so they have to type the path; if you add List Folder Contents they can browse it, but then they also see the names of the other files. Note that the creator of a file becomes its owner, and an owner can always change the permissions on the file, so this arrangement guards against accidents rather than a determined user.
For users and departments we typically grant Modify (which includes everything below it) on their personal or group folders. This lets them create, edit, read, and delete files and folders, but not change the permissions on them. Be aware, though, that in a department or group folder any member with Modify can delete other members' files.
Managing Access to Files and Folders
You set permissions on files and folders by allowing or denying users and groups the permissions described above. To set permissions on a folder:
- Right-click on the folder and select Properties.
- Click on the Security tab.
- You will see a list of the users and groups that currently have access to this folder. By default the folder inherits its entries from its parent folder; inheritance is covered under Permission Inheritance below.
- Click Add to add a user or group.
- Type in the name of the user or group you want to add. If you do not know the name, you can use the search functionality to find the user. Once you have found the user or group, click OK.
- The group or user is added with the default permissions: Read & Execute, List Folder Contents, and Read. Change these to reflect the requirements for this folder.
- In this example, we allowed the group Modify. Click OK to save the permissions.
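The same procedure from a script, as an added example that is not code from the original page. It covers the Modify grant from the steps above, the single-user Deny from the Allow/Deny discussion, and the write-only timesheet drop folder. It assumes Windows PowerShell 2.0 on the file server (available for Windows Server 2003) and an account allowed to change these folders' permissions; the D:\Shares paths and the CORP\... accounts are constructed placeholders.

```powershell
# Added example, not from the original page. Assumes PowerShell 2.0 on the file server and an
# account that may change the ACLs. The D:\Shares paths and CORP\... accounts are placeholders.

$inheritBoth    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None

function Add-NtfsEntry {
    # Adds one Allow or Deny entry to a folder's ACL, the way Add + a checked box does on the Security tab.
    param(
        [string] $Path,
        [string] $Identity,   # 'DOMAIN\User' or 'DOMAIN\Group'
        [string] $Rights,     # a FileSystemRights name: Modify, ReadAndExecute, Write, FullControl, ...
        [string] $Type,       # Allow or Deny
        [System.Security.AccessControl.InheritanceFlags] $Inherit = $inheritBoth
    )
    $acl = Get-Acl -Path $Path
    # identity, rights, inheritance, propagation, type: the FileSystemAccessRule constructor arguments
    $ruleArgs = $Identity, [System.Security.AccessControl.FileSystemRights]$Rights, $Inherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]$Type
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# The case from the steps above: the Accounting group gets Modify on its group folder,
# inherited by everything created underneath.
Add-NtfsEntry -Path 'D:\Shares\Accounting' -Identity 'CORP\Accounting' -Rights Modify -Type Allow

# One member of the team must not get in. The explicit Deny is evaluated before the Allow
# that jdoe receives through the group, so the Deny wins.
Add-NtfsEntry -Path 'D:\Shares\Accounting' -Identity 'CORP\jdoe' -Rights Modify -Type Deny

# Timesheet drop box: Write only, applied to this folder only. Submitters can create files but
# cannot list, read, or delete them, and because the entry does not propagate to the files they
# create, they cannot overwrite a timesheet once it is in the folder. (The creator still owns
# the file, and an owner can always edit its ACL, so this guards against accidents, not intent.)
Add-NtfsEntry -Path 'D:\Shares\Payroll\Timesheets' -Identity 'CORP\Domain Users' -Rights Write -Type Allow -Inherit $thisFolderOnly
Add-NtfsEntry -Path 'D:\Shares\Payroll\Timesheets' -Identity 'CORP\Payroll' -Rights Modify -Type Allow

# Check the result the way the Security tab shows it: one row per entry, with its inheritance.
(Get-Acl -Path 'D:\Shares\Payroll\Timesheets').Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated PowerShell on the server. The rights names accepted by -Rights are the members of the FileSystemRights enumeration; the six basic permissions of the Security tab correspond to FullControl, Modify, ReadAndExecute, ListDirectory, Read, and Write.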
Permission Inheritance
NTFS permissions are built on inheriting the permissions of the parent. By default, the entries on folders and files several levels deep in a tree are inherited from their parent folders, all the way up to the root of the volume.
For example, in this folder diagram:
All of the folders are inheriting permissions from their parents: view the security of the Orlando folder and then of the IT folder beneath it, and the entries match. You can change this so that a folder stops inheriting from its parent and carries entries of its own.
Changing Inheritance on a Folder
- Right-click the folder you want to change and choose Properties.
- Click on the Security tab.
- Click on the Advanced button.
- Uncheck Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
- You are now given the option to Copy or Remove the current permissions. Copy keeps the same entries as before, now as entries of this folder, so you can adjust them; Remove starts you with a blank list to which you add users or groups as you wish. In this example, we choose Copy.
- Click OK.
- You can now change permissions, or add/remove users and groups.
- If you also want to reset the permissions on the files and folders underneath the folder you just changed, click Advanced again.
- Check the Replace permission entries on all child objects with entries shown here that apply to child objects.
- Click OK.
- Click Yes to continue.
- Click OK to close the Properties window.
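The inheritance procedure above as a script, added here as an example and not taken from the original page. It assumes Windows PowerShell 2.0 on the file server and a constructed folder tree under D:\Shares; the CORP\Orlando Staff group is a placeholder for whatever entry the parent passes down.

```powershell
# Added example, not from the original page. Assumes PowerShell 2.0 and an account that may
# change the ACLs; the folder tree and the CORP\Orlando Staff group are constructed placeholders.

$folder = 'D:\Shares\Orlando\IT'

# Unchecking "Allow inheritable permissions from the parent to propagate ...": the first argument
# protects the folder from inheritance. The second is the Copy/Remove choice: $true copies the
# inherited entries as explicit ones (Copy), $false drops them and leaves a blank list (Remove).
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# The copied entries are now explicit (IsInherited = False) and can be edited like any other.
# Here the entry the Orlando folder passes down to all its subfolders is removed from IT only.
$acl = Get-Acl -Path $folder
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CORP\Orlando Staff' })) {
    $acl.RemoveAccessRuleSpecific($ace)
}
Set-Acl -Path $folder -AclObject $acl

# "Replace permission entries on all child objects": every file and folder below $folder goes
# back to inheriting, and any entry that had been set directly on it is dropped, so the subtree
# carries exactly what $folder propagates and nothing else.
foreach ($child in (Get-ChildItem -Path $folder -Recurse)) {
    $childAcl = Get-Acl -Path $child.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        $childAcl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path $child.FullName -AclObject $childAcl
}

# Confirm: the entries on $folder are explicit, the ones on its children are inherited again.
(Get-Acl -Path $folder).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-ChildItem -Path $folder -Recurse | Get-Acl).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Choosing Remove (SetAccessRuleProtection($true, $false)) on a folder and then saving leaves nothing but the owner's implicit rights on it, so add at least an Administrators entry before you save, or you will lock everyone else out of the folder.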
Managing Access to Shared Folders
Access to shared folders is set on the server on the Sharing tab in Windows Explorer. Individual files cannot be shared; only folders and drives can be. Share permissions apply only to access over the network; someone logged on at the server itself is governed by NTFS alone. When a user comes in through the share, the share permission is combined with the user's effective NTFS permission and the more restrictive of the two wins. If you grant a user access on the Sharing tab but deny that user in NTFS, the user cannot get into the folder through the share.
Setting Up a Shared Folder
We set up a file structure that lets users reach a group folder through a share on the server, with five department folders:
We are going to set up a share on each folder.
- Right-click on the folder and select Sharing and Security.
- Click Share this folder.
- A default name will populate the Share name field. You can change this if you want.
- Click Permissions to set the share permissions.
- Add the users or groups that should have permissions on this share and choose their level (Read, Change, or Full Control). Click OK.
- Click OK to create the share.
- The folder now carries a “hand” icon to signify that it is shared.
- Repeat this process for each folder you want to share.
In the directions above, you set the share permissions on each folder. The preferred way to secure network folders, from both a security and an administration standpoint, is the reverse: give the share a broad entry such as Full Control (or Change) for Authenticated Users, and put the real restrictions in the NTFS permissions on each folder. NTFS permissions apply whether the folder is reached over the network or locally on the server, can be set on individual files, and are what the Effective Permissions tab evaluates. Note that the default share permission on Windows Server 2003 is Everyone: Read, so leaving the share permissions at their default caps every user at Read through the share no matter what NTFS grants.
Conversely, if a folder has restrictive NTFS permissions, granting access in the share permissions alone will not let users reach the resource; both must allow it.
Determining Effective Permissions
Effective Permissions are the permissions a user actually has on a file or folder once every entry that applies to that user, including entries granted to the groups the user belongs to, has been taken into account. Effective Permissions is a tab of the Advanced Security Settings dialog. It evaluates NTFS entries only; it does not factor in share permissions, so for access over the network you combine its result with the share permission yourself. To view effective permissions:
- Right-click the folder or file you want to check and select Properties (for a folder, Sharing and Security opens the same dialog).
- Click on the Security tab.
- Click on the Advanced button.
- Click on the Effective Permissions tab.
- Click the Select button to select a user or group you want to view the effective permissions for.
- Enter the name or find the name. Click OK.
- The effective permissions for the selected user or group are displayed.
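To see what the Effective Permissions tab computes, and to add the share-permission step it leaves out, here is an added example (not code from the original page) that evaluates the NTFS entries of a folder for one user and the groups in that user's token, then applies the share permission from the Managing Access to Shared Folders section on top. It assumes Windows PowerShell 2.0; the D:\Shares\Accounting path is a placeholder, and the caller supplies the group list (Get-TokenPrincipals does so for the current logon).

```powershell
# Added example, not from the original page. Assumes PowerShell 2.0. Models the Effective
# Permissions tab for the NTFS side, then intersects with the share permission, which the tab
# itself does not do. The D:\Shares\Accounting path is a constructed placeholder.

function Get-TokenPrincipals {
    # Account name of the current user plus every group in its token, as DOMAIN\Name strings,
    # i.e. the set of identities an ACL entry can match for this logon.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # logon-session SIDs and other unresolvable SIDs are skipped
    }
    return $names
}

function Get-EffectiveRights {
    param(
        [string]   $Path,
        [string[]] $Principals,           # the user plus the groups it belongs to
        [string]   $ShareRight = 'FULL'   # READ, CHANGE or FULL if reached through a share; FULL means no share in the path
    )
    # Entries that name one of the principals and apply to this object itself. Inherit-only
    # entries exist on a folder purely to be passed to children and do not grant anything here.
    $aces = @((Get-Acl -Path $Path).Access | Where-Object {
        ($Principals -contains $_.IdentityReference.Value) -and
        (([int]$_.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0)
    })
    # Canonical evaluation order: entries set on the object before inherited ones, Deny before
    # Allow at each level. The first entry that mentions a right decides it, so a Deny beats an
    # Allow at the same level, but an explicit Allow beats a Deny inherited from a parent.
    $ordered = @($aces | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Deny'  }) +
               @($aces | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }) +
               @($aces | Where-Object {      $_.IsInherited -and $_.AccessControlType -eq 'Deny'  }) +
               @($aces | Where-Object {      $_.IsInherited -and $_.AccessControlType -eq 'Allow' })
    $granted = 0
    $denied  = 0
    foreach ($ace in $ordered) {
        $undecided = [int]$ace.FileSystemRights -band (-bnot ($granted -bor $denied))
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $undecided }
        else                                    { $denied  = $denied  -bor $undecided }
    }
    # Share permissions map onto NTFS rights: Read = Read & Execute, Change = Modify, Full = Full Control.
    $shareMask = switch ($ShareRight.ToUpper()) {
        'READ'   { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'CHANGE' { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        default  { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    # The more restrictive side wins: a right is effective only if both NTFS and the share allow it.
    return [System.Security.AccessControl.FileSystemRights]($granted -band $shareMask)
}

# Usage (constructed path): the current logon's rights as if local, then through a Read-only share.
Get-EffectiveRights -Path 'D:\Shares\Accounting' -Principals (Get-TokenPrincipals)
Get-EffectiveRights -Path 'D:\Shares\Accounting' -Principals (Get-TokenPrincipals) -ShareRight 'READ'
```

Like the Effective Permissions tab, this ignores the implicit rights of the object's owner and any privileges (such as Backup files and directories) held by the account; it answers what the ACL and the share grant, nothing more.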
Managing Access to Shared Files Using Offline Caching
Offline caching (Offline Files) lets users keep local copies of files from a shared folder and work on them while disconnected from the network. You can set, per share, whether and how this is allowed; for shares that hold sensitive data you may want to turn it off so that copies do not end up on laptops.
- Right-click on the shared folder you want to change and click Sharing and Security.
- Click the Offline Settings button.
- Click the option you want to change:
Only the files and programs that users specify will be available offline. – The default; users decide what to cache by marking files or folders Make Available Offline.
All files and programs that users open from the share will be automatically available offline. – Every file a user opens from the share is cached automatically.
Files or programs from the share will not be available offline. – Disables offline caching for this share.
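Creating the department shares from the Setting Up a Shared Folder section and setting their offline caching from this section can be done in one pass with net.exe, as in this added example (not from the original page). It assumes the /GRANT and /CACHE switches behave as Windows Server 2003's built-in net share help describes them; the share names and D:\Shares paths are constructed, and the NTFS entries on each folder are assumed to be set separately, as recommended above.

```powershell
# Added example, not from the original page. Uses net.exe as shipped with Windows Server 2003;
# /GRANT and /CACHE are assumed to work as that version's "net help share" describes. Share
# names and paths are placeholders; NTFS permissions on the folders are set separately.

$departments = @{
    'Accounting' = 'D:\Shares\Accounting'
    'HR'         = 'D:\Shares\HR'
    'IT'         = 'D:\Shares\IT'
    'Marketing'  = 'D:\Shares\Marketing'
    'Sales'      = 'D:\Shares\Sales'
}

foreach ($name in $departments.Keys) {
    # Share permission: Authenticated Users = Full Control, so the NTFS entries on the folder are
    # the only thing that decides who may do what. Leaving the Server 2003 default (Everyone: Read)
    # in place would cap every user at Read through the share no matter what NTFS grants.
    # /CACHE:Manual is the default offline setting, "only the files and programs that users specify".
    net share "$name=$($departments[$name])" "/GRANT:Authenticated Users,FULL" /CACHE:Manual
}

# The timesheet drop box must never be taken offline: /CACHE:None is
# "files or programs from the share will not be available offline".
net share "Timesheets=D:\Shares\Payroll\Timesheets" "/GRANT:Authenticated Users,FULL" /CACHE:None

# Change the caching policy of an existing share without re-creating it, here to
# "all files and programs that users open from the share will be automatically available offline".
net share Accounting /CACHE:Documents

# Show one share's settings (path, permissions, caching) and list everything shared on this server.
net share Accounting
net share
```

The hand icon and the Sharing tab reflect these shares immediately; to remove one, net share Accounting /DELETE stops sharing the folder without touching its NTFS permissions.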
In this section, you learned how to:
- Manage access to files and folders
- Create and manage shared folders
- Determine effective permissions on a resource
- Manage access to shared files using offline caching
Practice Exercises
1. Create a shared folder.
2. Grant permissions to the shared folder for a certain user group.
3. Grant “Modify” NTFS permissions on the folder to a certain group.
4. Create a user folder. Give the user account Modify NTFS Permissions on the folder.