
Configure Network Security (part 1) - Secure Files and Printer Shares with Access Control Lists (ACLs)

3/18/2011 9:51:49 PM
File and Printer Share Security

You learned about the settings found in Sharing and Discovery of the Network and Sharing Center. These settings affect how the local computer offers up resource access and discovery of those resources to other users on a local network. This section looks at these settings from a troubleshooting perspective.

If all the settings in Sharing and Discovery are set at the default level of the Public profile, all the settings are set to Off. When these settings are left off, network access to any share, including the default administrative shares, on this computer is prohibited. Previously set up shares are inaccessible if the Public profile or any network profile using the same settings is selected for the network connection. To allow access to configured shares, you must turn on file sharing. This allows access only via a direct network request using a Universal Naming Convention (UNC) path or a drive mapping.

To allow network browsing of the shares on a computer, you need to turn on Network Discovery. Alternatively, if Network Discovery is turned on but file sharing is turned off, a remote Windows Vista computer can see that computer but not access any of the file shares.

Public folder sharing and media sharing allow access to the Public folder and Media files, respectively. These settings were discussed earlier.

Printer sharing follows the same settings as discussed with file sharing.

If a computer is set to use the Domain network profile, the password-protected sharing option is removed. When available as an option, password-protected sharing allows the enforcement of user account and password-protected access to resources on the local computer.

Creating a share enables the file sharing option immediately. The password-protected sharing option needs to be manually adjusted and turned on.

Secure Files and Printer Shares with Access Control Lists (ACLs)

Securing access to file and printer shares is more involved than setting Sharing and Discovery options in the Network and Sharing Center. Network access to file shares also involves configuring Access Control Lists (ACLs) on the file share and NTFS file permissions on the folders and files within the share. Printer shares require print permissions to be configured on the printers.

When you are assigning permissions, a Windows Vista computer that is in a workgroup can utilize only the local user and group accounts. If a Windows Vista computer is a member of a domain, domain user and domain group accounts can also be selected. It is still considered best practice to use group accounts from either the local or domain account database when configuring access to a resource. This limits the number of assignments that are necessary when allowing access to a resource.

Public Folder Sharing

Public folder sharing is similar to the use of the Shared Documents folder in Windows XP. Turning Public folder sharing on in the Network and Sharing Center enables access to the Public folder found under the Users folder of the system root:

%SYSTEMROOT%\Users\Public

The default for any access to shared folders is password-protected access. To enable the same Simple File Sharing from Windows XP, you would have to disable password-protected file sharing in the Sharing and Discovery section of the Network and Sharing Center and assign the Guest account or the Everyone account access to the Public folder.

Note

In the Network and Sharing Center, selecting the Turn On Sharing So Anyone with Network Access Can Open, Change, and Create Files option under Public folder sharing automatically assigns the Everyone group the share permission Full Control. Conversely, selecting the Turn On Sharing So Anyone with Network Access Can Open Files option allows only the Read share permission to be assigned to the Everyone group.


Creating and Configuring Folder Shares

Share permissions with file shares have undergone relatively little modification since the early Windows NT days. Share permissions on folders still involve setting share permissions on a per-share basis. The share permissions affect only network access to the shared resource because local user access is unaffected by the share permissions. In addition, if the share resides on an NTFS partition, the NTFS permissions are also calculated on accessing the shared folder whether the access is from a local user or network user. This means that a network user has two sets of permissions that affect his access to the share. When you are combining NTFS and share permission settings, the most restrictive permission of the two will be the result.

Alert

When you are calculating the results of a user’s effective permissions when accessing a share on an NTFS partition, remember that the most restrictive permission of the two will be the result.


The share permissions found when administering shares on Windows Vista are listed with different terms according to the interface chosen to manage the share. If you manage a share through Windows Explorer by right-clicking the folder to share and selecting the Share option, the share permissions presented are as follows:

  • Reader— A user with this permission is able to read the files and list the folders within the share but not alter any of the share’s content or save additional files back to the share nor add folders to the directory under the share. This permission setting is analogous to the Read share permission.

  • Contributor— A user with this permission is able to perform anything a Reader is capable of doing in addition to saving files and modifying the content of the files within the share. The user is also able to add folders under the share and modify the folders found within the share. This permission setting is analogous to the Change share permission.

  • Co-owner— A user with this permission is given the same ability as the previous two share permission settings, as well as the ability to access and modify permission and attribute settings of a file or folder within the share as long as the share resides on an NTFS partition.

Figure 1 shows management of a share via the newer share permissions wizard accessed through the Windows Explorer application.

Figure 1. The File Sharing dialog box for administering share permissions.

To view the traditional share permissions Read, Change, and Full Control, you can manage the share by clicking the Advanced Sharing option found on the Sharing tab of the folder’s properties.

Another way to view the traditional share permissions is to use the updated MMC available for Computer Management and manage the shares from the Shared Folders node in the Computer Management console. Figure 2 shows this console and the shares that have been created, as well as the share dialog box used to modify the share permissions.

Figure 2. Using the Computer Management MMC to manage share permissions.


Folder shares created on Windows Vista allow up to 10 simultaneous connections. If there are more than 10 simultaneous connections needed when accessing the share, you should move the share to a Windows Server 2003 computer.

NTFS File Permissions

The exam highlights securing access to network resources. Although an NTFS permission is placed on a file or folder object on a local computer, the permission is applied whether the access to the resource is from the local computer or across the network.

NTFS permissions have not undergone any major changes in Windows Vista. Table 1 gives a brief definition of the NTFS permissions that can be assigned to a file or folder. These permissions were once referred to as the Standard NTFS permissions with the more advanced permission settings referred to as the Special permissions.

Table 1. NTFS File and Folder Permissions
| NTFS Permission Setting | Permission Defined |
|---|---|
| Full Control | The accumulation of all NTFS permissions as well as the ability to assign permissions and take ownership of a file or folder. |
| Modify | The ability to perform all the functions of Read, Write, and Execute, as well as delete any content within a folder and its subfolders. The user does not have the special permission assignments of taking ownership or assigning permissions. |
| Read & Execute | The ability to read a file, folder, and their attributes and perform execution on a file or folder. No writing or modification to the file or folder is allowed. |
| List Folder Contents | Essentially the same permission as Read & Execute, except this permission is not inherited on files. Folder execution is referred to as traversing or clicking a folder to view the contents in subfolders. |
| Read | Allows the same as Read & Execute, except no execution on a folder. To read subfolders, a user needs the List Folder Contents or Read & Execute permissions. |
| Write | Allows the permission to create content in a file or folder. To create content in an existing file or folder, the user must also be assigned one of the permissions: Read & Execute, List Folder Contents, or Read. |
| Special permissions | An assignment of permissions using the Advanced NTFS permissions that do not fall neatly into one of the Standard NTFS permission settings. |


For example, say you have a user named Joe, and he is a member of a group named Sales. His Sales group is assigned the Full Control permission to the share as well as Full Control NTFS permissions to all the files within the share. His user account is assigned Full Control to the share, but he is also assigned the Deny NTFS permission to all files and folders within the share. By combining the share permission assignments to his user and his group, as well as the NTFS permission assignments to his user and group, Joe has an effective permission level of Deny. Joe is unable to perform any function on any file or folder within the share. If you remove the Deny permission assignment to his user account for the NTFS files and folders, Joe then has an effective permission of Full Control to all files and folders within the share.

To provide additional help in viewing the results of all permission assignments, including the use of Deny permissions, you can use the Effective Permissions tab from the Advanced tab.
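The rules above (Allow entries accumulate across a user and the user's groups, Deny overrides Allow, and network access gets the more restrictive of the share and NTFS results) can be modeled in a few lines. This is an added example, not code from the original article; the Right flags are a simplified stand-in for real Windows access masks, ACE ordering and inheritance are ignored, and the ACLs are constructed sample data.

```python
from enum import Flag, auto

class Right(Flag):          # simplified rights, not real Windows access masks
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()
    TAKE_OWNERSHIP = auto()

NONE = Right(0)
R = Right
_CHANGE = R.READ | R.EXECUTE | R.WRITE | R.DELETE
_FULL = _CHANGE | R.CHANGE_PERMS | R.TAKE_OWNERSHIP
SHARE = {"Read": R.READ | R.EXECUTE, "Change": _CHANGE, "Full Control": _FULL}
NTFS = {"Read": R.READ, "Read & Execute": R.READ | R.EXECUTE, "Write": R.WRITE,
        "Modify": _CHANGE, "Full Control": _FULL}

def layer_rights(aces, table, principals):
    """Rights one layer grants: union of Allow minus union of Deny.
    aces is a list of (principal, "Allow" or "Deny", permission name)."""
    allowed = denied = NONE
    for who, kind, perm in aces:
        if who not in principals:
            continue                      # ACE does not apply to this user
        if kind == "Deny":
            denied |= table[perm]
        else:
            allowed |= table[perm]
    return allowed & ~denied              # Deny always wins over Allow

def effective(principals, share_aces, ntfs_aces, over_network=True):
    """NTFS always applies; share permissions apply only to network access."""
    ntfs = layer_rights(ntfs_aces, NTFS, principals)
    if not over_network:
        return ntfs
    return ntfs & layer_rights(share_aces, SHARE, principals)  # most restrictive

# Constructed sample ACLs for the Joe / Sales scenario described above.
JOE = {"Joe", "Sales"}
share_acl = [("Sales", "Allow", "Full Control"), ("Joe", "Allow", "Full Control")]
ntfs_acl = [("Sales", "Allow", "Full Control"), ("Joe", "Deny", "Full Control")]

# Constructed second case: Read on the share, Modify on the NTFS folder.
ANN = {"Ann", "Users", "Everyone"}
pub_share = [("Everyone", "Allow", "Read")]
pub_ntfs = [("Users", "Allow", "Modify")]

if __name__ == "__main__":
    print("Joe with Deny:   ", effective(JOE, share_acl, ntfs_acl))
    print("Joe, Deny removed:", effective(JOE, share_acl, ntfs_acl[:1]))
    print("Ann over network:", effective(ANN, pub_share, pub_ntfs))
    print("Ann locally:     ", effective(ANN, pub_share, pub_ntfs, over_network=False))
```

The second case shows why a generous NTFS ACL behind a Read-only share still yields read-only access over the network, while the same user logged on locally gets Modify.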


Microsoft has these permissions well documented in the Windows Server 2003 TechCenter Library. Use the following link to research the previous NTFS permissions:

http://technet2.microsoft.com/WindowsServer/en/library/e8854fff-2f01-454a-9d94-6557b4f45a4f1033.mspx

Printer Permissions

Assigning Printer permissions is similar to assigning Share permissions. You assign permissions to users and groups depending on the extent of access needed to print documents, manage other documents in the printer, or manage properties of the printer. The following Printer permissions are available for assignment:

  • Print— This permission allows a user to print, cancel, pause, or restart his own documents sent to the printer.

  • Manage documents— A user with this permission is permitted to manage all the documents sent to the printer.

  • Manage printers— This permission enables a user to manage the properties of the printer, including sharing, deleting, and renaming the printer, as well as configuring preferences and permission assignments for the printer.
