The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing. Click to purchase,
check out the complete book excerpt series or go straight to the practice exam if you think you're ready to be tested.
Designing a permission structure for files and folders
Although your users might all share the same physical volumes to store their data, they still have the expectation that the files and folders are secure. You provide this security using the file systems built in to Windows Server 2003. You can control two types of permissions -- shares and NTFS. You need to be familiar with both types, and you need to understand how to combine the two types for expected effective permissions.
As mentioned previously, a user can obtain permissions for an object based on groups of which he is a member. Windows Server 2003 includes a new tool to assist you in determining effective permissions when a user has NTFS permissions from multiple sources. You need to be familiar with the following in regard to permissions structure for files and folders:
- Share permissions for files and folders
- NTFS permissions for folders
- NTFS permissions for files
- Effective permissions
Share permissions for files and folders
Share permissions allow a user to gain access to a resource through the network. If a file or folder is not shared, the only access to that file or folder would be from the local computer where the file exists. The following are levels of share permissions:
NTFS permissions for folders
The following are NTFS permissions for folders:
NTFS permissions for files
The following are NTFS permissions for files:
ALERT: In addition to the standard NTFS permissions for files and folders, you can also select Special Permission in the Advanced security properties of the file or folder. Special permissions allow you to tailor the specific actions that a user is allowed to perform on a file or folder.
If a file or folder exists on an NTFS volume and is also shared through the network, the share permissions might be different than the NTFS permissions for the file or folder. In addition, if a user has permissions to the file from membership in multiple groups, the permissions might differ by group. The effective permissions are, therefore, a combination of all of the separate permissions. You need to remember this three-step method of determining the effective permissions for a resource:
1. Combine all of the share permissions.
2. Combine all of the NTFS permissions.
3. The effective permissions are the combination that is the most restrictive.
NOTE: A combination that includes NTFS Deny permissions always overrides and results in permissions being denied. A combination that includes share Deny permissions results in permissions being denied unless the user is logging on locally to the resource, in which case the share permissions would not apply.
Windows Server 2003 contains a new tool called the Effective Permissions tool. This tool automatically combines the NTFS permissions for a resource. You only need to select the resource and then select the user on which you want to determine the effective permissions. This tool only combines the NTFS permissions and does not take share permissions into account. It is only accurate if the combined share permissions are of the same restriction or less restrictive than the share permissions. Figure 6.5 illustrates the Effective Permissions tool.
Figure 6.5: You can use the Effective Permissions tool to determine the effective NTFS permissions.
Click for the next excerpt in this series: Designing security for a backup and recovery strategy
Click for the book excerpt series or purchase the book here.