
Hands-On Microsoft Windows Server 2003

Chapter 5
Configuring, Managing, and Troubleshooting Resource Access

Objectives
• Manage object security for files and
folders
• Configure shared folders and share
permissions
• Publish a shared folder in Active Directory
• Configure Web sharing

• Troubleshoot a security conflict
• Implement the Distributed File System
• Configure disk quotas

Managing Object and Object
Security
• Each object has an access control list
(ACL) for shared resource management
• Access is controlled through common
security techniques:
– Attributes
– Permissions
– Auditing
– Ownership

Attributes
• Attributes are a carryover from earlier
DOS-based systems
• Used to convert files and directories from
NetWare
• Used by DOS and NetWare for security and file management
• Stored as header information

FAT File System and Attributes
• FAT has three attributes for files and folders:
– Read-only
  • Files in a read-only folder cannot automatically be read
  • Instead, use the read-only permission to allow the files to inherit the folder’s permission
– Hidden
  • Can be defeated in post-Windows 95 systems
– Archive
  • Files are automatically flagged to be backed up when new or modified

NT File System and Attributes
• Allows the FAT attributes of:
– Read-only and hidden on the General tab
– Archive on the Extended tab
• Extended tab also contains:
– Index
– Compress
– Encrypt
• Extended attributes have the option to be
applied to:
– A folder and its files
– A folder, its files, and all subfolders and files
NT File System (cont.)
• Index
– Allows for quick searches
– Indexing Service must be installed and set to
start automatically
• Compress
– Saves space on infrequently used files or
limited disk space
– Takes longer to search compressed files
– Compressed files cannot be encrypted

NT File System (cont.)
• Encrypt
– Can only be read by the user who encrypted the file or folder
– Uses the Microsoft Encrypting File System (EFS)
  • Sets up a unique, private encryption key
– An encrypted file remains encrypted when moved to another folder, even if renamed
– Can also encrypt and decrypt at the command prompt with the cipher command
Folder and File Permissions
• Permissions control access to an object
• Use the folder properties Security tab
• Check the Allow and Deny boxes to set access
permissions for groups and users
– If none of the Allow and Deny boxes are checked, all
access is denied
– Deny overrides any other access
• Inherited permissions
– The permissions of the parent object apply to the child objects
– Set by default but can be deactivated
Guidelines for permissions
• Protect the \Windows folder from general
users
– Traverse Folder / Execute File
• Protect server utility folders
– Access permissions only for Administrators,
Server Operators, and Backup Operators
• Protect software application folders from
users, but allow execution
– Read & Execute, Write

Guidelines for permissions
(cont.)
• Create publicly used folders for broad access
except for administrative tasks
– Modify
• Provide users Full Control of their own home
folders
• Remove general access groups from
confidential folders
– Everyone and Users
• Always err on the side of too much security

Configuring Folder and File
Auditing
• Track activity on a folder or file through auditing
• Windows Server NTFS folders and files allow
auditing of any or all of the special permissions
• Each type of access can be tracked according to
successful or failed attempts
• Set up an auditing policy to fully configure
auditing for an object
– Use the Domain Security Policy tool

Configuring Folder and File
Ownership
• Folders are first owned by the account that
creates them
• Folder owners may change permissions
for their folders
• Ownership can be transferred only by
having the Take Ownership or Full Control
permission
• Administrators group can take control of
any group, regardless of permissions
Configuring Shared Folders
• Shared folders can be accessed over the
network
• Specify number of users or allow the maximum
– Maximum is the number of Server 2003 client access
licenses
• Share Permissions
– Full Control: Full access control of share permissions
– Change: Read, add, modify, execute, and delete
– Read: Read and execute
• Option to hide shared folders from browser lists
– Place a $ sign just after its name
Offline Settings
• Caches a folder on the client’s drive so that it
can be accessed without a network connection
• Cache options
– Only files and programs that users specify
– All files and programs that users open from the share
– No caching
• Any modified files will be synchronized with the
network versions upon resumed connection
– If two or more users synchronize at the same time,
they can save one or both files
Publishing a Shared Folder in
Active Directory
• Makes object available for users to access
quickly through Active Directory
• Allows object information to be replicated on
DCs
• Enables faster client searches
– Use Active Directory for Windows 2000 and XP
– Install Directory Service Client for pre-Windows 2000
• Can be published to be shared for:
– Domainwide access
– OU management and access settings

Configuring Web Sharing
• Installing Internet Information Services (IIS) enables the
Web Sharing properties tab

Troubleshooting a Security
Conflict
• Look at the Effective Permissions tab
– Calculates account group membership and
permission inheritance
• Take file and folder locations into account
– A new file inherits its folder permissions
– A file copied to a folder on the same volume inherits the new folder’s permissions
– A file moved to a folder on the same volume keeps its original permissions
– A file moved to another volume inherits the new folder’s permissions
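
Added example (not part of the original slides): a small Python model of the rules stated on the Folder and File Permissions slide and on this troubleshooting slide, useful for reasoning about a security conflict before opening the Effective Permissions tab. It follows the slides' simplified rules rather than the full Windows evaluation order; the group, user and permission names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One ACL entry: a user or group with its checked Allow and Deny boxes."""
    trustee: str
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

def effective(acl, user, groups):
    """Permissions the user ends up with under the slides' rules.

    Allows from the user and every group the user belongs to are combined,
    then anything denied to the user or any of those groups is removed
    (Deny overrides any other access). No matching Allow means no access.
    """
    who = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in who:
            allowed |= ace.allow
            denied |= ace.deny
    return allowed - denied

def acl_after(op, src_acl, dest_folder_acl, same_volume):
    """ACL a file carries after a 'copy' or 'move', per the four cases above."""
    if op == "move" and same_volume:
        return src_acl           # the only case that keeps the original permissions
    return dest_folder_acl       # copy, or move to another volume: inherit

# Constructed sample ACLs (hypothetical folders and groups).
PAYROLL = [Ace("Payroll", allow=frozenset({"Read", "Write"})),
           Ace("Interns", deny=frozenset({"Write"}))]
PUBLIC = [Ace("Users", allow=frozenset({"Read", "Write", "Modify"}))]

def conflict_after_move(user, groups):
    """Typical conflict: a file moved from the payroll folder into the public
    folder on the same volume still carries the payroll ACL."""
    moved = acl_after("move", PAYROLL, PUBLIC, same_volume=True)
    return effective(moved, user, groups)

if __name__ == "__main__":
    print(effective(PAYROLL, "alice", ["Payroll", "Interns"]))
    print(conflict_after_move("carol", ["Users"]))
```

In this model a member of Users cannot open the moved file even though the public folder grants Modify, which is the kind of mismatch the location rules explain.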

Distributed File System
• Shared folders on a network appear in one
hierarchy of folders
– Simplifies user access
• Fault tolerance is an option by replicating shared
folders
– Uses the Microsoft File Replication Service
• Load balancing can be performed by distributing
folder access across several servers
• Access is improved to Internet and Intranet sites
• Backups from one set of master folders

DFS Models
• Standalone
– No Active Directory implementation
– DFS folders are not linked to other computers
• Domain-based
– Available only to members of a domain
– Takes full advantage of Active Directory
– Has a multilevel hierarchical structure
– Can implement fault tolerance and load balancing
– Domains with NT Servers can fully implement DFS
with Service Pack 3 or above
DFS Topology
• The DFS root
– Main container in Active Directory that holds links to
shared folders
– Folders from all domain computers appear as if they
reside in one main folder
• DFS links
– Designated access path between the DFS root and
shared folders
• Replica sets (targets)
– Set of shared folders that is replicated to one or more
servers in a domain

Configuring the Standalone
DFS Model

Configuring the Domain-based
DFS Model

Managing a Domain-based DFS
Root System
• Publishing a DFS root
– Provides easier management and user access
• Deleting a DFS Root
– Delete a root to change configuration
• Adding and Removing a DFS Link
– Link to the shared folder on the same computer or to
another computer that is a domain member
– The first link automatically becomes the master folder
– Security of the shared folder is retained
– DFS cache timeout can be set
• The default is 1800 sec

Managing a Domain-based DFS
Root System (cont.)
• Checking the status of a root or link for
troubleshooting connectivity
– Find servers that are disconnected by checking the
status under a root target
• Adding DFS root and link replicas
– Replica servers provide fault tolerance
– Load balancing
– Computer with a replica of DFS root and links cannot
have any other roots
– Specify server name, replica path, and
synchronization schedule

Managing a Domain-based DFS
Root System (cont.)
• Set up synchronization of replicas using
the File Replication Service
– Automatic synchronization fully replicates all
links
• Default interval is 15 minutes
– Manual synchronization replicates only
designated links
• Used for load balancing

Configuring Disk Quotas
• NTFS offers the ability to establish disk quotas
• Prevents users from filling the disk capacity
• Encourages users to help manage disk space
through warnings about quota limits
• Tracks disk capacity needs on a per user basis
for future planning
• Provides server administrator with information
about when users are nearing or have reached
their quota limits

Disk Quotas Options
• Set on any local or shared volume
• Enable the disk quota feature to track, but not set, user quotas
• Set default quotas on all users, particularly
home folders
• Establish on a per user basis in order to
make special exceptions

Summary
• Windows Server 2003 objects are managed
through tools that include folder and file
attributes, permissions, auditing, and ownership
• Attributes enable you to manage folder and file
properties such as read-only, archiving,
compression, and encryption
• Permissions are set to control who has access
to a folder or file
• Auditing is used to monitor who has been given
access to a folder or file

• Ownership is used to grant full control over a
folder or file
• Folders and files can be shared over a network
– Folder and file security can be managed through
share permissions
– A shared folder can be published in Active Directory
for better management
• Folders and files intended for access through the Web can be specially configured for Web sharing properties
• Use security troubleshooting techniques and
Windows Server 2003 troubleshooting tools to
diagnose a security conflict
• The Distributed File System (DFS) enables you
to set up shared folders
– Easier for users to access folders
– Can be replicated for backup and load distribution
• Use disk quotas to manage the resources that
are put on a server disk volume so you do not
prematurely or unexpectedly run out of disk
space