Module 5: Securing Network Resources with Shared Folder Permissions
Shared Folder Permissions
- Shared folders are used to give users access to network
applications, data and user home folders:
- Network application folders centralize
administration by designating one location for configuring and upgrading software.
- Data folders provide a central location for users to
store and access common files.
- User home folders provide a central location for
backing up users' data.
Note: Using shared folders is the only way to secure network resources on
a FAT volume.
The following describes the shared folder permissions:
- Full Control (default):
- Change file permissions
- Take ownership of files on NTFS volumes
- Perform all tasks permitted by the Change permission
- Change:
- Create folders and add files
- Change data in files
- Change file attributes
- Delete folders and files
- Perform all tasks permitted by the Read permission
- Read:
- Display folder and file names
- Display the data and the attributes of files
- Run program files
- Change to folders within a folder
- NOTE: Can't delete files here, only copy
- No Access:
- Establishes only a connection to the shared folder. Access
to the folder is denied and the contents don't appear.
How User and Group Permissions Are Applied
- Permissions are applied in the following ways:
- When a user is assigned permission to a shared folder and
that user is a member of a group to which a different permission is assigned, the user's
effective permissions are the combination of the user and the group permissions. ==> the MOST PERMISSIVE PERMISSION APPLIES
- The only exception to this rule is the No Access
permission. It always overrides any other permission assigned to a user or to any
group to which the user belongs. No Access Always Wins!
- Guidelines for sharing folders:
- Use intuitive share names so that users can easily
recognize and locate resources (Apps)
- Use share names and folder names that are readable by all
client operating systems.
| O/S | Share Name | Folder Name |
|---|---|---|
| Windows NT and 95 | 12 characters | 255 characters |
| MS-DOS | 8.3 characters | 8.3 characters |
- Organize disk resources so that folders with the same
security requirements are located within one folder hierarchy.
- Guidelines for Assigning Permissions:
- Determine which groups need access to each resource and
what level of access they require.
- Assign permissions to groups instead of users to simplify
administration.
- Add global groups to local groups and then assign
permissions to the local group.
- Assign permissions to only the groups that need access to
the resource.
- Assign to a resource the most restrictive permissions that
allow network users to perform required tasks.
- Remove the default Everyone - Full Control permission from
a new shared folder. Use Domain Users - Read instead.
- The Everyone group includes even Guests; Domain Users includes
only the accounts you created.
Note: When a folder is shared, the Everyone
group is automatically assigned Full Control permission.
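The combination rule and the Everyone guideline above, worked through as an added example (not part of the original notes). It models a share's permission list and resolves a user's effective permission, including a global group nested in a local group; all account, group and ACL entries are constructed for illustration.

```python
# Added example: model of the share-permission rules described above.
# Account names, group names and ACL entries are constructed samples.
LEVELS = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}

def expand_groups(account, membership):
    """Return every group the account belongs to, following nested
    membership (a global group placed inside a local group)."""
    seen, stack = {"Everyone"}, [account]   # every account is in Everyone
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def effective_permission(account, share_acl, membership):
    """Combine user and group entries: the most permissive wins,
    except that any No Access entry overrides everything."""
    principals = expand_groups(account, membership) | {account}
    granted = [perm for who, perm in share_acl.items() if who in principals]
    if not granted:
        return None                      # no entry matches: nothing is granted
    if "No Access" in granted:
        return "No Access"
    return max(granted, key=LEVELS.__getitem__)

def risky_entries(share_acl):
    """Flag the default entry the guidelines say to remove."""
    return [who for who, perm in share_acl.items()
            if who == "Everyone" and perm == "Full Control"]

# Constructed sample data.
MEMBERSHIP = {
    "alice": ["Domain Users", "Sales Global"],
    "bob": ["Domain Users", "Contractors"],
    "Guest": ["Domain Guests"],
    "Sales Global": ["Sales Local"],     # global group added to a local group
}
DEFAULT_ACL = {"Everyone": "Full Control"}   # what a newly shared folder gets
HARDENED_ACL = {"Domain Users": "Read", "Sales Local": "Change",
                "Contractors": "No Access", "Administrators": "Full Control"}

if __name__ == "__main__":
    for acl in (DEFAULT_ACL, HARDENED_ACL):
        print(risky_entries(acl),
              {u: effective_permission(u, acl, MEMBERSHIP)
               for u in ("alice", "bob", "Guest")})
```

With the default list, Guest resolves to Full Control through Everyone; with the hardened list, Guest matches no entry, alice gets Change through the nested group, and bob's No Access entry overrides his Read.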
- Guidelines for Network Application Folders:
When you share application folders, consider the
following points:
- Create a common shared folder and organize your
applications under it.
- Assign the Administrators group Full Control permissions to
the Apps folder.
- Remove Full Control from the Everyone group and assign Read
permission to the Users group. This provides more security because the Users group
includes only accounts you created, whereas the Everyone group includes anyone who has
access.
- Assign Change permissions to groups responsible for
upgrading and troubleshooting application software.
- Guidelines for Data Folders:
- Public Data; when you share a public folder,
consider the following points:
- Use centralized data folders so that data can be
consistently backed up.
- Create and share a Public folder on a volume separate
from the operating system and applications.
- Assign the Change permission to Users. This will provide
users with a central, publicly accessible location to store and share files with others.
- Working Data; when you share a data folder for
working files, consider the following points:
- Create and share a Data folder on a volume separate from
the operating system and applications.
- Share lower-level data folders to the appropriate groups
when you need to restrict access to those folders.
- Guidelines for Home Folders on a FAT
volume:
To create home folders for users on a FAT volume using
only shared folder permissions to restrict access, follow these guidelines:
- Create a central folder named \Users on a volume separate
from the operating system and applications.
- Create a folder in \Users for each user account, with the
same name as their user name.
- On a FAT volume, share each user's home folder and assign
only the respective user Full Control permission to his or her home folder. This is the
only way to protect users' folders on a FAT volume.
- To specify the user's home folder, when the user logs on,
in User Manager for Domains, type a UNC path in the Home Directory To box that includes
the server name and the %username% variable.
- To ensure privacy, do not share the top-level folder Users.
Note: On a FAT volume, you need
to create and share home folders before you
specify the home folder path in User Manager for Domains.
Requirements for Sharing a Folder:
Any folder on an NT computer can be shared.
The following table lists the group membership and operating system
required to share a folder.

| Group | Operating System |
|---|---|
| Administrators | Any computer running Windows NT |
| Server Operators | Only Windows NT Server Domain Controllers (PDC, BDC) |
| Power Users | Only Windows NT Server Member Servers and Windows NT Workstation |
Note: If the volume is NTFS, then the user must
have at least the List permission to share a folder.
- Sharing a folder:
- Three tabs: General, Tools and Sharing.
- The Sharing tab has the following options:
- Share Name; adding $ hides the shared folder from users
browsing the computer.
- Comment
- User Limit (NT WS max 10; NT Server no limit)
- Permissions - sets permissions on the folder that apply ONLY when it is accessed
over the network
- New Share (a folder can be shared multiple times
with different names and permissions, but this increases administration)
- Now apply permissions
- Use Sharing, Properties, Permissions tab
- Click Add, then Add Users or Groups and
assign permissions
- Accessing Shared Folders:
In Windows NT Explorer click Map Network Drive and
configure the following options:
- Drive:
- Assign a drive letter to the shared folder.
- Drive letters that are used by local devices do not appear
in the Drive list.
- Path: Enter a UNC path.
- Connect As: Connects to the shared folder using a
different user account
- Reconnect At Logon. This option requires a
"Domain\Username" format