Chapter 9: Managing Groups, Folders, Files, and Object Security

1
Chapter 9Managing Groups, Folders, Files, and
Object Security
2
Learning Objectives

• Set up groups, including local, domain local,
  global, and universal groups, and convert Windows
  NT groups to Windows 2000 groups
• Manage objects, such as folders, through user
  rights, attributes permissions, share
  permissions, auditing, and Web permissions

3
Learning Objectives (continued)

• Troubleshoot a security conflict
• Determine how creating, moving, and copying
  folders and files affect security

4
Managing Resources

• Three ways of managing resources and user
  accounts include
• By individual user
• By resource
• By group
• Managing resources by groups is one effective way
  to reduce time spent on management

5
Scope of Influence

• Scope of influence The reach of a type of group,
  such as access to resources in a single domain or
  access to all resources in all domains in a
  forest

6
Types of Security Groups

• Local Used on standalone servers that are not
  part of a domain
• Domain local Used in a single domain or to
  manage resources in a domain so that global and
  universal groups can access those resources

7
Types of Security Groups (continued)

• Global Used to manage accounts from the same
  domain and to access resources in the same and
  other domains
• Universal Used to provide access to resources in
  any domain within a forest

8
Local Security Group

• Use local groups on a standalone server (Active
  Directory not implemented), such as to manage
  multiple accounts in a small office

9
Domain Local Security Group

• Typically a domain local security group is on the
  ACLs of resources such as folders, shared
  folders, printers, and other resources. Global
  security groups in the same or in a different
  domain gain access to those resources by becoming
  members of the domain local group.
• Domain local groups can contain accounts, but
  usually that is not the best approach.

10
Membership Capabilities of a Domain Local Group
Table 9-1 Membership Capabilities of a Domain
Local Group
11
Implementing Global Groups

• Use global groups to contain accounts for
  accessing resources in the same and in other
  domains via domain local groups

12
Membership Capabilities of a Global Group
Table 9-2 Membership Capabilities of a Global
Group
13
Nesting Global Groups

• Global groups can be nested to reflect the
  structure of OUs

14
Nesting Example
Figure 9-1 Nested global groups
15
Planning Tip

• Plan nesting to take into account that you may
  want to later convert specific global groups,
  because a global group cannot be converted if it
  is a member of another global group
• Keep in mind that global groups can only be
  nested in native mode domains

16
Global Group Example
Figure 9-2 Managing security through domain local
and global groups
17
Implementing Universal Groups

• Use universal groups to provide access to
  forest-wide resources (to be included on the ACLs
  of resources such as servers, shared folders, and
  printers)
• Universal groups enable the scope of influence to
  span domains and trees

18
Membership Capabilities of a Universal Group
Table 9-3 Membership Capabilities of a Universal
Group
19
Guidelines for Using Groups

• Use global groups to hold accounts as members.
  Give accounts access by joining them to a global
  group and then placing that global group into a
  domain local or universal group or both.
• Use domain local groups to provide access to
  resources in a specific domain by adding them to
  the ACLs of those resources.

20
Guidelines for Using Groups (continued)

• Use universal groups to provide extensive access
  to resources, such as when the Active Directory
  contains trees and forests. Make universal groups
  members of ACLs for objects in any domain, tree,
  or forest. Manage user account access by placing
  accounts in global groups and joining those
  global groups to domain local or universal groups.

21
Example Universal Group Setup
Figure 9-3 Managing security through universal
and global groups
22
Creating a Group

• To create a group
• Click the container in which to create the group
• Click the Create a new group in current container
  icon
• Enter the name of the group
• Select the group scope
• Select the group type
• Click OK

23
Entering the Group Parameters
Figure 9-4 Creating a group
24
Group Properties Tabs

• General Used to enter a description, set the
  scope, and set the group type
• Members Used to add group members
• Member Of Used to join another group
• Managed By Establishes who will manage the group
• Object Provides information about the group as
  an object (on newer versions of Windows 2000)
• Security Enables you to set up security (on
  newer versions of Windows 2000)

25
Converting NT Groups to Windows 2000 Server Groups

• Existing NT local groups on a PDC are converted
  to domain local groups
• Existing NT global groups on a PDC are converted
  to global groups
• If still running in mixed mode, universal groups
  are not recognized
• If running in native mode, but there are still
  Windows NT servers, the NT servers treat Windows
  2000 universal groups as NT global groups

26
Windows 2000 Predefined Security Groups
1The group scope cannot be changed
Table 9-4 Windows 2000 Predefined Security Groups
27
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
28
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
29
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
30
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
31
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
32
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
33
Windows 2000 Predefined Security Groups
(continued)
1The group scope cannot be changed
34
Rights Security

• User rights Enable an account or group to
  perform predefined tasks, such as the right to
  access a server or to increase disk quotas

35
Rights Security
Table 9-5 Rights Security
36
Rights Security (continued)
37
Rights Security (continued)
38
Rights Security (continued)
39
Inherited Rights

• Inherited rights User rights that are assigned
  to a group and that automatically apply to all
  members of that group

40
Configuring Rights

• To configure rights in a domain
• Open the Active Directory Users and Computers
  tool
• Right-click a domain or OU, for example
• Click Properties, click the Group Policy tab,
  click the group policy, and click Edit
• Double-click (if necessary) Computer
  Configuration,Windows Settings, Security
  Settings, and Local Policies
• Double-click User Rights Assignment
• Double-click any policies to configure them

41
Configuring Rights (continued)
Figure 9-6 Configuring user rights as part of
group policy
42
File and Folder Attributes

• Attributes A characteristic associated with a
  folder or file used to help manage access and
  backups

43
FAT Attributes

• Read-only
• Hidden
• Archive

44
FAT Attributes (continued)
Figure 9-7 Attributes of a folder on a
FAT-formatted disk
45
NTFS Attributes

• Regular attributes
• Read-only
• Hidden
• Archive
• Extended attributes
• Index
• Compress
• Encrypt

46
NTFS Attributes (continued)
Figure 9-8 Attributes of a folder on an
NTFS-formatted disk
47
Troubleshooting Tip

• If you configure the Index attribute, but
  indexing it is not working check the following
• Make sure that the Indexing Service is installed
• Makes sure that the Indexing Service is started
  and set to start automatically

48
Troubleshooting Tip

• Files that are compressed cannot be encrypted

49
Encrypting File System

• The encrypt attribute uses Microsoft Encrypting
  File System (EFS) that sets a unique private
  encryption key that is associated with the user
  account that encrypted the file or folder. Only
  that account has access to the encrypted file or
  folder contents.

50
Troubleshooting Tip

• De-encrypt an encrypted file or folder before you
  move it to another location, or else the file or
  folder remains encrypted in the new location

51
Permissions

• Permissions Privileges to access and manipulate
  resource objects, such as folders and printers
  for example, privilege to read a file, or to
  create a new file

52
Auditing

• Auditing Tracking the success or failure of
  events associated with an object, such as writing
  to a file, and recording the audited events in an
  event log of a Windows 2000 server or workstation

53
Ownership

• Ownership Having the privilege to change
  permissions and to fully manipulate an object.
  The account that creates an object, such as a
  folder or printer, initially has ownership.

54
Design Tip

• If possible, set permissions on folders and not
  on individual files, so you can minimize the
  number of permission exceptions to remember
• One variance from this recommendation is large
  database files that may require individual
  security

55
Security Options
Figure 9-9 Configuring security options
56
Inherited Permissions

• Inherited permissions Permissions of a parent
  object that also apply to child objects of the
  parent, such as to subfolders within a folder

57
Configuring Permissions
Figure 9-10 Configuring permissions by groups
and users
58
Configuring Inherited Permissions
Figure 9-11 Configuring inherited permissions
59
NTFS Folder and File Permissions
Table 9-6 NTFS Folder and File Permissions
60
NTFS Folder and File Permissions (continued)
61
Special Permissions

• You can customize permissions to meet particular
  security needs by using special permissions

62
Configuring Special Permissions
Figure 9-12 Configuring special permissions
63
NTFS Folder and File Special Permissions
Table 9-7
64
NTFS Folder and File Special Permissions
(continued)
65
Example Guidelines for Setting Permissions

• Protect the Winnt folder by allowing limited
  access, such as Read Execute
• Protect server utility folders, such as folders
  containing backup software, with access for
  Administrators only
• Protect software application folders with access
  such as Read Execute (and Write if necessary
  for temporary or configuration files)

66
Example Guidelines for Setting Permissions
(continued)

• Set up publicly used folders with Modify for
  broad user access
• Give users Full Control of their own home folders
• Remove groups such as Everyone and Users from
  confidential folders

67
Planning Tip

• Err on the side of too much security at first,
  because it is easier to give users more
  permissions later than to take away permissions
  after users are used to having them

68
Configuring Auditing

• Start by configuring a group policy for auditing
• Configure auditing on an as needed basis for
  particular objects, such as a folder or file

69
Folder Auditing
Figure 9-13 Configuring folder auditing
70
Setting an Audit Policy
Figure 9-14 Configuring audit policy as part of
the default domain policy
71
Ownership

• Guidelines for ownership
• The account that creates an object is the initial
  owner
• Ownership is changed by first having permission
  to take ownership and then by taking ownership
• Full Control permissions are required to take
  ownership (or the special permission, Take
  Ownership)

72
Share Permissions

• Share permissions Limited permissions that apply
  to a particular shared object, such as a shared
  folder or printer

73
Configuring Share Permissions
Figure 9-15 Configuring a shared folder
74
Share Permissions for a Folder

• Read Permits groups or users to read and execute
  files
• Change Enables users to read, add, modify,
  execute, and delete files
• Full Control Permits full access to the folder,
  including the ability to take ownership control
  or change permissions

75
Offline Access to a Folder through Caching

• Use the Caching button in the folder Properties
  dialog box on the the Sharing tab to set up a
  folder for offline access via caching
• Caching a folder means that it can be accessed by
  a client even when the client computer is not
  connected to the network

76
Folder Caching Options

• Automatic Caching for Documents Documents are
  cached without using intervention all files in
  the folder that are opened by the client are
  cached automatically
• Manual Caching for Documents documents are
  cached only per the users request
• Automatic Caching of Programs document and
  program files are automatically cached when
  opened, but cannot be modified

77
Troubleshooting Tip

• If the Sharing tab is not displayed, make sure
  that the Server service is started

78
Web Sharing

• Use the Web Sharing tab in a folders properties
  to configure that folder for Web access

79
Configuring Web Sharing
Figure 9-16 Entering Web sharing permissions
80
Web Sharing Access Permissions
Table 9-8 Web Sharing Access Permissions
81
Web Sharing Application Permissions
Table 9-9 Web Sharing Application Permissions
82
Troubleshooting a Security Conflict

• Check the groups to which a user or group belongs
• Look for group permissions that conflict,
  particularly because the Deny box is checked for
  a permission

83
Moving and Copying Files and Folders

• A newly created file inherits the permissions
  already set up in a folder
• A file copied from one folder to another on the
  same volume inherits the permissions of the
  folder to which it is copied
• A folder that is moved from one folder to another
  on the same volume takes with it the permissions
  it had in the original folder

84
Moving and Copying Files and Folders (continued)

• A file or folder that is moved or copied to a
  folder on a different volume inherits the
  permissions of the folder to which it is moved or
  copied
• A file or folder that is moved or copied from an
  NTFS volume to a shared FAT folder inherits the
  share permissions of the FAT folder
• A file or folder moved from a FAT to an NTFS
  folder inherits the NTFS permissions of that
  folder

85
Chapter Summary

• Without the Active Directory, use local groups to
  manage access to resources
• With the Active Directory implemented, use domain
  local, global, and universal groups to manage
  resources

86
Chapter Summary

• Windows 2000 Server objects are secured through
  ACLs, user rights, permissions, inherited rights
  and permissions, share permissions, Web
  permissions, auditing, and ownership
• Troubleshoot permissions conflicts by examining
  the security assigned to all groups to which a
  user account or group belongs