
Sharing and Securing Files and Folders

This chapter provides an understanding of access control to network file and folder resources. Chapter 21 provided an in-depth review of the Windows 2000 file systems, especially NTFS. Now, let’s look at the file systems from other viewpoints: users and applications and, of course, administrators.

In This Chapter
The Concept of Shares, Permissions, and Ownership
Strategies for Effective Folder, File, and Data Security

Most data is generated and stored on computer systems, using the file and folder metaphors inherited from our three-dimensional world. However, since the advent of local and wide area networks, particularly the Internet, your files and folders (directories) are accessible to anyone with a computer and a network connection unless you secure them. You need to secure the data within their files, and the folders that contain those files, while at the same time providing controlled access to authorized users. The NT File System (NTFS) lets you do that on three security access levels:

Shares
Folder permissions and file permissions (called NTFS permissions)
Encryption

Note
NTFS creates a hierarchy of folders in a volume, all starting from a root folder (see also Dfs and mounted volumes in Chapter 21). The earlier versions of NTFS could only store a single folder hierarchy on a single hard drive or volume, maintained on a single computer. As we stated in Chapter 21, the folder hierarchy (or folder namespace) can traverse or span hard disk volumes on any computer on the network. To keep things simple in this chapter, we’ll discuss folder and files independently of where they may be located on the network.

Part VI File, Print, and Web Services

Sharing and Securing Your Data

Windows 2000, like all modern graphically managed operating systems, allows you to manage your files and folders in the same way as your hardcopy filing systems: in folders and filing cabinets.
Think about the file room in a law firm or a newspaper morgue. It is unlikely you would be allowed to just walk into this room: It is usually locked or guarded, and you would need authority to enter, but you know it’s there. The company does not hide it away from you, because it is a shared resource, and they usually want you to know about it because you might need data in it to do your work.

Shares are the clubhouses of the network. A share is where users and groups of users go to share resources. You enable folder-sharing for your users and applications by creating a share, or in the lingo of mainframes, midrange, and legacy systems, a share-point. By owning the files and folders on your own machine (and we discuss ownership next), you automatically have full access and control over your folders and their contents. Administrators own all the folders they create anywhere on the network, and can thus share them.

Note
Over the years, we have found that most calls to the support desk originate because a user or a group cannot connect to shared resources, such as folders, files, and printers. When users cannot connect, and get the “access denied” message, they assume the world has ended, such is the extent of their panic. Usually, it is a simple case of an incorrect permission. However, we have seen how permission misadventure causes much consternation and is a waste of time, so we stress that every administrator should become an expert in this subject.

Getting back to our brick and mahogany file room: By having access to the file room, you do not necessarily have access to every file or folder it contains. Depending on your rank in the company, the department you work for, and the work you do, you may or may not be allowed to open a file cabinet, read a file, check it out, change its contents, or add data to it.
Likewise, by being a member of a group of users or by having individual authority, you may gain access to the NTFS share, but some files will not be for your eyes. Others will be accessible for reading only—you might not be allowed to change, delete, copy, or move them. The levels of access you have to the folders and files are called permissions. Administrators, members of Administrator groups, and the owners of objects can assign permissions and control access to these objects, and they can also encrypt the files.

Folder and file encryption is the third mechanism you can now use for protecting your files and folders. It has been added to the Windows 2000 file system and is only supported under NTFS. When you add Windows 2000’s support for cryptography and distributed security services, such as Kerberos and digital certificates, to the file system, you have what is known as the encrypting file system or EFS. The EFS is fully discussed later in this chapter.

Chapter 22 Sharing and Securing Files and Folders

Ownership

Another means of understanding shares or share-points is by understanding ownership. Ownership is not a configuration setting, or a mere value in the registry or Active Directory; it derives from the security services of the NTFS and the Win32 security system (this is discussed in more detail in Chapters 3 and 10).

It helps to understand ownership if you’ve done some Windows programming. The Win32 API has a Create or CreateFile function that creates objects such as folders and files. If the Create function you are calling can take a security parameter, you can lock the object (pass a security descriptor) and keep other processes from accessing it. The lock is like a key that you, the owner, get to keep when you create the object. That is the essence of ownership. Of course, the whole process is managed by the OS and requires no user actions.
When a process creates a file or a folder—objects—the file system assigns that process the rights of ownership, and passes it a key. The process created it, so that process owns it ... and it can do whatever it likes with that object. If you create a folder on the computer you are logged onto, or within a folder namespace to which you have access, you own the folder. Only you and the processes that operate within your security context (activated by the validation of your password) can access that folder.

Now, when other users or processes need access to the folder you just created, do you allow them to take ownership, hand them the key? No, not normally, because if you did, you would be losing your right to the object. By creating a share, you are essentially inviting others to access the folder (with restrictions, of course), but you don’t give them the key. If someone else with bad intentions got hold of your keys, they might come back after dark and destroy your network. Remember the old adage: Possession is nine-tenths of the law. And remember what we said about safeguarding the Administrator account back in Chapter 10. You can do tremendous damage with 50 lines of code and access to the Administrator account.

The owner of an object can actually allow a specified user or a group to take over the ownership of the object (we’ll get to that shortly). Taking ownership is a one-way action. You can take ownership, but you cannot bestow it or return it. You can allow someone else to take ownership; you assign them this permission. Ownership can only be transferred if the would-be recipient is willing to take it. By not being able to transfer ownership unilaterally, NTFS prevents users from hiding dirty work. In other words, you cannot go and lock up a folder and throw away the key, and then make it look like someone else did the damage.
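
The ownership rules described above can be observed from PowerShell on a current Windows system. This is an added example, not code from the book: the folder path and the group CONTOSO\Records-Admins are hypothetical, and Get-Acl and Set-Acl are tools that postdate Windows 2000.

```powershell
# Added example: the path and the group name are hypothetical placeholders.
$path  = 'C:\Data\Records'
$group = 'CONTOSO\Records-Admins'
$takeOwn = [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Creating the folder records an owner in its security descriptor
# without any further action by the user.
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path
"Owner after creation: $($acl.Owner)"

# As the text describes, the owner does not hand ownership over; the owner
# grants the Take Ownership permission and the other party must claim it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    $takeOwn,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: list every principal whose allow entries include Take Ownership.
# Full Control includes it, so those entries are reported as well.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $takeOwn) -eq $takeOwn)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The final listing is the one to review periodically: anyone it names can make themselves owner of the folder and then rewrite its permissions.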
Publishing Shares in Active Directory

The idea of published shares is new to the Windows networking environment, and it begins with Active Directory, as discussed in the previous chapter. Windows 2000 users connect to shared resources on a Windows 2000 domain by looking them up in the Active Directory. You can still connect to shares on the browse list and from the command line, as described later in this chapter.

Creating shares on Windows 2000 is really easy, and if you have Windows experience, you will only need to read the next section as a refresher and to pick up subtle yet important differences. Establishing shares on remote computers is another story, however, and the process is handled in the new Computer Management snap-in described later in this chapter.

Creating a Share

When you first create a share, the file system automatically gives access to the Everyone group, unless you have taken steps to prevent that, discussed later. If the contents of the files are sensitive, you need to remove the Everyone group and assign access only to authorized users or groups.

Note
Back in Chapter 10, we encouraged you to use common sense management practices and avoid assigning rights to individual users. The same advice applies to shares. Share folders with groups, not individuals. One of the only times you should circumvent this advice is when you need to audit individuals.

Sharing a Local Folder

If you are the owner of the folder or the folders within the local folder namespace, then sharing a folder involves little more than right-clicking the new or existing folder and selecting Sharing from the Context menu. Select the option Share this folder in the dialog box. The share name field is enabled. This is demonstrated in Figure 22-1.
As soon as the dialog box is enabled, you can enter the following share data:

Share name: The actual folder name is used as the default share name, but you can change this to reflect any name that better suits the application for the share. It is a good idea to use the best share name for the share, possibly one that better informs the user of the purpose of the share or that provides a hint of the share’s contents. For example, a folder might be named Y2K, and rather than changing that name (it’s been done before), which would impact other applications, it would be better to make the share name “Y2K data files and documents.” Share names can be up to 80 characters in length, and they can contain spaces. However, if your users are attaching from the command line or you have applications that might send share attach commands to the system console, you should stick to single names of between 8 and 12 characters (and even 8.3 names for those still using Windows 3.1). The best command-line-compliant substitute for the aforementioned share name is the simple Y2KDATA.

Figure 22-1: The Sharing tab on the folder’s Properties dialog box

Comment: The comment field will take 100 characters, so you can be creative here. It is a good idea to include the comment field wherever possible because it shows up in Explorer when users browse for a share. Although we said you can be creative, be conservative. A hundred-character comment field forces most users to waste time scrolling to the right.

User limit: You will ignore this most of the time, allowing the client access licensing to monitor the number of connections. On server shares there is no maximum limit, but you can restrict connections for application-specific purposes or licensing. Windows 2000 Professional prohibits more than ten concurrent connections and has several other exclusions you will discover ... so forget about using it as a substitute for a server.
Caching: The cache settings allow you to configure offline access to the shared folder. Offline folder and file access is touched upon later in this chapter, and explained in the context of Group Policy and change control in Chapter 11.

As soon as you enter the share name and comment, you can click the Permissions button to admit users to the share and set the desired access types.

Once you have created a share, you will notice, as shown in Figure 22-1, that you now have the option of creating another share. The New Share button does not replace the old share; you can share a folder as many times as you like, each time with different access clients and permissions. At any time you need to end a share, just select the share name from the drop-down list and click Remove Share.
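
The same share can be created, and the Everyone default checked for, from PowerShell. This is an added example, not code from the book: it assumes a current Windows Server with the SmbShare module (which postdates Windows 2000), and the folder path and the CONTOSO group names are hypothetical.

```powershell
# Added example: the path and the group names are hypothetical placeholders.
$name = 'Y2KDATA'          # command-line-friendly share name from the text
$path = 'D:\Y2K'

# Resolve the (possibly localized) name of Everyone from its well-known SID.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

# The fields of the Sharing tab map onto New-SmbShare parameters.
$share = @{
    Name                = $name
    Path                = $path
    Description         = 'Y2K data files and documents'  # Comment field
    ConcurrentUserLimit = 0                                # User limit: 0 = no limit
    CachingMode         = 'None'                           # Caching: no offline copies
    ChangeAccess        = 'CONTOSO\Y2K-Editors'            # groups, not individuals
    ReadAccess          = 'CONTOSO\Y2K-Readers'
}
New-SmbShare @share | Out-Null

# Remove any Everyone entry that is present on the new share.
Get-SmbShareAccess -Name $name |
    Where-Object { $_.AccountName -eq $everyone } |
    ForEach-Object {
        Revoke-SmbShareAccess -Name $name -AccountName $everyone -Force | Out-Null
    }

# Audit: every non-administrative share on this server that still admits Everyone.
Get-SmbShare -Special $false |
    Get-SmbShareAccess |
    Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' } |
    Select-Object Name, AccountName, AccessRight
```

An empty result from the last pipeline means no ordinary share on the server grants access to Everyone at the share level; NTFS permissions on the folders still need their own review.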