Chapter 7: Configuring File and Share Access

Questions and Answers

Advanced Permissions are commonly utilized in Windows Permissions Architecture.

False (B)

Deny permissions have a higher priority than Allow permissions in determining access rights.

True (A)

The Specify permissions to control access page is the last step in the New Share Wizard.

False (B)

Permissions in Windows are structured such that they can only be denied and not allowed.

False (B)

Effective Access is determined solely by Allow permissions in a Windows environment.

False (B)

Server Message Blocks (SMB) is the file-sharing protocol used solely by UNIX systems.

False (B)

Creating a folder share involves determining which folders to share and the permissions to grant.

True (A)

The Advanced Sharing dialog box provides a simplified interface for sharing folders.

False (B)

To access shared folders, users must be granted permissions by the owner of those folders.

True (A)

Network File System (NFS) requires the role service to be installed on a Windows server to function.

False (B)

The Effective Access tab in the Advanced Security Settings dialog box allows users to set NTFS permissions only.

False (B)

In NTFS, every file and folder has an Access Control List (ACL) that contains Access Control Entries (ACEs).

True (A)

To access files, a user’s Security Identifier (SID) must match the permissions defined in the Access Control Entries (ACEs).

True (A)

The Share Permissions tab allows users to perform actions that are usually restricted to Read permissions.

False (B)

Full Control in NTFS permissions allows a user to modify folder permissions but does not include taking ownership of files.

False (B)

What is the primary protocol used for file sharing in Windows environments?

Server Message Blocks (SMB) (D)

Which of the following steps is NOT required when creating a folder share?

Configuring the network topology (A)

What role service is required for the Network File System (NFS) to operate?

NFS role service (D)

Which interface allows for a more detailed configuration when sharing folders?

Advanced Sharing dialog box (C)

When sharing folders, which of the following is typically NOT a parameter that needs to be set?

Folder content type (A)

What is the main purpose of the Specify permissions to control access page in the New Share Wizard?

To assign permissions for different security principals (C)

Which statement best describes the characteristics of Advanced Permissions in Windows Permissions Architecture?

They allow for individual permission adjustments but are rarely utilized. (B)

In Windows Permissions, what does the term 'Effective Access' refer to?

The combination of permissions that a security principal can effectively utilize (A)

Which principle is primarily followed when granting permissions in Windows environments?

Additive method, starting with no permissions and granting allow permissions. (A)

How does Inheriting Permissions function in the context of file sharing?

Permissions descend through a hierarchy from parent folders to child folders. (D)

What action is NOT permitted by the Full Control permission in NTFS for folders?

Append data to files (C)

During the authorization of file accesses, what is compared against the Access Control Entries (ACEs)?

The user's Security Identifier (SID) (A)

Which of the following statements about Share Permissions is TRUE?

They can control the ability to change permissions and display folder names. (B)

What is the role of Security Principals in NTFS and ReFS authorization?

They are users and groups identified by Windows using security identifiers (SIDs). (D)

What does an Access Control List (ACL) specifically contain regarding file permissions?

Access Control Entries (ACEs) that list users and their permissions (B)

Flashcards

Folder Share

A folder that is accessible over the network, allowing users to read, write, or modify files.

Server Message Block (SMB)

The protocol used for file sharing on Windows servers, allowing computers to access files, folders, and printers across a network.

Network File System (NFS)

The protocol for file sharing on UNIX and Linux systems, enabling access to files and resources on a network.

Creator/Owner

The user who initially created a folder or file, with full permissions and control over its access.

Advanced Sharing Dialog Box

A dialog box that allows administrators to configure advanced settings for a shared folder, including permissions, access levels, and security options.

Access Control List (ACL)

A list of entries that defines the permissions for a file, folder, or other system object.

Access Control Entry (ACE)

An entry in an ACL that represents a specific permission for a security principal.

Security Principal

A user, group, or computer account that can be granted permissions.

Permission

The ability to access a resource, such as read, write, or execute.

Configuring File and Share Access

The process of configuring permissions for files, folders, and other system objects to control access.

Share Permission - Read

A type of permission that allows users to perform all actions permitted by the Read permission, as well as change file data, attributes, delete files, and execute program files.

Share Permission - Full Control

A type of permission that allows users to modify file permissions, take ownership of files, create folders, add files, change data, and delete files.

Setting Share Permissions

The process of assigning access rights to users or groups for specific files or folders, allowing them to interact with those resources.

Share Permission - Change

A type of permission that allows users to modify file permissions, take ownership of files, and perform all actions permitted by the Read permission.

Share Permissions

Determines who can perform specific actions on a shared folder or file. These can be read, write, modify, or delete permissions, allowing for controlled access to resources.

What are Access Control Lists (ACLs)?

A set of rules that determine what access users or groups have to a file or folder.

What are Access Control Entries (ACEs)?

An individual entry within an ACL that specifies specific permissions for a user or group.

What is 'Configuring File and Share Access'?

The process of granting specific permissions to users or groups, allowing them to interact with files and folders.

What is 'Effective Access'?

The effective permissions a user receives when all permissions are combined, including allowances and denials.

What are 'Allowing and Denying Permissions'?

Permissions can be applied either by granting them first and then denying them (subtractive), or by starting with no permissions and then granting them (additive).

NTFS Authorization

NTFS and ReFS file systems on Windows use access control lists (ACLs) to manage file and folder permissions. Each ACL contains access control entries (ACEs) that specify which users and groups have access to a specific file or folder. When a user tries to access a file, Windows checks the ACEs to determine the user's permissions. These permissions are determined by comparing the user's security identifiers (SIDs) with those stored in the ACEs.

Study Notes

Chapter 7: Configuring File and Share Access

• The chapter covers configuring file and share access, designing file sharing strategies, creating folder shares, assigning permissions, and configuring NTFS quotas.

Overview of Chapter Objectives

• Chapter objectives include configuring file and share access, designing file sharing strategies, creating folder shares, assigning permissions, and configuring NTFS quotas.

Creating Folder Shares

• Shares must be created for network users to access server disks.

• Crucial factors to determine when creating shares include:

  • Folders to share
  • Share names
  • User permissions for shares
  • Offline Files settings for shares

• Folder shares can be created by right-clicking a folder and selecting "Share with Specific People."

• A simplified interface is provided by this method.

• Users can also configure folders for sharing through the folder's properties sheet, offering more control options.

Types of Folder Shares

• Server Message Blocks (SMB):
  • A standard file-sharing protocol used across all Windows versions.
  • Requires the File Server role service.
• Network File System (NFS):
  • A standard file-sharing protocol predominantly employed in UNIX and Linux systems.
  • Requires the server to have NFS role service installed.

Creating a Folder Share Steps

• Select the profile: Choose from basic SMB profiles (Quick, Advanced, Applications) or NFS profiles. Profiles dictate settings for sharing style.
• Select the server and path: Determine the server and folder path for the share. Options include volume selection or custom path; the location will be a new folder in the \Shares directory on the selected volume.
• Specify share name: Assign a name and description for the folder share.
• Configure share settings:
  • Decide on access enumeration for files on the share.
  • Determine whether to enable caching or BranchCache for offline file access making content available to offline users.
  • Decide on encryption for data access during share operations to secure data transmitted to and from the share.
• Specify permissions: Define folder permissions for security principals using Basic or Advanced Permissions.
• Confirm selections: Review the configured settings for the file share. A confirmation page verifies the local path, server, cluster role, protocol, and other settings.

Assigning Permissions

• Windows Permissions Architecture:

  • Access Control List (ACL): A list of permissions related to a folder.
  • Access Control Entries (ACEs): Define permissions for specific security principals, like users or groups.

• Windows permits granular control of permissions through the security settings page.

• The "Additive" approach to assigning permissions begins with a blank set and uses multiple "Allow" entries to grant various access levels.

• The "Subtractive" approach starts by assigning all access ("Allowed"), then selectively removing ("Deny").

• Permissions:

  • "Full Control": Grants all possible rights (change permissions, take ownership, perform any action enabled by the "Change" permission).
  • "Change": Allows modification of file permissions and ownership.
  • "Read": Viewing folder names, filenames, file data, attributes, and accessing other folders within the shared folder.
  • "Write": Overwriting files, modifying attributes, viewing ownership and permissions.
  • "Read & Execute": Navigating restricted folders and performing actions allowed by Read permissions (including reading and running application files).
  • "List Folder Contents": Viewing folder names and subfolder names.
  • Additional permissions include special permissions, like "Read Extended Attributes", "Create Files/Write Data," "Create Folders/Append Data," etc.

NTFS Authorization

• NTFS and ReFS support permissions for each file and folder, including an ACL with ACEs.
• Each ACE specifies permissions for security principals (users and groups) using security identifiers (SIDs).
• Authorization involves comparing user SIDs with elements’ ACEs to determine access levels.

NTFS Basic Permissions (Folder and File), Overview

• Permissions listed include:
  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write

Combining Share and NTFS Permissions

• Share permissions (FC) and NTFS permissions combined offer network folder access.
• Local permissions are often NTFS permissions, while the more restrictive permission set will prevail during conflicting remote share or NTFS access.

Volume Shadow Copies

• Allows maintainance of file versions, recovering accidentally deleted or overwritten data.
• Functionally available for entire volumes only, not specific shares or folders.

Configuring NTFS Quotas

• Enables administrative control of storage limits per volume.
• NTFS quotas limit the storage space available to specific users on a shared volume, preventing disk usage overload.
• To configure, use the “Quota” tab in the Volume’s Properties page.