LAB8 - NTFS Permissions and Sharing Notes.pdf

NETW-0005 NETWORKING 1
LAB 8 – NTFS Permissions and Sharing

- NTFS (New Technology File System)
- NTFS Permissions
- NTFS Permission Rules & Tools
- ICACLS
- NTFS Sharing

NTFS (NEW TECHNOLOGY FILE SYSTEM)

The consumer operating systems before Windows 2000 (95, 98, ME) had no security on the file system: any user who could log on had full administrative control over everything, including the operating system and every file. NTFS itself dates from Windows NT 3.1 (1993); Windows 2000 was the release that brought it to the mainstream client line, and the 95/98/ME line was retired with Windows XP.

1. When a user logs on to an NTFS-formatted computer an Access Token is created containing:
   - the user's SID
   - the SID of every group the user belongs to
   - the user's privileges (user rights such as Take ownership; these are not file permissions, which live on the object)
2. Every process presents that token, and the system compares it with the ACL of the requested resource. The ACL contains ACEs.
   - ACL = Access Control List
   - ACE = Access Control Entry
   - An ACL is just a list of who is allowed (or denied); each entry in the list is an ACE.
3. The system looks for a match between the SIDs in the token and the ACEs in the ACL:
   ALLOW          = access granted
   DENY           = access denied
   NO MATCH FOUND = access denied (nothing is granted by default)

                 FAT (File Allocation Table)       NTFS (New Technology File System)
   OS            Windows 95, 98, ME and earlier     Windows 2000 and later
   Usage         Commonly used for USB devices      Used on all Windows servers and clients

NTFS PERMISSIONS

NTFS permissions have a simple set of rules. If you follow the rules you can work out the permissions any user has to any object, and you can apply different permissions for different users efficiently.

What permissions do
- NTFS permissions specify which users, groups and computers can access files and folders (printers and other Windows objects use the same ACL model)
- NTFS permissions dictate what level of access (read, write, modify, etc.) users, groups and computers have to the files, folders and objects
- Files and folders use the same permission settings/template
- Basic permissions are made up of advanced permissions
- We use BASIC permissions 99% of the time

   BASIC PERMISSIONS                     ADVANCED PERMISSIONS
   Full Control                          13 permissions for FILES, 14 for FOLDERS:
   Modify                                Full Control, Traverse folder / Execute file,
   Read & Execute                        List folder / Read data, Read attributes,
   List Folder Contents (folders only)   Read extended attributes, Create files / Write data,
   Read                                  Create folders / Append data, Write attributes,
   Write                                 Write extended attributes, Delete subfolders and files
   Special Permissions                   (folders only), Delete, Read permissions,
                                         Change permissions, Take ownership

- Groups are used to make permissions easier: set permissions on the group and just add/remove members.

NTFS PERMISSION RULES & TOOLS

1. GET / SET PERMISSIONS
   Where do the default permissions come from when I create a new file, folder or object?
   o EXPLICIT: permissions set directly on the object.
   o INHERITED: permissions propagate down from a parent folder to its children unless inheritance is stopped. This is the DEFAULT; inherited permissions are greyed out in the Security tab and cannot be edited on the child.

2. PERMISSIONS ARE CUMULATIVE
   All Allow permissions from the user's own entry and from every group entry are added together to make up the effective permissions to an object.
   o USER has READ to Example.txt
   o STUDENTS group (USER, DOG, CAT) has WRITE to Example.txt
   o USER = READ and WRITE to Example.txt

3. INHERITANCE CAN BE DISABLED
   o You can DISABLE INHERITANCE to stop the flow of inherited permissions so you can set new explicit permissions.
   o The child folder on which inheritance was disabled becomes a parent folder and starts a new chain of inheritance flowing down to its own children.
   o The options when DISABLING INHERITANCE are CONVERT or REMOVE:
     a. CONVERT = the previously inherited (greyed-out) permissions turn black and become explicit permissions you can edit. Existing permissions are kept intact, so the SYSTEM account keeps Full Control of the object.
     b. REMOVE = all existing permissions are removed (including SYSTEM) and new explicit permissions must be set from scratch. Do this carefully: an object with an empty ACL is accessible to nobody, and only the owner (or an administrator who takes ownership) can get back in by changing the permissions.

4. DENY overrides ALLOW
   o A DENY entry cancels the matching Allow permissions for that user or group on that object, whatever other groups also grant them.
   o Strictly, Windows evaluates a canonical ACL in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow, so an explicit Allow set directly on the object wins over a Deny inherited from a parent. A Deny set on the object itself beats every Allow.
   o DENY should be avoided where possible. Better practice is to adjust group membership and Allow permissions so that only those who need access have it.

5. OWNERSHIP
   o Every object (file, folder, printer, etc.) has an owner.
   o Ownership can be used for auditing and administration.
   o The owner can always change the permissions on an object, even if the ACL grants them nothing else.
   o Administrator accounts can take ownership of an orphaned object (one that nobody has any rights to) because they hold the Take ownership privilege.

6. COPY / MOVE (with NTFS permissions)
   o COPY = the copied object is a NEW object in its new location and inherits permissions from its new parent.
   o MOVE = the moved object keeps its existing permissions because no new object is created; only the directory entry is updated to point at the object's new location.
   What happens between NTFS and FAT volumes/partitions?
     a. New objects inherit permissions from their parent.
     b. Move on the same NTFS volume keeps permissions (the pointer to the object changes and no new object is created).
     c. Copy on the same NTFS volume inherits permissions (a new object is created).
     d. Move/Copy to a different NTFS volume inherits from the new parent (a new object is created on the destination volume).
     e. Move/Copy from an NTFS volume to a FAT partition = all permissions are lost (FAT has no ACLs).
     f. Move/Copy from a FAT partition to an NTFS volume = inherits permissions from the new parent.

7. EFFECTIVE PERMISSIONS
   o We can check a specific user's cumulative permissions to an object.
   o Properties → SECURITY → ADVANCED → EFFECTIVE ACCESS → Select a user (or group / device)

ICACLS (Integrity Control Access Control List)
- Command-line tool for checking and setting permissions.
- Lets us save the permission settings of an object (/save) before making changes so that, if something goes wrong, we can restore them (/restore).
- Can be used in a script to automate permission changes.
- Examples:

   ICACLS                                    EFFECT
   icacls /?                                 Help
   icacls testfolder /grant Tom:F /t /c      Gives Tom Full Control of testfolder; /t applies the change to every existing object beneath it; /c continues past errors instead of stopping
   icacls testfolder /reset /t /c            Resets testfolder and everything beneath it to the inherited default permissions
   icacls testfolder /inheritance:d /t /c    Disables inheritance on testfolder (d = CONVERT inherited entries to explicit ones, r = REMOVE them)

- Caveat: Tom:F without inheritance flags is stamped on each existing object individually; write Tom:(OI)(CI)F if files and folders created later should inherit it too.

NTFS SHARING

There are two ways to share objects in Windows. In the real world, in Microsoft's own guidance and in the NAT program there is only one correct way to configure shares.

SHARE PERMISSIONS
- There are 3 share permissions, each of which can be Allow or Deny:
  o Read
  o Change
  o Full Control
- Share permissions and NTFS object permissions work together.
- The most restrictive of the two applies when the object is accessed over the network:

   SHARE          NTFS           RESULT
   Full Control   Read           Read
   Read           Full Control   Read

  This creates a situation where a user would have different permissions depending on whether they access the object locally (NTFS only) or remotely (share and NTFS).
- To avoid this, we always set share permissions as EVERYONE = FULL CONTROL.
  o The user then has the same permissions locally and remotely, because the NTFS permissions are always the most restrictive ones.
  o Share permissions are therefore not used as a security control; the NTFS ACL is. (Many hardening guides substitute Authenticated Users for Everyone at the share level; the effect is the same as long as the NTFS ACL does the real gating.)
- Access a share using a UNC path (Universal Naming Convention)
  o Format = \\ComputerName\ShareName
  o Ex. \\Deathstar\plans
  o Ex. \\192.168.215.10\plans
- The share name can be different from the folder name.

HIDDEN SHARES
- Do not show up in File Explorer's network browse list; the share UNC must be typed explicitly.
- Create a hidden share by adding $ to the end of the share name:
  o \\ComputerName\SecretShare$
- The $ only hides the name. It is not a permission: anyone whose share and NTFS permissions allow it can still connect.
- C:\ is shared as a hidden administrative share by default (likewise D$ for other drives and ADMIN$ for the Windows folder), for members of the Administrators group only:
  o \\ComputerName\C$
- Administrative shares are accessible on a domain network (a domain account in the local Administrators group gets a full token), but not from a local account on a workgroup/home network: UAC's remote restrictions give every local account except the built-in Administrator a filtered, non-administrator token over the network, so the connection is refused. To enable them on our network the lab turns that filtering off with Registry Editor:
  o Open REGEDIT.EXE
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  o Create a new DWORD value named LocalAccountTokenFilterPolicy with a value of 1
- Caveat: with this value set, every local administrator account (and its password hash) can be used for remote administration of the machine, which is exactly the lateral-movement path attackers look for. Treat it as a lab setting and remove it after the lab.
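
The token-versus-ACL check from steps 1-3 of the NTFS section, and rules 2 (cumulative) and 4 (Deny overrides Allow) of the permission rules, as a small PowerShell model. This is an added example, not code from the lab notes. The names Tom and Students and the one-letter rights R, W and D are assumptions that stand in for the SIDs and access-mask bits a real token and ACE carry; the evaluation order is the one Windows applies to a canonical DACL.

```powershell
# Added example, not from the lab notes: a model of the NTFS access check.
# Names ('Tom', 'Students') and one-letter rights ('R','W','D') stand in for the
# SIDs and access-mask bits a real token and ACE carry; that is an assumption
# made for readability, not how Windows stores them.
function Test-NtfsAccess {
    param(
        [string[]]$TokenSids,    # user SID plus every group SID in the access token
        [hashtable[]]$Acl,       # ACEs: @{ Sid; Type='Allow'|'Deny'; Rights=@(...); Inherited=$bool }
        [string[]]$Requested     # rights the caller asks for, e.g. @('R','W')
    )
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # This is why an explicit Allow on the object beats a Deny inherited from its parent.
    $order = @(
        @{ Type = 'Deny';  Inherited = $false },
        @{ Type = 'Allow'; Inherited = $false },
        @{ Type = 'Deny';  Inherited = $true  },
        @{ Type = 'Allow'; Inherited = $true  }
    )
    # Rights still unsatisfied; Allow entries remove from this set (rule 2: cumulative).
    $remaining = [System.Collections.Generic.HashSet[string]]::new([string[]]$Requested)
    foreach ($bucket in $order) {
        foreach ($ace in $Acl) {
            if ($ace.Type -ne $bucket.Type -or [bool]$ace.Inherited -ne $bucket.Inherited) { continue }
            if ($TokenSids -notcontains $ace.Sid) { continue }   # ACE is for someone else: skip it
            if ($ace.Type -eq 'Deny') {
                # A Deny that covers any right still outstanding ends the check (rule 4).
                foreach ($r in $ace.Rights) { if ($remaining.Contains($r)) { return $false } }
            } else {
                foreach ($r in $ace.Rights) { [void]$remaining.Remove($r) }
                if ($remaining.Count -eq 0) { return $true }     # everything asked for is granted
            }
        }
    }
    return $false   # NO MATCH FOUND for at least one requested right = access denied
}

# Tom's token carries his own SID and the Students group SID.
$token = @('Tom', 'Students')

# Rule 2: Tom has explicit Read, Students has inherited Write; together Tom gets R and W,
# but nothing in the ACL grants Delete.
$acl = @(
    @{ Sid = 'Tom';      Type = 'Allow'; Rights = @('R'); Inherited = $false },
    @{ Sid = 'Students'; Type = 'Allow'; Rights = @('W'); Inherited = $true  }
)
Test-NtfsAccess -TokenSids $token -Acl $acl -Requested @('R', 'W')
Test-NtfsAccess -TokenSids $token -Acl $acl -Requested @('R', 'W', 'D')

# Rule 4 caveat: a Deny on Students inherited from the parent loses to an explicit
# Allow for Tom set on the object itself...
$aclInheritedDeny  = $acl + @{ Sid = 'Students'; Type = 'Deny';  Rights = @('W'); Inherited = $true  }
$aclInheritedDeny += @{ Sid = 'Tom'; Type = 'Allow'; Rights = @('W'); Inherited = $false }
Test-NtfsAccess -TokenSids $token -Acl $aclInheritedDeny -Requested @('R', 'W')

# ...whereas an explicit Deny on the object beats every Allow, inherited or not.
$aclExplicitDeny = $acl + @{ Sid = 'Students'; Type = 'Deny'; Rights = @('W'); Inherited = $false }
Test-NtfsAccess -TokenSids $token -Acl $aclExplicitDeny -Requested @('R', 'W')
```

The first call is granted and the second refused: the Allow entries accumulate to R and W, but no entry matches D, and "no match" is a denial. The third call is granted because Tom's explicit Allow is evaluated before the inherited Deny ever gets a look; the fourth is refused because the explicit Deny is evaluated first of all. The real Effective Access tab in the Advanced Security Settings dialog performs this same walk for you.

Rules 1, 3 and 7 and the ICACLS table, as one PowerShell procedure added here (not from the lab notes): snapshot the ACLs, grant a user, disable inheritance the CONVERT way, inspect the result, and roll back. It assumes an elevated PowerShell session on Windows, a local user named Tom, and that C:\Lab8 is free to create; all three are assumptions.

```powershell
# Added example (not from the lab notes). Assumes an elevated PowerShell session,
# that a local user named Tom exists, and that C:\Lab8 is free to create and delete.
$root   = 'C:\Lab8'
$folder = "$root\testfolder"
$backup = Join-Path $env:TEMP 'lab8-acls.txt'

New-Item -ItemType Directory -Path "$folder\sub" -Force | Out-Null
Set-Content -Path "$folder\sub\Example.txt" -Value 'lab 8'

# 1. Snapshot the ACLs of the whole tree before changing anything (/save writes one
#    SDDL line per object; /t recurses; /c continues past errors instead of stopping).
icacls $folder /save $backup /t /c | Out-Null

# 2. Grant Tom Full Control. (OI)(CI) make the entry inheritable by files and
#    subfolders; "Tom:F" alone would be stamped on every existing object but
#    anything created later would not receive it.
icacls $folder /grant 'Tom:(OI)(CI)F' /t /c | Out-Null

# 3. Disable inheritance on the subfolder the CONVERT way: inherited entries
#    become explicit copies (/inheritance:d). /inheritance:r is the REMOVE way.
icacls "$folder\sub" /inheritance:d /c | Out-Null

# 4. List the entries. icacls tags inherited entries with (I); after step 3 the
#    entries on sub have lost that tag, which is the command-line view of the
#    greyed-out checkboxes turning black in the GUI. Get-Acl shows the same thing.
icacls "$folder\sub"
(Get-Acl "$folder\sub").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 5. Roll back. The saved file names objects relative to the parent of the folder
#    given to /save, so /restore is run against that parent directory.
icacls $root /restore $backup /c | Out-Null
icacls "$folder\sub"     # compare with the listing from step 4
```

Keep the /save file: it is the cheapest undo you have, and on a production share it is the difference between a two-second recovery and rebuilding an ACL tree by hand.

The sharing section (EVERYONE = FULL CONTROL at the share level, NTFS doing the real gating, hidden and administrative shares, and the LocalAccountTokenFilterPolicy change) as a PowerShell walkthrough added here; it is not code from the lab notes. It assumes an elevated session on a workgroup Windows machine with the SmbShare module, that C:\plans and shares named plans and plans$ do not already exist, and that a local group named Students exists.

```powershell
# Added example (not from the lab notes). Assumes an elevated PowerShell session on a
# workgroup (non-domain) Windows machine with the SmbShare module, that C:\plans and
# shares named "plans" / "plans$" do not yet exist, and that a local group "Students"
# exists. All of these are assumptions made for the walkthrough.
$path = 'C:\plans'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share level: Everyone = Full Control, so the share permission is never the "most
# restrictive" one and the NTFS ACL alone decides, locally and over \\host\plans.
New-SmbShare -Name 'plans' -Path $path -FullAccess 'Everyone' | Out-Null

# NTFS level: stop inheriting the C:\ defaults (CONVERT), drop the inherited Users
# entry, and grant Students read-only. /remove:g strips only Allow entries for Users.
icacls $path /inheritance:d /c | Out-Null
icacls $path /remove:g 'Users' /c | Out-Null
icacls $path /grant 'Students:(OI)(CI)RX' /c | Out-Null

# Hidden share: the trailing $ only keeps the name out of browse lists. It is not a
# permission; the share ACL and the NTFS ACL still decide who gets in.
New-SmbShare -Name 'plans$' -Path $path -FullAccess 'Administrators' | Out-Null
Get-SmbShareAccess -Name 'plans', 'plans$'

# Reach the visible share through its UNC path (\\ComputerName\ShareName).
Test-Path "\\$env:COMPUTERNAME\plans"

# Administrative shares (C$, ADMIN$) from a LOCAL account over the network: UAC's
# remote restrictions hand every local account except the built-in Administrator a
# filtered, non-administrator token, so \\host\C$ is refused on a workgroup machine.
# The lab enables this value to turn the filtering off. It is a real trade-off: every
# local admin account (and its password hash) then works for remote administration,
# which is the classic lateral-movement path, so remove it again after the lab.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Get-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
New-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy' -PropertyType DWord -Value 1 -Force | Out-Null

# Clean-up after the lab (uncomment to run): remove the override and the shares.
# Remove-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy'
# Remove-SmbShare -Name 'plans', 'plans$' -Force
```

The share-level entries are deliberately boring; everything security-relevant is in the icacls lines, which is the point the notes make with the Full Control / Read result table.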
