LAB8 - NTFS Permissions and Sharing Answer Key PDF
This document is an answer key to a lab on NTFS file system permissions and sharing practices. It provides detailed solutions and instructions for configuring NTFS permissions and manipulating file and folder access.
# LAB8 – NTFS Permissions and Sharing

This lab will guide you through the following tasks:

- Lab Setup
- NTFS Permissions
- NTFS Rules
- ICACLS
- NTFS Sharing

## LAB SETUP

NTFS rules are not complicated if you don't make them complicated. Follow the basic NTFS rules and you will have your answer each time. We need to prove all of the rules first so that we trust the rules work the way they are supposed to.

Copy the 2 script files from \\192.168.215.30\Volume_1\Course Material\Networks 1\Lab8\Scripts and place them on your desktop.

- Run LAB8 SETUP SCRIPT.bat as Administrator. This will create your users and groups. Make sure the users are created and placed into the correct groups before moving on.

| GROUPS | USERS |
|---|---|
| INSTRUCTORS | Dean, Ken |
| STUDENTS | Student1, Student2, Student3 |
| SUPERHEROES | BATMAN, SUPERMAN, JOKER |

- Run FILES STRUCTURE.bat as Administrator. This will create the folder structure we will use for this exercise. I have removed AUTHENTICATED USERS = MODIFY from the NAT folder, so all users are restricted to USERS = READ & EXECUTE at the start of the lab.

### FOLDERS (testing rules)

| FOLDERS |
|---|
| C:\Nat |
| C:\Nat\Rules |
| C:\Nat\Rules\Inheritance |
| C:\Nat\Rules\Inheritance\Convert |
| C:\Nat\Rules\Inheritance\Remove |
| C:\Nat\Rules\Orphan |
| C:\Nat\Rules\Cumulative |
| C:\Nat\Rules\Deny |
| C:\Nat\Rules\No Match |

### FOLDERS (apply knowledge)

| FOLDERS | Permissions |
|---|---|
| C:\Nat | SYSTEM = Full Control, Administrators = Full Control, Users = Read & Execute |
| C:\Nat\Rooms | Inherited from C:\Nat |
| C:\Nat\Rooms\215 | Inherited from C:\Nat |
| C:\Nat\Rooms\219 | Inherited from C:\Nat |
| C:\Nat\Rooms\Heroes_Only | Inherited from C:\Nat |

## NTFS PERMISSIONS

The 7 BASIC permissions we use 99% of the time are made up of 14 ADVANCED permissions.
We will assign a single BASIC permission at a time and view which ADVANCED permissions make up that BASIC permission.

- On your desktop, create a folder named "BASIC PERMISSIONS"
- Go to the SECURITY tab and add the system group "EVERYONE" to the ACL
- Assign only one permission at a time to EVERYONE to fill out the table

| ADVANCED PERMISSION (row) / BASIC PERMISSION ASSIGNED (column) | FULL CONTROL | MODIFY | READ & EXECUTE | LIST FOLDER CONTENTS | READ | WRITE | SPECIAL PERMISSION |
|---|---|---|---|---|---|---|---|
| FULL CONTROL | X | | | | | | |
| TRAVERSE FOLDER / EXECUTE FILE | X | X | | | X | | |
| LIST FOLDER / READ DATA | X | X | X | | X | | |
| READ ATTRIBUTES | X | X | X | X | X | | |
| READ EXTENDED ATTRIBUTES | X | X | X | X | X | | |
| CREATE FILES / WRITE DATA | | X | X | X | X | X | |
| CREATE FOLDERS / APPEND DATA | | X | X | X | X | X | |
| WRITE ATTRIBUTES | | X | X | X | | X | |
| WRITE EXTENDED ATTRIBUTES | | X | X | X | | X | |
| DELETE SUBFOLDERS AND FILES | | | X | | | | X |
| DELETE | | | | | | | X |
| READ PERMISSIONS | | | X | | X | | |
| CHANGE PERMISSIONS | | | X | | | | X |
| TAKE OWNERSHIP | | | | | | | X |

- Create a file inside the BASIC PERMISSIONS folder named "FILE PERMISSIONS.TXT"
- Does a file inherit the same permissions as the parent folder? YES
- What ADVANCED permission does a folder have that a file does not? DELETE SUBFOLDERS AND FILES

## NTFS RULES

We will test each rule to prove it true. Follow the steps carefully and remember that Users have Read & Execute permissions to all folders due to inheritance from the C:\Nat folder. Use the SECURITY tab and/or the EFFECTIVE PERMISSIONS tab to check your answers.

**RULE 1 = PERMISSIONS ARE INHERITED FROM THE PARENT BY DEFAULT**

Give the INSTRUCTORS group FULL CONTROL to the C:\NAT folder

- What permissions do INSTRUCTORS have at the C:\NAT\Rules\Inheritance folder?
FULL CONTROL
- What color are the checkmarks under ALLOW? Grayed out
- Try to remove any group from the permissions ACL. What happens? CAN'T REMOVE, BECAUSE THE OBJECT IS INHERITING PERMISSIONS FROM ITS PARENT

**What did we prove?**

- Permissions are inherited by default from the parent folder
- You can't remove or modify permissions while they are inherited

**RULE 2 = PERMISSIONS ARE CUMULATIVE**

- Give the STUDENTS group MODIFY to the C:\NAT\Rules folder
- Give the STUDENT1 user FULL CONTROL to the C:\NAT\Rules\Cumulative folder

| FOLDER | STUDENT1 PERMISSIONS | WHERE DID THE PERMISSIONS COME FROM |
|---|---|---|
| C:\NAT | READ, EXECUTE | USERS GROUP |
| C:\NAT\Rules | MODIFY | STUDENTS GROUP |
| C:\NAT\Rules\Cumulative | FULL CONTROL | STUDENT1 EXPLICIT PERMISSION |

**What did we prove?**

- Permissions are cumulative
- Permissions can come from a built-in system group (USERS), an administrator-created group (STUDENTS) and explicitly assigned permissions (STUDENT1)

**RULE 3 = INHERITANCE CAN BE BROKEN TWO WAYS
(REMOVE AND CONVERT)**

- Disable Inheritance at the C:\NAT\Rules\Inheritance\Convert folder and choose CONVERT
- Disable Inheritance at the C:\NAT\Rules\Inheritance\Remove folder and choose REMOVE
- Close each folder when you are done making changes to it

| FOLDER | WHAT HAPPENED |
|---|---|
| C:\NAT\Rules\Inheritance\Convert | PERMISSIONS STAY THE SAME, BUT THEY ARE NOW EXPLICIT (BLACK) AND CAN BE EDITED |
| C:\NAT\Rules\Inheritance\Remove | NO PERMISSIONS (ORPHANED FOLDER) |

**What did we prove?**

- Inheritance can be REMOVED or CONVERTED
- CONVERT removes inheritance but keeps all of the permissions as explicit entries
- REMOVE removes inheritance and all permissions

**RULE 4 = IF THERE IS NO MATCH FOR "ALLOW" OR "DENY", THE DEFAULT IS "DENY"**

- Disable Inheritance at the C:\NAT\Rules\No Match folder and choose CONVERT
- Remove the USERS group from the C:\NAT\Rules\No Match folder
- Test each user's effective permissions at the C:\NAT\Rules\No Match folder

| USER | EFFECTIVE PERMISSIONS AT "NO MATCH" FOLDER | GROUP ACE PERMISSION |
|---|---|---|
| Student | Full Control | Administrators |
| Dean | Full Control | INSTRUCTORS |
| Student1 | MODIFY | STUDENTS |
| BATMAN | NO PERMISSIONS | NONE |

**What did we prove?**

- Users with an ACE that matches "ALLOW" are given access
- Users with an ACE that matches "DENY" are denied
- Users with no matching ACE are denied by default

**RULE 5 = "DENY" OVERRIDES "ALLOW"**

At the C:\NAT\Rules\Deny folder, add an ACE for KEN that DENIES Full Control

| USER | EFFECTIVE PERMISSIONS AT "DENY" FOLDER |
|---|---|
| Dean | FULL CONTROL |
| Ken | NONE |

What is the warning you get when you apply the DENY permission?

_DENY TAKES PRECEDENCE OVER ALL OTHER ENTRIES.
THIS MEANS IF A USER IS A MEMBER OF TWO GROUPS, ONE THAT IS ALLOWED A PERMISSION AND ANOTHER THAT IS DENIED THAT PERMISSION, THE USER IS DENIED THAT PERMISSION._

**What did we prove?**

- "DENY" overrides "ALLOW"
- Ken and Dean both had FULL CONTROL from INSTRUCTORS group membership
- Ken was given a "DENY"

**RULE 6 = OWNERSHIP**

Disable Inheritance at the C:\NAT\Rules\Orphan folder and choose REMOVE

What is the warning you get when you REMOVE permissions?

_YOU HAVE DENIED ALL USERS ACCESS TO ORPHAN. NO ONE WILL BE ABLE TO ACCESS ORPHAN AND ONLY THE OWNER WILL BE ABLE TO CHANGE PERMISSIONS._

Take OWNERSHIP of this folder. What steps did you need to follow?

- SECURITY
- ADVANCED
- OWNER: CHANGE
- STUDENT; REPLACE OWNER ON SUBCONTAINERS AND OBJECTS
- CLOSE
- OPEN AND GIVE STUDENT PERMISSIONS

**What did we prove?**

- An ADMINISTRATOR can take OWNERSHIP of an object
- The OWNER of any object can assign permissions

**RULE 7 = COPYING AND MOVING OBJECTS TO, FROM AND WITHIN NTFS**

Use DISK MANAGEMENT to create the two volumes on your hard disk.

| Volume Name | Size | Drive Letter |
|---|---|---|
| NTFS | 2 GB | N: |
| FAT32 | 2 GB | F: |

- Run "MOVE COPY FILES SETUP.bat" as Administrator.
- This will create a folder named C:\ORIGINAL_FILES and the files required for this question
- All files will have the SUPERHEROES group granted MODIFY permissions to the folder and all files

| | NEW OBJECT CREATED | PERMISSIONS INHERIT | PERMISSIONS REMAIN |
|---|---|---|---|
| Copy FILE1.TXT to your desktop | YES | YES | |
| Move FILE2.TXT to your desktop (DENY in SUPERHEROES ACE) | NO | YES | YES |
| Copy FILE3.TXT to your NTFS drive (N:) | YES | YES | |
| Move FILE4.TXT to your NTFS drive (N:) | YES | YES | |
| Copy or Move FILE5.TXT to your FAT32 drive (F:) | YES | YES | NONE |
| Copy or Move F:\FILE6.TXT from your FAT32 drive (F:) to your desktop | YES | YES | |

**What did we prove?**

- The only time an object retains its permissions is when it is moved on the SAME volume
- This is a tricky concept to prove without adding a DENY ACE
- An object can only retain the NTFS permissions it was allowed in the first place when MOVED to a new location on the same NTFS drive
- FAT does not support permissions or SECURITY

## ICACLS

I have created the scripts used at the start of this lab to automate the creation of GROUPS, USERS and PERMISSIONS. This has saved us lots of time and ensured a consistent starting point for the lab for all students. It is your turn to use ICACLS to create, remove and modify some permissions. You may use ICACLS /?, ChatGPT or Google to assist with this question.
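Before starting on the ICACLS tasks, the rules proved above (Rules 1 to 5) can be replayed in a small model. This is an added example, not one of the lab's scripts: the folders, accounts and group memberships are constructed to mirror the lab setup, and it applies the lab's rule of thumb (a matching DENY always wins) rather than the kernel's full ACE-order evaluation, where explicit entries are checked before inherited ones.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Basic permissions as sets of rights (a simplification of the 14 advanced permissions).
READ_EXECUTE = {"READ", "EXECUTE"}
MODIFY = READ_EXECUTE | {"WRITE", "DELETE"}
FULL_CONTROL = MODIFY | {"CHANGE_PERMISSIONS", "TAKE_OWNERSHIP"}
# Constructed group membership mirroring the setup script (every local account is in Users).
MEMBERSHIP = {"Dean": {"INSTRUCTORS", "Users"}, "Ken": {"INSTRUCTORS", "Users"},
              "Student1": {"STUDENTS", "Users"}, "BATMAN": {"SUPERHEROES", "Users"}}
# One ACL entry: trustee (user or group), rights, allow (False = DENY), inherited (greyed out).
Ace = namedtuple("Ace", "trustee rights allow inherited", defaults=(True, False))

@dataclass
class Folder:
    parent: "Folder | None" = None
    aces: list = field(default_factory=list)  # explicit (black) entries only
    inherits: bool = True                     # Rule 1: inheritance is on by default

    def acl(self) -> list:
        """Explicit entries plus, while inheritance is on, copies of the parent's ACL."""
        above = self.parent.acl() if self.inherits and self.parent else []
        return self.aces + [Ace(a.trustee, a.rights, a.allow, True) for a in above]

    def disable_inheritance(self, convert: bool):
        """Rule 3: CONVERT keeps the inherited entries as explicit ones, REMOVE drops them."""
        if convert:
            self.aces = [Ace(a.trustee, a.rights, a.allow, False) for a in self.acl()]
        self.inherits = False

def effective(folder: Folder, user: str) -> set:
    """Rule 2: allows from every matching ACE add up; Rule 5: a matching DENY removes those
    rights; Rule 4: no match means nothing is allowed (the lab's rule of thumb, simplified)."""
    identities = {user} | MEMBERSHIP.get(user, set())
    allowed, denied = set(), set()
    for ace in folder.acl():
        if ace.trustee in identities:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def lab_tree() -> dict:
    # The C:\Nat\Rules folders with the permissions the rules section assigns.
    nat = Folder(aces=[Ace("Users", READ_EXECUTE), Ace("INSTRUCTORS", FULL_CONTROL)])
    rules = Folder(nat, [Ace("STUDENTS", MODIFY)])
    tree = {"Cumulative": Folder(rules, [Ace("Student1", FULL_CONTROL)]),
            "Deny": Folder(rules, [Ace("Ken", FULL_CONTROL, allow=False)]),
            "No Match": Folder(rules), "Remove": Folder(rules)}
    tree["No Match"].disable_inheritance(convert=True)   # then drop the Users entry
    tree["No Match"].aces = [a for a in tree["No Match"].aces if a.trustee != "Users"]
    tree["Remove"].disable_inheritance(convert=False)    # orphaned folder: nobody matches
    return tree
```

Calling `effective(lab_tree()["Deny"], "Ken")` returns an empty set while the same call for "Dean" returns FULL_CONTROL, which is the Rule 5 table.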

All commands will be targeted at the C:\NAT\ROOMS\HEROES_ONLY folder and the SECRET.TXT file inside it. Use ICACLS to accomplish the following:

- Give the SUPERHEROES group FULL CONTROL to the HEROES_ONLY folder

```
ICACLS C:\NAT\ROOMS\HEROES_ONLY /GRANT SUPERHEROES:(CI)F /T
```

- Give the JOKER user DENY FULL CONTROL to the SECRET.TXT file

```
ICACLS C:\NAT\ROOMS\HEROES_ONLY\SECRET.TXT /DENY JOKER:(F)
```

- BACKUP the ACL from C:\NAT\ROOMS and all subdirectories to C:\NAT\ACL_Backup.txt

```
ICACLS C:\NAT\ROOMS /SAVE C:\NAT\ACL_BACKUP.TXT /T
```

- DISABLE Inheritance on the C:\NAT\ROOMS\215 folder, REMOVE SYSTEM and change the USERS permissions
- RESTORE the ACL to the C:\NAT\ROOMS\215 folder from C:\NAT\ACL_Backup.txt

## NTFS SHARING

You can work with a partner on this section or you can work by yourself. Sharing resources is the largest reason a network exists. We must understand all of the methods and standards available. You should be able to set up the NTFS permissions to test this concept. Create a user and use that account to test with.

**REMEMBER!**

- Accessing a folder or file from the local machine = NTFS rules apply
- Accessing a folder from a share on a remote machine = SHARE and NTFS rules apply
- When using Windows Explorer or Microsoft Edge to access a local share through a UNC path (\\ComputerName\Share), Windows treats you as a remote user and applies SHARE and NTFS rules

Create a folder on your desktop named SHARE and make a README.TXT file inside of it.

### SHARING

Share the folder using the permissions in the table. To test, try creating a file inside the folder to see what your permissions are.

| SHARE PERMISSIONS | NTFS PERMISSIONS | LOCAL ACCESS RIGHTS | REMOTE ACCESS RIGHTS |
|---|---|---|---|
| EVERYONE = FULL CONTROL | USERS = READ | FULL CONTROL | READ |
| EVERYONE = READ | USERS = FULL CONTROL | READ | READ |

- Why do we ALWAYS have EVERYONE = FULL CONTROL SHARE PERMISSIONS?
  - SO PERMISSIONS STAY THE SAME FOR USERS, INDEPENDENT OF WHETHER THEY ARE LOCAL OR REMOTE
- Change the Share Name to "COOKIES" and test to make sure you can access the SHARE folder using the UNC \\ComputerName\Cookies

## HIDDEN SHARES

- Remove the Share Names and add a new Share Name TOPSECRET$
- What is the UNC to access this hidden share? \\192.168.215.109\TOPSECRET$

## DEFAULT HIDDEN SHARES

Every Windows client and server is sharing every drive letter, including C:\. This is for administrative access so that computers can network together in a Domain environment.

- Connect to another computer's C$. What happens? NOT ACCESSIBLE
- Apply the registry fix from your notes and reboot your computer. (Which computer needs the fix applied?)

This happens because the STUDENT accounts on the two computers are not the same account. The fix we apply tells Windows not to bother checking the SID and just accept that the STUDENT account is the same person on both computers.

| | COMPUTER A | COMPUTER B | RESULT |
|---|---|---|---|
| | Account SID: 998A497-2987E-998AE8-23478 | Account SID: 788449-8675309-438A76-A9421 | NO MATCH |
| | Account Name: Student | Account Name: Student | NO ACCESS |

- Apply the registry fix so Windows does not check to make sure Student is the same SID

| | COMPUTER A | COMPUTER B | RESULT |
|---|---|---|---|
| | Account SID: 998A497-2987E-998AE8-23478 | Account SID: 788449-8675309-438A76-A9421 | MATCH |
| | Account Name: Student | Account Name: Student | ACCESS |

- Connect to another computer's C$. What happens? WORKS: \\192.168.215.109\C$
- This is a great way to connect to a remote Volume and perform a remote Anti-Virus scan!

**What did we prove?**

- Sharing should be done with FULL CONTROL share permissions
- Folders can have different or multiple share names
- By default, all drives are hidden shares
- You must apply the registry fix or be in a Domain environment for hidden C$ access

## BONUS QUESTION

Explain why an Administrator account in a Domain would be able to access the hidden admin C$ share of all Windows clients and servers without having to apply the registry fix to each computer.

- **THE ADMINISTRATOR HAS ONE ACCOUNT, ON THE DOMAIN CONTROLLER**
- **ALL USERS AUTHENTICATE TO THE DOMAIN CONTROLLER**
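The ACL backup step in the ICACLS section (ICACLS /SAVE) writes a text file with two lines per object: the relative path, then its DACL in SDDL form. The parser below is an added example, not part of the lab materials; it reads such a file so that the results of Rule 3 and Rule 5 can be checked without opening each Security tab (the P control flag marks inheritance as disabled, the ID flag marks entries that came from a parent, and D entries are DENYs). The sample file is constructed and its S-1-5-21 SIDs are placeholders, not values from the lab.

```python
import re

# Subset of the well-known SID abbreviations and rights codes used in SDDL strings.
SIDS = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users", "WD": "Everyone"}
RIGHTS = {"fa": "Full Control", "0x1301bf": "Modify", "0x1200a9": "Read & Execute",
          "fr": "Read", "fw": "Write", "fx": "Execute"}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w);([A-Z]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_ace(ace: str) -> dict:
    """Decode a single SDDL ACE such as (A;OICIID;FA;;;SY)."""
    kind, flags, rights, sid = ACE_RE.fullmatch(ace).groups()
    flags = [flags[i:i + 2] for i in range(0, len(flags), 2)]   # two-letter flag codes
    return {"type": "Allow" if kind == "A" else "Deny",
            "inherited": "ID" in flags,                           # ID = came from the parent
            "rights": RIGHTS.get(rights.lower(), rights),
            "trustee": SIDS.get(sid, sid)}

def parse_save_file(text: str) -> dict:
    """ICACLS /SAVE format: a relative path on one line, its DACL (SDDL) on the next."""
    lines = [line for line in text.splitlines() if line.strip()]
    acls = {}
    for path, sddl in zip(lines[::2], lines[1::2]):
        control, _, rest = sddl[2:].partition("(")    # drop "D:", split off control flags
        acls[path] = {"protected": "P" in control,     # P = inheritance disabled (Rule 3)
                      "aces": [parse_ace(a) for a in re.findall(r"\([^)]*\)", "(" + rest)]}
    return acls

def deny_entries(acls: dict) -> list:
    """Every DENY entry as (path, trustee, rights); Rule 5 says these beat any allow."""
    return [(path, a["trustee"], a["rights"]) for path, acl in acls.items()
            for a in acl["aces"] if a["type"] == "Deny"]

# Constructed sample of C:\NAT\ACL_Backup.txt after the lab steps: 215 has inheritance
# disabled, SECRET.TXT carries the JOKER deny. The S-1-5-21 SIDs are placeholders.
SAMPLE = """\
ROOMS
D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
ROOMS\\215
D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)
ROOMS\\HEROES_ONLY\\SECRET.TXT
D:AI(D;;FA;;;S-1-5-21-0-0-0-1015)(A;ID;FA;;;S-1-5-21-0-0-0-1008)(A;ID;FA;;;SY)
"""

if __name__ == "__main__":
    for path, acl in parse_save_file(SAMPLE).items():
        print(path, "(inheritance disabled)" if acl["protected"] else "", acl["aces"])
    print("DENY entries:", deny_entries(parse_save_file(SAMPLE)))
```

Real backup files are written as UTF-16, so open them with that encoding before passing the text in.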