1 administering shared folders understanding shared folders planning shared folders sharing folders...
Post on 29-Jan-2016
Embed Size (px)
Administering Shared FoldersUnderstanding Shared FoldersPlanning Shared FoldersSharing FoldersCombining Shared Folder Permissions and NTFS PermissionsConfiguring Dfs to Gain Access to Network Resources
Understanding Shared FoldersShared FoldersShared Folder PermissionsHow Shared Folder Permissions Are AppliedGuidelines for Shared Folder PermissionsPractice: Applied Permissions
Shared Folders in Windows Explorer
Shared FoldersProvide network users centralized access to network files.Contain applications, data, or a users personal data in a home directory.All users by default can connect to the shared folder and gain access to the folders content.Each type of data requires different shared folder permissions.
Shared Folder PermissionsShared folder permissions can be assigned to user and group accounts to control what users can do with the content of a shared folder.Shared folder permissions are assigned to control how users gain access to a shared folder.Shared folder permissions can be allowed or denied.It is best to allow permissions and to assign permissions to a group rather than to individual users.Permissions should be denied only when necessary to override permissions that are otherwise applied.
Characteristics of Shared Folder PermissionsApply to folders, not to individual files; provide less-detailed security than NTFS permissions.Do not restrict access to users who gain access to the folder at the computer where the folder is stored; only apply to users who connect to the folder over the network.Are the only way to secure network resources on a FAT volume; NTFS permissions are not available on FAT volumes.The default is Full Control, which is assigned to the Everyone group when the folder is shared.
Shared Folder PermissionsRead: View file names and subfolder names, view data in files, traverse to subfolders, and run programsChange: Add files and subfolders to the shared folder, change data in files, delete subfolders and files, and perform actions permitted by the Read permissionFull Control: Change file permissions (NTFS only), take ownership of files (NTFS only), and perform all tasks permitted by the Change permission
Applied Permissions OverviewApplying shared permissions to user accounts and groups affects access to a shared folder.Denying permission takes precedence over the permissions that are allowed.
Effective PermissionA user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder.Effective permissions are the combination of the user and group permissions.
Deny Overrides Other PermissionsDenied permissions take precedence over any permissions that are otherwise allowed for user accounts and groups.If shared folder permissions are denied, the user will not have that permission, even if the permission is allowed for a group of which the user is a member.
NTFS Permissions Are Required on NTFS VolumesShared folder permissions are sufficient to gain access to files and folders on a FAT volume, but not on an NTFS volume.Users can gain access to a shared folder for which they have permissions, as well as all of the folders contents.When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and the appropriate NTFS permissions for each file and folder to which they gain access.
Copied, Moved, or Renamed Shared FoldersWhen a shared folder is copied, the original shared folder is still shared, but the copy is not shared.When a shared folder is moved or renamed, it is no longer shared.
Guidelines for Shared Folder PermissionsDetermine which groups need access to each resource and the level of access they require.Document the groups and their permissions for each resource.Assign permissions to groups instead of user accounts to simplify access administration.Assign to a resource the most restrictive permissions that still allow users to perform required tasks.Organize resources so that folders with the same security requirements are located within a folder.Use intuitive share names so that users can easily recognize and locate resources.Use share names that all client operating systems can use.
Shared Folder Naming ConventionsMicrosoft Windows 2000, Windows NT, Windows 98, and Windows 95Share name length: 80 charactersFolder name length: 255 charactersMS-DOS, Windows 3.1, and Windows for WorkgroupsShare name length: 8.3 charactersFolder name length: 8.3 characters
Planning Shared FoldersApplication FoldersData Folders
Planning Shared Folders OverviewPlanning shared folders helps to reduce administrative overhead and ease user access.Planning shared folders involvesDetermining which resources are to be shared.Organizing resources according to function, use, and administration needs.Shared folders contain applications and data.Using shared application folders centralizes administration.Using shared data folders provides a central location for users to store and gain access to common files.
Application Folders OverviewApplication folders are used for applications that are installed on a network server, and can be used from client computers.The primary advantage of shared applications is that most components of the applications do not need to be installed and maintained on each computer.Program files for applications can be stored on a server; configuration information for most network applications is often stored on each workstation.The exact way in which application folders are shared depends upon the application, network environment, and organization.
Creating and Sharing Application Folders
Data FoldersOverviewData folders are used by users on a network to exchange public and working data.Two types: working data folders and public data folders.When data folders are used, common data folders should be created and shared on a volume that is separate from the operating system and applications.Data files should be backed up frequently, and with data folders on a separate volume, they can be backed up conveniently.If the operating system requires reinstallation, the volume containing the data folder remains intact.
Public Data and Working Data Shared Folders
Public DataPublic data folders are used by larger groups of users who all need access to common data.Centralized data folders are used so that data can be easily backed up.The Change permission should be assigned to the Users group for the common data folder, thereby providing users with a central, publicly accessible location for storing data files they want to share with other users.
Working DataWorking data folders are used by members of a team who need access to shared files.Full Control permission should be assigned to the Administrators group for a central data folder, which allows administrators to perform maintenance more easily.Lower-level data folders below the central folder should be shared with the Change permission for the appropriate groups when restricted access to those folders is needed.
Sharing FoldersRequirements for Sharing FoldersAdministrative Shared FoldersSharing a FolderAssigning Shared Folder PermissionsModifying Shared FoldersConnecting to a Shared Folder
Sharing FoldersResources can be shared with others by sharing folders containing those resources.The creator of the shared folder must be a member of one of several groups, depending on the role of the computer on which the shared folder resides.Access to a shared folder is controlled by limiting the number of users who can simultaneously gain access to it or by assigning permissions to selected users and groups.Folder sharing properties may be modified after the folder is created.Users must first have appropriate permissions before making a connection to a shared folder.
Requirements for Sharing FoldersIn a Windows 2000 DomainThe Administrators and Server Operators groups can share folders residing on any machines in the domain.The Power Users group is a local group and can only share folders residing on the stand-alone server or computer running Windows 2000 Professional where the group is located.In a Windows 2000 WorkgroupThe Administrators and Power Users groups can share folders on the stand-alone server or the computer running Windows 2000 Professional on which the group exists.
Administrative Shared FoldersAutomatically shared folders are appended with a dollar sign ($).The $ hides the shared folder from users who browse the computer.The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that can be accessed from across the network.Hidden shared folders are not limited to those that the system automatically creates.Additional folders can be shared and a $ can be appended to the end of the share name.Only users who know the folder name and possess proper permissions can gain access to the hidden folder.
Windows 2000 Administrative Shared FoldersC$, D$, E$, and so on: The root of each volume on a hard diskAdmin$: The system root folder, which is C:\Winnt by defaultPrint$: The printer drivers folder, systemroot\System32\Spool\Drivers
Sharing a FolderAssign a share name to the folder.Provide comments to describe the folder and its content.Limit the number of users who have access to the folder.Assign permissions.Share the same folder multiple times.
Sharing Tab of the Properties Dialog Box for a Folder
Permissions For Dialog Box for a Shared Folder
Select Users, Computers, Or Groups Dialog Box