Files and Folders
Securing Files and Folders
Files and Folders
Share folders with Explorer or the Shared Folders snap-in (fsmgmt). fsmgmt can also be used to create shares on remote computers. Only administrators can connect to administrative shares. The Action menu in fsmgmt lets you stop sharing a folder, open the folder in Explorer, or configure its properties:
- General: share name, path, description, user limit, offline settings
- Publish: publish in AD, UNC (read only), description, owner, keywords
- Share Permissions
- Security
Share Permissions
Share access levels
- Read: read access to files and folders, execute programs
- Change: create, delete, change files and folders
- Full Control: change permissions, take ownership
Share permissions are cumulative, but Deny overrides Allow. Share and NTFS permissions combine to apply the most restrictive settings. Limitations of Share Permissions:
- Scope: share permissions apply only to resources accessed through Client for Microsoft Networks; they do not apply to access through interactive logons, RDP, HTTP, FTP, etc.
- Replication: share permissions do not replicate through File Replication Service (FRS)
- Resilience: share permissions are not included in backup or restore operations
- Fragility: share permissions are lost if you move or rename the folder
- Lack of Detail: share permissions are applied at the top level of the container only, so there is no granularity
- Auditing: no auditing available
- Complexity: adds complexity to the analysis of effective permissions
Common practice is to use NTFS for detailed control, and set share permissions to Everyone: Full Control. Windows 2003 defaults share permissions to Everyone: Read.
Use the Sessions node of fsmgmt to monitor and disconnect users; use the Open Files node to monitor open files and locks and to close connections; use the Shares node to send messages to connected machines (messages are not sent to usernames). In Windows 2003, the Messenger service is disabled by default. See also Filesvr.msc
NTFS Permissions
When a user attempts to access a resource, the SIDs in the user's security access token are compared to the SIDs in the ACEs of the resource's ACL. Explorer can be used to configure NTFS permissions both locally and remotely. Permission templates:
- Full Control
- Modify
- Read & Execute
- List Folder Contents
- Read
- Write
Use the Advanced button to see the specific ACEs applied to the object, set auditing and the owner, and see effective permissions. Choose Edit to see (and edit) the specific permissions associated with an ACE. The ACL Editor is also available from fsmgmt. Valid security principals:
- Users
- Groups
- Computers
- InetOrgPerson object class (see RFC 2798)
Only explicit permissions can be edited in the ACL Editor; inherited permissions require special treatment. No permission setting is currently available to stop a user copying a file if they have Read access; planned digital rights management controls may address this.
The Effective Permissions tab of the ACL Editor gives only an approximation: it takes no account of share level permissions, nor of special group memberships (e.g. Anonymous, Batch, Creator Owner, Dialup, Enterprise Domain Controllers, Interactive, Network, Proxy, Restricted, Remote Interactive Logon, Service, System, TS User, Other Organisation, This Organisation). Try running effective permissions on the user, then on these groups, to get the full picture.
Any permissions assigned to Creator Owner on the parent are assigned to the user creating a child object. An object's owner can ALWAYS modify its ACL. Ownership is also used by disk quota software. Administrators can take ownership or allow 'take ownership' for another user. Users with the 'Restore Files and Directories' right can transfer ownership to another user.
Inheritance
By default, permissions applied to a folder apply to the files and folders beneath it. Changes to the parent are applied to its children when inheritance is turned on. Inheritance can be managed from both the parent object (using Apply Onto) and the child (using Allow Inheritance).
You cannot simply untick an inherited permission. You can override it with an explicit assignment, or you can block inheritance for the object and assign an explicit ACL. You can also block all propagation from the parent object, in which case you'll be prompted to copy or remove the existing inherited permissions. Blocking inheritance should be used sparingly: it increases the complexity of access control management.
Inheritance can be reinstated from either the parent or the child. From the child, simply select Allow Inheritable Permissions and those permissions will be applied. Existing explicit permissions will be preserved. If you choose to replace permissions from the parent, all permissions are removed and the inheritable permissions are applied.
Assessing effective permissions:
- the only ACL that matters is the ACL on the resource
- allow permissions are cumulative
- deny permissions take precedence
- Explicit permissions mask conflicting inherited permissions: for example you can override an inherited deny with an explicit allow.
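The evaluation rules listed above, together with the share and NTFS "most restrictive" rule from the Share Permissions section, modelled as an added example (not part of the original notes and not a Windows API). The four rights, the principal names and the sample ACLs are constructed for illustration and are much simpler than a real NTFS access mask.

```python
from dataclasses import dataclass
from enum import IntFlag

class Right(IntFlag):                # simplified rights, not the real access mask
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMS = 8

READ = Right.READ
CHANGE = READ | Right.WRITE | Right.DELETE       # share level "Change"
FULL = CHANGE | Right.CHANGE_PERMS               # "Full Control"

@dataclass(frozen=True)
class Ace:
    sid: str                         # security principal the entry names
    allow: bool                      # True = Allow, False = Deny
    mask: Right
    inherited: bool = False          # share ACLs carry explicit entries only

def evaluate(token_sids, acl):
    """Rights one ACL grants to a token (explicit before inherited, deny before allow)."""
    granted, denied = Right(0), Right(0)
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.sid not in token_sids:
            continue                 # SID not in the user's access token
        if ace.allow:
            granted |= ace.mask & ~denied    # allows accumulate
        else:
            denied |= ace.mask & ~granted    # deny wins unless already granted
    return granted

def effective(token_sids, share_acl, ntfs_acl):
    """Access over the network: most restrictive of share and NTFS results."""
    return evaluate(token_sids, share_acl) & evaluate(token_sids, ntfs_acl)

# Constructed sample data: names stand in for SIDs.
TOKEN = {"alice", "Staff", "Contractors", "Everyone"}
SHARE_FULL = [Ace("Everyone", True, FULL)]
SHARE_READ = [Ace("Everyone", True, READ)]       # Windows 2003 default
NTFS = [Ace("Contractors", False, Right.WRITE, inherited=True),
        Ace("alice", True, CHANGE)]              # explicit allow masks the inherited deny
NTFS_DENY = [Ace("Staff", True, CHANGE),
             Ace("Contractors", False, Right.WRITE)]   # same level: deny wins

if __name__ == "__main__":
    for share, ntfs in [(SHARE_FULL, NTFS), (SHARE_READ, NTFS), (SHARE_FULL, NTFS_DENY)]:
        print(effective(TOKEN, share, ntfs))
```

The second case shows why a share left at the default Everyone: Read caps network access at Read whatever the NTFS ACL allows, which the Effective Permissions tab does not report.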
Auditing File Access
Auditing file access is achieved in three steps:
- specify auditing settings in the Advanced Security Settings dialog. Select the user, group or computer to audit, specify the permissions usage to audit, and select fail, success or both. Audit settings are inheritable
- enable audit policy using Local Security Policy or Domain Controller Security Policy. Go to Local Policy\Audit Policy (or Computer Configuration\Windows Settings\Security Settings\Local Policy\Audit Policy from gpedit). Define the policy and enable both if you want to audit fail and success.
- monitor the security log, using filtering to ease analysis
