Understanding NTFS Permissions
NTFS permissions are rules associated with objects that regulate which users can gain access to an object and in what manner. This lesson introduces standard NTFS folder and file permissions. It also explores the effects of combining user account and group permissions with file and folder permissions.
After this lesson, you will be able to
- Define standard NTFS folder and file permissions
- Describe the result when multiple NTFS permissions are applied to a resource
- Describe the result when you combine user account and group permissions for a resource
NTFS Permissions
Use NTFS permissions to specify which users and groups can gain access to files and folders, and what they can do with the contents of the file or folder. NTFS permissions are available only on NTFS volumes; volumes formatted with the file allocation table (FAT) or FAT32 file systems have no per-file security at all. NTFS security is effective whether a user gains access to the file or folder at the computer or over the network (unlike share permissions, which apply only to access over the network). The permissions you assign for folders are different from the permissions you assign for files.
NTFS Folder Permissions
You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folder.
A user account can end up with several permissions on one resource: those assigned directly to the user account and those assigned to each group of which the user is a member. You need to understand the rules and priorities that govern how NTFS combines multiple permissions into the access a user actually gets. You also need to understand NTFS permission inheritance.
There are certain guidelines you should follow for assigning NTFS permissions. Assign permissions according to group and user needs; this includes allowing or preventing permissions inheritance from parent folders to subfolders and files that are contained in the parent folder. This lesson presents guidelines for planning NTFS permissions and then walks you through the steps of assigning NTFS permissions.
After this lesson, you will be able to
- Plan what permissions to assign to users or groups for applications and data folders
- Assign NTFS folder and file permissions to user accounts and groups
Planning NTFS Permissions
If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that NTFS permissions are easy to manage. Use the following guidelines when you assign NTFS permissions:
- To simplify administration, group files into application, data, and home folders. Centralize home and public folders on a volume that is separate from applications and the operating system. Doing so provides the following benefits:
- You assign permissions only to folders, not to individual files.
- Backup is less complex because application files (which can be reinstalled from their media) need not be backed up, and all home and public folders are in one location.
- Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.
- Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.
- When you assign permissions for working with data or application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.
- Block permission inheritance at each user's home directory. The permissions of the parent folder then stop flowing into the home directory, so each home directory carries only the permissions set for it and the user can manage permissions on the files and folders it contains.
- When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the CREATOR OWNER identity. CREATOR OWNER is a placeholder: when a user creates a file or folder, the permission assigned to CREATOR OWNER is copied to the new object for that user, who is by default its creator and owner. After you create a file, you may grant another user permission to take ownership of the file; the person who takes ownership then becomes the owner of the file. With Read & Execute and Write assigned to the Users group and Full Control assigned to CREATOR OWNER, users can read and modify documents that other users create, and can read, modify, and delete the files and folders that they create themselves.
- Deny permissions only when it is essential to deny specific access to a specific user account or group.
- Encourage users to assign permissions to the files and folders that they create and educate them about how to do so.
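The following script is an added example, not part of the original lesson: it builds the application, public, and home folder layout recommended above and applies the ACLs the guidelines describe using the .NET FileSystemAccessRule class. The `$Root` path, the `alice` and `bob` accounts, the Administrators entries on the public and home folders, and the NT AUTHORITY\SYSTEM entries (which the lesson does not mention, but which services and backup software need) are assumptions. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the lesson. Assumptions: $Root is a data volume separate from the
# operating system and applications; 'alice' and 'bob' exist as local (or DOMAIN\name) accounts.
$Root = 'D:\Data'

function New-AccessRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        # Default scope: this folder, its subfolders and its files
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Type
}

function Set-GuidelineAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent; $false discards the inherited ACEs instead of copying them
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE that is already there (on a freshly formatted volume: Everyone, Full Control)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.PurgeAccessRules($ace.IdentityReference)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Application folder: Read & Execute for Users and Administrators. Administrators also get
# Change Permissions so they can grant themselves Full Control for an update and revert it afterwards.
Set-GuidelineAcl -Path "$Root\Apps" -Rules @(
    (New-AccessRule 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-AccessRule 'BUILTIN\Administrators' 'ReadAndExecute, ChangePermissions'),
    (New-AccessRule 'BUILTIN\Users' 'ReadAndExecute')
)

# Public data folder: Users can read and add files; whoever creates a file or subfolder gets
# Full Control over it through the CREATOR OWNER placeholder, which is an inherit-only ACE.
Set-GuidelineAcl -Path "$Root\Public" -Rules @(
    (New-AccessRule 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-AccessRule 'BUILTIN\Administrators' 'FullControl'),
    (New-AccessRule 'BUILTIN\Users' 'ReadAndExecute, Write'),
    (New-AccessRule 'CREATOR OWNER' 'FullControl' -Propagate 'InheritOnly')
)

# Parent of the home directories: Users may list it (this folder only) so they can find their own folder.
Set-GuidelineAcl -Path "$Root\Home" -Rules @(
    (New-AccessRule 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-AccessRule 'BUILTIN\Administrators' 'FullControl'),
    (New-AccessRule 'BUILTIN\Users' 'ReadAndExecute' -Inherit 'None')
)

# Home directories: inheritance is blocked on each one, so the ACL of $Root\Home does not flow
# into it and the owning user is the only non-administrative principal listed.
foreach ($user in @('alice', 'bob')) {
    Set-GuidelineAcl -Path "$Root\Home\$user" -Rules @(
        (New-AccessRule 'NT AUTHORITY\SYSTEM' 'FullControl'),
        (New-AccessRule 'BUILTIN\Administrators' 'FullControl'),
        (New-AccessRule $user 'FullControl')
    )
}
```

`Set-GuidelineAcl` replaces the whole DACL rather than appending to it, which is what turns the formatting-time default (Everyone: Full Control) into the intended set; check the result with `Get-Acl -LiteralPath "$Root\Public" | Format-List` before putting data in the folders.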
Setting NTFS Permissions
By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You should replace this default and assign the NTFS permissions that actually control the access users have to resources. Be careful when you assign permissions to the Everyone group while the Guest account is enabled: Windows 2000 authenticates a user who does not have a valid user account as Guest, and that user automatically receives every right and permission you have assigned to the Everyone group.
Troubleshooting Permissions Problems
When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users. This lesson describes common permission-related problems and their solutions.
After this lesson, you will be able to
- Recognize common reasons why users cannot gain access to resources
- Solve common permission-related problems
Avoiding Permissions Problems
The following list provides best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.
- Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
- Assign all permissions at the folder level, not at the file level. Group files in a separate folder for which you want to restrict user access, and then assign that folder restricted access.
- For all application executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group. Damage to application files is usually a result of accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions to their user account.
- Assign Full Control to CREATOR OWNER for public data folders so that users can delete and modify files and folders that they create. Doing so gives the user who creates the file or folder (CREATOR OWNER) full access to only the files or folders that he or she creates in the public data folder.
- For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Everyone group. This gives users full access to the files that they create, but members of the Everyone group can only read files in the folder and add files to the folder. Remember that Everyone includes Guest whenever the Guest account is enabled.
- Use long, descriptive names if the resource will be accessed only at the computer. If a folder will eventually be shared, use folder and file names that every client computer can use; older clients cannot handle long file names.
- Allow permissions rather than deny permissions. If you do not want a user or group to gain access to a particular folder or file, do not assign permissions. Denying permissions should be an exception, not a common practice.
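As an added example (not part of the lesson), the following read-only audit walks a folder tree and reports the ACL patterns the list above warns against: Deny entries, the formatting-time default of Everyone with Full Control, and explicit permissions set on individual files instead of folders. The `$Root` path is an assumption; nothing is modified, so it is safe to run before and after the permissions are changed.

```powershell
# Added example, not from the lesson. Assumption: $Root is the top of the data tree to audit.
$Root = 'D:\Data'
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Find-AclProblems {
    param([string]$Path)
    $findings = New-Object System.Collections.Generic.List[string]
    # Audit the root itself and everything below it, hidden items included
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Inherited ACEs were decided higher up; report each decision only where it was made
            if ($ace.IsInherited) { continue }
            $who   = $ace.IdentityReference.Value
            $where = $item.FullName
            if ($ace.AccessControlType -eq 'Deny') {
                $findings.Add("Deny ACE for $who on $where (prefer withholding Allow over using Deny)")
            }
            $rights = [int]$ace.FileSystemRights
            if (($who -eq 'Everyone') -and (($rights -band $FullControl) -eq $FullControl)) {
                $findings.Add("Everyone has Full Control on $where (the default set when the volume was formatted)")
            }
            if (-not $item.PSIsContainer) {
                $findings.Add("Explicit ACE for $who on file $where (assign permissions at the folder level instead)")
            }
        }
    }
    return $findings
}

Find-AclProblems -Path $Root
```

The file-level check only flags ACEs that are not inherited, so files that simply receive their folder's permissions produce no output; a large tree with many findings is easier to read piped through `Sort-Object` or written to a file.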