Hiya – I am the publisher for the Microsoft Small Business Specialist Primer book and I like to hold virtual book readings! Here is my entry for the day – permissions! BTW – my SBS 2008 book is now HERE!
Share Permissions
In terms of “Microsoft think” on the 70-282 exam, you should always secure objects that are shared on the network. That could be folders, printers, and other devices and applications. For other users to reach a resource over the network, it must first be shared out. By default, a new share grants the Everyone group (yes, there is an “Everyone” group) Read permission. Once the resource is shared, you should remove the Everyone group and add only the security groups that need Read, Change, or Full Control. Share permissions are set on the shared folder, not on individual files, and are inherited by every subfolder and file beneath the share point. They are listed in Table 6-1.
Table 6-1 Share permissions

| Permission | What it allows |
|---|---|
| Read | View the folder, its subfolders, and all files they contain; run programs. |
| Change | Everything Read allows; change data in files, add and delete files, create documents and subfolders. |
| Full Control | Everything Change allows; change the permission settings on the share. |
IMPORTANT: What Microsoft doesn’t offer (but NetWare did) is a “hidden” attribute you can tick as a share permission. But have no fear. It can be re-created by appending a dollar sign to the share name. (Granted, this is a very American way to hide something and probably is culturally offensive to the international readers of this book.) So a share named HARRYB$ would not be visible when users browse the network or run net view. Keep in mind what this does and does not do: the dollar sign only keeps the share out of browse lists. It adds no permission check, so anyone who knows the name and holds the share and NTFS rights can still map it, and an administrator can still list it in Computer Management. Windows creates its own hidden administrative shares the same way (C$, ADMIN$, IPC$). Hidden share questions have been known to appear on Microsoft certification exams.
IMPORTANT: Share permissions are only enforced when the folder is reached over the network. If a user logs on locally or via Terminal Services, share permissions are never evaluated; only NTFS permissions apply. On the other hand, Windows Server 2003 (and SBS 2003) now has all default share permissions set to READ only for the Everyone group, as shown in Figure 6-3. In many cases you will need to make the share permission more generous, otherwise a user will hit a “read-only” condition when working with a document. Another example is a line-of-business application: if you share a folder holding its database and leave the share at Read, users will encounter errors as soon as the application tries to write. A common approach is to grant a broad group (for example, Authenticated Users) Change or Full Control on the share and do the real restricting with NTFS permissions, so the same NTFS rules govern access whether the user comes in over the network or logs on locally.
Chapter 6 Securing Windows Small Business Server 2003
Figure 6-3 Default share permissions set to READ only for the Everyone group! In prior SBS releases (SBS 2000), this was Full Control.
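Here is the sharing procedure from this section as a PowerShell script. This is an added example, not code from the book: it drops Everyone, grants one security group Change, hides the share with a trailing dollar sign, and then shows why “hidden” is not the same as “secured”. It uses the SmbShare cmdlets (Windows 8 / Windows Server 2012 and later; on SBS 2003 itself the same settings are made on the folder’s Sharing tab). The path, share name and group name are made up for the example.

```powershell
# Added example (not from the book): share a folder the way the chapter recommends.
# Assumes the SmbShare module; the path, share and group below are hypothetical.
$Path  = 'C:\Shares\HarryB'
$Share = 'HARRYB$'                     # trailing $ keeps it out of browse lists
$Group = 'CONTOSO\HarryB-Users'        # the security group that should have access

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Naming a group at creation time means the default Everyone:Read entry is never added.
New-SmbShare -Name $Share -Path $Path -ChangeAccess $Group | Out-Null

# Belt and braces: remove any Everyone entry that is present (e.g. on a pre-existing share).
Get-SmbShareAccess -Name $Share |
    Where-Object AccountName -eq 'Everyone' |
    ForEach-Object { Revoke-SmbShareAccess -Name $Share -AccountName $_.AccountName -Force }

# What the share now grants (should be just the group, with Change).
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# "Hidden" is not "secure": an administrator still sees every $ share (the Special
# column marks the built-in C$/ADMIN$/IPC$ shares), and anyone who knows the name
# and holds share + NTFS rights can still open it.
Get-SmbShare | Where-Object Name -like '*$' | Select-Object Name, Path, Special
Test-Path "\\$env:COMPUTERNAME\$Share"   # True for a user who has access
```

Run it in an elevated PowerShell on the file server. The last two lines are the check worth keeping in mind for the exam and in practice: the share does not appear in net view from a workstation, but it opens fine by name.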
NTFS Permissions
NTFS permissions use ACLs (Access Control Lists) attached to each file and folder. When a user logs on to the domain, Windows builds an access token holding the user’s SID and the SIDs of every group the user belongs to; each access request is checked by comparing the ACL’s entries (ACEs) against the SIDs in that token.
NTFS permissions can be configured on files AND folders and allow far finer control than share permissions. When a folder is both shared and protected with NTFS permissions, a user coming in over the network gets the more restrictive of the two: the effective share permission and the effective NTFS permission are each worked out on their own, and only what both allow goes through. Unlike share permissions, NTFS permissions are enforced both across the network and when the user logs on locally.
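The combining rule stated above, worked through in code. This is an added example, not from the book: it reads the folder’s NTFS ACL, collects the Allow and Deny entries that match the user and the user’s groups, and then intersects the result with the share permission to give the over-the-network view. The folder path, the share level and the principal list are assumptions; in real life the token also contains nested groups and well-known SIDs, so pass the full list from whoami /groups if you want an exact answer.

```powershell
# Added example (not from the book): effective access = NTFS rights AND share permission
# over the network; NTFS rights alone when logged on locally or via Terminal Services.
using namespace System.Security.AccessControl

# Share permission levels expressed as the NTFS rights they correspond to
# (Read = read/list/execute, Change = Modify, Full Control = everything).
$ShareMask = @{
    Read        = [int][FileSystemRights]'ReadAndExecute, Synchronize'
    Change      = [int][FileSystemRights]'Modify, Synchronize'
    FullControl = [int][FileSystemRights]::FullControl
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Read','Change','FullControl')][string]$ShareLevel,
        [Parameter(Mandatory)][string[]]$Principals   # the user plus every group in the user's token
    )
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [AccessControlType]::Allow) { $allow = $allow -bor $mask }
        else                                                       { $deny  = $deny  -bor $mask }
    }
    # Simplification: treat any matching Deny as beating any Allow (the GUI's
    # Effective Permissions tab honours ACE order, which can differ in edge cases).
    $ntfs = $allow -band (-bnot $deny)
    [pscustomobject]@{
        Path             = $Path
        LocalOrTerminal  = [FileSystemRights]$ntfs                                    # NTFS only
        OverTheNetwork   = [FileSystemRights]($ntfs -band $ShareMask[$ShareLevel])    # NTFS AND share
    }
}

# Hypothetical folder shared with Change; hypothetical user and token groups.
Get-EffectiveAccess -Path 'C:\Shares\Finance' -ShareLevel Change `
    -Principals 'CONTOSO\jsmith', 'CONTOSO\Finance', 'NT AUTHORITY\Authenticated Users', 'Everyone'
```

If NTFS grants the Finance group Full Control but the share is left at the Server 2003 default of Read, OverTheNetwork comes back as ReadAndExecute while LocalOrTerminal still shows FullControl, which is exactly the “read-only” symptom described under share permissions.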
At a minimum, you need to memorize the following NTFS permissions:
· Read,
· Write,
· List Folder Contents,
· Read and Execute,
· Modify, and
· Full Control.
You should seek to understand how the core NTFS permissions are made up of a set of special permissions as shown in the following table. Depending on what object you assign permissions to, certain permission may not be available due to the type of object. (Take a look at folder permissions compared to printer permissions.) Let’s take a quick dive into table 6-2 before continuing.
Table 6-2 Deep dive into NTFS permissions: which special permissions make up each standard permission
| Special permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
|---|---|---|---|---|---|---|
| Traverse Folder / Execute File | x | x | x | x | - | - |
| List Folder / Read Data | x | x | x | x | x | - |
| Read Attributes | x | x | x | x | x | - |
| Read Extended Attributes | x | x | x | x | x | - |
| Create Files / Write Data | x | x | - | - | - | x |
| Create Folders / Append Data | x | x | - | - | - | x |
| Write Attributes | x | x | - | - | - | x |
| Write Extended Attributes | x | x | - | - | - | x |
| Delete Subfolders and Files | x | - | - | - | - | - |
| Delete | x | x | - | - | - | - |
| Read Permissions | x | x | x | x | x | x |
| Change Permissions | x | - | - | - | - | - |
| Take Ownership | x | - | - | - | - | - |
Note that the Modify permission in the above table is only three special permissions short of Full Control: Delete Subfolders and Files, Change Permissions, and Take Ownership. This is a MAJOR HINT! Those three are exactly what let a user lock other people out (or take the folder over), which is why Modify, not Full Control, is the right grant for ordinary users of a shared folder.
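Table 6-2 is not something you have to take on faith: each standard permission is just an access mask, and the rows of the table are the bits in that mask. The following added example (not from the book) rebuilds the table from the masks the Security tab writes when you tick each standard box, and then confirms the “major hint” by computing Full Control minus Modify. It needs nothing but PowerShell; no folder is touched.

```powershell
# Added example (not from the book): rebuild Table 6-2 from access-mask bits and
# check that Modify is Full Control minus exactly three special permissions.
using namespace System.Security.AccessControl

# Special permissions in Table 6-2 order, using the FileSystemRights enum names.
# Synchronize is not in the book's table but is part of every standard permission.
$Special = @(
    'ExecuteFile'                   # Traverse Folder / Execute File
    'ReadData'                      # List Folder / Read Data
    'ReadAttributes'
    'ReadExtendedAttributes'
    'WriteData'                     # Create Files / Write Data
    'AppendData'                    # Create Folders / Append Data
    'WriteAttributes'
    'WriteExtendedAttributes'
    'DeleteSubdirectoriesAndFiles'  # Delete Subfolders and Files
    'Delete'
    'ReadPermissions'
    'ChangePermissions'
    'TakeOwnership'
    'Synchronize'
)

# The masks written by the standard check boxes (the Win32 FILE_GENERIC_* values).
# List Folder Contents uses the same mask as Read & Execute; it differs only in
# being inherited by subfolders and not by files.
$Standard = [ordered]@{
    FullControl        = 0x1F01FF
    Modify             = 0x1301BF
    ReadAndExecute     = 0x1200A9
    ListFolderContents = 0x1200A9
    Read               = 0x120089
    Write              = 0x120116
}

function Expand-FileSystemRights {
    # Return the names of the special permissions contained in an access mask.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($name in $Special) {
        $bit = [int][FileSystemRights]$name
        if (($Mask -band $bit) -eq $bit) { $name }
    }
}

# Table 6-2: one row per special permission, one column per standard permission.
$Special | ForEach-Object {
    $row = [ordered]@{ Special = $_ }
    foreach ($std in $Standard.Keys) {
        $row[$std] = if ((Expand-FileSystemRights $Standard[$std]) -contains $_) { 'x' } else { '-' }
    }
    [pscustomobject]$row
} | Format-Table -AutoSize

# The MAJOR HINT: what Full Control has that Modify does not.
$onlyInFull = Compare-Object (Expand-FileSystemRights $Standard.FullControl) `
                             (Expand-FileSystemRights $Standard.Modify) |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject
$onlyInFull   # DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership
```

The same Expand-FileSystemRights function is handy on a real ACE: feed it [int]$ace.FileSystemRights from Get-Acl and you get the special permissions an entry actually grants, which is what the Advanced button in the Security tab shows.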
IMPORTANT: An interesting question that has emerged in the SBS community concerns NTFS folders versus Windows SharePoint Services (WSS). In a sense, NTFS and WSS compete with each other, because both are used to store information such as files inside folders. As you seek to understand the SBS product en route to becoming certified on the 70-282 exam, you’ll appreciate this cultural debate. NTFS, being based on ACLs, has a very rich set of permissions. WSS, being based on four site roles, has a much smaller set of permissions it can apply to objects like files and folders. However, WSS has version control and alerts, something missing from NTFS. So both approaches, NTFS and WSS, have strengths and weaknesses, and both are present on the 70-282 exam.
Here is another test tip factoid you’ll want to memorize. NTFS permissions are either explicit or inherited. An explicit permission is one set directly on the file or folder; an inherited permission flows down from the parent folder. When you see a permission check box grayed out on the Security tab of a file or folder’s properties, you know it is inherited and can only be changed on the parent (or by breaking inheritance on the Advanced tab). A newly created folder starts out with only inherited permissions from its parent; explicit permissions appear when you add entries to that folder yourself.
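The explicit-versus-inherited distinction is visible from the command line too. The following added example (not from the book) lists each ACE on a folder with its origin, adds an explicit entry, and shows the call behind the “Disable inheritance” button. The folder path and the group name are made up for the example.

```powershell
# Added example (not from the book): tell explicit ACEs from inherited ones.
# The folder and group are hypothetical.
$Path  = 'C:\Shares\HarryB'
$Group = 'CONTOSO\HarryB-Users'

function Get-AceOrigin {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Origin    = if ($ace.IsInherited) { 'Inherited (grayed out in the GUI)' } else { 'Explicit' }
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# Before: on a freshly created subfolder every entry reports Inherited.
Get-AceOrigin -Path $Path | Format-Table -AutoSize

# Add an explicit entry: Modify for the group on this folder, subfolders and files.
$acl  = Get-Acl -Path $Path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# After: the new entry shows as Explicit alongside the inherited ones.
Get-AceOrigin -Path $Path | Format-Table -AutoSize

# The "Disable inheritance" button in code. The second argument decides whether the
# inherited entries are copied onto the folder as explicit ones ($true) or dropped
# ($false). Dropping them on a folder that has no explicit entries locks everyone out
# except the owner and administrators, so copy first and prune afterwards.
# $acl = Get-Acl -Path $Path
# $acl.SetAccessRuleProtection($true, $true)
# Set-Acl -Path $Path -AclObject $acl
```

The IsInherited property is what the GUI’s gray check boxes are reporting, so this is a quick way to audit a tree for folders where somebody broke inheritance and left a one-off entry behind.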
cheers….harrybbbb
Harry Brelsford, CEO at SMB Nation (www.smbnation.com)
MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)
PS – my Small Business Server 2008 (SBS 2008) book is now here!