70-282 Exam Cram – Share Permissions (Microsoft Small Business Specialist Primer book excerpt)

Hiya – I am the publisher for the Microsoft Small Business Specialist Primer book and I like to hold virtual book readings! Here is my entry for the day – permissions! BTW – my SBS 2008 book is now HERE!

Share Permissions

In terms of “Microsoft think” on the 70-282 exam, you should always secure objects that are shared on the network. That could be folders, printers, and other devices and applications. For other users to gain access to the shared resource, it must be shared out. By default, shares allow access to Everyone (yes, there is an “Everyone” group) and assign read permissions. Once the resource is shared, you could remove the Everyone group and just add the security groups that should have Read, Change, or Full Control permissions. Share permissions apply to folders not files and will be inherited from subfolders. They are displayed in Table 6-1.

Table 6-1

| Share permission | What it allows |
| --- | --- |
| Read | View the folder, subfolders, and all files contained in them; allows running programs. |
| Change | Allows Read access; allows changing data in files, adding and deleting files; allows creating documents and subfolders. |
| Full Control | Allows Change permissions access; allows changing permission settings on the folder. |

IMPORTANT: What Microsoft doesn’t offer (but NetWare did) is the hidden share permission attribute as a permission selection. But have no fear. It can be re-created by appending a share name with a dollar sign. (Granted—this is a very American way to hide something and probably is culturally offensive to the international readers of this book.) So a share named HARRYB$ would not be visible from the network. Hidden share questions have been known to appear on Microsoft certification exams.

IMPORTANT: Share permissions are only effective across the network. If a user logs on locally or via terminal services, share permissions will not be effective. On the other hand, Windows Server 2003 (and SBS 2003) now has all default share permissions set to READ only for the Everyone Group as shown in Figure 6-3. You should change permission settings to be more generous (in many cases), otherwise a user will encounter a “read-only” condition when working with a document. Another example is a line-of-business application. If you set up a database for sharing, users will encounter errors when trying to work with the database application.


Chapter 6: Securing Windows Small Business Server 2003

Figure 6-3

Default share permissions set to READ only for the Everyone Group! In prior SBS releases (SBS 2000), this was Full Control.

NTFS Permissions

NTFS permissions use ACLs (Access Control Lists) that are checked against the access token assigned to the user when logging into the domain.

NTFS can be configured on files AND folders and allows for greater control than share permissions. If share and NTFS permissions are applied to the same folder, the more restrictive rule will apply. NTFS permissions are effective across the network and locally.

At a minimum, you need to memorize the following NTFS permissions:

· Read,
· Write,
· List Folder Contents,
· Read and Execute,
· Modify, and
· Full Control.


You should seek to understand how the core NTFS permissions are made up of a set of special permissions as shown in the following table. Depending on what object you assign permissions to, certain permissions may not be available due to the type of object. (Take a look at folder permissions compared to printer permissions.) Let’s take a quick dive into Table 6-2 before continuing.

Table 6-2

Deep dive into NTFS permissions

| Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
| --- | --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | x | x | x | x | | |
| List Folder/Read Data | x | x | | x | x | |
| Read Attributes | x | x | x | x | x | |
| Read Extended Attributes | x | x | x | x | x | |
| Create Files/Write Data | x | x | | | | x |
| Create Folders/Append Data | x | x | | | | x |
| Write Attributes | x | x | | | | x |
| Write Extended Attributes | x | x | | | | x |
| Delete Subfolder and Files | x | | | | | |
| Delete | x | x | | | | |
| Read Permissions | x | x | x | x | x | x |
| Change Permissions | x | | | | | |
| Take Ownership | x | | | | | |

Note that the Modify permission in the above table has only three fewer permissions than the Full permissions (see gray boxes). This is a MAJOR HINT!
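The following is an added example, not from the book: a small Python model of the "more restrictive rule" for combined share and NTFS permissions and of the three-permission gap between Modify and Full Control. The bit values are the Windows file access-mask bits and the basic permission sets follow the standard Windows definitions; the mapping of share Read/Change/Full Control onto Read & Execute/Modify/Full Control is an assumption of this example, and it models a single allow entry per side (no deny entries, no merging of group memberships).

```python
from enum import IntFlag

class Special(IntFlag):
    """NTFS special permissions with their Windows access-mask bits."""
    LIST_FOLDER_READ_DATA     = 0x000001
    CREATE_FILES_WRITE_DATA   = 0x000002
    CREATE_FOLDERS_APPEND     = 0x000004
    READ_EXTENDED_ATTRIBUTES  = 0x000008
    WRITE_EXTENDED_ATTRIBUTES = 0x000010
    TRAVERSE_EXECUTE          = 0x000020
    DELETE_SUBFOLDERS_FILES   = 0x000040
    READ_ATTRIBUTES           = 0x000080
    WRITE_ATTRIBUTES          = 0x000100
    DELETE                    = 0x010000
    READ_PERMISSIONS          = 0x020000
    CHANGE_PERMISSIONS        = 0x040000
    TAKE_OWNERSHIP            = 0x080000

S = Special
# Basic NTFS permissions built up from the special permissions.
READ = (S.LIST_FOLDER_READ_DATA | S.READ_ATTRIBUTES
        | S.READ_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS)
WRITE = (S.CREATE_FILES_WRITE_DATA | S.CREATE_FOLDERS_APPEND | S.WRITE_ATTRIBUTES
         | S.WRITE_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS)
READ_EXECUTE = READ | S.TRAVERSE_EXECUTE
MODIFY = READ_EXECUTE | WRITE | S.DELETE
FULL_CONTROL = MODIFY | S.DELETE_SUBFOLDERS_FILES | S.CHANGE_PERMISSIONS | S.TAKE_OWNERSHIP

# Share levels expressed with the same bits (assumed equivalence, see lead-in).
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}

def effective(ntfs, share_level=None):
    """Access the user ends up with. share_level=None models a local or
    terminal services logon, where share permissions are not evaluated."""
    if share_level is None:
        return ntfs
    return ntfs & SHARE[share_level]  # over the network the more restrictive wins

def names(mask):
    """Names of the special permissions contained in a mask."""
    return sorted(p.name for p in Special if p & mask)

def can_save_documents(mask):
    return bool(mask & S.CREATE_FILES_WRITE_DATA)

if __name__ == "__main__":
    print("Full Control minus Modify:", names(FULL_CONTROL & ~MODIFY))
    for level in (None, "Read", "Change"):
        eff = effective(MODIFY, level)
        print(f"NTFS Modify, share={level}: can save = {can_save_documents(eff)}")
```

With NTFS Modify behind the default Everyone/Read share, the network user is reduced to read and execute access, which is the "read-only" condition described earlier; the same user logged on locally keeps Modify.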

IMPORTANT: An interesting question that has emerged in the SBS community concerns NTFS folders versus Windows SharePoint Services (WSS). In a sense, NTFS and WSS compete with each other because they are used to store information like files inside folders. As you seek to understand the SBS product en route to becoming certified on the 70-282 exam, you’ll appreciate this cultural debate. NTFS, being based on ACLs, has a very rich set of permissions. WSS, being based on four roles, has a limited set of permissions it can apply to objects like files and folders. However, WSS has version control and alerts, something missing from NTFS. So both approaches, NTFS and WSS, have strengths and weaknesses and are present on the 70-282 exam.

Here is another test tip factoid you’ll want to memorize. NTFS permissions are either explicit or inherited. When you see a permission box grayed out on the Security tab under file or folder properties, you know this is an inherited permission, whereas explicit permissions are set when you create a new folder.

cheers….harrybbbb

Harry Brelsford, CEO at SMB Nation (www.smbnation.com)

MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)

PS – my Small Business Server 2008 (SBS 2008) book is now here!
