Chapter 8: CONFIGURING AND MANAGING SHARED FOLDER SECURITY
24. UNC PATHS
26. COMBINING NTFS AND SHARE PERMISSIONS
39. CLIENT CONNECTIONS TO WEB FOLDERS
Editor's notes
This chapter discusses shared folders and shared folder security. We will examine why shared folders are used, how they are configured, and how security is applied. We will discuss how clients access shared folders and how shared folder permissions combine with NTFS permissions. We will also examine offline files and Web folders and their uses for traveling or remote users.
Shared folders make it possible to access files across the network. Server systems make shared folders available to client computers.
Shared folders have three basic permissions: Read, Change, and Full Control. It is possible, as with NTFS permissions, to also deny a permission, with the same effect as Deny for NTFS. As with NTFS, it is best to use Deny only to support exception policies, and you should be sure to document use of Deny to prevent later confusion.
As you discuss the points on this slide, also mention that access to a file system via shared folders includes the same access to any subfolders. Be sure to discuss the security exposures created by allowing Everyone access to folders and files. As you present this chapter, emphasize the importance of replacing Everyone with Users or Authenticated Users.
This slide shows how access to a higher-level shared folder can provide access to lower-level folders. Administrators in this example have Full Control access to all folders when they access the hidden administrative root shares; the other groups have access only to lower-level folders.
This slide lists best practices for shared folders. Consolidating data that requires like permissions into folders and assigning permissions to groups of users greatly simplifies the process of assigning permissions. Use of intuitive share names makes it simpler for users to locate the folders they need.
When you assign permissions to a folder, consider the effects of multiple permissions. Permissions are the sum of all the permissions assigned to groups that the user belongs to. Deny overrides all other permissions. When share permissions are combined with NTFS permissions, the effective permission is the more restrictive of the two. When a shared folder is renamed or moved, the folder is no longer shared. It must be shared again manually. When a shared folder is copied, the copy is not shared.
In Windows XP Professional, only Administrators and Power Users can share folders. In addition, the user who shares a folder must have at least the Read NTFS standard permission to the folder.
This slide depicts using the Create Shared Folder Wizard to add a shared folder. This wizard lets you create and set basic permissions on a share all at once. You can access the wizard from the Shared Folders snap-in in Computer Management.
This slide shows the Sharing tab of a folder’s Properties dialog box. Note the Permissions button. We will discuss configuring shared folder permissions in a later slide.
This slide shows the NET SHARE command in use. If time permits, display the NET SHARE /? command to explore some of its available options. Note how the NET SHARE options map to options in the Create Shared Folder Wizard and the Sharing tab of the Properties dialog box for a folder.
This slide depicts the Shared Folders snap-in with the default administrative folders displayed. Show your students how to connect to administrative shares, and describe uses for each share. Explain that the dollar sign ($) “hides” the share.
This slide describes the three main ways to stop sharing folders. As you discuss each one, demonstrate the operation in the appropriate application. Remind students to have connected users disconnect from the share before stopping a share, to protect data files in the share.
You can create multiple shares for one folder for different types of access. Suppose you have an application folder that you access with Read permission for day-to-day operations. If you need Change permission to carry out maintenance tasks, you can create both shares and use the Read version for normal operations. When you need to perform maintenance, you can connect to the Change share.
Universal Naming Convention (UNC) paths consist of the server name followed by the share name and any subfolders. They are used to specify the share for mapped drives or for direct access from applications.
You can access shared folders by browsing My Network Places and finding the share, by mapping a drive in Windows Explorer (if you know the share path), or from a command line. You can also open a share by entering the UNC path in the Run dialog box (opened via the Start menu).
This slide depicts the result of combining NTFS permissions and shared folder permissions. Discuss this scenario and perhaps run through a few additional examples. Many organizations share folders with Full Control and control all permissions via NTFS. This simplifies control because only one set of permissions is considered.
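The combination rules stated two notes above (permissions are cumulative within a type, Deny overrides, and share plus NTFS resolves to the more restrictive) and the scenario on this slide, modelled as a small calculator. This is an added example, not material from the course deck; the ACLs, groups and user names are constructed, and the mapping of share and NTFS levels to abstract operations is a simplification for illustration.

```python
from dataclasses import dataclass

# Abstract operations so share and NTFS permission levels can be compared.
FULL = {"read", "execute", "write", "delete", "change_permissions", "take_ownership"}

# Share permissions: Read, Change, Full Control (each level includes the lower ones).
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": FULL,
}
# NTFS standard permissions, simplified to the same operation vocabulary.
NTFS_LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": FULL,
}

@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal, a permission level, Allow or Deny."""
    principal: str
    level: str
    deny: bool = False

def resolve(aces, levels, principals):
    """Union of all Allow entries matching the user's groups, minus any Deny."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(levels[ace.level])
    return allowed - denied  # Deny overrides every Allow

def effective(share_aces, ntfs_aces, principals):
    """Access through the share: the more restrictive of the share and NTFS results."""
    return resolve(share_aces, SHARE_LEVELS, principals) & resolve(ntfs_aces, NTFS_LEVELS, principals)

def everyone_grants(share_aces):
    """Audit helper: levels the share grants to Everyone (the chapter's warning sign)."""
    return sorted(a.level for a in share_aces if a.principal == "Everyone" and not a.deny)

# Constructed sample ACLs (not from the page): a share and the NTFS folder behind it.
SHARE_ACL = [Ace("Everyone", "Read"), Ace("Sales", "Change")]
NTFS_ACL = [Ace("Users", "Modify"), Ace("Contractors", "Write", deny=True)]
ALICE = {"alice", "Everyone", "Users", "Sales"}        # constructed group memberships
BOB = {"bob", "Everyone", "Users", "Contractors"}

if __name__ == "__main__":
    for name, groups in (("alice", ALICE), ("bob", BOB)):
        print(name, sorted(effective(SHARE_ACL, NTFS_ACL, groups)))
    print("Everyone is granted:", everyone_grants(SHARE_ACL))
```

Passing a share ACL of `[Ace("Everyone", "Full Control")]` reproduces the pattern mentioned on this slide, where the NTFS permissions alone decide the outcome.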
Shared folder monitoring is done in the Shared Folder snap-in in Computer Management or another custom MMC console. Step through some of the operations you can perform in Shared Folders. Demonstrate disconnecting a user, sending a message to a user, and disconnecting all users.
To support the discussion in the previous slide, this slide shows Computer Management being used to monitor Shared Folders.
You can enable offline files by clicking the Caching button on the Sharing tab of a folder’s Properties dialog box. This allows a client computer to cache files in the folder for offline use. This is a great tool for organizations with mobile users. It allows the documents to be changed from outside the office, with changes being synchronized when the user returns.
This slide depicts enabling the client system for offline files. If Fast User Switching is enabled on a system, you are prompted to disable it before you can enable offline files.
You configure offline files by selecting Make Available Offline from the shortcut menu for the file. If automatic caching is enabled, each file you access from a configured folder on the server will be cached on the client. By default, 10 percent of the client’s free space is made available for caching offline files.
In Windows Explorer or My Computer, click Tools and select Synchronize to display the Items To Synchronize dialog box. You can then click the Setup button to configure synchronization. As you progress through the frames on this slide, discuss Logon/Logoff settings and On Idle settings. The slide ends with a shot of a synchronization event in progress.
Web folders use Web Distributed Authoring and Versioning (WebDAV) to allow users to read and write files to a folder served from IIS. WebDAV clients such as Internet Explorer 5 and later and Microsoft Office XP and later can use Web folders as if they were file system folders. In the next few slides, we will discuss setting up this service.
If classroom equipment allows, install IIS in the Windows Components section of Add/Remove Programs. As you do, discuss installation of this service from a security perspective. Since our application uses only the WWW service, you would naturally forgo installing the FTP and SMTP services. Also, stress immediate application of Windows Updates to patch any known vulnerabilities in IIS. If the Windows Firewall is enabled on the classroom computer, be sure that firewall exceptions are configured to allow Web serving.
This slide shows the Internet Management console for IIS. You can launch it from the Administrative Tools folder or from the Run dialog box (by entering IIS.msc in the Run dialog box and clicking OK). This console is nearly identical to that for IIS 6, so users familiar with that interface will feel at home here. Virtual folders and server settings can be configured in the same ways as in IIS 6. If you have time, consider a short tour of the settings for the default Web site.
This slide depicts sharing a Web folder using the Web Sharing tab of a folder’s Properties dialog box. This tab is added when you install IIS. After you apply the change, the Edit Alias dialog box appears, allowing you to apply security settings on the folder. The last frame in the slide shows the Directory Security dialog box in IIS with Integrated Windows authentication enabled. This setting ensures that secure authentication methods are used when allowing access to these folders. As you step through these frames, discuss the various permissions and settings. Explain why Integrated Windows authentication is more secure than basic authentication. Also suggest using SSL if basic authentication is a requirement, to avoid transmitting passwords in the clear.
This slide shows Internet Explorer’s Open dialog box opening a Web folder. Explain that failure to select Open As Web Folder will cause the browser to open the folder as a Web site (read-only).
This slide and the next summarize this chapter’s slides. As you present these items, ask for details about shared folders and offline files to determine their level of comprehension. Emphasize again the security risk of leaving Everyone:Read in place. Ask if students have any questions about combined NTFS/share permissions.
Mention to students that little has been written about IIS in Windows XP. Encourage them to work with IIS to become familiar with how it works.