84-10-51

DATA SECURITY MANAGEMENT

SECURITY AND RESOURCE SHARING IN AN NT ENVIRONMENT

Gilbert Held

INSIDE Overview; Share Creation; Setting Permissions; Multiple Identities; Considering Subfolders; Operational Control

Because an understanding of the method by which shares are created facilitates an understanding of different levels of security associated with resource sharing, this article examines in detail the creation of a shared folder on one computer and its access via another computer. In doing so, this article references a series of screen images that illustrate the actual use of Windows NT to create shares, and it discusses and describes methods that control access to shared resources, providing different levels of security concerning the ability of network users to access shared resources and, once accessed, their ability to manipulate data.

PAYOFF IDEA

The ability to enable remote users to share resources on NT workstations and servers represents one of the major benefits of the use of this operating system. By enabling employees in an organization to share access to drives, folders, and files, one obtains the ability to significantly enhance productivity. However, one also provides the potential for other persons with access to the organization’s network to either intentionally or unintentionally read or modify existing data as well as store new files whose contents could have an adverse effect on the operation of the organization. Thus, it is important to understand the options associated with Windows NT resource sharing, as they control access to shares as well as govern the level of security associated with network-based resources.

10/99 Auerbach Publications © 1999 CRC Press LLC

OVERVIEW

Windows NT provides users with the ability to share access to the contents of an entire drive or folder over a network. Although shares only operate at the drive and folder level, the operating system provides several methods to control access down to individual files.

Because sharing is integrated with the operating system’s database of user accounts and passwords, it is possible to restrict sharing to a specific user, a group of users, or several predefined user groups. In addition, because sharing is also integrated with the Windows NT file system, it is also possible to assign a variety of permissions to shared resources. However, the ability to do so depends on the file system used to create a volume. If a share resides on a volume created using the original File Allocation Table (FAT) file system that dates to the original IBM PC, shared resource permissions will be restricted to a series of basic permissions. In comparison, shares residing on a volume created through the use of the more modern NT File System (NTFS) can be assigned additional file-by-file permissions due to the enhanced level of capability of that file system.

SHARE CREATION

An appreciation for the security of data associated with resource sharing is best facilitated by creating a shared resource. Thus, this section will create a shared folder and examine how access to data in the folder can be controlled.

The creation of a shared resource requires that one first select a drive or folder icon. Once that is accomplished, right-click on the previously selected icon to display a list of options associated with the drive or folder. Exhibit 1 illustrates the selection of the folder icon labeled PKZIPW located in the folder PKWARE and the resulting pop-up menu displayed as a result of right-clicking on the selected icon. Consider the selected folder to represent a subfolder or, for die-hard DOS fans, a subdirectory.

EXHIBIT 1 — Right-clicking on a selected folder or drive icon results in a pop-up menu being displayed that enables a share to be created.

From the pop-up menu displayed as a result of right-clicking on an icon, one can invoke sharing in one of two ways: selecting either the Properties or the Sharing menu entry. Selecting the Properties menu entry results in the display of a dialog box labeled Properties, prefixed with the name of the previously selected icon. That dialog box contains two tabs, as illustrated in Exhibit 2. The first tab is labeled General. The contents of this tab are displayed in the foreground and provide information about the selected icon, such as its location, storage size, contents, creation date, and any assigned attributes. The second tab, labeled Sharing, which is located in the background of the display, provides the ability to share the resource as well as control access to it.

EXHIBIT 2 — A folder or drive Properties dialog box contains two tabs, with the General tab providing information about the selected icon, while the tab labeled Sharing provides the ability to share the selected resource.

If one selects Properties from the pop-up menu shown in Exhibit 1, one would then have to select the Sharing tab shown in Exhibit 2. In comparison, if one selects the Sharing entry in the previously shown pop-up menu, the Sharing tab would be directly displayed. Thus, the selection of the Sharing entry from the pop-up menu can be considered a small shortcut for accessing the sharing facility of the Properties dialog box for a selected drive or folder icon.

Because one wants to create a share, one would either click on the tab labeled Sharing in Exhibit 2 or select Sharing from the pop-up menu entry shown in Exhibit 1. Either action will result in the display of the Sharing tab for the Properties menu of the selected icon.

Exhibit 3 illustrates the display of the Sharing tab for the previously selected PKZIPW folder. Several entries in the tab display were either placed by default by the operating system into an appropriate box or entered by the author of this article and will now be described as one takes a tour of the entries.

EXHIBIT 3 — The Sharing tab in the Properties dialog box for a selected icon provides the ability to control resource sharing.

When initially selecting a nonshared drive or folder, the button labeled Not Shared will be shown selected. When one clicks on the button labeled Shared As, the name of the folder by default will be placed in the box associated with the label Share Name. One can enter a share name up to 80 characters in length; however, one should probably consider a much shorter name length, especially if the organization has Windows 95-based computers that will access the share. This is because a Windows 95 system cannot see a share name more than 12 characters in length. In addition, DOS and Windows for Workgroups users are restricted to the 8.3 DOS file naming convention; so, when in doubt as to who will access a share, it is best to use the lowest common denominator of naming restrictions.

The actual composition of a share name can include all letters and numbers and the special characters $ % ‘ - _ @ ~ ! ( ) ^ # and &. If using long filenames, one can also include the six additional special characters + , : = [ and ].

One additional item that is worthy of mention concerns the use of the dollar sign ($) as a suffix to a share name. Doing so hides the share from direct viewing by other network users when browsing Network Neighborhood and provides a bit of privacy. However, if improper permissions are assigned to the share, other users who know its Universal Naming Convention (UNC) address can access the data in the share.

Note the down arrow to the right of the box for the Share Name. As noted shortly, the operating system provides the ability to share a resource under multiple names, allowing one to tailor access and permissions to each share name. Another word of caution is in order concerning share names: once a share is named, the only way to rename it is to disable it and then re-enable it using a new name.

Continuing the tour of the Sharing tab, the box labeled Comment provides the ability to add a comment concerning the share. The User Limit area provides the ability to control the number of users that can access the share at one time. While this option does not restrict access based on any permissions, it is valuable to consider from both a license and performance perspective. That is, its use enables one to remain in compliance with certain software product licenses that restrict the number of users that can use the product at any one time. In addition, this feature allows one to consider the movement of data across a network and indirectly control both data flow on the network and its effect on network performance. For example, a shared application that enables clients to back up the contents of their drives to a disk array on a server could bring the network to a halt if a large number of employees decided to initiate the application at the same time.

SETTING PERMISSIONS

Returning to the Sharing tab displayed in Exhibit 3, note the button labeled Permissions. This button provides the ability to control access to the share both via users that have accounts on the computer, as well as by setting permissions that control access to the data in the share.

Exhibit 4 illustrates the result of clicking on the button labeled Permissions. This action results in the display of a dialog box labeled Access Through Share Permissions. At the lower right portion of Exhibit 4, note a drop-down menu displayed that lists the four types of access control that can be placed on a shared drive or folder: No Access, Read, Change, and Full Control.

EXHIBIT 4 — Through the Access Through Share Permissions dialog box, one can control user and group access to a share, as well as the type of access permitted.

No Access, as its name implies, prevents access to the share, even if a user belongs to a group that has access to the share. Read enables the user to view data and run files that are programs. Change adds the ability to modify data in a file or delete files. Finally, Full Control adds the ability of a user to change permissions and take over ownership. Thus, the latter should be assigned with caution.

Another item that deserves attention is the relationship of share access permissions to any previously established file permissions. Because the Windows NT file system is part of the operating system’s security module, file system permissions override share permissions. That is, if one previously associated a read-only permission to a file but the share for a folder in which the file resides was set to Change, a network user would be limited to reading the contents of the file or running it if it was a program. Thus, it is also important to note the file permissions within a share to ensure their settings, along with the type of share access one sets, provide the intended result one seeks.

Hidden from view by the drop-down menu in Exhibit 4 are buttons labeled Add and Delete. Those buttons provide the ability to control individual users and groups of users that will have access to the share being created. By clicking on the button labeled Add, the operating system links the share creation to its User Manager for Domains, allowing one to add users or user groups. By default, when setting up a share, access is assigned to the group labeled Everyone, with full control assigned to this group. In this author’s opinion, this is a dangerous default and should be carefully examined prior to finalizing the share.

Exhibit 5 illustrates the resulting display obtained by clicking on the obscured button labeled Add in Exhibit 4 to obtain the ability to add individual users and user groups with access to a share. Note that the resulting display resembles the display of the Windows NT Administrative Tool ‘User Manager for Domains’ for, as previously noted, it is linked to that facility. Thus, one can assign access to a share to any previously established Windows NT account.
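The access rules in this section can be modeled in a few lines. The Python sketch below is an added example, not part of the original article; it assumes that grants from a user's several groups accumulate, reduces each file permission to one of the same four levels, and uses constructed account and group names.

```python
from enum import IntEnum

class Access(IntEnum):
    NO_ACCESS = 0
    READ = 1
    CHANGE = 2
    FULL_CONTROL = 3

def share_access(acl, user, groups):
    """Level the share ACL gives `user`; `acl` maps account/group name -> Access."""
    # Every account is a member of Everyone; names compare case-insensitively.
    names = {n.lower() for n in (user, "Everyone", *groups)}
    matched = [level for name, level in acl.items() if name.lower() in names]
    if not matched or Access.NO_ACCESS in matched:
        # Unlisted users get nothing; an explicit No Access beats any group grant.
        return Access.NO_ACCESS
    return max(matched)  # assumption: grants from several groups accumulate

def effective_access(acl, file_level, user, groups):
    """The file's own permission caps whatever the share grants (simplified)."""
    return min(share_access(acl, user, groups), file_level)

def review_findings(acl):
    """Flag ACL entries a reviewer should question before finalizing a share."""
    findings = []
    for name, level in acl.items():
        if name.lower() == "everyone" and level >= Access.CHANGE:
            findings.append(f"Everyone has {level.name}: any account can modify data")
        elif level == Access.FULL_CONTROL:
            findings.append(f"{name} has FULL_CONTROL: can change permissions")
    return findings

# Constructed sample data (not from the article).
DEFAULT_ACL = {"Everyone": Access.FULL_CONTROL}   # what a new share starts with
TIGHT_ACL = {"Staff": Access.CHANGE, "Contractors": Access.NO_ACCESS}

if __name__ == "__main__":
    # Share says Change, file says read-only: the user ends up with Read.
    print(effective_access(TIGHT_ACL, Access.READ, "alice", ["Staff"]).name)
    # Membership in a No Access group wins over the Staff grant.
    print(effective_access(TIGHT_ACL, Access.FULL_CONTROL, "bob",
                           ["Staff", "Contractors"]).name)
    print(review_findings(DEFAULT_ACL))
```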

Multiple Identities

Two powerful capabilities included in the Windows NT sharing facility are the ability to create multiple-named shares, as well as to create more than one share at a time. By clicking on the button labeled New Share shown in Exhibit 3, a dialog box appropriately labeled New Share will be displayed. An example of this dialog box is illustrated in Exhibit 6. The use of this dialog box provides the ability to assign a new name and description, as well as user access limits and permissions to the same share.

Although one may initially have reservations concerning the creation of a new name and attributes for an existing share, from a security perspective this capability provides an additional level of control. For example, one might wish to create a share and provide different levels of access to different groups. However, if some groups only require temporary access to the share, it might be easier to assign them to a new name that can be easily deleted when their access requirements expire.

EXHIBIT 5 — Through Sharing’s link to the Administrative Tool “User Manager for Domains,” one can enable access to the share from any previously established user or group.

EXHIBIT 6 — The New Share dialog box provides the ability to assign a new identity to an existing share.

CONSIDERING SUBFOLDERS

In the example, a share for the folder PKZIPW located in the PKWARE folder was created. If one creates another share and associates it with the higher level (PKWARE), one can segment access to a directory and one or more of its subdirectories, an important concept to note. For example, if one creates a share named PKWARE, then anyone who connects to that share can also see the contents of the subdirectory PKZIPW, which may or may not be the intention. Thus, one should carefully consider the directory structure of the computer prior to setting up shares. In some instances, it may be advisable to move a folder to a new location prior to sharing it, especially if those sharing the folder have no need for accessing files located in one or more subdirectories currently located under the folder.
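A share inventory can be checked for this overlap mechanically. The following Python sketch is an added example, not part of the original article: it finds shares whose folder lies beneath another shared folder and lists the accounts that reach the subfolder only through the parent share. The drive letters, the DOCS share and the account names are constructed; WWW3, PKWARE and PKZIPW come from the article.

```python
from pathlib import PureWindowsPath

def nested_shares(server, shares):
    """Find shares whose folder sits underneath another shared folder.

    `shares` maps share name -> (local path, set of accounts on its ACL).
    Returns (parent share, child share, UNC path to the child through the
    parent, accounts on the parent's ACL that are absent from the child's).
    """
    findings = []
    for parent, (ppath, pwho) in shares.items():
        p = PureWindowsPath(ppath)
        for child, (cpath, cwho) in shares.items():
            c = PureWindowsPath(cpath)
            # PureWindowsPath compares case-insensitively, as Windows does.
            if p not in c.parents:
                continue  # same folder (a second share name) or unrelated
            rest = c.parts[len(p.parts):]
            unc = "\\\\" + "\\".join([server, parent, *rest])
            findings.append((parent, child, unc, sorted(pwho - cwho)))
    return findings

# Constructed inventory: paths and ACL members are illustrative only.
SHARES = {
    "PKWARE": (r"C:\PKWARE", {"Everyone"}),
    "PKZIPW": (r"c:\pkware\PKZIPW", {"Administrators"}),
    "DOCS": (r"D:\DOCS", {"Staff"}),
}

if __name__ == "__main__":
    for parent, child, unc, extra in nested_shares("WWW3", SHARES):
        print(f"{child} is also reachable as {unc}; "
              f"accounts only on the {parent} ACL: {extra}")
```

The comparison of ACL members is a plain set difference, so a group such as Everyone on the parent share should be read as covering every account.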

OPERATIONAL CONTROL

Exhibit 7 illustrates the access of the shared folder PKZIPW from a Windows 2000 computer, explaining the display of Microsoft’s Explorer as the browsing facility. This screen display occurred by first selecting Network Neighborhood and accessing the computer WWW3 to obtain access to the shared folder.

EXHIBIT 7 — Viewing the shared folder from a Windows 2000 client.

Many network managers and administrators can be lulled into complacency after they set up one or more shares. Thus, it is normally a good idea to periodically examine the User Sessions display to determine who is using the shares established on a computer.

One can display information concerning the use of shares through the Windows NT Control Panel by first selecting the Server icon in the Control Panel. This action provides the ability to display a variety of computer usage data. In Exhibit 8, the User Sessions display is shown in the foreground, resulting from the pressing of the button labeled Users in the Server dialog box shown in the background. Note that in this example, the display indicates the user accessing the share as well as the share resource being accessed. Also note that if one detects a problem, one can immediately disconnect the user prior to changing his or her ability to access the share via its configuration screen.

EXHIBIT 8 — Through the Server icon in Control Panel, one can display information about users of shared resources as well as disconnect users from the computer.

SUMMARY

Sharing provides an important productivity tool that enables employees to gain access to common programs and data files. However, sharing cannot be done in a vacuum and requires careful consideration of the users and user groups that require access to shared data. In addition, one must consider existing file permissions for all files in the share in conjunction with the type of access assigned to users. Finally, one needs to consider the location of shared data and the content of any subdirectories under the folders to be shared. By proper planning, one can share data in a safe and reliable manner without having a security loophole that can harm the organization.

Gilbert Held is an internationally known lecturer and author of books and technical articles covering the field of data communications. He can be reached at [email protected].
