Managing File System Security 7
Total Page:16
File Type:pdf, Size:1020Kb
Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 7 CERTIFICATION OBJECTIVE 4.01 Managing File System Security One of the many benefits of networked systems is the ability to quickly and easily share data across systems. However, this benefit comes at the price of security. The file system is an extremely important part of modern computers. A large amount of most organizations’ sensitive information is stored in the file system in the form of documents, images, and other pieces of data. As a systems administrator, it’s your job to ensure that these files stay secure and that only authorized users can access them. That’s where the important topic of file system security comes in. Let’s start with the most important point: If you want to implement security at the file system level, you must choose to use NTFS. The FAT and FAT32 partition types do not provide any security at all, and there’s little to stop someone from booting off a floppy and accessing all of the information on your computers. Furthermore, the only level of network security provided by FAT-based partitions is at the level of shared folders (a topic that you’ll encounter later in this chapter). With that in mind, let’s take a look at the file system security architecture of Windows Server 2003. Understanding NTFS Permissions Earlier, I mentioned that permissions are placed on objects through the use of ACLs that contain ACEs. Folders and files that are stored on an NTFS partition are treated as objects, each of which has its own unique identifier. You can protect files at the level of the file system using NTFS permissions. In Windows Server 2003, file system permissions can be applied to files and folders through the Security tab of the properties of the object. For example, to set properties on a file, you can right-click the file, select Properties, and then click the Security tab (see Figure 4-1). It’s important to keep in mind that file system security is only one part of an overall security strategy. Although NTFS permissions provide security while the operating system is running, it is possible to access this data without authorization, using a boot floppy disk and special utilities. To prevent this, it’s important to provide for the physical security of your server computers! P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 8 Chapter 4: Managing Resource Access FIGURE 4-1 Viewing security settings for a file In the Security dialog box, you’ll see a list of the users and groups for which permissions are configured. By clicking one of these items, you can view the permissions that are assigned. For each permission setting, you will see two columns: Allow and Deny. Actually, there are three possible states for each setting: You can choose to allow the permission, to deny it, or to leave it as unspecified (neither box will be checked). If the security permissions were inherited from a higher level (a topic that you’ll consider in the next section), you will see that the boxes are grayed out and cannot be changed. The permissions that are available for a file include the following: ■ Full Control This option provides full permissions on the object, including the ability to take ownership of files and to change security permissions. ■ Modify This permission specifies that users can open files and change their contents or delete them. ■ Read This permission allows users to read or open the specified file. ■ Read and Execute This permission allows users to read or open the files and to run executable programs. ■ Write This permission allows users to change the contents of existing files and to create new ones. P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 9 ■ Special Permissions (available for some objects) Through the use of the Advanced button, you can specify much more detailed permissions on specific objects (see Figure 4-2). In general, systems administrators will not need to apply permissions at this level. The Windows Help and Support Center provides details about the actual file and folder permissions that are assigned when you choose from the standard permissions. Certain combinations of permissions are not allowed for a single permission line item. For example, you cannot deny Modify permissions and, at the same time, allow Read and Execute. When you work with setting permissions using the Security tab, you’ll notice that the user interface will automatically check and uncheck boxes as appropriate. Therefore, it’s important to take the time to review your final selections before you apply them. The exact list of permissions that are available for various objects depends on the type of object and the actions it supports. For example, folders also have a permission setting for List Folder Contents. Or if you’re setting permissions on a Registry key, you will see a permission called “Create subkey” (see Figure 4-3). Later in this chapter, you’ll look at the steps that are required to assign permissions to files and folders. But first, you need to understand a few additional concepts regarding file system permissions. FIGURE 4-2 Viewing File and Folder Special Permissions settings P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 10 Chapter 4: Managing Resource Access FIGURE 4-3 Setting advanced permissions on a Registry key Understanding Inheritance In modern networked environments, file systems tend to have many thousands of files and folders. For systems administrators, this can pose a daunting challenge: How can you possibly ensure that all of these objects have the right security settings? Even harder would be setting the appropriate permissions for objects that have not yet been created (such as new files or folders). That’s where inheritance comes in. The basic rule for inheritance is that permissions that are assigned at a higher-level folder will propagate to child files and folders. This is the default behavior for files and folders in Windows Server 2003. There are two main types of permissions that can apply to objects. The first is explicit permissions. These permissions are the access control rules that are directly applied to an object. Implicit permissions, on the other hand, are access rules that are defined for parent objects and that are propagated down to the object itself (Figure 4-4 compares explicit and implicit permissions). Note that explicit permissions automatically override implicit permissions. This is even true for the Deny permissions on a parent level (an explicit allow permission will override an implicit deny). P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:33 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 11 FIGURE 4-4 Explicit vs. implicit permissions For example, if you grant Change permissions on a folder to members of the Engineering group, by default, all new files and folders created within that folder will have the same permissions. As another example, suppose you have a folder called Sales that’s used by your organization’s salespeople. All of the data in the Sales folder and its subfolders should be made available to the entire sales team. In this case, you would assign the necessary permissions at the level of the Sales folder and choose to propagate the changes to all child objects. By default, files and folders will inherit permissions from their parent objects. This is designed to make the administration of file system permissions simpler. So, if you create a new file called SalesData.xls in the Sales folder, the new file will automatically have the permissions that were applied to the Sales folder. If you attempt to remove a permissions entry on this page, you will see a warning message. When you change permissions at any level (for example a parent folder), the permission changes will, by default, apply only to that object. That is, the permissions on subfolders and files will not be modified. So, what if you really do want to set individual permissions on the SalesData.xls file, or you want to propagate the new security settings to all child objects? This is where the Advanced button on the Security tab comes in. When you click the Advanced button, you’ll see two options (shown in Figure 4-5). The check boxes at the bottom determine the inheritance behavior for this object. P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:33 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 12 Chapter 4: Managing Resource Access FIGURE 4-5 Selecting inheritance of permissions The two options are: ■ “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here”: When enabled, this option specifies that permissions assigned at higher-level objects (for example, a parent folder) will be inherited by this file or folder.