Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



8.2.3. Implementing Security on Shares

Security is one of the most important aspects of your job as a network administrator. It is important to put the data where users can get to it and do what they need to do, but no more.

The security of the network enables us to have confidence in the data stored on the network. Without it, we can never be sure the data on the network is accurate or that unauthorized individuals have not stolen, changed, deleted, or otherwise accessed or modified the data. So what are the threats to your security?

  Ignorant users: This is probably the biggest source of problems. The term ignorant users implies not that they are dumb or stupid, just uninformed about certain issues, including security and what certain files or folders are for.
  Malicious users: Those users who have an ax to grind and are purposely trying to cause problems, for example by deleting files or accessing confidential data such as payroll.
  Industrial spies/competitors: Those who are trying to gather data, such as customer lists, for the competition.

Knowing the source of the threats enables you to deal with them. Because most of the problems that you are likely to encounter are in the form of the accidental mistakes users cause, you must plan a policy that protects the data from, and maybe in spite of, the users. This having been said, the users obviously need the appropriate access to their data to do their jobs, and if you are too restrictive, their productivity will suffer and frustration will mount.

Now take a look at what control you have over the shares you set up. Keep two things in mind as you do. First, share permissions govern only access that comes in over the network; a user who logs on at the server console and opens the folder locally is not restricted by them at all. Second, on a FAT partition, share permissions are therefore the only control you have, and only over network access. An NTFS partition adds file and directory permissions, which combine with share permissions as discussed later in the chapter in section 8.5.

By default, the group Everyone gets full control to all shares you create.

8.2.4. The Four Levels of Share Control

The following are the four levels of share control (from most to least restrictive):

  No Access: Denies all access and overrides any other permission that may be granted from other sources (for example, through membership in another group).
  Read: Enables read-only access to all data within the share. Data can be viewed, files can be searched and browsed, but nothing can be changed or deleted. No new files can be written.
  Change: Enables the same access as Read, with the additional capabilities to modify existing files, add new files, and delete existing files.
  Full Control: Enables all the access of Change, with the additional capability to exercise the NTFS permissions of Change Permission and Take Ownership.

As you can see from the preceding list, the default assignment of Everyone to full control will probably need to be modified, unless all permissions will be controlled through NTFS.

8.3. Granting Access to Users and Groups

It is better administrative practice to assign permissions to groups rather than to individual users; when a user changes jobs, you move her between groups and never have to touch the resources themselves. The same logic applies when assigning permissions in an NT environment.

Permissions apply to resources, not to users. The permissions you assign on a resource make up its access control list (ACL): the list of users and groups that are granted (or denied) access, and the level of access each one gets.

8.3.1. AGLP

Now that you know the permissions, you must learn to manage them. You can grant access to any user or group (local or global) in your domain and to any user or global group in any trusted domain. As was previously discussed, Microsoft's AGLP recommendation (Accounts, such as users, go into Global groups, which go into Local groups, which are granted Permissions) dictates that you place your users (from any domain) in the appropriate global groups, place those global groups in local groups, and then, and only then, grant permissions to the local groups. This is not a hard and fast rule, but it will make your life easier if you abide by it and forgo assigning permissions directly to users.

8.3.2. Combining User and Group Permissions

Knowing that you can assign permissions to users and groups, you might wonder what the net, or effective, permissions will be when a user belongs to multiple groups that are granted permissions. The user gets the sum of the permissions granted to each group of which she is a member, plus any permissions assigned to her individually. If she, or any group to which she belongs, is given No Access, she gets No Access. For example, if user A is given Read permission and also belongs to group B, which has Change permission, user A gets Read plus Change, which equals Change. If user A also belongs to group C, which has No Access permission, user A has No Access. Note that this sum is of share permissions only; on an NTFS partition the NTFS permissions are combined separately, and the more restrictive of the two results is what the user actually gets (see section 8.5).

No Access will always win out over any other permission. Use it sparingly.
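The combining rules above, as an added example that is not part of the book: a small Python model of an NT 4 share's access list that resolves group membership the AGLP way (section 8.3.1) and then applies the rules of section 8.3.2. The account and group names, and the two access lists, are constructed for the example; the functions are ours, not anything shipped with NT.

```python
# Added example (not from the book): how NT 4 share permissions combine for a
# user who holds permissions directly and through groups (section 8.3.2), with
# group membership resolved the AGLP way (section 8.3.1). Account and group
# names below are constructed for the example.

LEVELS = ("Read", "Change", "Full Control")   # least to most permissive
NO_ACCESS = "No Access"
EVERYONE = "Everyone"                         # every account is a member, implicitly


def resolve_groups(user, members):
    """Return every group the user belongs to, directly or through nesting.

    members maps a group name to the accounts and groups it contains, so a
    global group listed inside a local group is followed (AGLP). NT account
    names are not case-sensitive, so comparison is case-folded.
    """
    found = {}                 # casefolded name -> name as written
    frontier = [user]
    while frontier:
        name = frontier.pop().casefold()
        for group, contents in members.items():
            key = group.casefold()
            if key in found:
                continue
            if any(m.casefold() == name for m in contents):
                found[key] = group
                frontier.append(group)
    return set(found.values())


def effective_share_permission(user, members, acl):
    """Effective share permission of user, given the share's access list.

    acl maps an account or group name to one of LEVELS or NO_ACCESS. The
    rules are the book's: an explicit No Access on the user or any of her
    groups wins; otherwise she gets the most permissive level granted to her
    or to any group; with no matching entry she is simply not on the list,
    returned as None (which also means no access over the network).
    """
    for perm in acl.values():
        if perm not in LEVELS and perm != NO_ACCESS:
            raise ValueError(f"unknown share permission: {perm!r}")
    principals = {user.casefold(), EVERYONE.casefold()}
    principals |= {g.casefold() for g in resolve_groups(user, members)}
    matched = [perm for name, perm in acl.items() if name.casefold() in principals]
    if not matched:
        return None
    if NO_ACCESS in matched:
        return NO_ACCESS
    return max(matched, key=LEVELS.index)


# Constructed sample directory: accounts in global groups, global groups in
# a local group on the file server.
MEMBERS = {
    "Payroll Clerks": ["usera", "userb"],     # global group in the account domain
    "Temps": ["userb"],                       # global group
    "Payroll Users": ["Payroll Clerks"],      # local group on the server
}

DEFAULT_ACL = {"Everyone": "Full Control"}   # what NT gives every new share

HARDENED_ACL = {                             # permissions granted to local groups only
    "Payroll Users": "Change",
    "Administrators": "Full Control",
    "Temps": "No Access",
}


def demo():
    """Effective permissions of three accounts on the default and hardened share."""
    return {
        (who, name): effective_share_permission(who, MEMBERS, acl)
        for who in ("usera", "userb", "guest")
        for name, acl in (("default", DEFAULT_ACL), ("hardened", HARDENED_ACL))
    }


if __name__ == "__main__":
    for (who, share), perm in sorted(demo().items()):
        print(f"{who:6} on {share:8} share: {perm}")
```

Running it shows the point of replacing the default list: with Everyone at Full Control, even an account that appears on no list (guest) gets Full Control, while on the hardened list usera gets Change through Payroll Clerks and Payroll Users, userb is cut off by the single No Access on Temps despite also being a Payroll Clerk, and guest is not on the list at all.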

8.4. How to Implement Shared Directories

Sharing directories is the means by which an administrator makes data accessible on an NT network. This section details how a share is established and how to protect the resource properly with permissions.

8.4.1. Setting Up Shares and Assigning Permissions

Shares are created, and their permissions assigned, in one of several ways. The most common is to right-click the folder that you want to share and click Sharing. Figure 8.1 shows the first step in creating a new share.


Figure 8.1.  A shortcut menu is presented when you click a folder with the secondary mouse button.

On the Sharing tab of the properties dialog box for the folder Msdos, the administrator then clicks Shared As, instead of Not Shared (the default for all folders) and enters a share name (see Figure 8.2).


Figure 8.2.  Here you can determine the name of your share.

For share names, stick to the familiar DOS 8.3 names unless all of your clients can use long filenames (Windows 95 or NT); otherwise, those clients that don’t support long names will not be able to access the share.


To make a share name invisible in browse lists (Network Neighborhood and net view), end the name with a $, such as Money$. The share still exists and anyone who knows its name can connect to it, so a hidden share needs the same permissions as a visible one.
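As an added example, not from the book, a Python check of a proposed share name against the two pieces of advice above: the 8.3 rule and the $ suffix. The 8.3 test is the MS-DOS filename rule (up to 8 characters, an optional dot and up to 3 more, no spaces or DOS-reserved characters); which names a particular downlevel client actually accepts is an assumption to verify against that client, not something this check can prove. The function names are ours.

```python
# Added example (not from the book): sanity checks for a proposed share name,
# following section 8.4.1. The 8.3 rule below is the MS-DOS filename rule;
# treating it as the limit for downlevel (DOS, Windows 3.x) clients is an
# assumption made for this example.

DOS_RESERVED = set('"*+,/:;<=>?\\[]|')


def is_dos83_name(name):
    """True if name fits the MS-DOS 8.3 pattern: 1-8 chars, optional .1-3 chars."""
    base, dot, ext = name.partition(".")
    if not base or len(base) > 8:
        return False
    if dot and not 1 <= len(ext) <= 3:
        return False
    if "." in ext:                       # a second dot is never allowed
        return False
    return all(
        c not in DOS_RESERVED and not c.isspace() and ord(c) >= 0x20
        for c in base + ext
    )


def is_hidden_share(name):
    """Names ending in $ are left out of browse lists; the share still exists."""
    return name.endswith("$")


def check_share_name(name, clients_all_support_long_names=False):
    """Return a list of warnings for the proposed share name (empty if clean)."""
    warnings = []
    if not name or name.strip() != name:
        warnings.append("share name must not be empty or have leading/trailing blanks")
    if not is_dos83_name(name) and not clients_all_support_long_names:
        warnings.append(
            f"{name!r} is not an 8.3 name; DOS and Windows 3.x clients will not be able to use it"
        )
    if is_hidden_share(name):
        warnings.append(
            f"{name!r} is hidden from browsing only; anyone who knows the name can still "
            "connect, so assign permissions on it as on any other share"
        )
    return warnings


if __name__ == "__main__":
    for candidate in ("Msdos", "Money$", "Accounting Data", "payroll.dat.bak"):
        print(candidate, "->", check_share_name(candidate) or "ok")
```

Money$ passes the 8.3 test and draws only the reminder that hiding is not protection; Accounting Data fails the 8.3 test unless you declare that every client runs Windows 95 or NT.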

