eTutorials.org
Custom Search

Lesson 3: Combining Shared Folder Permissions and NTFS Permissions

Lesson 3:?Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.


After this lesson, you will be able to

  • Combine shared folder permissions and NTFS permissions

Estimated lesson time: 45 minutes


Strategies for Combining Shared Folder Permissions and NTFS Permissions

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

  • You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder contained in a shared folder.
  • In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders contained in shared folders to access those files and subfolders. This is in contrast to FAT volumes, in which permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.
  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 9.10, the Everyone group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. The Everyone group's effective permission for FileA is the more restrictive Read permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

Figure 9.10??Combining shared folder permissions and NTFS permissions

Practice:?Managing Shared Folders

In this practice, you will determine users' effective permissions, plan shared folders, plan permissions, share a folder, assign shared folder permissions, connect to a shared folder, stop sharing a folder, and test the combined effects of shared folder permissions and NTFS permissions.

To complete the optional exercises (5 and 8), you must have two networked computers. One computer must be running Windows XP Professional and the other must be running one of the following Windows products: Windows XP, Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server. Both computers must use password as the password for the Administrator account.

Exercise 1: Combining Permissions

Figure 9.11 shows examples of shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions. Determine a user's effective permissions for each example.

Figure 9.11??Combined permissions
  1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder.

    What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

  2. In the second example, the Users folder contains user home folders. Each user home folder contains data accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for their home folder only and no NTFS permissions for other folders. These users are all members of the Users group.

    What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?

Exercise 2: Planning Shared Folders

In this exercise, you plan how to share resources on servers in the main office of a manufacturing company. Record your decisions in the table at the end of this exercise. Figure 9.12 illustrates a partial folder structure for the servers at the manufacturing company.

Figure 9.12??A partial folder structure for the servers at a manufacturing company

You need to make resources on these servers available to network users. To do this, determine which folders to share and which permissions to assign to groups, including the appropriate built-in groups. Base your planning decisions on the following criteria:

  • Members of the Managers group need to read and revise documents in the Management Guidelines folder. Nobody else should have access to this folder.
  • Administrators need complete access to all shared folders, except for Management Guidelines.
  • The customer service department needs its own network location to store working files. All customer service representatives are members of the Customer Service group.
  • All employees need a network location to share information with each other.
  • All employees need to use the spreadsheet, database, and word processing software.
  • Only members of the Managers group should have access to the project management software.
  • Members of the CustomerDBFull group need to read and update the customer database.
  • Members of the CustomerDBRead group need to read only the customer database.
  • Each user needs a private network location to store files, which must be accessible only to that user.
  • Share names must be accessible from Windows XP Professional, Windows 2000, Windows NT, Windows 98, Windows 95, and non-Windows-NT-based platforms.

Record your answers in this table.

Exercise 3: Sharing Folders

In this exercise, you share a folder.

Run the SharedFolders file in the Demos folder on the CD-ROM accompanying this book for a demonstration of sharing a folder.

To share a folder

  1. Log on as Fred or with a user account that is a member of the Administrators group.
  2. Start Windows Explorer, create a C:\MktApps folder, right-click MktApps, and then click Properties.
  3. In the MktApps Properties dialog box, click the Sharing tab.

    Notice that the folder is currently not shared.

  4. Click Share This Folder.

    The Share Name value defaults to the name of the folder. If you want the share name to be different from the folder's name, change it here.

  5. In the Comment text box, type Shared Marketing Applications and then click OK.

    Windows Explorer changes the appearance of the Apps folder by placing a hand icon under it to indicate that it is a shared folder.

Exercise 4: Assigning Shared Folder Permissions

In this exercise, you determine the current permissions for a shared folder and assign shared folder permissions to groups in your domain.

To determine the current permissions for the MktApps shared folder

  1. In Windows Explorer, right-click C:\MktApps, and then click Sharing And Security.

    Windows XP Professional displays the MktApps Properties dialog box with the Sharing tab active.

  2. Click Permissions.

    Windows XP Professional displays the Permissions For MktApps dialog box.

    The default permission for the MktApps shared folder is for the Everyone group to have Full Control permission.

To remove permissions for a group

  1. Verify that Everyone is selected.
  2. Click Remove.

To assign permissions to a group

  1. Click Add.

    Windows XP Professional displays the Select Users Or Groups dialog box.

  2. In the Name text box, type administrators and then click OK.

    Windows XP Professional adds Administrators to the list of names with permissions.

    Which type of access does Windows XP Professional assign to the Administrators group by default?

  3. In the Permissions For Administrators dialog box, under Allow, select the Full Control check box.

    Why did Windows Explorer also select the Change permission for you?

  4. Click Add.

    Windows XP Professional displays the Select Users Or Groups dialog box.

  5. In the Name text box, type users and then click OK.

    Windows XP Professional adds Users to the list of names with permissions and assigns Read as the default permission.

  6. Click OK to close the Permissions For MktApps dialog box.
  7. Click OK to close the MktApps Properties dialog box.
  8. Close Windows Explorer.

Exercise 5 (Optional): Connecting to a Shared Folder

In this exercise, you use the Run command to connect to a shared folder.

To complete this exercise, you must have two networked computers. One computer must be running Windows XP Professional and the other must be running Windows XP or Windows 2000. Both computers must use password as the password for the Administrator account.

To connect to a network drive using the Run command

  1. Log on as Administrator on your second computer.
  2. Click Start and then click Run.
  3. In the Open text box, type \\PRO1. (If you didn't use PRO1 as the name of your computer, use the appropriate name here and in the following steps.) Click OK.

    Your second computer displays the PRO1 window. Notice that only the folders that are shared appear to network users.

  4. Double-click MktApps to confirm that you can gain access to its contents.

    MktApps contains no files or folders for you to access, but the system opens the folder and displays its contents.

  5. Close the MktApps On PRO1 window.

Exercise 6: Stopping Folder Sharing

In this exercise, you stop sharing a folder.

To stop sharing a folder

  1. Log on as Administrator on the PRO1 computer (or the computer running Windows XP Professional with the name you specified), and then start Windows Explorer.
  2. Right-click C:\MktApps, and then click Sharing And Security.
  3. Click Do Not Share This Folder, and then click OK.

    A Sharing dialog box appears, indicating that a file is still open and asking if you want to continue.

  4. Click Yes to continue.

    Windows XP Professional no longer displays the hand icon that identifies a shared folder under the MktApps folder. You might need to refresh the screen; if so, press F5.

  5. Close Windows Explorer.

Exercise 7: Assigning NTFS Permissions and Sharing Folders

In this exercise, you assign NTFS permissions to the MktApps, Manuals, and Public folders. Then you will share MktApps.

To assign NTFS permissions

  1. Open Windows Explorer and create C:\MktApps.
  2. In the Security tab of the MktApps Properties dialog box, add the Administrators group and assign it the Full Control NTFS permission.
  3. Add the Users group and assign it the Read & Execute NTFS permission.
  4. Remove the Everyone group.
    Before you can remove the Everyone group, you must clear the Inherit From Parents The Permission Entries That Apply to Child Objects check box located in the Advanced Security Settings For MktApps dialog box. When prompted, remove the permission entries that were previously applied from the parent.
  5. Click OK to close the Advanced Security Settings For MktApps dialog box and then click OK to close the MktApps Properties dialog box.
  6. Use Windows Explorer to create the C:\MktApps\Manuals folder.
  7. Clear the Inherit From Parents The Permission Entries That Apply to Child Objects check box, and when prompted, click Remove to remove the permission entries that were previously applied from the parent.
  8. Click Add and add the Administrators group with the Full Control NTFS permission.
  9. Click OK to close the Permission Entry For Manual dialog box.
  10. Click OK to close the Advanced Security Settings For Manual dialog box.
  11. Add the Users group with the Read & Execute NTFS permission.
  12. Use Windows Explorer to create the C:\MktApps\Public folder.
  13. Clear the Inherit From Parents The Permission Entries That Apply to Child Objects check box and, when prompted, click Remove to remove the permission entries that were previously applied from the parent.
  14. Click Add and add the Administrators group with the Full Control NTFS permission.
  15. Click OK to close the Permission Entry For Manual dialog box.
  16. Click OK to close the Advanced Security Settings For Manual dialog box.
  17. Add the Users group with the Read & Execute NTFS permission.

To share folders and assign shared folder permissions

Share the MktApps folder and assign permissions to network user accounts based on the information in the following table. Remove all other shared folder permissions.

Exercise 8 (Optional): Testing NTFS and Shared Folder Permissions

In this exercise, you use different user accounts to test how NTFS permissions and shared folder permissions combine. To answer the questions in this exercise, refer to the tables in Exercise 7.

To complete this exercise, you must have two networked computers. One computer must be running Windows XP Professional and the other must be running Windows XP or Windows 2000. Both computers must use password as the password for the Administrator account.

To test permissions for the Manuals folder when a user logs on locally

  1. Log on as User1 with a password of password on the PRO1 computer.
  2. In Windows Explorer, expand C:\MktApps\Manuals.
  3. In the Manuals folder, attempt to create a test document.

    Were you successful? Why or why not?

  4. Close Windows Explorer.

To test permissions for the Manuals folder when a user makes a connection over the network

  1. Log on as Administrator with a password of password on your second computer.
  2. Create a user account, User1, with a password of User1 and clear the User Must Change Password At Next Logon check box, if necessary.
    In a workgroup, no centralized database of user accounts exists. Therefore, you must create the same user account with the same password on each computer in the workgroup. This applies to the Administrator account as well.
  3. Log off and then log on as User1 at your second computer.
  4. Click Start and then click Run.
  5. In the Open text box, type \\PRO1\MktApps and then click OK.
  6. In the MktApps On PRO1 window, double-click Manuals.
  7. In the Manuals window, attempt to create a file.

    Were you successful? Why or why not?

  8. Close all windows and log off Windows XP Professional.

To test permissions for the Manuals folder when a user logs on over the network as Administrator

  1. Log on as Administrator with a password of password at your second computer, not PRO1.
  2. Make a connection to the shared folder C:\MktApps on PRO1.
  3. In the MktApps On PRO1 window, double-click Manuals.
  4. In the Manuals window, attempt to create a file.

    Were you successful? Why or why not?

  5. Close all windows and log off Windows XP Professional.

To test permissions for the Public folder when a user makes a connection over the network

  1. Log on as User1 with a password of User1 on your second computer.
  2. Click Start and then click Run.
  3. In the Open text box, type \\PRO1\MktApps and then click OK.
  4. In the MktApps On PRO1 window, double-click Public.
  5. In the Public window, attempt to create a file.

    Were you successful? Why or why not?

  6. Close all windows and log off Windows XP Professional.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."

  1. If you are using both shared folder and NTFS permissions, the ______________ (least/most) restrictive permission is always the overriding permission.
  2. Which of the following statements about combining shared folder permissions and NTFS permissions are true? (Choose all answers that are correct.)
    1. You can use shared folder permissions on all shared folders.
    2. The Change shared folder permission is more restrictive than the Read NTFS permission.
    3. You can use NTFS permissions on all shared folders.
    4. The Read NTFS permission is more restrictive than the Change shared folder permission.
  3. Which of the following statements about shared folder permissions and NTFS permissions are true? (Choose all answers that are correct.)
    1. NTFS permissions apply only when the resource is accessed over the network.
    2. NTFS permissions apply whether the resource is accessed locally or over the network.
    3. Shared folder permissions apply only when the resource is accessed over the network.
    4. Shared folder permissions apply whether the resource is accessed locally or over the network.
  4. If needed, you can apply different ______________________ permissions to each folder, file, and subfolder.

Lesson Summary

  • On a FAT volume, the shared folder permissions are the only available way to provide security for the folders you have shared and for the folders and files they contain.
  • On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders.
  • On an NTFS volume, you can apply different NTFS permissions to each file and subfolder in a shared folder.
  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.