Lesson 14: Configuring File and Folder Access. MOAC 70-687: Configuring Windows 8.1

Lesson 14: Configuring File and Folder Access MOAC 70-687: Configuring Windows 8.1

Overview Exam Objective 4.2: Configure file and folder access o Encrypt files and folders by using Encrypting File System (EFS) o Configure NTFS permissions o Configure disk quotas o Configure file access auditing 2013 John Wiley & Sons, Inc. 2

Security Principal: Managing Permissions Lesson 14: Configuring File and Folder Access 2013 John Wiley & Sons, Inc. 3

Permissions Permissions are privileges granted to specific system entities, such as users, groups, or computers, enabling them to perform a task or access a resource. As an administrator, you should be familiar with the operation of the following four permission systems: o NTFS permissions o Share permissions o Registry permissions o Active Directory permissions 2013 John Wiley & Sons, Inc. 4

Understanding the Windows Permission Architecture To store permissions, each of these elements has an access control list (ACL). An ACL is a collection of individual permissions, in the form of access control entries (ACEs). To manage permissions in Windows 8.1, you use the controls in the Security tab of the element s Properties dialog box with the security principals listed at the top and the permissions associated with them at the bottom. 2013 John Wiley & Sons, Inc. 5

Understanding the Windows Permission Architecture The Security tab of a Properties dialog box 2013 John Wiley & Sons, Inc. 6

Understanding Basic and Advanced Permissions When you open the Properties dialog box for a system element and look at its Security tab, the permissions you are seeing are called basic permissions. Basic permissions are combinations of advanced permissions, which provide the most granular control over the element. 2013 John Wiley & Sons, Inc. 7

Understanding Basic and Advanced Permissions The Advanced Security Settings dialog box 2013 John Wiley & Sons, Inc. 8

Allowing and Denying Permissions When you assign permissions to a system element, you are, in effect, creating a new ACE in the element s ACL. There are two basic types of ACEs: o Allow o Deny This makes it possible to approach permission management tasks from two directions: o Additive o Subtractive 2013 John Wiley & Sons, Inc. 9

Inheriting Permissions The most important principle in permission management is that permissions tend to run downwards through a hierarchy. The tendency of permissions to flow downwards through a file system or other hierarchy is called permission inheritance. Permission inheritance means that parent elements pass their permissions down to their subordinate elements. 2013 John Wiley & Sons, Inc. 10

Inheriting Permissions A sample xfer directory structure 2013 John Wiley & Sons, Inc. 11

Inheriting Permissions Granting Allow permissions to the xfer folder 2013 John Wiley & Sons, Inc. 12

Inheriting Permissions Granting Full Control to individual user folders 2013 John Wiley & Sons, Inc. 13

Copying NTFS Files and Folders When you copy NTFS files or folders from one location to another, whether the destination is on the same or a different NTFS volume, the new copy does not take the permissions from its original location with it. Instead, the new copy new inherits permissions from its parent folder at the new location. 2013 John Wiley & Sons, Inc. 14

Moving NTFS Files and Folders If you move files or folders to a new location on the same NTFS volume, their existing permissions move with them. If you move files or folders to a different volume, they leave their existing permissions behind and inherit permissions from the parent folder at the new location. 2013 John Wiley & Sons, Inc. 15

Understanding Effective Access Effective access is the combination of Allow permissions and Deny permissions that a security principal receives for a given system element, whether explicitly assigned, inherited, or received through a group membership. 2013 John Wiley & Sons, Inc. 16

Understanding Effective Access The Effective Access tab of the Advanced Security Settings dialog box 2013 John Wiley & Sons, Inc. 17

Managing NTFS Permissions New Technology File System (NTFS), the primary Windows file system, is required to implement various security and administrative features in Windows. NTFS permissions are available to drives formatted with NTFS. The advantage with NTFS permissions is that they affect local users as well as network users and they are based on the permission granted to each individual user at the Windows logon, regardless of where the user is connecting. 2013 John Wiley & Sons, Inc. 18

Assigning Basic NTFS Permissions Most Windows system administrators work with basic NTFS permissions almost exclusively. This is because there is no need to work directly with advanced permissions for most common access control tasks. 2013 John Wiley & Sons, Inc. 19

Assign Basic NTFS Permissions The Permissions for Test Folder dialog box 2013 John Wiley & Sons, Inc. 20

Assign Advanced NTFS Permissions The Permission Entry for Test Folder dialog box 2013 John Wiley & Sons, Inc. 21

Using Icacls.exe Using Icacls.exe, you can grant or revoke basic or advanced permissions by allowing or denying them to specific security principals. The syntax for granting permissions is: icacls.exe filespec /grant[:r] security_id:(permissions) [/T][/C][/L][/Q] 2013 John Wiley & Sons, Inc. 22

Understanding Resource Ownership Every file and folder on an NTFS drive has an owner. The owner can always modify the permissions for the file or folder, even if the owner has no permissions. By default, the owner of a file or folder is the user account that created it. However, any account possessing the Take Ownership advanced permission (or the Full Control basic permission) can take ownership of the file or folder. 2013 John Wiley & Sons, Inc. 23

Using the Encrypting File System Lesson 14: Configuring File and Folder Access 2013 John Wiley & Sons, Inc. 24

Encrypting File System (EFS) The EFS is a feature of NTFS that encodes the files on a computer so that even if an intruder can obtain a file, he or she will be unable to read it. The entire system is keyed to a specific user account, using the public and private keys that are the basis of the Windows public key infrastructure (PKI). The user who creates a file is the only person who can read it. 2013 John Wiley & Sons, Inc. 25

Encrypting a Folder with EFS In Windows 8.1, you can use File Explorer to encrypt or disable EFS on any individual files or folders, as long as they are on an NTFS drive. 2013 John Wiley & Sons, Inc. 26

Encrypt a Folder The Advanced Attributes dialog box 2013 John Wiley & Sons, Inc. 27

Determining Whether a File or Folder Is Encrypted Administrators commonly receive calls from users who are unable to access their files because they have been encrypted using EFS and the user is unaware of this fact. To resolve the problem, you must first determine whether their files are encrypted or not, and whether the user has the proper NTFS permissions. File Explorer displays the names of encrypted files in green, by default, but this setting is easily changed in the Folder Options dialog box. 2013 John Wiley & Sons, Inc. 28

Configuring Disk Quotas Lesson 14: Configuring File and Folder Access 2013 John Wiley & Sons, Inc. 29

NTFS Quotas NTFS quotas enable administrators to set a storage limit for users of a particular volume. Depending on how you configure the quota, users exceeding the limit can be denied disk space, or just receive a warning. The space consumed by individuals users is measured by the size of the files they own or create. 2013 John Wiley & Sons, Inc. 30

Configure Disk Quotas The Quota tab of a volume s Properties sheet 2013 John Wiley & Sons, Inc. 31

Configuring Object Access Auditing Lesson 14: Configuring File and Folder Access 2013 John Wiley & Sons, Inc. 32

Auditing Tracking events that take place on the local computer, a process referred to as auditing, is an important part of monitoring and managing activities on a computer running Windows 8.1. The Audit Policy section of a Group Policy object (GPO) enables administrators to log successful and failed security events, such as logons and logoffs, account access, and object access. You can use auditing to track both user activities and system activities. 2013 John Wiley & Sons, Inc. 33

Configuring Object Access Auditing Audit Policies in the Windows 8 Local Computer Policy 2013 John Wiley & Sons, Inc. 34

Audit Policy You must decide which computers, resources, and events you want to audit. The following guidelines can help you to plan your audit policy: o Audit only pertinent items. o Archive security logs to provide a documented history. o Configure the size of your security logs carefully. 2013 John Wiley & Sons, Inc. 35

Configure an Audit Policy The Properties sheet for a policy setting 2013 John Wiley & Sons, Inc. 36

Configure Files and Folders for Auditing The Auditing tab in a folder s Properties sheet 2013 John Wiley & Sons, Inc. 37

Lesson Summary Windows 8.1 has several sets of permissions, which operate independently of each other, including NTFS permissions, share permissions, registry permissions, and Active Directory permissions. NTFS permissions enable you to control access to files and folders by specifying just what tasks individual users can perform on them. The Encrypting File System (EFS) is a feature of NTFS that encodes the files on a computer so that even if an intruder can obtain a file, he or she will be unable to read it. NTFS quotas enable administrators to set a storage limit for users of a particular volume. Depending on how you configure the quota, users exceeding the limit can be denied disk space, or just receive a warning. 2013 John Wiley & Sons, Inc. 38

Copyright 2013 John Wiley & Sons, Inc.. All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc.. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.