Document: Sharing and Securing Files and Folders (pptx)


Sharing and Securing Files and Folders

This chapter provides an understanding of access control to network file and folder resources. Chapter 21 provided an in-depth review of the Windows 2000 file systems, especially NTFS. Now, let’s look at the file systems from other viewpoints: users and applications and, of course, administrators.

Most data is generated and stored on computer systems, using the file and folder metaphors inherited from our three-dimensional world. However, since the advent of local and wide area networks, particularly the Internet, your files and folders (directories) are accessible to anyone with a computer and a network connection unless you secure them. You need to secure the data within their files, and the folders that contain those files, while at the same time providing controlled access to authorized users. The NT File System (NTFS) lets you do that on three security access levels:

✦ Shares
✦ Folder permissions and file permissions (called NTFS permissions)
✦ Encryption

NTFS creates a hierarchy of folders in a volume, all starting from a root folder (see also Dfs and mounted volumes in Chapter 21). The earlier versions of NTFS could only store a single folder hierarchy on a single hard drive or volume, maintained on a single computer.

As we stated in Chapter 21, the folder hierarchy (or folder namespace) can traverse or span hard disk volumes on any computer on the network. To keep things simple in this chapter, we’ll discuss folder and files independently of where they may be located on the network.
Chapter 22 ✦ Part VI: File, Print, and Web Services

In This Chapter
✦ The Concept of Shares, Permissions, and Ownership
✦ Strategies for Effective Folder, File, and Data Security

Sharing and Securing Your Data

Windows 2000, like all modern graphically managed operating systems, allows you to manage your files and folders in the same way as your hardcopy filing systems: in folders and filing cabinets. Think about the file room in a law firm or a newspaper morgue. It is unlikely you would be allowed to just walk into this room: It is usually locked or guarded, and you would need authority to enter, but you know it’s there. The company does not hide it away from you, because it is a shared resource, and they usually want you to know about it because you might need data in it to do your work.

Shares are the clubhouses of the network. A share is where users and groups of users go to share resources. You enable folder-sharing for your users and applications by creating a share, or in the lingo of mainframes, midrange, and legacy systems, a share-point. By owning the files and folders on your own machine (and we discuss ownership next), you automatically have full access and control over your folders and their contents. Administrators own all the folders they create anywhere on the network, and can thus share them.

Over the years, we have found that most calls to the support desk originate because a user or a group cannot connect to shared resources, such as folders, files, and printers. When users cannot connect, and get the “access denied” message, they assume the world has ended, such is the extent of their panic. Usually, it is a simple case of an incorrect permission. However, we have seen how permission misadventure causes much consternation and is a waste of time, so we stress that every administrator should become an expert in this subject.
Getting back to our brick and mahogany file room: By having access to the file room, you do not necessarily have access to every file or folder it contains. Depending on your rank in the company, the department you work for, and the work you do, you may or may not be allowed to open a file cabinet, read a file, check it out, change its contents, or add data to it. Likewise, by being a member of a group of users or by having individual authority, you may gain access to the NTFS share, but some files will not be for your eyes. Others will be accessible for reading only—you might not be allowed to change, delete, copy, or move them.

The levels of access you have to the folders and files are called permissions. Administrators, members of Administrator groups, and the owners of objects can assign permissions and control access to these objects, and they can also encrypt the files. Folder and file encryption is the third mechanism you can now use for protecting your files and folders. It has been added to the Windows 2000 file system and is only supported under NTFS.

When you add Windows 2000’s support for cryptography and distributed security services, such as Kerberos and digital certificates, to the file system, you have what is known as the encrypting file system or EFS. The EFS is fully discussed later in this chapter.

Ownership

Another means of understanding shares or share-points is by understanding ownership. Ownership is not a configuration setting, or a mere value in the registry or Active Directory; it derives from the security services of the NTFS and the Win32 security system (this is discussed in more detail in Chapters 3 and 10).

It helps to understand ownership if you’ve done some Windows programming. The Win32 API has a Create or CreateFile function that creates objects such as folders and files.
If the Create function you are calling can take a security parameter, you can lock the object (pass a security descriptor) and keep other processes from accessing it. The lock is like a key that you, the owner, get to keep when you create the object. That is the essence of ownership. Of course, the whole process is managed by the OS and requires no user actions.

When a process creates a file or a folder—objects—the file system assigns that process the rights of ownership, and passes it a key. The process created it, so that process owns it . . . and it can do whatever it likes with that object. If you create a folder on the computer you are logged onto, or within a folder namespace to which you have access, you own the folder. Only you and the processes that operate within your security context (activated by the validation of your password) can access that folder.

Now, when other users or processes need access to the folder you just created, do you allow them to take ownership, hand them the key? No, not normally, because if you did, you would be losing your right to the object. By creating a share, you are essentially inviting others to access the folder (with restrictions, of course), but you don’t give them the key. If someone else with bad intentions got hold of your keys, they might come back after dark and destroy your network. Remember the old adage: Possession is nine-tenths of the law. And remember what we said about safeguarding the Administrator account back in Chapter 10. You can do tremendous damage with 50 lines of code and access to the Administrator account.

The owner of an object can actually allow a specified user or a group to take over the ownership of the object (we’ll get to that shortly). Taking ownership is a one-way action. You can take ownership, but you cannot bestow it or return it. You can allow someone else to take ownership; you assign them this permission.
Ownership can only be transferred if the would-be benefactor is willing to take it. By not being able to transfer ownership unilaterally, NTFS prevents users from hiding dirty work. In other words, you cannot go and lock up a folder and throw away the key, and then make it look like someone else did the damage.

Publishing Shares in Active Directory

The idea of published shares is new to the Windows networking environment, and it begins with Active Directory, as discussed in the previous chapter. Windows 2000 users connect to shared resources on a Windows 2000 domain by looking them up in the Active Directory. You can still connect to shares on the browse list and from the command line, as described later in this chapter.

Creating shares on Windows 2000 is really easy, and if you have Windows experience, you will only need to read the next section as a refresher and to pick up subtle yet important differences. Establishing shares on remote computers is another story, however, and the process is handled in the new Computer Management snap-in described later in this chapter.

Creating a Share

When you first create a share, the file system automatically gives access to the Everyone group, unless you have taken steps to prevent that, discussed later. If the contents of the files are sensitive, you need to remove the Everyone group and assign access only to authorized users or groups.

Back in Chapter 10, we encouraged you to use common sense management practices and avoid assigning rights to individual users. The same advice applies to shares. Share folders with groups, not individuals. One of the only times you should circumvent this advice is when you need to audit individuals.
Sharing a Local Folder

If you are the owner of the folder or the folders within the local folder namespace, then sharing a folder involves little more than right-clicking the new or existing folder and selecting Sharing from the Context menu. Select the option Share this folder in the dialog box. The share name field is enabled. This is demonstrated in Figure 22-1.

Figure 22-1: The Sharing tab on the folder’s Properties dialog box

As soon as the dialog box is enabled, you can enter the following share data:

✦ Share name: The actual folder name is used as the default share name, but you can change this to reflect any name that better suits the application for the share. It is a good idea to use the best share name for the share, possibly one that better informs the user of the purpose of the share or that provides a hint of the share’s contents. For example, a folder might be named Y2K, and rather than changing that name (it’s been done before), which would impact other applications, it would be better to make the share name “Y2K data files and documents.” Share names can be up to 80 characters in length, and they can contain spaces. However, if your users are attaching from the command line or you have applications that might send share attach commands to the system console, you should stick to single names of between 8 and 12 characters (and even 8.3 names for those still using Windows 3.1). The best command-line-compliant substitute for the aforementioned share name is the simple Y2KDATA.

✦ Comment: The comment field will take 100 characters, so you can be creative here. It is a good idea to include the comment field wherever possible because it shows up in Explorer when users browse for a share. Although we said you can be creative, be conservative. A hundred-character comment field forces most users to waste time scrolling to the right.
✦ User limit: You will ignore this most of the time, allowing the client access licensing to monitor the number of connections. On server shares there is no maximum limit, but you can restrict connections for application-specific purposes or licensing. Windows 2000 Professional prohibits more than ten concurrent connections and several other exclusions you will discover . . . so forget about using it as a substitute for a server.

✦ Caching: The cache settings allow you to configure offline access to the shared folder. Offline folder and file access is touched upon later in this chapter, and explained in the context of Group Policy and change control in Chapter 11.

As soon as you enter the share name and comment, you can click the Permissions button to admit users to the share and set the desired access types.

Once you have created a share, you will notice, as shown in Figure 22-1, that you now have the option of creating another share. The New Share button does not replace the old share; you can share a folder as many times as you like, each time with different access clients and permissions. At any time you need to end a share, just select the share name from the drop-down list and click Remove Share.

Establishing Shares on Remote Computers

There are two ways to connect to a remote computer and create a share-point on it. The first and hardest way is by using the NET SHARE command at the command prompt. This is explained in Appendix A. The second, and by far the easiest way, is by opening the Computer Management snap-in (compmgmt.msc).

Once you are in Computer Management, select the first option, Computer Management (Local). Right-click it and select Connect to another computer from the Context menu. This is illustrated in Figure 22-2. You can connect to a computer listed in the Active Directory (the best way), or you can connect to a computer listed in the domain.
Once you have opened the remote computer into the snap-in, you will be able to expand the System Tools tree and select the remote computer Shared Folders option. From here on, the process of creating the share-point is no different from creating shares on the local machine.

Figure 22-2: The Shared Folders option in the Computer Management snap-in

Share Attributes

Share access can be given directly to users or processes, or implicitly through group membership. Shared folders possess the following attributes:

✦ Shares only work on folder objects, and not on files that folders contain. You cannot select a file, x-file, and share it as x-file on the network. But you can share a folder called thexfiles and allow users to access the files in that folder.

✦ The default access permission on a share is Full Control. This permission is assigned to the Everyone group. So, if you create such a share, and have your Guest account enabled and not governed by any domain policy, every computer user has access to it. But you are a common-sense administrator, and you will follow our advice and make sure that your network is locked down.

✦ Shares can be established on most file systems, including FAT. But NTFS permissions, discussed later in this chapter, are peculiar to the Windows NT and Windows 2000 operating systems.

✦ Shares are visible to you (if they are not hidden) when you are trying to connect over the network. Share access also applies to the local user logged onto the computer that is hosting the shared folder. This feature is extremely important because it means you can prevent users who log on locally from accessing folders. And it’s a surefire way of protecting your data on a notebook computer.

✦ A shared folder on your machine is represented as an icon with a hand holding the folder. But across the network, the icon does not include the hand.
✦ Shares can be hidden, a very valuable security and administration tool that we will discuss later in this chapter.

Table 22-1 lists the folder permissions that apply to Windows 2000 shares. Remember that the access level is at the share only; NTFS permissions provide the “second line of defense” to locked-down resources. You set these permissions through the Share Permissions properties, which you can access by clicking Permissions on the Sharing page of the shared folder’s property sheet, as shown in Figure 22-3.

Table 22-1: Shared Folder Permission Types

Permission | Privilege
Read | The user can see the entire shared folder tree (root shared folder and subfolders). The user can also see all the files in the folder tree (traversing) and open them for reading. The user can execute applications in the shared folder hierarchy.
Change | This privilege inherits the Read privileges and also allows the user to change the folders and the data in the files within the shared folder’s namespace. The user can also change file attributes, and can copy, move, and delete files and folders. The user cannot change the actual share.
Full Control | This privilege allows the user to take ownership of the files and folders, within the shared folder’s namespace. It inherits the privileges of the Read and Change permissions. Under NTFS, only Full Control allows a user to change permissions and take ownership of a file or folder.

Figure 22-3: The Share Permissions dialog box

Deny

You can deny access to any of the above permissions. For example: If you deny Full Control, you drop the privilege level down to Change. Deny is useful if you wish to single out a user and deny him or her access (the same applies to groups). Deny is the strongest of permission attributes; in other words, it takes precedence over every permission.
For example, if a user in a primary group has full access to a share, but you deny access directly or via a secondary group, the user is denied despite the access given in the primary group. However, it is better to take the user out of a group rather than keep him or her in the share and specifically deny him or her the access.

Accumulation of Share Permissions

Share permissions accumulate. If a user is a member of one group that is given Read access, but he or she is also a member of another group that is given Change access (to the same share), then the user’s cumulative permissions in the share are Read and Change. The user’s effective permission is Change, because it includes Read permission.

Moving or Copying Folders

When you move a folder, the shares assigned to it are deleted. The folder is not shared at the new location. If you copy a folder, the new copy is not shared, but the source folder remains shared.

Intra-Domain Shares

Shares are not restricted to the users and groups of the domain in which they were created. If a trust relationship exists between two domains, then a user or group in one domain can be given access to the share in another domain (see Chapters 3, 7, and 10). The administrator of Domain A can provide access to a user or to a global or universal group from Domain B.

Who Can Share Folders

Members of the predefined Administrators, Server Operators, and Power Users groups can share folders. On a member server, in a Windows 2000 domain, the members of the Administrators or Server Operators groups can share folders that exist on any computer on the network. On a standalone computer, only the Administrator and members of the Power Users and local Administrators groups can share a folder.

Workgroups do not make for such flexible sharing. Only members of the local Administrators group and the Power Users group can share folders.
Remember that if you own the folder, you can share it. But an administrator can take ownership at any time.

Hidden Shares

The ability to hide shares is a useful feature of the Windows OS. It makes up for the problem of shares being visible to everyone on the network, even to users who do not have access to the shares. Relative hiding of shares is probably a very difficult and cumbersome technology to introduce into the OS, but it makes sense to only expose shares to users who have access to them. To the other users, the shares should just not be visible . . . only available on a need-to-know basis. Active Directory goes a long way to make that possible by locating published shares in organizational units.

It is, however, possible to hide shares by simply ending the share name with the dollar sign ($). You can still connect to the share if you have access to it, but it does not show up on the browse list (as nothing ending with the dollar sign shows in the browse list). You connect to the share using Run, as explained next, or at the command line using NET SHARE (see Appendix A).

Here is a good example of a hidden share in action: A certain company in Florida transmits millions of dollars of direct deposit information to the bank every afternoon. The application resides at the data center in Miami, but it logs into a hidden share on the wide area network, after an application in Los Angeles writes the direct deposit information to a file in the same hidden share. Both applications or processes are members of the Banking group, and they have Read and Write access to the file in the share. No one else can see the share on the network, and the cloaking affords the share a measure of concealment.

Of course, it is possible to dig around on computers and look for hidden shares. But did you know that you can hide computers as well? See Chapter 3.
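The share rules described in the sections above (the Everyone default, accumulation of permissions, Deny precedence, and hidden shares) can be exercised together in a small Python model. This is an added example, not code from the book: apart from Y2KDATA, Everyone, and Banking, every share, group, and user name is constructed, and Deny is simplified to an entry that blocks the share outright.

```python
"""Toy model of share-level access checks (constructed data, simplified rules)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2        # includes Read
    FULL_CONTROL = 3  # includes Read and Change


@dataclass(frozen=True)
class Entry:
    principal: str            # user or group name
    allow: Level = Level.NONE
    deny: bool = False        # simplification: a deny entry blocks the share outright


@dataclass(frozen=True)
class Share:
    name: str
    acl: tuple

    @property
    def hidden(self):
        # A trailing "$" keeps the share off the browse list and does nothing else.
        return self.name.endswith("$")


def effective_level(share, user, groups=()):
    """Deny wins over any allow; otherwise allows accumulate to the highest level."""
    who = {user, "Everyone", *groups}   # assumption: every account matches Everyone
    matching = [e for e in share.acl if e.principal in who]
    if any(e.deny for e in matching):
        return Level.NONE
    return max((e.allow for e in matching), default=Level.NONE)


def browse_list(shares):
    """Share names a browsing client sees: names ending in "$" are omitted."""
    return [s.name for s in shares if not s.hidden]


def everyone_full_control(shares):
    """Shares still carrying the creation default, hidden or not, for review."""
    return [s.name for s in shares
            if any(e.principal == "Everyone" and e.allow == Level.FULL_CONTROL
                   for e in s.acl)]


# Constructed sample shares.
SHARES = [
    Share("Y2KDATA", (Entry("Everyone", Level.FULL_CONTROL),)),    # untouched default
    Share("Reports", (Entry("Staff", Level.READ),
                      Entry("Editors", Level.CHANGE),
                      Entry("Contractors", deny=True))),
    Share("Deposits$", (Entry("Banking", Level.CHANGE),)),         # hidden and restricted
    Share("Scratch$", (Entry("Everyone", Level.FULL_CONTROL),)),   # hidden but wide open
]

if __name__ == "__main__":
    print("Browse list:", browse_list(SHARES))
    print("Review (Everyone has Full Control):", everyone_full_control(SHARES))
    for s in SHARES:
        print(f"{s.name}: guest gets {effective_level(s, 'guest').name}")
```

The Scratch$ entry shows why a hidden name is concealment rather than access control: the share is absent from the browse list, yet the access check still grants Full Control to anyone who knows the name.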
Connecting to Shares

There are several ways to connect to shares. You can connect using interactive tools or at the command line. You can also connect to published shares in Active Directory, which is the preferred way. DNS directs you to the domain controller hosting the Active Directory, so connecting to a share is as simple as browsing for a Web page:

To connect to a share using the Map Network Drive Wizard (this option assigns a drive letter):

1. Right-click the My Network Places on the desktop and select Map Network Drive.
2. Type in the UNC path to the folder if you know it, or click Browse to drill down to the exact folder.
3. Enter a drive letter of your choice or use the default.
4. Check the Reconnect at Logon checkbox if you wish the connection to remain persistent.
5. You can also connect to the share under another user name. All you need is the logon name and password. This is useful if you need to connect to a resource on a domain for which you have not been fully authenticated.

To connect to a share using Run:

1. Select Start ➪ Run.
2. Type in the UNC path to the folder if you know it, or click Browse to drill down to the exact folder.

To connect to a share from My Network Places:

1. Open My Network Places.
2. Find the computer that contains the share and drill down until you locate the folder in the browse list.
3. When you find the share, double-click it to establish the connection.

To connect to a share in the Active Directory:

1. Open My Network Places.
2. Expand Active Directory until you locate the domain in which you wish to locate a published share.
3. When you find the share, double-click it to establish the connection.

[...]
... use multiple directory names and wildcards. Use spaces between multiple parameters.

Copying, Moving, or Renaming Encrypted Files

As with compression, a folder’s encryption attribute also has an effect on files you copy or move between encrypted and non-encrypted folders, or files and folders you rename. The following...

... process failed. And the only damage done was the administrator was beeped at three in the morning to fix the problem.

Consider the following guidelines when working with permissions:

✦ Create groups for access to folders and files, and assign them only the necessary permissions required to work on the files. If the...

... subfolders and files.” option on NT 4.0 and earlier versions of NTFS. By running this option, you are replacing, not merging, the permissions on all child folders and files on the volume. This means that any permissions applied to subfolders and files will be lost. If that is not your desired end, you could end up losing weeks of work restoring permissions so that users and applications can operate. And...

... default

✦ Copying and moving unencrypted folders or files to encrypted folders (NTFS volumes): The folders or files are encrypted. This applies to copies on the same computer and to a remote computer that supports encryption.

✦ Copying and moving encrypted or unencrypted files to FAT volumes: The folders or files are decrypted. An exception to this is if you use the Backup utility to back up the files to a Backup...
... dialog box

Encrypting and decrypting through the command prompt

If you work substantially in a command console or need to integrate encryption processes in batch files, you can use the CIPHER command to encrypt and decrypt folders and files. Following is the syntax for the command:

CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [ ]]

The following list summarizes the command options for...

... devices and wrapping hefty chains around your computers, is to use encryption. Encryption on individual files is not always an answer, either. Many applications create temporary files when you work with a document, and these temporary files are not encrypted unless you use an encryption system that automatically encrypts...

... to share data among users, you can enable multiple users to access and work with encrypted folders and files. The users simply need to share the same encryption keys. For more information, see the section “Sharing Encrypted Data” later in this chapter.

... Encryption (DES) The time...

... folder’s encryption attribute. EFS uses this attribute to determine how to handle file creation and modification operations in the folder.

Encrypting and decrypting through Explorer

Encrypting a folder or file is easy. Just right-click the object and choose Properties to display its property sheet. On the object’s General...
... makes sense to classify files according to their level of importance and application, and then to group them in folders. This would allow you to assign permissions to the folders, and not each file. For most enterprise work environments, share and folder and file permissions are sufficient security. However, if someone steals a server or a hard disk, and attempts to access its files from another operating...

Figure 22-6: The Security tab on the Properties dialog box

Table 22-4 lists the permissions possible on files.

Table 22-4: File Permissions

Permission | Purpose
Read | This permission permits the user to read the files and view their attributes, ownership, and permissions.
Write | This permission permits the user to change the file’s contents and attributes, and to view ownership and permissions.

Date posted: 17/01/2014, 08:20
