Share Permissions
In Windows there are two types of file and folder permissions. Firstly, there are the Share Permissions. Secondly, there are NTFS Permissions, which are also called Security Permissions. Securing shared folders is usually done with a combination of Share and NTFS Permissions. Since this is the case, it is essential to remember that the most restrictive permission always applies. For example, if the share permission gives the Everyone security principal Read permission, but the NTFS permission allows users to make changes to the file, the share permission will take precedence, and the users will not be allowed to make changes.
When you set the permissions, the LSASS (Local Security Authority) controls access to the resource. When you log on, you are given an access token with your SID on it. When you go to access the resource, the LSASS compares the SID on your token with the SIDs that were added to the ACL (Access Control List). If the SID is on the ACL, it determines whether to allow or deny access. Whichever permissions you use, there are differences between them, so let’s take a look to get a better understanding of when we should use what.
Share Permissions:
Only apply to users who access the resource over the network. They don’t apply if you log on locally, for example through terminal services.
They apply to all files and folders in the shared resource. If you want to provide a more granular restriction scheme, you should use NTFS Permissions in addition to share permissions.
If you have any FAT or FAT32 formatted volumes, this will be the only form of restriction available to you, as NTFS Permissions are not available on those file systems.
NTFS Permissions:
The only restriction on NTFS Permissions is that they can only be set on a volume that is formatted with the NTFS file system.
Remember that NTFS Permissions are cumulative. That means that a user’s effective permissions are the result of combining the user’s assigned permissions and the permissions of any groups the user belongs to.
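The rules above (NTFS permissions are cumulative, share permissions only count over the network, and the most restrictive of the two wins) can be worked through in a small model. This is an added example, not code from the original article and not how Windows itself implements the check; it models allow entries only, and the SIDs other than Everyone (S-1-1-0), the ACL contents and the function names are constructed for illustration.

```python
# Added illustration: a simplified model, not Windows' actual access-check code.
READ, WRITE, ADMIN = 1, 2, 4  # rights as bit flags
LEVELS = {"Read": READ, "Change": READ | WRITE, "Full Control": READ | WRITE | ADMIN}

def granted(acl, token_sids):
    """Cumulative rights: the union of every ACL entry whose SID is in the token."""
    rights = 0
    for sid, level in acl:
        if sid in token_sids:
            rights |= LEVELS[level]
    return rights

def effective(token_sids, share_acl, ntfs_acl, over_network):
    """Most restrictive wins: over the network a right must be granted by both
    the share ACL and the NTFS ACL; local access is checked against NTFS only."""
    ntfs = granted(ntfs_acl, token_sids)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, token_sids)

def level_name(rights):
    """Highest named level fully contained in the rights mask."""
    best = "No access"
    for name, mask in LEVELS.items():
        if rights & mask == mask:
            best = name
    return best

# Constructed sample data: a user SID, one group SID, and Everyone.
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-1111-2222-3333-1001"  # made-up user SID
STAFF = "S-1-5-21-1111-2222-3333-2001"  # made-up group SID
TOKEN = {ALICE, STAFF, EVERYONE}        # what the access token carries

SHARE_ACL = [(EVERYONE, "Read")]                  # share: Everyone gets Read
NTFS_ACL = [(ALICE, "Read"), (STAFF, "Change")]   # NTFS: user Read, group Change

if __name__ == "__main__":
    print("NTFS cumulative: ", level_name(granted(NTFS_ACL, TOKEN)))
    print("Over the network:", level_name(effective(TOKEN, SHARE_ACL, NTFS_ACL, True)))
    print("Logged on local: ", level_name(effective(TOKEN, SHARE_ACL, NTFS_ACL, False)))
```

The same user ends up with Change locally but only Read through the share, which is why a permissive NTFS ACL behind a restrictive share still matters for anyone who can log on to the machine itself.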
The New Share Permissions
Windows 7 brought along a new “easy” share technique. The options changed from Read, Change and Full Control to Read and Read/Write. The idea was part of the whole Homegroup mentality and makes it easy for non-computer-literate people to share a folder. This is done via the context menu, which shares the folder with your homegroup easily.
If you wanted to share with someone who is not in the homegroup, you could always choose the “Specific people…” option, which would bring up a more “elaborate” dialog where you could specify a user or group.
There are only two permissions, as previously mentioned. Together, they offer an all or nothing protection scheme for your folders and files.
Read permission is the “look, don’t touch” option. Recipients can open, but not modify or delete a file.
Read/Write is the “do anything” option. Recipients can open, modify, or delete a file.
The Old School Permission
The old share dialog had more options, such as the option to share the folder under a different alias. It allowed us to limit the number of simultaneous connections as well as configure caching. None of this functionality is lost in Windows 7, but rather is hidden under an option called “Advanced Sharing”. If you right click on a folder and go to its properties you can find these “Advanced Sharing” settings under the sharing tab.
If you click on the “Advanced Sharing” button, which requires local administrator credentials, you can configure all the settings that you were familiar with in previous versions of Windows.
If you click on the permissions button, you’ll be presented with the 3 settings that we are all familiar with.
Read permission allows you to view and open files and subdirectories as well as execute applications. However, it doesn’t allow any changes to be made.
Modify permission allows you to do anything that Read permission allows, and it also adds the ability to add files and subdirectories, delete subfolders and change data in the files.
Full Control is the “do anything” of the classic permissions, as it allows you to do everything the previous permissions allow. In addition, it lets you change NTFS Permissions, but this only applies to folders on NTFS volumes.
Accessing a Shared Resource
So now that we have learned about the two methods we can use to share content on our PCs, how do you actually go about accessing it over the network? It is very simple. Just type the following into the navigation bar.
\\computername\sharename
Note: Obviously you will need to substitute computername for the name of the PC hosting the share and sharename for the name of the share.
This is great for one-off connections, but what about in a larger corporate environment? Surely you don’t have to teach your users how to connect to a network resource using this method. To get around this, you will want to map a network drive for each user. This way you can advise them to store their documents on the “H” drive, rather than trying to explain how to connect to a share. To map a drive, open Computer and click on the “Map network drive” button.
Then simply type in the UNC path of the share.
You’re probably wondering if you have to do that on every PC, and luckily the answer is no. Rather, you can write a batch script to automatically map the drives for your users at logon and deploy it via Group Policy.
If we dissect the command:
We are using the net use command to map the drive.
We use the * to denote that we want to use the next available drive letter.
Finally we specify the share we want to map the drive to. Notice that we used quotes because the UNC path contains spaces.