MCSE Training Kit: Microsoft Windows 2000 Professional by Microsoft Corporation, Microsoft Corporation

From the Publisher

This official Microsoft training kit teaches IT professionals how to install, configure, and administer the Windows 2000 Professional desktop operating system -- as they prepare for the corresponding MCP exam. Topics include setting up and troubleshooting the software; monitoring and optimizing system resources such as files, printers, and applications; and configuring hardware devices and drivers. Students learn through skills-based tutorials and hands-on lab exercises. The content covers Windows 2000 Professional in a generic server environment, though many examples reference Windows 2000 Server. An economical alternative to classroom training, this kit enables students to set their own pace and learn by doing.

• Provides from-the-source information and hands-on practice supporting the next generation of Windows -- including preparation for the corresponding MCP exam.
• Offers detailed, from-the-source instruction on how to set up and support Windows 2000 Professional.
• Provides comprehensive preparation for the corresponding MCP exam
• Modular lessons and hands-on labs promote effective skills transfer to the job.

Booknews

A study guide for certification exam 70-210: installing, configuring, and administering Windows 2000 Professional. Elements of the operating system covered include the management console, task scheduler, control panel, registry, domain name system, active directory, and TCP/IP. Each chapter is divided into lessons with hands-on procedures to demonstrate that particular concept or skill. Annotation c. Book News, Inc., Portland, OR (booknews.com)

Product Details

• Table of Contents
• Read an Excerpt

Table of Contents

Read an Excerpt

Chapter Fourteen

About This Chapter

In Chapter 14, "Securing Resources with NTFS Permissions," you learned about Microsoft Windows 2000 File System (NTFS) permissions. You use NTFS permissions to specify which users and groups can gain access to files and folders, and what these permissions allow users to do with the contents of the file or folder. NTFS permissions are available only on NTFS volumes. NTFS security is effective whether a user gains access to the file or folder at the computer or over the network.

In this chapter, you will learn how to make folders accessible over the network. You can access a computer's folders and their contents only by physically sitting at the computer and logging on to it or by accessing a shared folder on a remote computer. Sharing folders is the only way to make folders and their contents available over the network. Shared folders also provide another way to secure file resources, one that can be used on FAT or FAT32 partitions. In this chapter, you will also learn how to share file resources, secure them with permissions, and provide access to them.

Before You Begin

To complete this chapter, you must have

• A computer that meets the minimum hardware requirements listed in "Hardware Requirements."
• Microsoft Windows 2000 Professional installed on the computer.

Lesson 1: Understanding Shared Folders

You use shared folders to provide network users with access to file resources. When a folder is shared, users can connect to the folder over the network and gain accessto the files that it contains. However, to gain access to the files, users must have permissions to access the shared folders.

After this lesson, you will be able to

• Use shared folders to provide access to network resources.
• Describe how permissions affect access to shared folders.

Estimated lesson time: 15 minutes

Shared Folder Permissions

A shared folder can contain applications, data, or a user's personal data, called a home folder. Each type of data requires different shared folder permissions.

The following are characteristics of shared folder permissions:

• Shared folder permissions apply to folders, not individual files. Since you can apply shared folder permissions only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.
• Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.
• Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren't available on FAT volumes.
• The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

NOTE
A shared folder appears in Windows Explorer as an icon of a hand holding the shared folder. (Figure 15.1 shows the sharing icon.)

To control how users gain access to a shared folder, you assign shared folder permissions.

Table 15.1 explains what each of the shared folder permissions allows a user to do. The permissions are presented from most restrictive to least restrictive.

Figure 15.1 Shared folders in Windows Explorer

Table 15.1 Shared Folder Permissions

Shared folder permission	Allows the user to
Read	Display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder.
Change	Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, plus, it allows the user to perform actions permitted by the Read permission.
Full Control	Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

You can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. You deny permissions only when it is necessary to override permissions that are otherwise applied. In most cases, you should deny permissions only when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won't have that permission. For example, to deny all access to a shared folder, deny the Full Control permission.

How Shared Folder Permissions Are Applied

Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow. The following list describes the effects of applying permissions.

• Multiple Permissions Combine. A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.
• Denying Permissions Overrides Other Permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won't have that permission, even if you allow the permission for a group of which the user is a member.
• NTFS Permissions Are Required on NTFS Volumes. Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.
• Copied or Moved Shared Folders Are No Longer Shared. When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.

Guidelines for Shared Folder Permissions

The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

• Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.
• Assign permissions to groups instead of user accounts to simplify access administration.
• Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users need only to read information in a folder, and they will never delete or create files, assign the Read permission.
• Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store the application folders within the same folder. Then share this folder instead of sharing each individual application folder.
• Use intuitive share names so that users can easily recognize and locateresources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use.

Although Windows 2000 allows for very long share names, try to keep share names short, about 12 characters. Shorter names are easier to remember and type. Products such as MS-DOS, Windows 3.x, and Windows for Workgroups require an 8.3-character share name.

Microsoft Windows 2000 provides 8.3-character equivalent names, but the resulting names might not be intuitive to users. For example, a Windows 2000 folder named Accountants Database would appear as Account~1 on client computers running MS-DOS, Windows 3.x, and Windows for Workgroups.

Practice: Applied Permissions

In the following practice, User101 has been assigned permissions to gain access to resources as an individual and as a member of a group, as shown in Figure 15.2. Determine which effective permissions User101 has in each situation:

1. User101 is a member of Group1, Group2, and Group3. Group1 has Read permission and Group3 has Full Control permission for FolderA. Group2 has no permissions assigned for FolderA. What are User101's effective permissions for FolderA?
2. User101 is also a member of the Sales group, which has the Read permission for FolderB. User101 has been denied the shared folder permission Full Control for FolderB as an individual user. What are User101's effective permissions for FolderB?

Figure 15.2 Applied permissions

Lesson Summary

In this lesson, you learned that you can make a folder and its contents available to other users over the network by sharing the folder. Using shared folder permissions is the only way to secure file resources on FAT volumes. Shared folder permissions apply to folders, not individual files. Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. Shared folder permissions apply only to users who connect to the folder over the network.

You also learned about the three shared folder permissions: Read, Change, and Full Control. The Read permission allows users to display folder names, filenames, file data, and attributes. The Read permission also allows users to run program files and to change folders within the shared folder. The Change permission allows users to create folders, add files to folders, change data in files, append data to files, change file attributes, and delete folders and files, plus it allows the user to perform actions permitted by the Read permission. The Full Control permission allows users to change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

Lesson 2: Planning Shared Folders

When you plan shared folders, you can reduce administrative overhead and ease user access. You can organize resources that will be shared and put them into folders according to common access requirements. You can also determine which resources you want shared, organize resources according to function and use, and decide how you will administer the resources.

Shared folders can contain applications and data. Use shared application folders to centralize administration. Use shared data folders to provide a central location for users to store and gain access to common files. If all data files are centralized in one shared folder, users will find them easily. You will be able to back up data folders more easily if data folders are centralized, and you will be able to upgrade application software more easily if applications are centralized.

After this lesson, you will be able to

• Plan which shared folder permissions to assign to user accounts and groups for application and data folders.

Estimated lesson time: 5 minutes

Application Folders

Shared application folders are used for applications that are installed on a network server and can be used from client computers. The main advantage of shared applications is that you don't need to install and maintain most components of the applications on each computer. While program files for applications can be stored on a server, configuration information for most network applications is often stored on each client computer. The exact way in which you share application folders will vary depending on the application and your particular network environment and company organization.

When you share application folders, consider the points in Figure 15.3. These points are explained in more detail as follows:

• Create one shared folder for applications and organize all of your applications under this folder. When you combine all applications under one shared folder, you designate one location for installing and upgrading software.
• Assign the Administrators group the Full Control permission for the applications folder so that they can manage the application software and control user permissions.
• Remove the Full Control permission from the Everyone group and assign Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.
• Assign the Change permission to groups that are responsible for upgrading and troubleshooting applications.
• Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.

Figure 15.3 Creating and sharing application folders

Data Folders

Users on a network use data folders to exchange public and working data. Working data folders are used by members of a team who need access to shared files. Public data folders are used by larger groups of users who all need access to common data.

When you use data folders, create and share common data folders on a volume that is separate from the operating system and applications. Data files should be backed up frequently, and with data folders on a separate volume, you can conveniently back them up. If the operating system requires reinstallation, the volume containing the data folder remains intact.

When you share a common public data folder, do the following:

• Use centralized data folders so that data can be easily backed up.
• Assign the Change permission to the Users group for the common data folder (see Figure 15.4). This will provide users with a central, publicly accessible location for storing data files that they want to share with other users. Users will be able to gain access to the folder and read, create, or change files in it.

Figure 15.4 Public data and working data shared folders

When you share a data folder for working files, do the following:

• Assign the Full Control permission to the Administrators group for a central data folder so that administrators can perform maintenance.
• Share lower-level data folders below the central folder with the Change permission for the appropriate groups when you need to restrict access to those folders.

For an example, see Figure 15.4. To protect data in the Accountants folder, which is a subfolder of the Data folder, share the Accountants folder and assign the Change permission only to the Accountants group so that only members of the Accountants group can gain access to the Accountants folder.

Lesson Summary

In this lesson, you learned that you use shared application folders to centralize administration and make it easier to upgrade application software. When you use shared application folders, you should assign the Administrators group the Full Control permission for the applications folder so that members of this group can manage the application software and control user permissions. You should also remove the Full Control permission from the Everyone group and assign Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.

You also learned that you use shared data folders to provide a central location for users to store and gain access to common files. When you use data folders, create and share common data folders on a volume that is separate from the operating system and applications. Data files should be backed up frequently, and with data folders on a separate volume, you can conveniently back them up.

Lesson 3: Sharing Folders

You can share resources with others by sharing folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. After you have shared a folder, you might want to modify it. You can stop sharing it, change its share name, and change user and group permissions to gain access to it.

After this lesson, you will be able to

• Create and modify shared folders.
• Make a connection to a shared folder.

Estimated lesson time: 20 minutes

Requirements for Sharing Folders

In Windows 2000 Professional, members of the built-in Administrators and Power Users groups are able to share folders. Which groups can share folders and on which machines they can share them depends on whether it is a workgroup or a domain and the type of computer on which the shared folders reside:

• In a Windows 2000 domain, the Administrators and Server Operators groups can share folders residing on any machines in the domain. The Power Users group is a local group and can share folders residing only on the stand-alone server or computer running Windows 2000 Professional where the group is located.
• In a Windows 2000 workgroup, the Administrators and Power Users groups can share folders on the Windows 2000 Server stand-alone server or the computer running Windows 2000 Professional on which the group exists.

NOTE
If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.

Administrative Shared Folders

Windows 2000 automatically shares folders for administrative purposes. These shares are appended with a dollar sign ($), which hides the shared folder from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.

Table 15.2 describes the purpose of the administrative shared folders that Windows 2000 automatically provides.

Table 15.2 Windows 2000 Administrative Shared Folders

Share

Purpose

C$, D$, E$, and so on

The root of each volume on a hard disk is automatically shared, and the share name is the drive letter appended with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows 2000 assigns the Full Control permission to the Administrators group. Windows 2000 also automatically shares CD-ROM drives and creates the share name by appending the dollar sign to the CD-ROM drive letter.