Sharing and Security
From Proprofs
[edit section] Sharing and Security
The NTFS file system allows users to configure file and folder permissions and sharing in a way that FAT32 never offered. The configuration of said permissions is essential to the security of a Windows XP system and is therefore a crucial point of the Windows XP 70-270 examination. In this guide, we will look at NTFS permissions and file sharing.
[edit section] File Permissions in NTFS
In FAT file systems, files are open to all users to view and edit. That is, there is no built-in mechanism for protecting access to files. With NTFS, however, users must have the proper credentials in order to access files. In addition, different operations on files can require different levels of access.
Every file or folder in NTFS has something called an ACL, or Access Control List. This list determines which users have access to the file and the kind of access, or permissions, that they hold. A user who is not defined in the ACL has no access to that file. In Windows systems, users are often collected into groups. Groups can also be explicitly given permissions to a file and therefore often appear in the ACL. Common groups include “Everyone,” “Administrators,” and “Guests.”
[edit section] Permissions and Privileges
Windows XP and NTFS define some basic permissions for interacting with files. In addition, there exist “advanced” or special permissions regarding files. The basic permissions are:
- Read: User can read file and attributes
- Write: Read + modify or change file/attributes
- Read + Execute: Read + the ability to execute
- Modify: Read + Write + Execute
- Full Control: Modify + Take Ownership + Change Permissions, among other options
For folders, permissions carry similar meanings:
- Read: User can read files and attributes of files in the folder
- List Contents: User can see all files in a folder without the ability to read or change
- Write: User can read and modify files/attributes as well as create new files
- Read + Execute: Read + User can execute files in folder
- Modify: Read + Write + Execute
- Full Control: Modify + Take Ownership + Change Permissions, among other options
Permissions in Windows XP (NTFS) are dished out on an explicit “need-to-know” basis. This means that a user can only do what he is specifically allowed to do via the ACL.
[edit section] Allow and Deny
One of the features of the ACL is the ability to specifically allow or deny privileges. Allow privileges are cumulative or “add up.” This means that a user who is a member of multiple groups inherits all of the permissions that those groups obtain. For example, if John is both a member of Company Employees and a member of Accounting, he inherits all of the explicit allow permissions of Employees and Accounting. Likewise, deny permissions explicitly override allow permissions. So, consider these two scenarios:
1. Employees may read the folder Company Secrets. John is an Employee. John’s access to the folder Company Secrets is set on “Deny.” John’s effective permission (sum of all permissions, allowing or denying) is “deny” as deny permissions override allow ones.
2. Employees may read the folder Handbook. Accountants may modify or delete files in the folder Handbook. John is both an Employee and an Accountant. His effective permission is to be able to both read and modify, or simply to modify, the Handbook folder.
In addition, file permissions take precedence over folder permissions. In practice, this means that users or groups can be given access to a particular folder but restricted access to individual files in that folder. For example, John may have access to the folder Accounts but be denied access to the file Credit.doc.
Finally, remember that permissions are necessarily inherited. As a result, a member of a group receives all of the permissions that the group has. So, if Bob is a member of Team C, and Team C is a member of Sales, and Sales is a member of Governance, Bob inherits all of the permissions of Team C, Sales, and Governance.
[edit section] Changing Permissions
To change the permissions of a file right-click on the file and go to “Properties.” Click on the Security tab. If you cannot see the Security tab, disable Simple File Sharing (enabled by default on most installations of XP).
At the Security tab, you can see the ACL for that file or folder. Note that the ACL usually includes such elements as “Everyone” (every user) and specific users such as “Owner.” To add or remove members from the ACL, use the “Add” and “Remove” buttons below the ACL.
[edit section] Summary of Rules
Here are five simple rules to remember regarding the ACL and permissions in XP NTFS:
1. User must be specifically allowed to perform action
2. Allow permissions are cumulative
3. Permissions are inherited
4. Deny overrides allow
5. File permissions override folder permissions
[edit section] Sharing in Windows XP
Thanks to networking, users can share files without having to go through the cumbersome process of copying files to media. This sharing is accomplished by Windows networking in XP clients, and Microsoft has done all it could to make life for the user a bit more complicated by adding the rules of share permissions.
First, you must recognize what a share is. A share is a folder that is available to other members on the network via Windows networking. XP shares can be set to have specific permissions and even limits on the number of users if “simple file sharing” is disabled. Permissions in Windows XP file sharing apply to the share, but if the share resides on an NTFS volume, a user must also have the appropriate NTFS permissions to access the file. In practice, this means that having the correct share-level permissions does not guarantee access to a file: the effective access is the more restrictive of the share permissions and the NTFS permissions.
Share permissions are less granular than NTFS permissions and have three levels of control:
- Read: List contents of folders and read files
- Write: Read + change the contents of folders
- Full Control: Modify share permissions as well as Read + Write
Share permissions follow rules similar to NTFS permissions (allows add up, deny overrides allow). Read the NTFS rules above for a quick refresher.
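The five NTFS rules from the summary above, plus the share-and-NTFS intersection just described, as a small Python model. This is an added example, not from the original lesson; the users, groups, ACLs and the mapping of share levels onto basic rights are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

Ace = Tuple[str, str, Set[str]]  # (principal, "Allow" or "Deny", basic rights)

# Constructed group tree: group -> members (users or nested groups); rule 3.
GROUPS: Dict[str, List[str]] = {
    "Sales": ["Bob"],
    "Trusted Employees": ["Bob"],
    "Employees": ["John", "Accounting"],
    "Accounting": ["John"],
}
# The lesson's named permission levels, modelled as sets of basic rights.
LEVELS = {"Modify": {"Read", "Write", "Execute"}, "Read + Execute": {"Read", "Execute"},
          "Read": {"Read"}, "Write": {"Write"}}
# Assumed mapping of the three share levels onto the same basic rights.
SHARE = {"Read": {"Read", "Execute"}, "Write": {"Read", "Write", "Execute"},
         "Full Control": {"Read", "Write", "Execute"}}


def principals(user: str) -> Set[str]:
    """Rule 3: the user, Everyone, and every group reached via nested membership."""
    found = {user, "Everyone"}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in found and found & set(members):
                found.add(group)
                changed = True
    return found


def effective(user: str, folder_acl: List[Ace], file_acl: Optional[List[Ace]] = None) -> Set[str]:
    """Rules 1, 2, 4, 5: an explicit file ACL replaces the folder's; allows add up;
    a matching Deny removes the right; nothing is granted unless listed."""
    who = principals(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in (file_acl or folder_acl):     # rule 5
        if principal in who:
            (allowed if kind == "Allow" else denied).update(rights)  # rule 2
    return allowed - denied                                     # rules 1 and 4


def level_name(rights: Set[str]) -> str:
    """Map a right set back to the lesson's level names (or just list the rights)."""
    if not rights:
        return "No Access"
    return next((n for n, r in LEVELS.items() if r == rights), "+".join(sorted(rights)))


def over_share(user: str, share_acl: List[Ace], ntfs_acl: List[Ace]) -> Set[str]:
    """Remote access needs both: share rights intersected with NTFS rights."""
    return effective(user, share_acl) & effective(user, ntfs_acl)
```

Running `level_name(effective("Bob", [("Sales", "Allow", LEVELS["Read + Execute"]), ("Trusted Employees", "Allow", LEVELS["Write"])]))` reproduces Quick Review question 1 (Modify), and `over_share` with a share ACL granting Everyone Full Control but no NTFS entry for the user reproduces question 3 (No Access).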
[edit section] Default Shares
By default, Windows creates several administrative shares.
- Admin$: Root of system (the Windows directory); only Administrators can access
- Print$: Created when sharing printers; allows Everyone to download drivers
- [DriveLetter]$: Created when a new volume is assigned (for example, C$); only Administrators can access
The dollar sign symbol ($) at the end of the share “hides” the share from public view.
[edit section] Creating Shares
There are several methods to create shares, including:
- Right-click on a folder, go to sharing tab, and choose to share
- Using command: net share name=driveletter:filepath (for example, net share videogames=C:\Games)
- Shared folders management snap-in on the Computer Management MMC
Like the default shares, you can also create a hidden shared folder with the dollar sign ($) at the end of the share name. Such as:
C:\Documents and Settings\krisb\My Documents\MCP\70-270 answers$
Only users who know the share name can connect to it, and only if they also possess the necessary permissions; otherwise the folder remains hidden from browsing.
[edit section] Using Shares
There are also several ways to access shares, including:
- UNC Path to Share: \\Computername\Share
- Browse to the share in the Explorer interface
- Add Network Place wizard
- net use Driveletter: \\Computername\Share (for example, net use X: \\Bryan\videogames)
[edit section] Moving Forward
In the next lesson, we will move out of the file sharing and security arena and into the area of drivers and driver signing in Windows XP. We will also take a look at printer functionality. The next lesson should be a bit shorter than this mammoth, but try to remember all of the points listed in this lesson as this is arguably the most important lesson to remember for passing the 70-270 exam.
[edit section] Quick Review
1. The Accounting folder is on a Windows XP NTFS file system. Bob is a member of Sales. Bob is also a member of Trusted Employees. The Sales group is allowed to read and execute the Accounting folder and the Trusted Employees group is allowed to write to the Accounting folder. What are Bob’s effective permissions?
a. Read the Accounting folder
b. Write the Accounting folder
c. Read + Execute the Accounting folder
d. Modify the Accounting folder
e. Full Control of the Accounting folder
2. Which of the following commands will create a shared folder named “Betsy” that points to the file path “C:\MyFiles\Betsy” and is accessible via Windows file sharing?
a. net use C:\MyFiles\Betsy \\Betsy
b. net use D: \\MyFiles\Betsy
c. net share Betsy=\\MyFiles\Betsy
d. net share C: Betsy=\MyFiles\Betsy
e. net share Betsy=C:\MyFiles\Betsy
3. A user tries to access a shared folder over a Windows network. He complains that he is denied access to even read the folder. The folder is located on an NTFS volume. However, an administrator notes that the folder’s share permissions allow the user full control over the folder. What is the best remedy for this problem?
a. Reinstall Windows on the user’s computer as it has faulty Windows browser service files
b. Un-share and re-share the folder, giving the user only the permissions he needs
c. Correct the user’s NTFS permissions for the folder to allow him the appropriate level of access
d. Change the folder’s share permissions to allow “Everyone” full control
e. Reformat the partition that the folder lies on as it is corrupt
[edit section] Answers
1. Allow permissions are cumulative; since Bob is a member of both Sales and Trusted Employees, he inherits the permissions of both groups. Combined, these permissions are Write + Read + Execute. The permission level that corresponds to Read + Write + Execute is “Modify.” The answer is D.
2. The correct command to share a network resource is net share. The proper syntax for this command is: net share name=driveletter:filepath. The answer is E.
3. Simply because the user is given full control at the share level does not mean that the user has access to the folder. Because of the NTFS permissions, the user is denied access to that folder. Therefore, the only solution is to correct the NTFS permissions on the folder so they are less restrictive for the user. The answer is C.