Managing Shared Resources and Resource Security

Security on a network running Microsoft Windows NT Server begins with passwords for user accounts and is extended by the rights and permissions granted to users to interact with network resources. The following topics are discussed in this chapter:

·   Sharing network resources such as directories, files (including program files), printers, and the ClipBook Viewer

·   Securing shared network resources

·   Directory replication, in which directories shared with multiple users are stored on several computers to speed file access

·   Resource monitoring and protection features, including precautions that protect resources from virus and Trojan horse programs

 

 

 

CONCEPTS AND PLANNING

Chapter 4  Managing Shared Resources and Resource Security »Page 100

Sharing Network Resources

Windows NT Server enables you to designate resources you want to share with others. For example, when a directory is shared, authorized users can make connections to the directory (and access its files) from their own workstations. And when a printer is shared, many users can print from it over the network.

Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Windows NT Server, you create the appropriate level of network resource security with a combination of resource sharing and resource permissions.

 

 


Differences Between NTFS and FAT Volume Security

Windows NT Server provides superior performance, reliability, and security for file sharing, especially if you use the Windows NT file system (NTFS). With NTFS, you can use permissions to protect individual files, and you can apply this protection for access locally (at the workstation or server where the file is stored) as well as for access over the network.

 

 


NTFS File and Directory Permissions

On NTFS volumes, you can set file permissions on files and directory permissions on directories that specify which groups and users have access and what level of access is permitted. NTFS file and directory permissions apply both to users working at the computer where the file is stored and to users accessing the file over the network when the file is in a shared directory.

Share permissions for NTFS volumes work in combination with file and directory permissions. When a directory is shared, these permissions, set through the shared directory, allow users to connect to the share. Using the default permissions (Full Control) for NTFS shared directories, you can manage the security of the files using directory and file permissions.

 

Note  Using Full Control permission for Everyone for all NTFS shared directories is the easiest way to manage NTFS file security. You can apply directory and file permissions, and allow share access to Everyone through share permissions.

 

 

 


FAT Share Permissions

With volumes that have the file allocation table (FAT) file system, you can protect files only at the directory level, only over the network, and only if the directory is shared. Once a directory is shared, you can protect it by specifying one set of share permissions that applies to the share point, and thus to users who connect to the shared directory over the network. Share permissions are significantly less versatile than the file and directory permissions used for NTFS volumes. File-level protection is not available for FAT volumes.

For information about setting share permissions see “Setting Permissions on Shared Directories,” later in this chapter.


File and Directory Compression on NTFS Partitions

Files on NTFS volumes (but not FAT volumes) can be compressed and uncompressed using Windows NT Explorer or the command-line utility compact. In the Explorer, right-click any directory or file and click Properties to compress or uncompress:

·   You can compress one file or all files in a directory. Compressing a directory ensures that new files created in the directory are automatically compressed. Uncompressing a directory ensures that new files created in the directory are created uncompressed.

·   When you copy or move a file into a directory or subdirectory within an NTFS volume (or from one NTFS volume to another), the file inherits the compression state of the destination directory.

·   When you move a file into a directory or subdirectory within an NTFS volume, the file retains its compression state, regardless of the compression setting of the destination directory.

·   When you move a file from one NTFS volume to another, the file inherits the compression state of the destination directory.

·   When you compress or uncompress a directory, the Explorer prompts you to indicate whether to compress or uncompress existing subdirectories in the selected directory. Existing subdirectories in compressed or uncompressed directories retain their compression state unless you change it.

·   You can choose to highlight compressed files and directories in an alternate color by clicking Options on the View menu.

·   Other file operations can be performed during compression and uncompression.

 

For information about how to compress and uncompress files, folders, and volumes, see “To compress a file on an NTFS volume” and “Compressing an NTFS volume” in Windows NT Help.

 

 


Sharing Resources With Network Users

The only way to make a file accessible over the network is to share its directory.

When you share a directory on the server, users can theoretically gain access to that directory, the files in it, all subdirectories of that directory and their contents, and all subdirectories of those subdirectories and their contents, and so on. Every point on the directory tree below the shared directory can be available to network users.

However, if the shared directory is in an NTFS volume, you can use directory permissions to effectively block access to some directories in a shared directory tree. A shared directory is often referred to simply as a share. For example, in the preceding figure, you could share the Applications directory but set permissions that restrict access to the dBASE® directory.

When you share a directory, you give it a share name, by which network users refer to it. (A share name can be the same as the actual directory name, but it does not have to be.)

 

Note  Windows NT Server, Windows NT Workstation, and Windows 95 users can see share names by double-clicking the names of computers on the network in Network Neighborhood. MS-DOS users can use the net view command to see share names. Windows for Workgroups users see share names in File Manager when they connect to a network drive.

 

You can share multiple directories on a directory tree, thereby making them accessible to users in two ways: as a directory that is actually shared and as a subdirectory of another shared directory.

 

 


Connecting to Shared Directories

There are several ways to connect to shared directories. In Windows NT Server, Windows NT Workstation, and Windows 95, you can use the Find command on the Start menu to connect to any computer or shared directory on the network, or double-click a computer in Network Neighborhood.

To assign a drive letter in My Computer for a particular share, use the Map Network Drive command on the Tools menu in the Explorer. Type the server name and share name into the Path box using the form \\servername\sharename. For Drive you can use the next letter available, or select a letter from the drop-down list.

For example, to connect to the shared directory Applications on the server named Dept35, type \\Dept35\Applications in the Path box.

In the Explorer and My Computer, the mapped drive appears in the window as

Applications on ‘Dept35’ (F:)

 

The share appears as a drive on your computer, and the contents of the shared directory can be viewed as if they were on your computer. You can have the connection re-established each time you log on, or clear the Reconnect at Logon check box to automatically disconnect when you log off.

 

Note  In addition to uniform naming convention (UNC) names such as the names of network servers, domain name system (DNS) names can be used in the Map Network Drive dialog box. DNS names use periods to separate each part of the name; for example, \\accounting.trey.com.\public. For more information about DNS names, see TCP/IP online Help.

 

If you want to connect to a shared directory using a different user account, use the Connect As box to type the user name for that account. If the account is in a different domain, type the domain name followed by a backslash and then the user name; for example, projects\patc.

For MS-DOS computers with LAN Manager client software (but without Windows), use the net use command to make network connections:

net use f: \\dept35\applications

 

In the following diagram, the server on the left represents Dept35, and the Applications directory is the share.

For information about how to map a connection to a network drive, see “To assign (map) a drive letter to a shared network resource” in Windows NT Help.

 

 


Considerations for MS-DOS Users

·   If a share will be accessed by users of MS-DOS (including users of Windows for Workgroups), follow the MS-DOS 8.3 naming convention for the share name. (The name can have up to eight characters, optionally followed by a period and up to three more characters.) MS-DOS computer users will be unable to access shares with share names that do not follow this convention.

·   If a share will be accessed only by Windows NT Workstation or Windows NT Server users, the share name can include up to 80 characters.

·   On NTFS and FAT volumes, files and directories can have share names of up to 255 characters. And to ensure access by MS-DOS users, Windows NT Server and Windows NT Workstation provide name mapping: Each file or directory with a name that does not conform to the MS-DOS 8.3 standard is automatically given a second name that does. MS-DOS users connecting to the file or directory over the network see the name in the 8.3 format; Windows NT Workstation and Windows NT Server users see the long name. However, Windows NT Workstation and Windows NT Server do not generate short names for share names that do not conform to MS-DOS naming standards, only for files and directories with long names. When naming a share, use the 8.3 standard.

·   Windows NT Server name mapping also allows applications that do not support long file names to access files with such names. These applications refer to files that have long names by their shorter names.

 

 

Note  If an application that does not support long file names opens a file with a long name and then saves the file, the long name is lost, and only the short name remains.

 

Windows NT Server uses the following rules to convert a long name into a short name:

·   Spaces are removed.

·   Characters not allowed in MS-DOS names are changed to underscores (_).

·   The name is truncated to its first six remaining characters (or all the characters before the first period in the long name, if the first period is in the first six characters). A tilde and a digit are then added to these six characters. The digit for the first short name created for a set of six characters is 1. If more names using these six characters are created, the next short name uses a 2 instead of a 1, and so on up to ~4. If a fifth name is created, then the last 4 characters are replaced by a set of random characters, and ~1. The random characters change to create any successive names.

·   If the long name has any periods followed by another character, the last of those periods and the first three characters following that period are used as the file name extension of the short name. For example, VERY.IMPORTANT.MEMOS is shortened to VERYIM~1.MEM.

 

If you are using Windows NT Server in an environment where long file names are not always supported, you might want to continue using MS-DOS conventions for the first six characters of names and use periods only to separate the name from the extension. For example, you could name a file AUGSAL~August 1996 Sales Report.XLS. Then the short name would be AUGSAL~1.XLS.
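The conversion rules above, written out as an added example (not part of the original chapter and not Windows NT's own code). The set of characters treated as valid in MS-DOS names, the hex digits used for the random characters, and all function names are assumptions of this example; periods inside the base are dropped, as the VERY.IMPORTANT.MEMOS example implies.

```python
import random
import string

# Characters MS-DOS accepts in 8.3 names besides letters and digits (assumed set).
DOS_EXTRA = "!#$%&'()-@^_`{}~"
DOS_VALID = set(string.ascii_uppercase + string.digits + DOS_EXTRA)


def dos_clean(text):
    """Remove spaces, upper-case, and turn characters MS-DOS rejects into '_'."""
    chars = (ch.upper() for ch in text if ch != " ")
    return "".join(ch if ch in DOS_VALID else "_" for ch in chars)


def is_8dot3(name):
    """True if name already fits 8.3: up to 8 characters, optional '.' plus up to 3."""
    base, dot, ext = name.partition(".")
    if "." in ext or (dot and not ext):
        return False
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        return False
    return dos_clean(base + ext) == (base + ext).upper()


def split_long_name(long_name):
    """Return (base, extension) of the short name before truncation and numbering."""
    name = long_name.replace(" ", "")
    # The extension starts at the last period that is followed by another character.
    cut = max((i for i, ch in enumerate(name[:-1]) if ch == "."), default=-1)
    if cut == -1:
        return dos_clean(name.replace(".", "")), ""
    # Assumption: earlier periods are dropped from the base, as the page's
    # VERY.IMPORTANT.MEMOS -> VERYIM~1.MEM example implies.
    base = dos_clean(name[:cut].replace(".", ""))
    ext = dos_clean(name[cut + 1:].replace(".", ""))[:3]
    return base, ext


def short_name(long_name, existing=(), rng=None):
    """Short (8.3) alias for long_name, avoiding aliases already in `existing`."""
    if is_8dot3(long_name):
        return long_name.upper()  # already conforms: no second name is needed
    taken = {n.upper() for n in existing}
    base, ext = split_long_name(long_name)
    stem = base[:6]
    suffix = "." + ext if ext else ""
    for digit in "1234":  # ~1 through ~4 for the first four names
        candidate = f"{stem}~{digit}{suffix}"
        if candidate not in taken:
            return candidate
    # Fifth and later names: keep two characters, replace the last four of the
    # six with random characters, and restart at ~1.
    rng = rng or random.Random()
    while True:
        filler = "".join(rng.choice("0123456789ABCDEF") for _ in range(4))
        candidate = f"{stem[:2]}{filler}~1{suffix}"
        if candidate not in taken:
            return candidate


if __name__ == "__main__":
    # The two long names used as examples in this chapter.
    for long_name in ("VERY.IMPORTANT.MEMOS", "AUGSAL~August 1996 Sales Report.XLS"):
        print(long_name, "->", short_name(long_name))
```

The same `is_8dot3` check can be applied to a proposed share name, since share names get no automatic short form.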

Although a range of characters can appear in file names, the command prompt is limited to the characters available in the OEM code page you installed when you set up Windows NT Server or Windows NT Workstation. If you plan to work with files at the command prompt, use alphanumeric characters in file names and avoid using characters that do not map to the OEM code pages (such as the bullet character).

 

Caution  Disk tools, such as Scan Disk, and file maintenance tools that are not designed to use long file names should not be used on volumes containing Windows NT Workstation or Windows NT Server versions 3.51 or 4.0 files. The tools can corrupt long file names, which can lead to data loss. Do not modify long file names (or any Windows NT system files) when using another operating system.

 

 

 


Sharing Directories

Where and how you share directories depends on how you are logged on:

·   If you are logged on as a member of the Administrators or Power Users local group to a computer running Windows NT Server as a member server or a computer running Windows NT Workstation, you can share directories on the local computer.

·   If you are logged on to a domain controller as a member of the Administrators or Server Operators local group, you can share directories on the domain.

·   If you are logged on to a domain account as a member of the domain Administrators or Server Operators local group, you can share directories remotely using Server Manager.

 

If you are sharing a directory on your local computer, you can select the folder for the directory in Windows Explorer and click Properties on the File menu. Use the Sharing tab in the folder’s Properties dialog box to share the directory and set permissions.

For information about how to share a directory, see “To share a directory with other people” in Windows NT Help.

You can also use Server Manager to view a computer’s shares, add new shares, and stop sharing directories. Server Manager also allows you to monitor and control the use of shared files.

For information about how to share directories using Server Manager, see “Sharing a Directory”, “Viewing Shared Resources”, and “Stopping Directory Sharing” in Server Manager Help.

Windows NT Server automatically creates special shares for administrative and system use. Depending on the configuration of the computer being administered, some or all of the following special shares can appear in this list. Usually, you should not remove or modify these special shares.

Share name    Represents

driveletter$    The root directory of a storage device on the computer. For example, C$ is a share name by which the root directory of drive C can be accessed over the network. Only members of the Administrators, Backup Operators, and Server Operators groups can connect to these shares.

ADMIN$    A resource used by the system during remote administration of a computer. The path of this resource is always the Windows NT system root (the directory in which Windows NT was installed, for example, C:\WINNT). Only members of the Administrators, Backup Operators, and Server Operators groups can connect to this share.

IPC$    A resource sharing the named pipes that are essential for communication between programs. Used during remote administration of a computer and when viewing a computer’s shared resources.

NETLOGON    A resource used by the Net Logon service on domain controllers for processing domain logon requests. This resource is provided only for Windows NT Server, not for Windows NT Workstation.

PRINT$    A resource that supports shared printers.

REPL$    A resource created by the system when a Windows NT Server computer is configured as a replication export server. Required for export replication.

 

For information about how to view shared resources, see “Viewing Shared Resources” in Server Manager Help.

 

 


Changing Share Properties

To change properties on a share, you must be logged on as a member of the Administrators or Server Operators group for domain controllers, or Administrators or Power Users for workstations and member servers. Members of the Administrators group can change share properties on administrative shares as well (for example, ADMIN$).

In Server Manager you can select a shared directory and make changes to its properties. Use the Share Properties dialog box to change the directory path, add a comment, or change the number of users allowed to connect to the share at one time. Click Permissions to see the users and groups who have permission to use the share and to change permissions.

 

Tip  For NTFS volumes, use directory and file permissions for controlling security both locally and over the network, and allow Full Control access to Everyone on the share.

 

For information about how to manage share permissions, see “To set, view, change, or remove permissions through a shared directory” in Windows NT Help.

 

 


Stopping Directory Sharing

When you stop sharing a directory, it is no longer available over the network. To stop sharing a directory, you must be logged on as a member of the Administrators or Server Operators group.

The Shared Directory dialog box displays shared directories you have created, as well as shared directories created by the system. In general, you should not stop sharing directories created by the system (those shares that display “$,” such as C$ or PRINT$). Administrative shares that are deleted are re-created automatically the next time the Server service is started.

 

Caution  If you decide to stop sharing a directory while users are connected, users can lose data.

 

Use Server Manager or the Explorer to stop sharing a directory.

 

 


Sharing ClipBook Pages

ClipBook Viewer enables you to share information among different applications and users and to dynamically link and embed that information into other files and documents on the same computer or on other Windows NT computers. For more information about ClipBook Viewer and object linking and embedding (OLE), see the Windows NT Server Resource Kit.

When a piece of information is transferred to ClipBook Viewer, it takes the format of a page. ClipBook Viewer can hold up to 127 pages, which can be shared with other users. The user who creates a page can set permissions specifying whether other users can use the page.

To create, share, stop sharing, and delete a ClipBook Viewer page, a user must be in one of the following groups:

·   Administrators

·   Server Operators

·   Power Users

·   Users

 

In addition, the special group Everyone can use ClipBook Viewer to see a list of pages shared on the computer.

 

 


Sharing Printers

Printers can be shared by the following users:

·   Users logged on to a computer running Windows NT Workstation or a member server running Windows NT Workstation as a member of the Administrators or Power Users local group.

·   Users logged on to a domain controller as a member of the Administrators, Server Operators, or Print Operators local group.

·   Users logged on to a domain account as a member of the domain Administrators local group.

 

After a printer has been added, it can be shared using the Sharing tab in the Printer Properties dialog box. Click Printers in the Settings group on the Start menu to add printers, share printers, install printer drivers, configure printer ports, set printer properties, and set permissions.

For information about setting up and sharing printers, and about printer permissions, see Chapter 5, “Setting Up Print Servers.”

For information about how to manage printer sharing, see “To set up a new printer”, “To share your printer with other people”, “To use a shared network printer”, and “To stop sharing your printer” in Windows NT Help.


Sharing Windows NT Server Resources With Other Network Computers

Computers running different operating systems that interact with other networks or with workgroups can share files and printers with Windows NT Server network computers:

·   Domain computers running Windows for Workgroups can use and share directories and printers on a Windows NT Server network.

·   LAN Manager 2.x servers and clients can use and share directories and printers on a Windows NT Server network.

·   Windows 95 computers running Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks can use and share directories and printers on a Windows NT Server network.

·   Apple Macintosh clients running Services for Macintosh can use files and printers on Windows NT Server and Windows NT Workstation computers.

·   For Novell NetWare clients, File and Print Services for NetWare enables a Windows NT Server computer to function as a NetWare 3.12-compatible file and print server.

·   With the Client Service for NetWare in Windows NT Workstation and the Gateway Service for NetWare in Windows NT Server, users can access file and print resources on servers running NetWare 2.x through 4.x.

 

For information about integrating other computers with Windows NT Server, see Chapter 1, “Managing Windows NT Server Domains,” and the Windows NT Server Networking Supplement.

 

 


Securing Resources

For NTFS volumes, you can use Windows NT Explorer to set permissions on directories and files on computers running Windows NT Server. Permissions set on the directories and files themselves apply both to users working at the computer itself and, if the directory is shared, to users accessing these files over the network.

You can set file permissions to a fine degree of granularity. For example, you can set different permissions for each file in a directory. You can set many types of permissions, as well. You can let one user read the contents of a file and change it, let another user only read the file, and prevent all other users from any access to the file.

 

Note  This type of access restriction is not available for files on FAT volumes, which are always readable and changeable by users working at the computer itself. However, you can protect shared directories on FAT volumes by specifying one set of permissions that apply to users for all files and subdirectories of the shared directory. These permissions are called share permissions.

 

Similar types of permissions can be set on shared printers managed by Windows NT Server computers. For information about setting printer permissions, see “Setting Permissions on Network Printers” later in this chapter.

 

 


How NTFS Permissions Work

Before sharing a directory on an NTFS volume, set individual permissions on the directory and its files and subdirectories. Each permission specifies the access that a group or user can have to the directory or file.

Windows NT Server offers a set of standard permissions for NTFS directories and files. The standard permissions are combinations of specific types of access, which are called individual permissions. The individual permissions and their abbreviations are:

Read (R)

Write (W)

Execute (X)

Delete (D)

Change Permissions (P)

Take Ownership (O)

 

Standard permissions and their meanings for directories and files are shown in the following tables, along with the individual permissions they represent. In the first column of the first table (for directory permissions), the first set of parentheses following the standard permission indicates the individual permissions for the directory itself. The second set of parentheses indicates the individual permissions that apply for new files subsequently created in the directory.

Standard Permissions for NTFS Directories and Files

Permissions    Meaning

Directory:

No Access (None) (None)    User cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory.

List (RX) (Not Specified)    User can list only the files and subdirectories in this directory and change to a subdirectory of this directory. User cannot access new files created in this directory.

Read (RX) (RX)    User can read the contents of files in this directory and run applications in the directory.

Add (WX) (Not Specified)    User can add files to the directory but cannot view the contents of the directory.

Add & Read (RWX) (RX)    User can add files to the directory and read current files but cannot change files.

Change (RWXD) (RWXD)    User can read and add files and change the contents of current files.

Full Control (All) (All)    User can read and change files, add new ones, change permissions for the directory and its files, and take ownership of the directory and its files.

File:

No Access    User cannot access the file in any way, even if the user is a member of a group that has been granted access to the file.

Read (RX)    User can read the contents of the file and run it if it is an application.

Change (RWXD)    User can read, modify, and delete the file.

Full Control (All)    User can read, modify, delete, set permissions for, and take ownership of the file.

 

When you set a standard permission, the abbreviations for the individual permissions appear beside the standard permission. For example, when you set the standard permission Read on a file, the abbreviation RX appears beside it.

In addition to setting standard permissions, you can set special access permissions. Special access permissions allow you to define a custom set of individual permissions for directories and files. For information about special access permissions, see “Setting Customized ‘Special Access’ Permissions,” later in this chapter.

To work with NTFS security effectively, keep the following rules in mind:

·   Users can use a directory or file only if they have been granted permission to do so or if they belong to a group that has permission to do so.

·   Permissions are cumulative, but the No Access permission overrides all others. For example, if the coworkers group has Change permission for a file, and the finance group has only Read permission and John is a member of both groups, John will be granted Change permission. However, if the finance group’s permission for the file is changed to No Access, John will be unable to use the file, despite his membership in the coworkers group.

·   When you create files and subdirectories in a directory, they inherit permissions from the directory. For example, if you add a file to a directory that allows the coworkers group Change permission and the finance group Read permission, those same permissions apply to the file.

·   The user who creates a file or directory is the owner of that file or directory. The owner can always control access to the file or directory by changing the permissions set on it. Users who are members of the Administrators group can always take ownership of a file or directory.

·   File permissions always override directory permissions.

·   The easiest way to administer security is by setting permissions for groups rather than individual users. Typically, a user needs access to many files. If the user is a member of a group that has access to the files, you can end the user’s access by removing the user from the group rather than changing the permissions on each of the files. Setting permissions for an individual user does not override the access granted to the user through groups to which the user belongs.

 

 

 


Taking Ownership of NTFS Files and Directories

Every file and directory on an NTFS volume has an owner. The owner controls how permissions are set on the file or directory and can grant permissions to others.

When a file or directory is created, the person creating the file or directory automatically becomes its owner. It is expected that administrators will create most files on network servers, such as when they install applications on the server. Therefore, most files on a server will be owned by administrators, except for data files created by users and files in users’ home directories.

Ownership can be transferred in the following two ways:

·   The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership at any time.

·   An administrator can take ownership of any file on the computer. For example, if an employee leaves the company suddenly, the administrator can take control of the employee’s files.

 

Note  Although an administrator can take ownership, the administrator cannot transfer ownership to others. This restriction keeps the administrator accountable.

 

For more information, see “To take ownership of files or directories” in Windows NT Help.

 

 


Setting Permissions on NTFS Volumes

When you set permissions on directories and files on a server running Windows NT Server, you control directory and file access by:

·   Local groups, global groups, and individual users in the domain containing the server

·   Global groups and individual users in domains that this domain trusts

·   The special identities Everyone, System, Network, Interactive, and Creator Owner

 

You can grant permissions to the built-in local groups (such as Administrators and Domain Users) and to any groups you create in the domain.

 

Special Identities

Everyone represents all current and future users of the network, including guests and users from other domains. You can assign Everyone permissions for both directories and files.

System represents the operating system of the local computer. System is initially granted permissions for several system directories when Windows NT is installed, and you should not revoke these permissions. You usually do not have to grant permissions to System for any file or directories you create, unless a system service needs to access them.

Network represents all current and future users accessing this file or directory over the network. Interactive is the opposite: it represents any user who accesses the file or directory while working at the server itself. For example, while CristalW accesses a file over the network (while working at her own workstation), she has any permissions assigned to Network, but not those assigned to Interactive. If CristalW moves to the server and accesses the file from there, she then has permissions assigned to Interactive but not those assigned to Network.

You can set Creator Owner permissions only on directories. Creator Owner represents users who subsequently create files and directories in the current directory. If you set Creator Owner permissions on a directory, anyone who creates a file or subdirectory there is automatically granted the permissions you gave to Creator Owner for that file or subdirectory.

 

 

 


Default Directory Permissions

When a new subdirectory or file is created on an NTFS volume, you can set permissions on it. If you do not set permissions, the new subdirectory or file inherits the permissions of the directory containing it. The following tables list the permissions set by default on directories on both Windows NT Server and Windows NT Workstation.

Default Directory Permissions on Windows NT Server

Default Directory Permissions on Windows NT Server (continued)

Default Directory Permissions on Windows NT Workstation

Default Directory Permissions on Windows NT Workstation (continued)

In addition to these permissions, the special identity System (representing the operating system) has Full Control permission for all these directories.

 

Caution  Do not revoke the default permissions on these directories. If you do, parts of the operating system might not work.

 

 

 


Setting Permissions on NTFS Directories

When you set directory permissions, you set permissions on not only the directory but, by default, on all the files and subdirectories in the directory.

 

Note  To change permissions on the directory, you must be the owner of the directory or have been granted permission to do so by the owner.

 

New files and new subdirectories inherit the permissions of the directory that contains them. The Directory Permissions dialog box shows these inherited permissions. The Name box shows the groups and users for whom permissions have been set. (If you have selected multiple directories, permissions are shown only if they are the same for all directories.) You can change permissions, add a group or user to the list, or remove a group or user from the list.

When you set a standard permission, two sets of individual permissions are displayed next to it: the permissions set on the directory and the permissions set on files in the directory. For example, when you set Add & Read permission on a directory, you see (RWX), signifying Read, Write, and Execute permissions on the directory, and (RX), signifying Read and Execute permissions on files in the directory.

Some directory permissions set file permissions to Not Specified. When file access for a user or group is not specified, that group or user cannot use files in the directory unless access is granted by another means (for example, by permissions set on individual files).

The following table shows permissions for directories and the actions on directories available to users for each permission.

Note  Groups or users granted Full Control permission on a directory can delete files in that directory no matter what permissions protect the files.

 

The following table shows permissions for directories and the actions on files available to users for each permission.

Controlling Subdirectory Permissions

When a group or user is granted permissions through the Creator Owner identity, directory permissions are not passed on to subdirectories.

When you are setting permissions on an NTFS directory, you can use the Creator Owner special group to allow users to control only the subdirectories and files that they create within the directory. Permissions set for Creator Owner are transferred to the user who creates a directory or file within the directory.

For example, if you give Add & Read permission to Everyone on the directory, and Change permission to Creator Owner, when one user adds files to the directory, the user can change and delete the files, while other users can only read them. Permissions that are not inherited by subdirectories are marked with an asterisk.

For information about how to manage directory permissions, see “To set, view, change, or remove directory permissions” in Windows NT Help.

 

 


Setting Permissions on NTFS Files

The File Permissions dialog box shows the permissions the file inherited. The Name box shows the groups and users for whom permissions have been set on the file. (If you have selected multiple files, permissions are shown only if they are the same for all files.) You can change permissions set for the listed groups and users, add a group or user to the list, or remove a group or user from the list.

 

Note  To change permissions on the file, you must be the owner of the file or have been granted permission to do so by the owner.

 

The following table shows permissions for files and the actions available to users for each permission.

 

 


Strategies for Using NTFS File Permissions

·   Grant permissions to groups, not individual users.

·   Create local groups and assign permissions to them, rather than assigning permissions directly to global groups.

For more information about the strategies of using groups and users, see Chapter 2, “Working With User and Group Accounts.”

·   When you create and share a file or directory on a server, grant Full Control to the Administrators local group. This ensures that all administrators of that domain can change permissions for and otherwise administer the file or directory in the future.

Example for Setting Up File Permissions

Suppose you need to set file permissions on a server used by a small department. The file server includes an applications directory, home directories for each of the department’s users, a public directory where users can share files, and a drop directory where users can file confidential reports that only the group manager can read.

In the applications directory, make all executable programs read-only to all users, to prevent viruses and Trojan horses. You can also grant the individual Change Permissions (P) permission to members of the Administrators group, so that administrators can give themselves Write permission when it is time to update an application. Giving members of the Administrators group the Write permission initially provides less virus protection than giving them the Change Permissions permission and forcing them to change permissions before updating the application.

If none of your applications need to write any files (such as initialization setting files) in their own directories, you should also make all the directories containing applications read-only.

For the home directories, give each user Full Control over his or her own directory, and do not give anyone permissions for any other directory.

For the public directory, you can give all users Change permission, which lets them read and write to the directory. Change is more appropriate than Full Control because Full Control also allows users to set permissions for the public directory and take ownership of it.

To create a drop directory, just grant Users or Everyone the Add permission for the directory, and give the Change permission to the manager who is to read the files in the directory.

Give access to WINNT directory files or subdirectories only to Administrators or Server Operators.
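The rules this chapter gives for cumulative group permissions, Creator Owner, Network versus Interactive, and the drop directory can be checked with a small model. This is an added example, not code from Windows NT or from this guide; the users OtherUser and ManagerM and the group Sales are hypothetical, and the rights listed for standard permissions other than Add & Read are the NT 4.0 definitions rather than values quoted from this page.

```python
"""Added model of NT 4.0 NTFS permission evaluation (not Microsoft code)."""

ORDER = "RWXDPO"  # Read, Write, Execute, Delete, Change Permissions, Take Ownership
NO_ACCESS = "No Access"

# Standard directory permission -> (rights on the directory, rights on files).
# None is "Not Specified": the entry grants nothing on files in the directory.
STANDARD = {
    "List":         ("RX", None),
    "Read":         ("RX", "RX"),
    "Add":          ("WX", None),
    "Add & Read":   ("RWX", "RX"),
    "Change":       ("RWXD", "RWXD"),
    "Full Control": (ORDER, ORDER),
}


def new_file_acl(dir_acl, creator):
    """ACL a file receives when `creator` creates it in the directory.
    Ownership (the creator also becomes the file's owner) is not modelled."""
    file_acl = {}
    for identity, permission in dir_acl.items():
        if permission == NO_ACCESS:
            file_acl[identity] = NO_ACCESS
            continue
        file_rights = STANDARD[permission][1]
        if file_rights is None:            # Not Specified: nothing to inherit
            continue
        # Creator Owner is a placeholder that resolves to the creating user.
        target = creator if identity == "Creator Owner" else identity
        if file_acl.get(target) != NO_ACCESS:
            file_acl[target] = set(file_acl.get(target, ())) | set(file_rights)
    return file_acl


def effective(acl, user, groups=(), via="Network"):
    """Rights `user` holds on an object: the union of every matching entry,
    unless any matching entry is No Access. `via` is Network or Interactive."""
    identities = {user, "Everyone", via, *groups}
    matched = [acl[i] for i in identities if i in acl]
    if NO_ACCESS in matched:
        return ""
    held = set().union(*matched)
    return "".join(r for r in ORDER if r in held)


def scenarios():
    """Constructed cases; each key maps to the rights string that results."""
    out = {}
    # 1. Everyone has Add & Read, Creator Owner has Change.
    public = {"Everyone": "Add & Read", "Creator Owner": "Change"}
    report = new_file_acl(public, "CristalW")
    out["creator"] = effective(report, "CristalW")
    out["other"] = effective(report, "OtherUser")
    # 2. Drop directory: Add leaves file access Not Specified, so a submitter
    #    cannot read a report back, while the manager can.
    drop = {"Everyone": "Add", "ManagerM": "Change"}
    filed = new_file_acl(drop, "CristalW")
    out["drop_submitter"] = effective(filed, "CristalW")
    out["drop_manager"] = effective(filed, "ManagerM")
    # 3. The same user gets different rights over the network and at the server.
    f = {"Network": "RX", "Interactive": "RWXD"}
    out["over_network"] = effective(f, "CristalW", via="Network")
    out["at_server"] = effective(f, "CristalW", via="Interactive")
    # 4. A narrower individual entry does not cut access granted through a
    #    group; removing the user from the group does.
    g = {"Sales": "RWXD", "CristalW": "RX"}
    out["in_group"] = effective(g, "CristalW", groups=["Sales"])
    out["removed_from_group"] = effective(g, "CristalW")
    return out


if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name:20} {rights or '(none)'}")
```
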

 


Setting Customized “Special Access” Permissions

In general, the standard directory and file permissions are all you need to secure your directories and files. However, if you use NTFS and need to create a custom set of permissions, you can use special access permissions. You can set special access permissions on directories, on all the files in selected directories, or on selected files. (Special access permissions on a directory affect the directory only.)

The following table shows special access permissions for directories and the actions available to users for each directory permission.

The following table shows special access permissions for files and the actions available to users for each permission.

For information about setting special access permissions, see “To set special access permissions” in Windows NT Help.

 

 


Setting Permissions on Shared Directories

Permissions set on shared directories are called share permissions, and they determine who can use shared directories over the network, and in what manner.

On NTFS volumes, you can set permissions on directories and files, and these permissions apply to users accessing the files at the server. When the NTFS directory is shared, these same file and directory permissions apply to users accessing the shared directory over the network. Therefore, share permissions are not critical to security of NTFS directories.

Directories on FAT volumes, however, cannot be protected from access by users working at the computer itself; they can be protected by permissions only after they are shared, and the permissions affect only access over the network. For FAT volumes, share permissions provide the only way to limit access to network files. You can specify one set of share permissions on a shared directory that applies to users for all files and subdirectories of the shared directory.

The method for setting share permissions is the same for NTFS and FAT file types. Use the Sharing tab in the directory property sheet to set permissions on the shared directory. When you share a directory, you can grant each group and user one of four types of permissions for the share and all of its subdirectories and files: Full Control, Change, Read, or No Access.

To secure shared directories effectively, keep the following in mind:

·   To work with shared directory permissions, you must be logged on as a member of the Administrators or Server Operators group.

·   The default permissions set on a newly created share are Full Control for Everyone.

·   Permissions set through a shared directory are effective only when the directory is reached over the network.

·   Permissions set through a shared directory apply to all files and subdirectories in the shared directory.

·   Permissions set through a shared directory in an NTFS volume operate in addition to NTFS permissions set on the directory itself.

 

The following table shows the permissions for files and directories granted through a shared directory and the actions available to users for each permission:

Use the Access Through Share Permissions dialog box to change permissions for the listed groups and users and to modify the permissions list.

For information about how to manage share permissions, see “To set, view, change, or remove permissions through a shared directory” in Windows NT Help.

 

 


Share Permissions for NTFS Volumes

Share permissions on directories in NTFS volumes work with the permissions you set on an individual directory and its files, but they affect only the permissions a user has when accessing a directory over the network.

Because NTFS volumes allow individual directory and file permissions, you can control these permissions best at these levels. If you use share permissions, you can use the default shared directory access of Full Control for Everyone, and use directory and file permissions to control access.
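The difference between FAT and NTFS shares described above can be turned into a review of a server's share list. This is an added example, not part of the original guide or of Windows NT; the share names and ACLs are constructed sample data, and the model assumes that on NTFS both the share check and the file-system check must pass, so the more restrictive level applies.

```python
"""Added audit sketch for NT shared-directory permissions (not Microsoft code)."""

LEVELS = ["No Access", "Read", "Change", "Full Control"]   # weakest to strongest
DEFAULT_SHARE_ACL = {"Everyone": "Full Control"}           # default on a new share


def granted(acl, identities):
    """Level one ACL gives a user: the strongest matching entry, unless a
    matching entry is No Access. No matching entry also means no access."""
    matched = [acl[i] for i in identities if i in acl]
    if not matched or "No Access" in matched:
        return "No Access"
    return max(matched, key=LEVELS.index)


def access(share, identities, over_network):
    """Effective level on a shared directory for one access path."""
    on_ntfs = share["filesystem"] == "NTFS"
    if not over_network:
        # Share permissions never apply at the computer itself, and FAT has
        # no file or directory permissions to fall back on.
        return granted(share["file_acl"], identities) if on_ntfs else "Full Control"
    via_share = granted(share["share_acl"], identities)
    if not on_ntfs:
        return via_share                 # the share ACL is the only control
    via_files = granted(share["file_acl"], identities)
    return min(via_share, via_files, key=LEVELS.index)


def audit(shares):
    """Return (share name, finding) pairs for shares that need attention."""
    findings = []
    for share in shares:
        default = share["share_acl"] == DEFAULT_SHARE_ACL
        if share["filesystem"] == "FAT":
            if default:
                findings.append((share["name"],
                                 "FAT with default share ACL: Everyone has "
                                 "Full Control over the network"))
            findings.append((share["name"],
                             "FAT: files are unprotected for anyone working "
                             "at the computer"))
        elif default and share["file_acl"].get("Everyone") == "Full Control":
            findings.append((share["name"],
                             "NTFS, but neither layer restricts Everyone"))
    return findings


# Constructed sample data for a small department server.
SHARES = [
    {"name": "APPS", "filesystem": "NTFS", "share_acl": dict(DEFAULT_SHARE_ACL),
     "file_acl": {"Everyone": "Read", "Administrators": "Full Control"}},
    {"name": "PUBLIC", "filesystem": "NTFS", "share_acl": dict(DEFAULT_SHARE_ACL),
     "file_acl": {"Everyone": "Change", "Administrators": "Full Control"}},
    {"name": "ARCHIVE", "filesystem": "FAT", "share_acl": dict(DEFAULT_SHARE_ACL),
     "file_acl": {}},
    {"name": "REPORTS", "filesystem": "FAT",
     "share_acl": {"Users": "Read", "Administrators": "Full Control"},
     "file_acl": {}},
]

if __name__ == "__main__":
    user = ["CristalW", "Users", "Everyone"]
    for s in SHARES:
        print(f"{s['name']:8} network={access(s, user, True):12} "
              f"local={access(s, user, False)}")
    for name, finding in audit(SHARES):
        print(f"{name}: {finding}")
```
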

 

 


Setting Permissions on Network Printers

Printer permissions specify the type of access a user or group has to use the printer. The printer permissions are No Access, Print, Manage Documents, and Full Control.

 

Note  If you are the owner of the printer or have Full Control permission, you can set and change printer permissions.

 

For information about setting print permissions, see Chapter 5, “Setting Up Print Servers.”

For information about how to set printer permissions, see “To limit access to a shared printer” in Windows NT Help.

 

 


File Sharing and Permission Examples

Suppose you need to set file permissions on a server used by a small department. The file server includes an applications directory, home directories for each of the department’s users, a public directory where users can share files, and a drop directory where users can file confidential reports that only the group manager can read.

·   In the applications directory, make all executable programs read-only to all users to prevent introduction of viruses and Trojan horses. (For information about viruses and Trojan horses, see “Protecting Against Viruses and Trojan Horses” later in this chapter.) You can also grant the individual Change Permissions (P) permission to Administrators. This allows administrators to give themselves Write permission when it is time to update an application. Giving Administrators the Write permission initially provides less virus protection than giving them the Change Permissions permission and forcing them to change permissions before updating the application.

·   If none of your applications needs to write any files (such as initialization setting files) in their own directories, make all the directories containing applications read-only.

·   For home directories, give each user Full Control over his or her own directory, and do not give anyone permissions for any other directory.

·   For the public directory, give all users Change permission, which lets them read and write to the directory. (Change is more appropriate than Full Control, which also allows users to set permissions for the public directory and take ownership of it.)

·   To create a drop directory, grant Users or Everyone the Add permission for the directory, and grant the Change permission to the manager who is to read the files in the directory.

·   Give only Administrators or Server Operators access to files or subdirectories under the WINNT directory.

 

 

 


Managing Directory Replication

Keeping shared resources current is a helpful task performed by the Windows NT Server Directory Replicator service. If you have a set of files that you want distributed to many users, you can set up and maintain identical directory trees on multiple servers and workstations, and split the load between several computers.

Configure one server to act as an export server. Place the master copies of the files here. Configure the other computers to act as import computers.

Only one copy of each file needs to be maintained, yet every computer that participates has an available, identical copy of that set of files. Each export server maintains a list of computers to which subdirectories are exported, and each import computer maintains a list of computers from which subdirectories are imported.

When you update a file in the directory tree on one server (the export server), the updated file is automatically copied to all the other computers (the import computers). Only servers running Windows NT Server can be export servers; import computers can run either Windows NT Server or Windows NT Workstation.

A file is replicated when it is first added to an exported directory and every time a change is saved to the file on the export server.

Replication helps balance loads. If you have many users who need to periodically receive the same file, you can replicate the file directory to several computers to prevent any one server from becoming overburdened.

You can even replicate directories between computers in different domains. Export servers can export to domain names, and import computers can import from those domain names. This is a convenient way to set up directory replication for many computers; each export server and import computer needs to specify only a few domain names for export or import, rather than a long list of many computer names.

 

 


How Directory Replication Works

Directory replication is initiated and carried out by the Directory Replicator service. This service operates on each export server and import computer that participates in replication. The service on each computer logs on to the same user account, which you create for this purpose.

You set up an export server and import computers to send and receive updated files. An export directory on the export server contains all the directories and subdirectories of files to be replicated, and when changes are saved to files in these directories, the files automatically replace the existing files on all the import computers.

You can also specify whether to have the export server send changes out as soon as a file has changed or, to prevent exporting partially changed trees, to wait until one export subdirectory has been stable for two minutes before exporting.

In addition, you can lock a particular export or import directory, when needed. Changes to the locked directory are not exported or imported until you unlock the directory.

On the export server, you also designate which computers or domains are to receive replicated copies of the directories this server is exporting.

An export server has a default export path:

C:\systemroot\SYSTEM32\REPL\EXPORT

All directories to be replicated are exported as subdirectories in the export path. Subdirectories created in the export path, and files placed in those subdirectories, are automatically exported. Export servers can replicate any number of subdirectories (limited only by available memory), with each exported subdirectory having up to 32 subdirectory levels in its tree.

An import computer has a default import path:

C:\systemroot\SYSTEM32\REPL\IMPORT

Imported subdirectories and their files are automatically placed here. You do not need to create these import subdirectories. They are created automatically when replication occurs.

A network can have multiple export servers. To ensure the integrity of replicated information, they usually do not export duplicate subdirectories. Each master export subdirectory is usually maintained on and exported by a single export server. It is possible to set up multiple servers that export the same subdirectory, but the exported files in those multiple master subdirectories might not be identical.

 

 


Replication Prerequisites

Before a computer can participate in replication, you must create a special user account. Then for each computer in a domain that will participate in replication, configure its Directory Replicator service to log on using that special account:

·   In User Manager for Domains, create a domain user account for the Directory Replicator service to use to log on. Be sure the user account has the Password Never Expires option selected, all logon hours allowed, and membership in the domain’s Backup Operators group.

·   After the user account is created for each computer that will be configured as an export server or an import computer, use Server Manager to configure the Directory Replicator service to start up automatically and to log on under that user account. Be sure the password for that user account is typed correctly.

 

For more information, see “To configure startup for a service” in Windows NT Help.

For information about managing user accounts, see Chapter 2, “Working With User and Group Accounts.”

 

 


Setting Up an Export Server

Any computer running Windows NT Server can be set up as an export server. (A computer running Windows NT Workstation cannot.)

Before you set up an export server, you must perform these tasks on the export server:

·   Assign a logon account to the Directory Replicator service of the export server.

·   Create the directories to be exported. They must be subdirectories of the replication export path (usually C:\systemroot\SYSTEM32\REPL\EXPORT).

 

Use the Directory Replication dialog box to set up an export server.

For more information, see “To set up an export server” in Windows NT Help.


Managing Exported Subdirectories

By clicking Manage under Export Directories in the Directory Replication dialog box, you can manage certain features of subdirectory replication by the export server:

·   You can lock a subdirectory to prevent it from being exported to any import computers. For example, if you know a directory will be receiving a series of changes that you do not want partially replicated, you can put one or more locks on the subdirectory in the export path. Until you remove the lock or locks, the subdirectory will not be replicated. The date and time the lock was placed is displayed so that you know how long a lock has been in force.

·   When you stabilize a subdirectory, the export server waits two minutes after changes before exporting the subdirectory. The waiting period allows time for subsequent changes to take place so that all intended changes are recorded before being replicated.

·   You specify whether the entire subtree (the export subdirectory and all of its subdirectories) or just the first-level subdirectory in the export directory path is exported.

 

To manage locks, stabilization, and subtree replication for the subdirectories exported from an export computer, click Manage under Export Directories in the Directory Replication dialog box.

For information about how to manage export subdirectories, see “To Manage Locks, Stabilization, and Subtree Replication for Export Directories” in Server Manager Help.

 

 


Replicating Logon Scripts

Logon scripts are files that can be assigned to user accounts. Each time a user logs on, the assigned logon script is run. The logon script allows an administrator to affect the user’s environment without managing all aspects of it. When a server processes a logon request, the system locates the logon script by combining a file name specified in User Manager for Domains with a path specified in Server Manager.

If you use logon scripts in a domain that has a primary domain controller and at least one backup domain controller, you should replicate logon scripts among the domain controllers. Master copies of every logon script for a domain should be stored in one replication export directory of one server. This might be the primary domain controller, but it does not need to be. Copies of these master logon scripts should be replicated to each server that participates in authenticating logons for the domain. If this is done, only one copy of each logon script will need to be maintained, yet every server that participates in authenticating domain logons will have an available, identical copy of all user logon scripts.

By default, replication is configured so that Windows NT Server computers export subdirectories and logon scripts from the directory C:\systemroot\SYSTEM32\REPL\EXPORT\SCRIPTS, and import subdirectories and logon scripts to the directory C:\systemroot\SYSTEM32\REPL\IMPORT\SCRIPTS. For the primary domain controller and each backup domain controller, the path to imported logon scripts must be entered in the Logon Script Path box of the Directory Replication dialog box.

 

Note  The logon script path cannot be administered for member servers running Windows NT Server or for computers running Windows NT Workstation. On these computers, store logon scripts in C:\systemroot\SYSTEM32\REPL\IMPORT\SCRIPTS or in subdirectories of that path.

 

For information about how to manage logon scripts, see “Setting the Logon Script Path” in Server Manager Help.

 

 


Setting Up an Import Computer

Both Windows NT Server and Windows NT Workstation computers can be set up as import computers. A computer running Windows NT Server that is configured as an export server can also be configured as an import computer.

Before you set up an import computer, you must assign a logon account to the Directory Replicator service of the import computer.

On the import computer you do not need to create the imported subdirectories. A subdirectory is automatically created the first time it is imported.

Use the Directory Replication dialog box to set up an import computer. The Windows NT Server version of the Directory Replication dialog box is slightly different from the Windows NT Workstation version of this dialog box. The Windows NT Workstation version contains only the items related to imported directories.

 

Tip  You can set up a server to replicate a directory tree to itself (from its export directory to its import directory). This replication can provide a local backup of the files, or you can use the import version of these files as another source for users to access, while preserving the export version of the files as a source master.

 

For more information, see “Managing import Replication” in Server Manager Help.

 

 


Managing Locks and Viewing Import Subdirectory Status

You can use locks to prevent imports to subdirectories on an import computer. Import of a locked subdirectory to that import computer is prevented until the lock is removed. Locking a subdirectory on an import computer affects replication to only that computer, not to other import computers.

You can manage locks on subdirectories and also view the status of each subdirectory by clicking Manage under Import Directories in the Directory Replication dialog box.

The Status column can have one of four entries:

·   OK indicates that the subdirectory is receiving regular updates from an export server and that the imported data is identical to that exported.

·   No Master indicates that the subdirectory is not receiving updates. The export server might not be running, or a lock might be in effect on the export server.

·   No Sync indicates that although the subdirectory has received updates the data is not up-to-date. This could be due to a communications failure, open files on the import computer or export server, the import computer not having access permissions at the export server, or an export server malfunction.

·   No entry (blank) indicates that replication never occurred for that subdirectory. Replication might not be properly configured for this import computer, for the export server, or both.

 

The Last Update column shows the date and time of the latest change to the import subdirectory or to any of its subdirectories.

For more information, see “To view a list of, or manage locks for, import subdirectories” in Server Manager Help.

 

 


Replication of Multiple Directory Trees

Suppose you have a domain where you want to replicate two directory trees: one for logon scripts and one for other data. The groups of computers that need to import the two trees are different. The four domain controllers need the logon scripts. However, only two of the domain controllers and two Windows NT Workstation computers need to import the other data. The best solution is to set up different servers as the export servers of the scripts directory tree and the data directory tree.

Remember that a single export server has only one list of import computers to which it replicates. If you set up only a single export server for the two directories, it exports both directory trees to all import computers, even though not all import computers use both directory trees.

 

 


Replication Troubleshooting Tips

Directory replication problems can have a variety of causes. When the Replicator Service generates an error, you view the error in the Event Viewer. The Event Viewer displays information about the Status column in the Manage Import Directories dialog box and information about messages that appear while you are configuring directory replication servers.

The following sections describe some of the common problems encountered during directory replication:

 

 


Access Denied

If the Event Viewer shows “access denied” errors for the Directory Replicator service, be sure the service is configured to log on to a specific account and that the account used by the import computer’s Directory Replicator service has permission to read the files on the export computer.

The default permissions for an export directory grant Full Control to the Replicator local group. If Full Control permission is removed from the directory, exported files are copied to the import computers but receive the wrong permissions, and an access denied error is written to the event log. If necessary, click Permissions in the export directory’s Sharing tab to grant Full Control to the Replicator local group for the export directories.

 

 


Exporting to Specific Computers

Be sure to specify export servers and import computers in the To List and From List, respectively, in the Directory Replication dialog box. If you do not, exporting will occur to all import computers in the local domain, and importing will occur from all export servers in the local domain.
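The two rules above (an export server sends every tree it holds to its one To List, and an empty To List or From List means the whole local domain) can be checked against a replication plan before it is configured. The following Python model is an added example, not part of the original chapter; the computer names are made up, and it assumes a single domain with lists that contain computer names only.

```python
from dataclasses import dataclass

@dataclass
class Exporter:
    name: str
    trees: frozenset                      # directory trees under its export path
    to_list: frozenset = frozenset()      # empty: every import computer in the domain

@dataclass
class Importer:
    name: str
    needs: frozenset                      # trees this computer is meant to hold
    from_list: frozenset = frozenset()    # empty: every export server in the domain

def delivered(exporters, importers):
    """Map each import computer to the set of trees it actually receives."""
    out = {}
    for imp in importers:
        got = set()
        for exp in exporters:
            exported = not exp.to_list or imp.name in exp.to_list
            accepted = not imp.from_list or exp.name in imp.from_list
            if exported and accepted:
                got |= exp.trees          # an export server sends all of its trees
        out[imp.name] = got
    return out

def review(exporters, importers):
    """Return (excess, missing) per computer; two empty dicts mean the plan fits."""
    got = delivered(exporters, importers)
    excess = {i.name: got[i.name] - i.needs for i in importers if got[i.name] - i.needs}
    missing = {i.name: i.needs - got[i.name] for i in importers if i.needs - got[i.name]}
    return excess, missing

# Constructed scenario matching the text: four domain controllers need the
# scripts; two of them and two workstations need the data.
S, D = "scripts", "data"
DCS = ["DC1", "DC2", "DC3", "DC4"]
DATA_USERS = ["DC1", "DC2", "WS1", "WS2"]

def importers(from_lists=None):
    from_lists = from_lists or {}
    names = sorted(set(DCS) | set(DATA_USERS))
    return [Importer(n,
                     frozenset(([S] if n in DCS else []) + ([D] if n in DATA_USERS else [])),
                     frozenset(from_lists.get(n, ())))
            for n in names]

def single_server_plan():
    return [Exporter("EXP1", frozenset({S, D}), frozenset(DCS + DATA_USERS))]

def split_plan(data_to_list=DATA_USERS):
    return [Exporter("EXP-SCRIPTS", frozenset({S}), frozenset(DCS)),
            Exporter("EXP-DATA", frozenset({D}), frozenset(data_to_list))]

if __name__ == "__main__":
    for label, plan in [("single server", single_server_plan()), ("split", split_plan()),
                        ("split, empty To List", split_plan(data_to_list=[]))]:
        print(label, review(plan, importers()))
```

The third case shows why both lists matter: an export server with an empty To List sends the data tree to DC3 and DC4 unless those computers name only the scripts server in their From List.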

 

 


Lost Permissions on SYSTEM32\REPL\IMPORT

Do not use the Explorer or File Manager to examine permissions on the SYSTEM32\REPL\IMPORT directory. If you do, the special permissions initially set there can be lost. These initial permissions enable directory replication to work, and you do not need to change them.


Replication to a Domain Name Over a WAN Link

Directory replication to a domain name does not always succeed when some or all replication import computers are located across a wide area network (WAN) bridge from an export server. When adding names to the export To List on an export server, and when adding names to the import From List on an import computer, specify the computer names (instead of or in addition to specifying the domain name) for those computers separated by a WAN bridge.

 

 


Assessing and Managing Resource Use

In Server Manager, use the Properties command to display a summary of connections and resource usage for the selected computer.

The Properties dialog box displays a usage summary for the computer.

Item                Description
Sessions            The number of users remotely connected to the computer
Open Files          The number of shared resources opened on the computer
File Locks          The number of file locks on open resources of the computer
Open Named Pipes    The number of named pipes open on the computer

 

For each resource use summary that you can view in Server Manager, you can intervene in a user’s session with the resource.

To administer a property associated with one of the five buttons at the bottom of the Properties dialog box, click the button.

Choose         To
Users          View a list of all the users who are connected to the computer over the network and the resources opened by a selected user. One or all of the users can be disconnected.
Shares         View a list of the computer’s shared resources and the users who are connected to a selected resource over the network. One or all of the users can be disconnected.
In Use         View a list of the open shared resources on the computer. One resource or all resources can be closed.
Replication    Manage directory replication for the computer and specify the path to user logon scripts.
Alerts         View and manage the list of users and computers that are notified when administrative alerts occur on the computer.

 

 

 


Viewing or Disconnecting User Sessions

In Server Manager, you can view information about a computer by right-clicking the computer and selecting Properties. In the Computer Properties dialog box, you can click buttons to view users, shares, current remote connections, replication import and export servers, and to send administrative alerts.

Click the Users button in the Computer Properties dialog box to view all users connected (over the network) to the computer and the resources opened by a selected user. To display the User Sessions dialog box, double-click a computer name in the Server Manager window and then click Users.

In the User Sessions dialog box, you can disconnect one or all users.

 

Caution  To prevent data loss, always warn users before disconnecting them. (See “Sending a Message to Users” later in this chapter.)

 

 

Note  While you are remotely administering another computer, your user account is listed as a user connected to the IPC$ resource. It cannot be disconnected.

 

For more information, see “Managing Server Properties” and “Viewing User Sessions” in Server Manager Help.

 

 


Viewing or Disconnecting Shared Resources

Use the Shared Resources dialog box to view the shared resources available on the selected computer (view the properties for the computer, and click Shares). You can see users who are connected over the network to a selected resource, and you can disconnect one or all users.

 

Note  While you are remotely administering another computer, your user account is listed as a connected user for the IPC$ share. It cannot be disconnected.

 

When you disconnect a selected user from shared resources or disconnect all users from shared resources, each user is disconnected from all shared resources on the computer, not just the resource shown in the Sharename list.

 

Caution  To prevent data loss, always warn users before disconnecting them. (See “Sending a Message to Users” later in this chapter.)

 

For more information, see “Viewing Shared Resources” in Server Manager Help.

 

 


Viewing or Closing Resources In Use

You can view the list of resources that are open on a computer, and you can close a single resource or close all resources. When you close a resource, you disconnect the users who are connected.

Use the Open Resources dialog box to view and close resources (view the properties for the computer, and click In Use).

 

Item              Description
Open Resources    The total number of open resources on the computer
File Locks        The total number of file locks on open resources
Icon              A graphic representation of each listed resource: a file, a named pipe, a print job in a print spooler, or a resource of an unrecognized type
Opened By         The user name (or sometimes the computer name) of the user who opened the resource
For               The permission granted when the resource was opened
Locks             The number of locks on the resource
Path              The path of the open resource

 

In some cases, a print job is monitored as an open named pipe.

 

Note  While you are remotely administering another computer, your connection is displayed in the Open Resources dialog box as an open named pipe. It cannot be closed.

 

For more information, see “Viewing Resources In Use” in Server Manager Help.

 

 


Sending a Message to Users

A message can be sent to all users who are connected to a computer using the Send Message command on the Computer menu in Server Manager. For example, you can do this before you disconnect one or more users or before you stop the Server service on that computer.

For a message to be sent and received, the Messenger service must be running on the computer sending the message and on the computers receiving the message.

For more information, see “Sending a Message to connected Users” in Server Manager Help.

 

 


Managing Administrative Alerts

The Alerts dialog box displays and manages the list of users and computers that are notified when administrative alerts occur at the selected computer.

Administrative alerts are generated by the system and relate to server and resource use. They warn about security and access problems, user session problems, server shutdown because of power loss when the UPS service is available, and printer problems. For example, an alert is generated when disk space becomes low.

For alerts to be sent, the Alerter and Messenger services must be running on the computer originating the alert. For alerts to be received, the Messenger service must be running on the destination computer.

For more information, see “Managing Administrative Alerts”, “Starting and Stopping Services”, and “Configuring Service Startup” in Server Manager Help.

 

 


Auditing Resource Use

Auditing files and directories on a server provides a history of their use. You can identify who took various types of actions with the files and directories and hold those users accountable for their actions. You can also audit printers.

The audit category File and Object Access creates a security event log entry each time a user in the audit list:

·   Accesses a directory or file that is set for auditing.

·   Uses a printer that is connected to the computer whose directories and files are being audited.

 

You can audit successful or failed actions, or both.

For information about auditing files and directories, see Chapter 9, “Monitoring Events.”

For information about auditing printers, see Chapter 5, “Setting Up Print Servers.”

For information about how to audit files and directories, see “To audit a file or directory” and “To remove file or directory auditing for a group or user” in Windows NT Help.

 

 


Protecting Against Viruses and Trojan Horses

In today’s computing world, you must prevent intentional intrusions into your network that take the form of viruses and Trojan horses:

·   Viruses are programs that attempt to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).

·   Trojan horses are programs that masquerade as other common programs in an attempt to receive information. An example of a Trojan horse is a program that masquerades as a system logon screen to retrieve user names and password information. The writers of the Trojan horse can use this information later to break into the system.

 

By taking some precautions as a matter of course, you can go a long way toward preventing intrusions by viruses and Trojan horses.


Preventing Virus Outbreaks

·   Educate your network users. Few realize that they can unwittingly bring viruses into the network by loading a program from a source such as an online bulletin board.

·   Have at least one commercial virus-detection program and use it regularly to check your file servers for viruses. If possible, you should also make virus-detection software available to your users.

·   Set file permissions to make all applications available on network servers and Windows NT workstations read and execute only, thereby preventing them from being replaced by viruses.

·   Before putting a new application or file on the network, put it on a computer not attached to the network, and check it with your virus-detection software. You might want to also log on to this computer using an account with only guest access to the computer so that the program being tested will have only guest permissions and be unable to modify any important files.

·   Regularly back up the files on your file servers (and workstations, if possible) so that damage is minimized if a virus attack does occur. For information about backups, see Chapter 6, “Backing Up and Restoring Network Files.”

 

 

 


Preventing Trojan Horse Attacks

Windows NT Server provides an important safeguard against Trojan horse programs. Before a user can log on at a Windows NT Server or Windows NT Workstation computer, the user must type the secure attention sequence, CTRL+ALT+DEL. This series of keystrokes always displays the Windows NT operating system logon screen; it can never activate Trojan horse programs. Users are guaranteed to be providing their user name and password only to the operating system itself. To ensure effective security, you should educate your users to always type CTRL+ALT+DEL before logging on at a computer, even if the logon window already appears on the screen.

The secure attention sequence is also required before users can unlock locked workstations or change their passwords.

Another way to guard against Trojan horses is identical to a method for protecting against viruses. Make your applications read-and-execute-only so they cannot be replaced with programs that masquerade as the original program and steal information.
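The read-and-execute-only precaution, recommended here and under Preventing Virus Outbreaks, is only useful if it is verified. The following Python check is an added example, not part of the original chapter: it reads an ACL listing in the style printed by the cacls command-line tool (right letters N, R, W, C, F) and reports accounts outside a trusted set that can modify an application file. The listing, the trusted set, and the restriction to paths without spaces are assumptions.

```python
import re

# Assumption: accounts allowed to modify application files; adjust per site.
TRUSTED = {"builtin\\administrators", "nt authority\\system"}
MODIFY = {"W": "Write", "C": "Change", "F": "Full Control"}   # cacls right letters
ACE = re.compile(r"^(?P<acct>.+?):(?:\([A-Z]+\))*(?P<right>[NRWCF])$")

def audit_cacls(listing, trusted=TRUSTED):
    """Return (findings, review).

    findings: (path, account, right) for each non-trusted account that can modify
    review:   paths with ACL lines this parser does not understand
    """
    findings, review, path = [], [], None
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                 # continuation line: another entry for `path`
            entry = raw.strip()
        else:                                # new file: "<path> <first entry>"
            path, _, entry = raw.partition(" ")
            entry = entry.strip()
        m = ACE.match(entry)
        if m is None:                        # e.g. special access: check by hand
            if path and path not in review:
                review.append(path)
            continue
        if m["right"] in MODIFY and m["acct"].lower() not in trusted:
            findings.append((path, m["acct"], MODIFY[m["right"]]))
    return findings, review

# Constructed listing (not real output) for four application paths.
SAMPLE = r"""
C:\APPS\WINWORD.EXE BUILTIN\Administrators:F
                    Everyone:C
C:\APPS\EXCEL.EXE BUILTIN\Administrators:F
                  NT AUTHORITY\SYSTEM:F
                  Everyone:R
C:\APPS\TOOLS BUILTIN\Administrators:(OI)(CI)F
              CORP\Domain Users:(OI)(CI)W
C:\APPS\SETUP.EXE Everyone:(special access:)
                  READ_CONTROL
"""

if __name__ == "__main__":
    found, unclear = audit_cacls(SAMPLE)
    for path, account, right in found:
        print(f"{path}: {account} has {right}")
    print("review by hand:", unclear)
```

Entries the parser cannot classify are returned for manual review instead of being treated as safe.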

 

 


Configuring DCOM

In addition to supporting component object model (COM) for interprocess communication on a local computer, Windows NT Server now supports distributed component object model (DCOM). The DCOM Configuration tool can be used to configure 32-bit applications for DCOM communication over the network. Before you can use an application with DCOM, you must use this tool to set the application’s properties.

DCOM builds on remote procedure call (RPC) technology by providing a more scalable, easier-to-use mechanism for integrating distributed applications on a network. A distributed application consists of multiple processes that cooperate to accomplish a single task. Unlike other interprocess communication (IPC) mechanisms, DCOM gives you a high degree of control over security features such as permissions and domain authentication. It can also be used to launch applications on other computers or to integrate Web browser applications that run on the ActiveX platform.

DCOM allows you to efficiently distribute processes across multiple computers so the client and server components of an application can be placed in optimal locations on the network. Processing occurs transparently to the user, so the user can access and share information without needing to know where the application components are located. If the client and server components of an application are located on the same computer, DCOM can be used to transfer information between processes. DCOM is platform independent and supports any 32-bit application that is DCOM-aware.

For example, your company’s payroll department might use an application with DCOM to print paychecks. When a payroll employee runs a DCOM-enabled client application on a desktop, the application starts a business rules server. The server application in turn connects to a database server in order to retrieve employee records such as salary information. The business rules server then transforms the payroll information into the final output and returns it to the client to print. Your application may support its own set of DCOM features. For more information about configuring your application to use DCOM, see your application’s documentation.

Visual Basic Enterprise Edition customers who are currently using Remote Automation can easily migrate their existing applications to use DCOM. For more information, see your Visual Basic documentation or visit the Visual Basic web site at www.microsoft.com/vbasic.

For more information about DCOM, see the Windows NT Server Resource Kit version 4.0.

 

 


Setting Security on Applications

Once a DCOM-enabled application is installed, you can use the DCOM Configuration tool to:

·   Set the location of the application.

·   Set permissions on the server application by specifying which user accounts can or cannot access or start it. You can grant permissions that apply to all applications installed on the computer, or to only a particular application.

·   Set the user account (or identity) that will be used to run the server application. The client application uses this account to start processes and access resources on other computers in the domain. If the server application is installed as a service, you can run the application using the built-in System account or a Windows NT Server service account that you have created.

·   Control the level of security (for example, packet encryption) for connections between applications.

·   Disable DCOM so that it cannot be used for the computer or the application.

 

The computers running the client application and the server application must both be configured for DCOM by using the DCOM Configuration tool. On the computer running the client application, you must specify the location of the server application that will be accessed or started. For the server application, you must specify the user account that will have permission to access or start the application, and the user account that will be used to run the application.