Exercise 1: Create Shared Folders and Sample Web Content
Note There are obviously many ways to create and share folders. In this situation, please use the methods described.
1. Open the command prompt.
2. Type the following commands:
net share News=c:\ContosoIntranetNews
3. Open Notepad and create a file with the text “Contoso Company News.” Save the file as “C:\ContosoIntranetNews\Default.htm”, being certain to surround the name with quotation marks.
4. Add the following permission to the C:\ContosoIntranetNews folder: Managers: Allow Modify
5. In the C:\ContosoIntranetNews folder’s Properties dialog box, click the Web Sharing tab.
6. From the Share On drop-down list, choose Contoso. If you did not complete the exercises in Lesson 4, you will not have the Contoso Web site; choose the Default Web Site instead. Click Share This Folder and type the alias News. The default permissions are adequate. Click OK.
Chapter 6 Files and Folders 6-49
Exercise 2: Optimize Intranet Access
In this exercise, you will confirm the functionality of the intranet and optimize its ease of use.
1. Open Internet Explorer and type the URL: http://server01.contoso.com/News.
2. You will be prompted for credentials. Authenticate as Administrator. The Contoso Company News page should appear.
3. Close Internet Explorer.
You are being prompted for credentials because Company News is not allowing anonymous access. When you create a virtual directory by using the Web Sharing tab, anonymous access is disabled by default.
4. Using IIS manager, open the properties of the News virtual directory.
5. Click the Directory Security tab and click Edit in the Authentication and Access Control frame.
6. Enable anonymous access.
7. Repeat steps 1 through 3 to verify that the change was effective.
Exercise 3: Confirm That Managers Can Modify Intranet Contents
Note To simulate remote management of the intranet contents, it is important that you use the UNC path to the folders and files, as instructed. Do not use a local path.
1. Log off Server01 and log on again as the user Lorrin Smith-Bates, who is a member of the Managers group.
2. Open Notepad and create a document with the text “Good News Contoso!” Save the document as: “\\server01\news\goodnews.htm”, being certain to surround the name in quotation marks and to use the UNC path, not a local path, to the news folder.
3. Are you able to save the file?
If you followed the instructions of this Case Scenario fully, you should not be able to do so. Continue with the Troubleshooting Lab to identify and solve the problem you just encountered.
Troubleshooting Lab
Note This troubleshooting lab is designed to complement the preceding Case Scenario Exercise. It is recommended that you complete both exercises to gain the maximum learning from these hands-on experiences with Windows Server 2003 file system security. You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user accounts as described in this chapter’s “Before You Begin” section. You must also have completed at least Exercise 1 of the Case Scenario.
Lorrin Smith-Bates calls the help desk and reports that he is unable to save documents to the intranet news folder. He is creating a Web page in Notepad and saving it to “\\server01\News\goodnews.htm” when the error occurs.
The folder is located at C:\ContosoIntranetNews and is shared as News, and is configured as a virtual directory, News, for the Contoso Web site. The error message he receives is an Access Denied message. That indicates that his machine is likely able to connect to the server, but that a permission or privilege of some kind prevents him from saving the file.
Log on to Server01 as Administrator to perform these troubleshooting steps.
Step 1: Confirm Group Membership
You are fairly confident that you made Lorrin a member of the Managers group, and that the Managers group has Modify permission to the C:\ContosoIntranetNews folder. How can you confirm Lorrin’s group membership?
The Dsget command, discussed in Chapter 3, can enumerate group memberships. Open a command prompt and type the command:
dsget user "CN=Lorrin Smith-Bates,OU=Employees,DC=Contoso,DC=com" -memberof -expand
You should see these groups listed, as well as other groups that may vary depending on which exercises from this book you have completed.
“CN=Project 101 Team,OU=Security Groups,DC=contoso,DC=com”
How else can you confirm Lorrin’s group membership? Open Active Directory Users And Computers and examine the Member Of property page of Lorrin’s Properties dialog box.
Step 2: Examine Effective Permissions
Explore the permission assigned to the C:\ContosoIntranetNews folder. You should see, in the Security tab and in the Advanced Security Settings dialog boxes, that Managers are granted Modify permission.
Click the Effective Permissions tab in the Advanced Security Settings dialog box and select Lorrin’s user account. Examine his effective permissions. The permissions should suggest that he is allowed to create files and write data in the folder.
Step 3: Evaluate the Situation
If Lorrin does have effective permissions that allow him to create files and write data, why is he receiving an Access Denied message? If you haven’t figured it out already, take a moment to review the Lesson Summaries after Lessons 1 and 4.
The problem might lie in other permissions assigned to the C:\ContosoIntranetNews folder. Share permissions, and Web site or virtual directory permissions, define the maximum allowed access, so if one or more of those permissions were configured too restrictively, it could prevent Lorrin from fully using his NTFS Allow Modify permission.
When Lorrin was saving his Web page in Notepad, he was connecting to the server remotely. From the following list, identify the client and the service that were involved:
■ FTP Publishing Service
■ Worldwide Web Publishing Service
■ Telnet Service
■ File and Printer Sharing For Microsoft Networks
■ Internet browser client
■ FTP client
■ Telnet client
■ Client For Microsoft Networks
Lorrin is using the Client For Microsoft Networks service to connect to Server01’s File and Printer Sharing service. You can identify that by examining the path Lorrin specified to save the file: “\\server01\News\goodnews.htm.” It is a UNC path, which will connect using Microsoft networking.
Knowing that, you can eliminate as a cause of the problem any permissions assigned to the Web site or to the virtual directory; those permissions apply only to connections from Web clients to the Web service.
That leaves one possible cause for permission problems: the Share permissions. The default share permissions in Windows Server 2003 allow the Everyone group only Read permission. Because share permissions define the maximum allowed access, they are overriding the folder’s NTFS Allow Modify permission.
Step 4: Solve the Problem
Modify the share permissions on C:\ContosoIntranetNews so that Everyone is allowed Full Control.
Now the business requirements for the intranet news site are that users should only be able to read documents. The default NTFS permission allows users to create files and folders and then, of course, as owners of those files and folders they can do whatever they please.
Lock down NTFS permissions on the folder so that Users have Read & Execute permission, without the special permissions (Create Files/Write Data; Create Folders/Append Data).
Confirm your actions by logging on as Scott Bishop. Scott should be able to see http://server01.contoso.com/News. If he connects to \\server01\News, he should not be able to create a new file or modify an existing file.
Then log on as Lorrin. Lorrin should also be able to see the intranet news site, but he should also be able to create and modify files in the \\server01\News share. You should be able to create the news document as described in Exercise 3 of the Case Scenario and then access that document at http://server01.contoso.com/News/goodnews.htm.
■ Windows Server 2003 provides new consoles and snap-ins to manage shared folders, audit policy, and IIS. Windows Explorer is still used, as well as the Shared Folder snap-in, to manage NTFS ACLs, although the ACL editor is significantly more powerful.
■ NTFS permissions can be allowed or denied; explicit or inherited. A Deny permission takes precedence over an Allow permission; and an explicit permission takes precedence over an inherited permission. The result is that an explicit Allow permission can override an inherited Deny permission.
■ Access granted by NTFS permissions may be further restricted by share permissions and IIS permissions on FTP sites, Web sites, virtual directories and documents. Whenever two permission types are assigned to a resource, such as share permissions and NTFS permissions, you must evaluate each set of permissions, then determine which of the two sets is more restrictive. And that is the set that becomes effective.
■ The security descriptor of a file or folder also includes information about the object’s owner. The owner, as well as any user with Allow Change permissions, can modify the ACL. Ownership may be assumed by a user with the Allow Take Ownership permission; or may be transferred between users by anyone with the Restore Files And Directories user right.
■ The security descriptor also contains auditing entries which, when audit policy is enabled, directs the system to log the specified types of access for the specified users or groups.
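The permission evaluation described in Step 3 of the Troubleshooting Lab and in the summary above, as an added Python model that is not code from the book: NTFS ACEs are resolved explicit-before-inherited and Deny-before-Allow, and the result is intersected with whichever permission set gates the connection path (share permissions for a UNC connection, IIS permissions for a Web connection, NTFS alone for a local logon). The rights sets, the Ace class and the scenario data are constructed assumptions.

```python
from dataclasses import dataclass

# Rights as a simple set model (assumption: Modify = Read + Write).
READ = frozenset({"read", "execute"})
WRITE = frozenset({"write", "create"})
MODIFY = READ | WRITE
FULL = MODIFY | frozenset({"change_permissions", "take_ownership"})

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    allow: bool = True
    inherited: bool = False

def ntfs_effective(aces, token):
    """Effective NTFS rights for a token (user plus group names). Explicit
    ACEs apply before inherited ones and, within each tier, Deny before
    Allow; a right settled by an earlier ACE is never changed by a later one,
    so an explicit Allow overrides an inherited Deny, as the summary states."""
    granted, settled = set(), set()
    for inherited in (False, True):          # explicit tier first
        for allow in (False, True):          # Deny before Allow in each tier
            for ace in aces:
                if (ace.inherited, ace.allow) != (inherited, allow) or ace.principal not in token:
                    continue
                undecided = ace.rights - settled
                if allow:
                    granted |= undecided
                settled |= undecided
    return frozenset(granted)

def effective_access(aces, token, path, share=None, web=None):
    """Most restrictive of NTFS and the set gating the connection path:
    share permissions for 'unc', IIS permissions for 'http', NTFS only for
    'local' (assumption: share and IIS sets are Allow-only dictionaries)."""
    rights = ntfs_effective(aces, token)
    gate = {"local": None, "unc": share, "http": web}[path]
    if gate is None:
        return rights
    cap = frozenset().union(*(r for p, r in gate.items() if p in token))
    return rights & cap                      # the more restrictive set wins

# Constructed Troubleshooting Lab scenario: Managers hold NTFS Modify on
# C:\ContosoIntranetNews, but the default share grants Everyone only Read.
NEWS_NTFS = [Ace("Managers", MODIFY), Ace("Users", READ, inherited=True)]
LORRIN = {"Lorrin", "Managers", "Users", "Everyone"}
DEFAULT_SHARE = {"Everyone": READ}
FIXED_SHARE = {"Everyone": FULL}
def can_save_over_unc(share):
    return "write" in effective_access(NEWS_NTFS, LORRIN, "unc", share=share)
```

With the default share permission `can_save_over_unc` is False even though NTFS grants Modify, which is the Access Denied Lorrin reports; after the Step 4 fix it is True.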
Before taking the exam, review the key topics and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
■ Familiarize yourself with the tools that are used to configure shared folders, NTFS permissions, auditing and IIS. Spend some time with each snap-in, examining the properties that can be configured, and the role those properties play in managing files and folders.
■ Be fluent in the determination of effective permissions: the interaction of explicit, inherited, allowed, and denied permissions for multiple users, groups, computers, and logon types such as Interactive versus Network.
■ Know the three steps required to configure auditing, and the strategies you can use to determine what kind of auditing (success or failure) to engage for a particular goal.
■ Experience and understand the configuration of a Web site and virtual directory. If you are not experienced with IIS, be certain to implement the Practice in Lesson 4 as well as the Case Scenario and Troubleshooting Lab.
Key Terms
Hidden share A shared folder can be hidden by appending a $ to its share name. Connections can be made to the share using the share’s UNC (for example, \\server01\docs$), but the share will not appear on browse lists. Windows Server 2003 creates hidden administrative shares, such as Admin$, Print$, and a hidden share for the root of each disk volume. Only administrators can connect to the hidden administrative shares.
Inheritance By default, permissions assigned to a folder apply to the folder, its subfolders and files. In addition, files and folders are configured by default to allow inheritable permissions from their parent folder or volume to propagate to their ACL. Through these two mechanisms, permissions assigned to a high-level folder are propagated to its contents.
Effective permissions Permissions can be allowed or denied, inherited or explicitly assigned. They can be assigned to one or more users, groups, or computers. The effective permissions are the overall permissions that result and determine the actual access for a security principal.
Ownership Each NTFS file or folder maintains a property that indicates the security principal that owns the resource. The owner is able to modify the ACL of the object at any time, meaning the owner cannot be locked out of the resource. Ownership can be taken and transferred based on the Take Ownership permission and the Restore Files And Directories user right, respectively.
The special accounts: Creator Owner, Network, and Interactive These security principals are dynamic, and represent the relationship between a user and a resource. When a user creates a file or folder, they are the Creator Owner of that resource, and any inheritable permissions on the parent folder or volume assigned to Creator Owner will be explicitly assigned to the user on the new object. Network and Interactive represent the connection state of the user—whether the user is connected to the resource from a remote client, or is logged on interactively to the computer that is maintaining the resource.
Audit Object Access policy This policy, available in the Local Security Policy of a standalone Windows Server 2003 computer, or in Group Policy Objects, determines whether access to files, folders, and printers is registered in the Security log. When this policy is enabled, the Auditing Entries for each object determine the types of activities that are logged.
Virtual directory A virtual directory is an IIS object that allows a folder on any local or remote volume to appear as a subfolder of a Web site.