
6-00 Chapter Summary

6-48 Chapter 6 Files and Folders

Case Scenario Exercise

Note: This Case Scenario exercise is designed to prepare for and to complement the following “Troubleshooting Lab” section. It is recommended that you complete both exercises to gain the maximum learning from these hands-on experiences with Windows Server 2003 file system security. You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user accounts as described in this chapter’s “Before You Begin” section.

Contoso, Ltd. wants to configure an intranet site for company and departmental news. The specifications call for the site to be easy to use by both employees and the managers, who will be responsible for updating the news documents. All employees will use the latest version of Internet Explorer to browse the intranet. Managers will use other tools to create Web pages.
Exercise 1: Create Shared Folders and Sample Web Content

Note: There are obviously many ways to create and share folders. In this situation, please use the methods described.

1. Open the command prompt.
2. Type the following commands:
md c:\ContosoIntranetNews
net share News=c:\ContosoIntranetNews
3. Open Notepad and create a file with the text “Contoso Company News.” Save the file as “C:\ContosoIntranetNews\Default.htm”, being certain to surround the name with quotation marks.
4. Add the following permission to the C:\ContosoIntranetNews folder: Managers: Allow Modify
5. In the C:\ContosoIntranetNews folder’s Properties dialog box, click the Web Sharing tab.
6. From the Share On drop-down list, choose Contoso. If you did not complete the exercises in Lesson 4, you will not have the Contoso Web site; choose the Default Web Site instead. Click Share This Folder and type the alias News. The default permissions are adequate. Click OK.
Exercise 2: Optimize Intranet Access
In this exercise, you will confirm the functionality of the intranet and optimize its ease of use.
1. Open Internet Explorer and type the URL: http://server01.contoso.com/News.
2. You will be prompted for credentials. Authenticate as Administrator. The Contoso Company News page should appear.
3. Close Internet Explorer.
You are being prompted for credentials because Company News is not allowing anonymous access. When you create a virtual directory by using the Web Sharing tab, anonymous access is disabled by default.
4. Using IIS manager, open the properties of the News virtual directory.
5. Click the Directory Security tab and click Edit in the Authentication and Access Control frame.
6. Enable anonymous access.
7. Repeat steps 1 through 3 to verify that the change was effective.
Exercise 3: Confirm That Managers Can Modify Intranet Contents

Note: To simulate remote management of the intranet contents, it is important that you use the UNC path to the folders and files, as instructed. Do not use a local path.

1. Log off Server01 and log on again as the user Lorrin Smith-Bates, who is a member of the Managers group.
2. Open Notepad and create a document with the text “Good News Contoso!” Save the document as: “\\server01\news\goodnews.htm”, being certain to surround the name in quotation marks and to use the UNC path, not a local path, to the news folder.
3. Are you able to save the file?
If you followed the instructions of this Case Scenario fully, you should not be able to do so. Continue with the Troubleshooting Lab to identify and solve the problem you just encountered.
Troubleshooting Lab

Note: This troubleshooting lab is designed to complement the preceding Case Scenario Exercise. It is recommended that you complete both exercises to gain the maximum learning from these hands-on experiences with Windows Server 2003 file system security. You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user accounts as described in this chapter’s “Before You Begin” section. You must also have completed at least Exercise 1 of the Case Scenario.

Lorrin Smith-Bates calls the help desk and reports that he is unable to save documents to the intranet news folder. He is creating a Web page in Notepad and saving it to “\\server01\News\goodnews.htm” when the error occurs.
The folder is located at C:\ContosoIntranetNews and is shared as News, and is configured as a virtual directory, News, for the Contoso Web site. The error message he receives is an Access Denied message. That indicates that his machine is likely able to connect to the server, but that a permission or privilege of some kind prevents him from saving the file.
Log on to Server01 as Administrator to perform these troubleshooting steps.
Step 1: Confirm Group Membership
You are fairly confident that you made Lorrin a member of the Managers group, and that the Managers group has Modify permission to the C:\ContosoIntranetNews folder. How can you confirm Lorrin’s group membership?
The Dsget command, discussed in Chapter 3, can enumerate group memberships. Open a command prompt and type the command:
dsget user "CN=Lorrin Smith-Bates,OU=Employees,DC=Contoso,DC=com" -memberof -expand
You should see these groups listed, as well as other groups that may vary depending on which exercises from this book you have completed.
"CN=Managers,OU=Security Groups,DC=contoso,DC=com"
"CN=Project 101 Team,OU=Security Groups,DC=contoso,DC=com"
"CN=Domain Users,CN=Users,DC=contoso,DC=com"
"CN=Print Operators,CN=Builtin,DC=contoso,DC=com"
"CN=Users,CN=Builtin,DC=contoso,DC=com"
How else can you confirm Lorrin’s group membership? Open Active Directory Users And Computers and examine the Member Of property page of Lorrin’s Properties dialog box.
Step 2: Examine Effective Permissions
Explore the permission assigned to the C:\ContosoIntranetNews folder. You should see, in the Security tab and in the Advanced Security Settings dialog boxes, that Managers are granted Modify permission.
Click the Effective Permissions tab in the Advanced Security Settings dialog box and select Lorrin’s user account. Examine his effective permissions. The permissions should suggest that he is allowed to create files and write data in the folder.
Step 3: Evaluate the Situation
If Lorrin does have effective permissions that allow him to create files and write data, why is he receiving an Access Denied message? If you haven’t figured it out already, take a moment to review the Lesson Summaries after Lessons 1 and 4.
The problem might lie in other permissions assigned to the C:\ContosoIntranetNews folder. Share permissions and Web site or virtual directory permissions define the maximum allowed access, so if one or more of those permissions were configured too restrictively, it could prevent Lorrin from fully using his NTFS Allow Modify permission.
When Lorrin was saving his Web page in Notepad, he was connecting to the server remotely. From the following list, identify the client and the service that were involved:
■ FTP Publishing Service
■ Worldwide Web Publishing Service
■ Telnet Service
■ File and Printer Sharing For Microsoft Networks
■ Internet browser client
■ FTP client
■ Telnet client
■ Client For Microsoft Networks
Lorrin is using the Client For Microsoft Networks service to connect to Server01’s File and Printer Sharing service. You can identify that by examining the path Lorrin specified to save the file: “\\server01\News\goodnews.htm.” It is a UNC path, which will connect using Microsoft networking.
Knowing that, you can eliminate as a cause of the problem any permissions assigned to the Web site or to the virtual directory; those permissions apply only to connections from Web clients to the Web service.
That leaves one possible cause for permission problems: the Share permissions. The default share permissions in Windows Server 2003 allow the Everyone group only Read permission. Because share permissions define the maximum allowed access, they are overriding the folder’s NTFS Allow Modify permission.
Step 4: Solve the Problem
Modify the share permissions on C:\ContosoIntranetNews so that Everyone is allowed Full Control.
Now the business requirements for the intranet news site are that users should only be able to read documents. The default NTFS permission allows users to create files and folders and then, of course, as owners of those files and folders they can do whatever they please.
Lock down NTFS permissions on the folder so that Users have Read & Execute permission, without the special permissions (Create Files/Write Data; Create Folders/Append Data).
Confirm your actions by logging on as Scott Bishop. Scott should be able to see http://server01.contoso.com/News. If he connects to \\server01\News, he should not be able to create a new file.
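The reasoning in Steps 3 and 4 can be written down as a small model: the access a client actually gets is the NTFS permission further limited by whichever layer the connection passes through (share permissions for a UNC path, virtual directory permissions for an http:// URL). This is an added illustration, not code from the training kit; the accounts, groups and rights are simplified stand-ins for the chapter's, and the "before" and "after" states mirror the end of Case Scenario Exercise 1 and the end of Lab Step 4.

```python
# Simplified model of how Windows Server 2003 combines NTFS, share and IIS
# permissions. Constructed for this lab; rights are reduced to read/write/create.
from dataclasses import dataclass

READ = frozenset({"read"})
MODIFY = frozenset({"read", "write", "create"})
FULL = MODIFY                          # Full Control covers the same three rights here
USERS_DEFAULT = frozenset({"read", "create"})  # default Users ACE: Read & Execute plus Create Files/Folders

# Group memberships, constructed to mirror the chapter's accounts.
MEMBERS = {
    "Lorrin Smith-Bates": {"Managers", "Users", "Everyone"},
    "Scott Bishop": {"Users", "Everyone"},
}

@dataclass
class Folder:
    ntfs: dict        # principal -> Allow rights in the NTFS ACL
    share: dict       # principal -> rights in the share permissions
    web: frozenset    # IIS virtual directory permissions

def granted(acl, user):
    """Union of Allow rights for the user and every group the user belongs to."""
    rights = set()
    for principal, r in acl.items():
        if principal == user or principal in MEMBERS[user]:
            rights |= r
    return frozenset(rights)

def effective(folder, user, path):
    """Rights the client gets. Each layer can only subtract from NTFS,
    so the most restrictive layer on the chosen path wins."""
    ntfs = granted(folder.ntfs, user)
    if path.startswith("\\\\"):          # UNC path: File and Printer Sharing
        return ntfs & granted(folder.share, user)
    if path.startswith("http://"):       # URL: Web service, share perms do not apply
        return ntfs & folder.web
    return ntfs                          # local path: NTFS only

def can_create(folder, user, path):
    return "create" in effective(folder, user, path)

# After Case Scenario Exercise 1: `net share` leaves the Server 2003 default
# share permission (Everyone: Read); Managers were given NTFS Modify.
before = Folder(ntfs={"Managers": MODIFY, "Users": USERS_DEFAULT},
                share={"Everyone": READ}, web=READ)
# After Lab Step 4: share opened to Everyone Full Control, NTFS for Users
# locked down to Read & Execute.
after = Folder(ntfs={"Managers": MODIFY, "Users": READ},
               share={"Everyone": FULL}, web=READ)
```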