
6-00 Chapter Summary

Case Scenario Exercise
Note: This Case Scenario exercise is designed to prepare for and to complement the following “Troubleshooting Lab” section. It is recommended that you complete both exercises to gain the maximum learning from these hands-on experiences with Windows Server 2003 file system security. You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user accounts as described in this chapter’s “Before You Begin” section.
Contoso, Ltd. wants to configure an intranet site for company and departmental news. The specifications call for the site to be easy to use by both employees and the managers, who will be responsible for updating the news documents. All employees will use the latest version of Internet Explorer to browse the intranet. Managers will use other tools to create Web pages.
Exercise 1: Create Shared Folders and Sample Web Content
Note: There are obviously many ways to create and share folders. In this situation, please use the methods described.
1. Open the command prompt.
2. Type the following commands:
md c:\ContosoIntranetNews
net share News=c:\ContosoIntranetNews
3. Open Notepad and create a file with the text “Contoso Company News.” Save the file as “C:\ContosoIntranetNews\Default.htm”, being certain to surround the name with quotation marks.
4. Add the following permission to the C:\ContosoIntranetNews folder: Managers: Allow Modify
5. In the C:\ContosoIntranetNews folder’s Properties dialog box, click the Web Sharing tab.
6. From the Share On drop-down list, choose Contoso. If you did not complete the exercises in Lesson 4, you will not have the Contoso Web site; choose the Default Web Site instead. Click Share This Folder and type the alias News. The default permissions are adequate. Click OK.
Exercise 2: Optimize Intranet Access
In this exercise, you will confirm the functionality of the intranet and optimize its ease of use.
1. Open Internet Explorer and type the URL: http://server01.contoso.com/News.
2. You will be prompted for credentials. Authenticate as Administrator. The Contoso Company News page should appear.
3. Close Internet Explorer.
You are being prompted for credentials because Company News is not allowing anonymous access. When you create a virtual directory by using the Web Sharing tab, anonymous access is disabled by default.
4. Using IIS Manager, open the properties of the News virtual directory.
5. Click the Directory Security tab and click Edit in the Authentication and Access Control frame.
6. Enable anonymous access.
7. Repeat steps 1 through 3 to verify that the change was effective.
Exercise 3: Confirm That Managers Can Modify Intranet Contents
Note: To simulate remote management of the intranet contents, it is important that you use the UNC path to the folders and files, as instructed. Do not use a local path.
1. Log off Server01 and log on again as the user Lorrin Smith-Bates, who is a member of the Managers group.
2. Open Notepad and create a document with the text “Good News Contoso!” Save the document as: “\\server01\news\goodnews.htm”, being certain to surround the name in quotation marks and to use the UNC path, not a local path, to the news folder.
3. Are you able to save the file?
If you followed the instructions of this Case Scenario fully, you should not be able to do so. Continue with the Troubleshooting Lab to identify and solve the problem you just encountered.
Troubleshooting Lab
Note: This troubleshooting lab is designed to complement the preceding Case Scenario Exercise. It is recommended that you complete both exercises to gain the maximum learning from these hands-on experiences with Windows Server 2003 file system security. You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user accounts as described in this chapter’s “Before You Begin” section. You must also have completed at least Exercise 1 of the Case Scenario.
Lorrin Smith-Bates calls the help desk and reports that he is unable to save documents to the intranet news folder. He is creating a Web page in Notepad and saving it to “\\server01\News\goodnews.htm” when the error occurs.
The folder is located at C:\ContosoIntranetNews and is shared as News, and is configured as a virtual directory, News, for the Contoso Web site. The error message he receives is an Access Denied message. That indicates that his machine is likely able to connect to the server, but that a permission or privilege of some kind prevents him from saving the file.
Log on to Server01 as Administrator to perform these troubleshooting steps.
Step 1: Confirm Group Membership
You are fairly confident that you made Lorrin a member of the Managers group, and that the Managers group has Modify permission to the C:\ContosoIntranetNews folder. How can you confirm Lorrin’s group membership?
The Dsget command, discussed in Chapter 3, can enumerate group memberships. Open a command prompt and type the command:
dsget user "CN=Lorrin Smith-Bates,OU=Employees,DC=Contoso,DC=com" -memberof -expand
You should see these groups listed, as well as other groups that may vary depending on which exercises from this book you have completed.
"CN=Managers,OU=Security Groups,DC=contoso,DC=com"
"CN=Project 101 Team,OU=Security Groups,DC=contoso,DC=com"
"CN=Domain Users,CN=Users,DC=contoso,DC=com"
"CN=Print Operators,CN=Builtin,DC=contoso,DC=com"
"CN=Users,CN=Builtin,DC=contoso,DC=com"
How else can you confirm Lorrin’s group membership? Open Active Directory Users And Computers and examine the Member Of property page of Lorrin’s Properties dialog box.
Step 2: Examine Effective Permissions
Explore the permission assigned to the C:\ContosoIntranetNews folder. You should see, in the Security tab and in the Advanced Security Settings dialog boxes, that Managers are granted Modify permission.
Click the Effective Permissions tab in the Advanced Security Settings dialog box and select Lorrin’s user account. Examine his effective permissions. The permissions should suggest that he is allowed to create files and write data in the folder.
Step 3: Evaluate the Situation
If Lorrin does have effective permissions that allow him to create files and write data, why is he receiving an Access Denied message? If you haven’t figured it out already, take a moment to review the Lesson Summaries after Lessons 1 and 4.
The problem might lie in other permissions assigned to the C:\ContosoIntranetNews folder. Share permissions and Web site or virtual directory permissions define the maximum allowed access, so if one or more of those permissions were configured too restrictively, it could prevent Lorrin from fully using his NTFS Allow Modify permission.
When Lorrin was saving his Web page in Notepad, he was connecting to the server remotely. From the following list, identify the client and the service that were involved:
■ FTP Publishing Service
■ World Wide Web Publishing Service
■ Telnet Service
■ File and Printer Sharing For Microsoft Networks
■ Internet browser client
■ FTP client
■ Telnet client
■ Client For Microsoft Networks
Lorrin is using the Client For Microsoft Networks service to connect to Server01’s File and Printer Sharing service. You can identify that by examining the path Lorrin specified to save the file: “\\server01\News\goodnews.htm.” It is a UNC path, which will connect using Microsoft networking.
Knowing that, you can eliminate as a cause of the problem any permissions assigned to the Web site or to the virtual directory; those permissions apply only to connections from Web clients to the Web service.
That leaves one possible cause for permission problems: the Share permissions. The default share permissions in Windows Server 2003 allow the Everyone group only Read permission. Because share permissions define the maximum allowed access, they are overriding the folder’s NTFS Allow Modify permission.
Step 4: Solve the Problem
Modify the share permissions on C:\ContosoIntranetNews so that Everyone is allowed Full Control.
Now the business requirements for the intranet news site are that users should only be able to read documents. The default NTFS permission allows users to create files and folders and then, of course, as owners of those files and folders they can do whatever they please.
Lock down NTFS permissions on the folder so that Users have Read & Execute permission, without the special permissions (Create Files/Write Data; Create Folders/Append Data).
Confirm your actions by logging on as Scott Bishop. Scott should be able to see http://server01.contoso.com/News. If he connects to \\server01\News, he should not be able to create a new file or modify an existing file.
Then log on as Lorrin. Lorrin should also be able to see the intranet news site, but he should also be able to create and modify files in the \\server01\News share. You should be able to create the news document as described in Exercise 3 of the Case Scenario and then access that document at http://server01.contoso.com/News/goodnews.htm.
Chapter Summary
■ Windows Server 2003 provides new consoles and snap-ins to manage shared folders, audit policy, and IIS. Windows Explorer is still used, as well as the Shared Folder snap-in, to manage NTFS ACLs, although the ACL editor is significantly more powerful.
■ NTFS permissions can be allowed or denied, explicit or inherited. A Deny permission takes precedence over an Allow permission, and an explicit permission takes precedence over an inherited permission. The result is that an explicit Allow permission can override an inherited Deny permission.
■ Access granted by NTFS permissions may be further restricted by share permissions and IIS permissions on FTP sites, Web sites, virtual directories and documents. Whenever two permission types are assigned to a resource, such as share permissions and NTFS permissions, you must evaluate each set of permissions, then determine which of the two sets is more restrictive. And that is the set that becomes effective.
■ The security descriptor of a file or folder also includes information about the object’s owner. The owner, as well as any user with Allow Change permissions, can modify the ACL. Ownership may be assumed by a user with the Allow Take Ownership permission; or may be transferred between users by anyone with the Restore Files And Directories user right.
■ The security descriptor also contains auditing entries which, when audit policy is enabled, direct the system to log the specified types of access for the specified users or groups.
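The precedence rules in this summary and the diagnosis reached in Step 3 of the Troubleshooting Lab can be worked through as a short model. The Python below is an added example, not part of the original chapter: it tracks only two rights (read and write), treats Full Control as read plus write, and assumes Scott Bishop belongs only to Users and Everyone.

```python
# Added example: simplified model of NTFS ACE precedence and the share cap.
# Only two rights are tracked; the real access mask is far more granular.
from dataclasses import dataclass

READ, WRITE = "read", "write"

@dataclass(frozen=True)
class Ace:
    principal: str          # group name the entry applies to
    allow: bool             # True = Allow entry, False = Deny entry
    rights: frozenset
    inherited: bool = False

def acl_access(acl, groups):
    """Evaluate explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    granted, denied = set(), set()
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.principal not in groups:
            continue
        if ace.allow:
            granted |= ace.rights - denied   # an earlier Deny already settled these
        else:
            denied |= ace.rights - granted   # an earlier Allow already settled these
    return frozenset(granted)

def effective(ntfs_acl, share_acl, groups, via_share):
    """Local access sees NTFS only; a UNC connection gets NTFS capped by the share ACL."""
    ntfs = acl_access(ntfs_acl, groups)
    return ntfs & acl_access(share_acl, groups) if via_share else ntfs

RW = frozenset({READ, WRITE})
R = frozenset({READ})
LORRIN = {"Managers", "Users", "Everyone"}
SCOTT = {"Users", "Everyone"}              # assumed: an ordinary, non-manager user

# ACLs as the lab leaves them before Step 4 (constructed from the text).
ntfs_before = [Ace("Managers", True, RW), Ace("Users", True, RW, inherited=True)]
share_before = [Ace("Everyone", True, R)]
# After Step 4: share opened to Full Control, NTFS Users reduced to read.
ntfs_after = [Ace("Managers", True, RW), Ace("Users", True, R)]
share_after = [Ace("Everyone", True, RW)]

if __name__ == "__main__":
    for who, groups in (("Lorrin", LORRIN), ("Scott", SCOTT)):
        print(who, "before:", sorted(effective(ntfs_before, share_before, groups, True)),
              "after:", sorted(effective(ntfs_after, share_after, groups, True)))
```

Opening the share without also tightening the NTFS entry for Users would let Scott write through the share, which is why Step 4 changes both ACLs.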
Exam Highlights
Before taking the exam, review the key topics and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ Familiarize yourself with the tools that are used to configure shared folders, NTFS permissions, auditing and IIS. Spend some time with each snap-in, examining the properties that can be configured, and the role those properties play in managing files and folders.
■ Be fluent in the determination of effective permissions: the interaction of explicit, inherited, allowed, and denied permissions for multiple users, groups, computers, and logon types such as Interactive versus Network.
■ Know the three steps required to configure auditing, and the strategies you can use to determine what kind of auditing (success or failure) to engage for a particular goal.
■ Experience and understand the configuration of a Web site and virtual directory. If you are not experienced with IIS, be certain to implement the Practice in Lesson 4 as well as the Case Scenario and Troubleshooting Lab.
Key Terms
Hidden share: A shared folder can be hidden by appending a $ to its share name. Connections can be made to the share using the share’s UNC (for example, \\server01\docs$), but the share will not appear on browse lists. Windows Server 2003 creates hidden administrative shares, such as Admin$, Print$, and a hidden share for the root of each disk volume. Only administrators can connect to the hidden administrative shares.
Inheritance: By default, permissions assigned to a folder apply to the folder, its subfolders and files. In addition, files and folders are configured by default to allow inheritable permissions from their parent folder or volume to propagate to their ACL. Through these two mechanisms, permissions assigned to a high-level folder are propagated to its contents.
Effective permissions: Permissions can be allowed or denied, inherited or explicitly assigned. They can be assigned to one or more users, groups, or computers. The effective permissions are the overall permissions that result and determine the actual access for a security principal.
Ownership: Each NTFS file or folder maintains a property that indicates the security principal that owns the resource. The owner is able to modify the ACL of the object at any time, meaning the owner cannot be locked out of the resource. Ownership can be taken and transferred based on the Take Ownership permission and the Restore Files And Directories user right, respectively.
The special accounts (Creator Owner, Network, and Interactive): These security principals are dynamic, and represent the relationship between a user and a resource. When a user creates a file or folder, they are the Creator Owner of that resource, and any inheritable permissions on the parent folder or volume assigned to Creator Owner will be explicitly assigned to the user on the new object. Network and Interactive represent the connection state of the user—whether the user is connected to the resource from a remote client, or is logged on interactively to the computer that is maintaining the resource.
Audit Object Access policy: This policy, available in the Local Security Policy of a standalone Windows Server 2003 computer, or in Group Policy Objects, determines whether access to files, folders, and printers is registered in the Security log. When this policy is enabled, the Auditing Entries for each object determine the types of activities that are logged.
Virtual directory: A virtual directory is an IIS object that allows a folder on any local or remote volume to appear as a subfolder of a Web site.

Heaven is watching: when reposting, please credit this article's address with a link.
Article address: http://www.zhaoniupai.com/blog/archives/217.html