
6-2++ Practice: Configuring File System Permissions

Lesson 2 Configuring File System Permissions 6-25
Practice: Configuring File System Permissions
In this practice, you will use the ACL editor to secure resources, evaluate effective permissions, and transfer ownership of files. Be certain that you have configured the user and group accounts outlined in this chapter’s “Before You Begin” section.
Exercise 1: Configuring NTFS Permissions
1. Open the c:\docs folder that was shared in Lesson 1’s practice.
2. Create a folder called Project 101.
3. Open the ACL editor by right-clicking Project 101, choosing Properties, and clicking the Security tab.
4. Configure the folder so that it allows the access outlined in the table below. This will require you to consider and configure inheritance and permissions for groups.
Security Principal | Access
Administrators | Full Control
Users in the Project 101 Team | Can read data, add files and folders, and have full control of the files and folders they create.
Managers | Can read and modify all files, but cannot delete any files that they did not create. Managers should have full control of the files and folders they create.
System | Services running as the System account should have full control.
When you believe you have configured correct permissions, click Apply and click Advanced. Compare the Advanced Security Settings dialog box to the dialog box shown in Figure 6-10.
To configure these permissions, you must disallow inheritance. Otherwise, all users, not just those in the Project 101 group, will be able to read files in the Project 101 folder. The parent folder, c:\docs, is propagating the Users: Allow Read & Execute permission. The only way to prevent this access is to deselect the Allow Inheritable Permissions From The Parent… option. Notice that the requirements did not specify that you needed to prevent Users from reading, but it was also not indicated that Users required read access, and it is a security best practice to permit only the minimum required access.
6-26 Chapter 6 Files and Folders
After disallowing inheritance, the Advanced Security Settings dialog box should look like the dialog box in Figure 6-10.
Figure 6-10 The Permissions tab of the Advanced Security Settings dialog box
The option to allow inheritance has been deselected and all permissions are shown as <not inherited>. Administrators, System, and Creator Owner have full control. Remember that when Creator Owner has full control, a user who creates a file or folder is given full control of that resource. The Project 101 group is listed as having a special permission entry. If you select that entry and click View/Edit, you will see the specific permissions assigned to the Project 101 group, which should match the dialog box shown in Figure 6-11.
Figure 6-11 Special permissions for the Project 101 group
The Managers have Allow: Read, Write & Execute permission. This template includes the permissions to create files and folders and, like Project 101 team members, if a manager creates a resource, Managers are given the Creator Owner permissions for that resource. This permission set does not allow Managers to delete other users’ files. Remember that the Modify permissions template, which you did not assign, does include the Delete permission.
Exercise 2: Working with Deny Permissions
1. Assume a group of contractors is hired. All user accounts for contractors are members of the Project Contractors group, and do not belong to any other group in the domain. What must you do to prevent contractors from accessing the Project 101 folder you secured in the previous exercise?
Nothing. Because contractors do not belong to other groups in the domain, they do not have permissions given to them by the current ACL that would allow any resource access. It is therefore not necessary to deny permissions.
2. Assume that some user accounts, such as Scott Bishop’s account, belong to both the Project Contractors and the Engineers groups. What must be done to prevent access by contractors?
In this case, you must assign Deny permissions to the Project Contractors group. Because they will receive Allow permissions assigned to other groups, you must override those permissions with Deny permissions.
3. Configure the folder to Deny Project Contractors Full Control.
Exercise 3: Effective Permissions
1. Open the Advanced Security Settings dialog box for the Project 101 folder by opening the folder’s properties, clicking Security, then clicking Advanced.
2. Click Effective Permissions.
3. Select each of the following users and verify their permissions.
User | Effective Permissions
Scott Bishop | No permissions
Danielle Tiedt | Traverse Folder / Execute File; List Folder / Read Data; Read Attributes; Read Extended Attributes; Create Files / Write Data; Create Folders / Append Data; Read Permissions
Lorrin Smith-Bates | Traverse Folder / Execute File; List Folder / Read Data; Read Attributes; Read Extended Attributes; Create Files / Write Data; Create Folders / Append Data; Write Attributes; Write Extended Attributes; Read Permissions
If these permissions do not match yours, there is either an error in the permission list (in which case, go back to Exercises 1 and 2) or in groups and group membership (in which case, see this chapter’s “Before You Begin” section). Correct any errors and reverify effective permissions until they match these.
Exercise 4: Ownership
1. Log on as Danielle Tiedt.
2. Open the shared folder by connecting to \\Server01\Docs.
3. Open the Project 101 folder and create a text file called Report.
4. Open the Advanced Security Settings dialog box for Report.
5. Confirm that all permissions are inherited from the parent folder. What differences are there in the ACL between this object and the Project 101 folder?
The Project 101 folder grants Full Control to Creator Owner. The Report file grants Full Control to Danielle. When she created the file, her SID was assigned the permissions granted to the special Creator Owner group. In addition, the Project 101 Team’s permission to Create Files and Create Folders is a folder permission, so it does not appear on the ACL of Report.
6. Log on as Administrator.
7. Open the Advanced Security Settings dialog box for Report.
8. Click Owner.
9. Confirm that Danielle is listed as the current owner.
10. Select your user account and click Apply. You are now the owner of the object.
11. A user with the Restore Files And Directories user right is able to transfer ownership to another user. Click Other Users Or Group and select Lorrin Smith-Bates. Once Lorrin’s account is displayed in the Change Owner To list, select it and click Apply.
12. Confirm that Lorrin is now the owner of the Report.
13. Do you think that Lorrin now has full control of the object? Why or why not? Do you think that Danielle will keep full control, or will her permissions change? Confirm using the Effective Permissions page.
Lorrin does not have full control—only Modify permission. Lorrin is a member of the Managers group, which has Modify permission. The Full Control permission assigned to Creator Owner is only applied to a user when the user creates an object.
Note: Once an object has been created, changing ownership does not modify the ACL in any way. However, the new owner (or any user with Allow Change Permissions) can modify the ACL, as an additional step, to provide himself or herself with sufficient resource access.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. What are the minimum NTFS permissions required to allow users to open documents and run programs stored in a shared folder?
a. Full Control
b. Modify
c. Write
d. Read & Execute
e. List Folder Contents
2. Bill complains that he is unable to access the department plan. You open the Security tab for the plan and you find that all permissions on the document are inherited from the plan’s parent folder. There is a Deny Read permission assigned to a group to which Bill belongs. Which of the following methods would enable Bill to access the plan?
a. Modify the permissions on the parent folder by adding the permission Bill:Allow Full Control.
b. Modify the permissions on the parent folder by adding the permission Bill:Allow Read.
c. Modify the permissions on the plan by adding the permission: Bill:Allow Read.
d. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and removing the Deny permission.
e. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and adding the permission Bill:Allow Full Control.
f. Remove Bill from the group that is assigned the Deny permission.
3. Bill calls again to indicate that he still cannot access the departmental plan. You use the Effective Permissions tool, select Bill’s account, and the tool indicates that Bill is, in fact, allowed sufficient permissions. What might explain the discrepancy between the results of the Effective Permissions tool and the issue Bill is reporting?
Lesson Summary
■ NTFS permissions can be configured using the ACL editor, which itself has three dialog boxes: the Security tab, Advanced Security Settings, and Permission Entry For.
■ Permissions can be allowed or denied; explicit or inherited. A Deny permission takes precedence over an Allow permission; and an explicit permission takes precedence over an inherited permission. The result is that an explicit Allow permission can override an inherited Deny permission.
■ Inheritance allows an administrator to manage permissions from a single parent folder that contains files and folders that share common resource access requirements. A new object’s ACL will, by default, include the inheritable permissions from the parent folder.
■ It is possible to change the effect of inherited permissions on an object in several ways. You can modify the original (parent’s) permission and allow the new permission to be inherited by the object; you can set an explicit permission on the object, which will take precedence over the inherited permission; or you can disallow inheritance on the object and configure an ACL with explicit permissions that define resource access.
■ The Effective Permissions tab of the Advanced Security Settings dialog box is a useful tool that provides an approximation of resource access for a user or a group by analyzing that account’s permissions as well as the permissions of groups to which that account belongs.
■ The owner of an object can modify the object’s ACL at any time. A user that is allowed Take Ownership permission may take ownership of the object, and administrators may take ownership of any object on the system. Administrators, Backup Operators, and other accounts that have been given the Restore Files And Directories user right can transfer ownership of a file or folder from the current owner to any other user or group.
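
The precedence rules in the summary, and Scott Bishop's result in Exercise 3, can be checked with a small model of how ACEs are evaluated in canonical order. This is an added Python example, not part of the training kit; the five-bit rights mask, the names Pat and Sales, the group memberships, and the omission of Creator Owner are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed subset of NTFS rights, one bit each (not the real access mask).
READ, EXECUTE, CREATE, WRITE_ATTR, DELETE = 1, 2, 4, 8, 16
FULL = READ | EXECUTE | CREATE | WRITE_ATTR | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str             # "allow" or "deny"
    trustee: str          # user or group name, standing in for a SID
    mask: int
    inherited: bool = False

def canonical(aces):
    # Explicit ACEs first, then inherited; Deny before Allow within each.
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def effective(aces, token):
    """Walk the ACEs in canonical order; the first ACE that mentions a right
    for any name in the token decides that right."""
    granted = decided = 0
    for ace in canonical(aces):
        if ace.trustee in token:
            if ace.kind == "allow":
                granted |= ace.mask & ~decided
            decided |= ace.mask
    return granted

# Project 101 after Exercises 1 and 2: inheritance disallowed, all ACEs explicit.
PROJECT_101 = [
    Ace("allow", "Administrators", FULL),
    Ace("allow", "SYSTEM", FULL),
    Ace("allow", "Project 101 Team", READ | EXECUTE | CREATE),
    Ace("allow", "Managers", READ | EXECUTE | CREATE | WRITE_ATTR),
    Ace("deny", "Project Contractors", FULL),
]
# Assumed memberships: the "Before You Begin" setup is not on this page, and
# Engineers is assumed here to be nested in Project 101 Team.
DANIELLE = {"Danielle Tiedt", "Project 101 Team"}
LORRIN = {"Lorrin Smith-Bates", "Managers"}
SCOTT = {"Scott Bishop", "Engineers", "Project 101 Team", "Project Contractors"}

# Constructed file ACL: a Deny inherited from the parent folder, then the same
# ACL with an explicit Allow added on the file itself.
PAT = {"Pat", "Sales", "Users"}
INHERITED_DENY = [Ace("deny", "Sales", READ, inherited=True),
                  Ace("allow", "Users", READ, inherited=True)]
WITH_EXPLICIT_ALLOW = INHERITED_DENY + [Ace("allow", "Pat", READ)]
```

Calling `effective(PROJECT_101, SCOTT)` returns 0 because the explicit Deny is evaluated before any Allow, while `effective(WITH_EXPLICIT_ALLOW, PAT)` returns `READ` because the explicit Allow is evaluated before the inherited Deny.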


Heaven sees what people do; when reposting, please credit this article's address as a link.
Article address: http://www.zhaoniupai.com/blog/archives/222.html