In this practice, you will use the ACL editor to secure resources, evaluate effective permissions and transfer ownership of files. Be certain that you have configured the user and group accounts outlined in this chapter’s “Before You Begin” section.
Exercise 1: Configuring NTFS Permissions
1. Open the c:\docs folder that was shared in Lesson 1’s practice.
2. Create a folder called Project 101.
3. Open the ACL editor by right-clicking Project 101, choosing Properties, and clicking the Security tab.
4. Configure the folder so that it allows the access outlined in the table below. This will require you to consider and configure inheritance and permissions for groups.
Security Principal: Access
Administrators: Full Control
Users in the Project 101 Team: Can read data, add files and folders, and have full control of the files and folders they create.
Managers: Can read and modify all files, but cannot delete any files that they did not create. Managers should have full control of the files and folders they create.
System: Services running as the System account should have full control.
When you believe you have configured correct permissions, click Apply and click Advanced. Compare the Advanced Security Settings dialog box to the dialog box shown in Figure 6-10.
To configure these permissions, you must disallow inheritance. Otherwise, all users, not just those in the Project 101 group, will be able to read files in the Project 101 folder. The parent folder, c:\docs, is propagating the Users: Allow Read & Execute permission. The only way to prevent this access is to deselect the Allow Inheritable Permissions From The Parent… option. Notice that the requirements did not specify that you needed to prevent Users from reading, but it was also not indicated that Users required read access, and it is a security best practice to permit only the minimum required access.
After disallowing inheritance, the Advanced Security Settings dialog box should look like the dialog box in Figure 6-10.
Figure 6-10 The Permissions tab of the Advanced Security Settings dialog box
The option to allow inheritance has been deselected and all permissions are shown as <not inherited>. Administrators, System, and Creator Owner have full control. Remember that when Creator Owner has full control, a user who creates a file or folder is given full control of that resource. The Project 101 group is listed as having a special permission entry. If you select that entry and click View/Edit, you will see that the specific permissions assigned to the Project 101 group should match the dialog box shown in Figure 6-11.
Figure 6-11 Special permissions for the Project 101 group
The Managers have Allow: Read, Write & Execute permission. This template includes the permissions to create files and folders and, like Project 101 team members, if a manager creates a resource, Managers are given the Creator Owner permissions for that resource. This permission set does not allow Managers to delete other users’ files. Remember that the Modify permissions template, which you did not assign, does include the Delete permission.
Exercise 2: Working with Deny Permissions
1. Assume a group of contractors is hired. All user accounts for contractors are members of the Project Contractors group, and do not belong to any other group in the domain. What must you do to prevent contractors from accessing the Project 101 folder you secured in the previous exercise?
Nothing. Because contractors do not belong to other groups in the domain, they do not have permissions given to them by the current ACL that would allow any resource access. It is therefore not necessary to deny permissions.
2. Assume that some user accounts, such as Scott Bishop’s account, belong to both the Project Contractors and the Engineers groups. What must be done to prevent access by contractors?
In this case, you must assign Deny permissions to the Project Contractors group. Because they will receive Allow permissions assigned to other groups, you must override those permissions with Deny permissions.
3. Configure the folder to Deny Project Contractors Full Control.
Exercise 3: Effective Permissions
1. Open the Advanced Security Settings dialog box for the Project 101 folder by opening the folder’s properties, clicking Security, then clicking Advanced.
2. Click Effective Permissions.
3. Select each of the following users and verify their permissions.
User: Effective Permissions
Scott Bishop: No permissions
Danielle Tiedt: Traverse Folder / Execute File; List Folder / Read Data; Read Attributes; Read Extended Attributes; Create Files / Write Data; Create Folders / Append Data; Read Permissions
Lorrin Smith-Bates: Traverse Folder / Execute File; List Folder / Read Data; Read Attributes; Read Extended Attributes; Create Files / Write Data; Create Folders / Append Data; Write Attributes; Write Extended Attributes; Read Permissions
If these permissions do not match yours, there is either an error in the permission list (in which case, go back to Exercises 1 and 2) or in groups and group membership (in which case, see this chapter’s “Before You Begin” section). Correct any errors and reverify effective permissions until they match these.
Exercise 4: Ownership
1. Log on as Danielle Tiedt.
2. Open the shared folder by connecting to \\Server01\Docs.
3. Open the Project 101 folder and create a text file called Report.
4. Open the Advanced Security Settings dialog box for Report.
5. Confirm that all permissions are inherited from the parent folder. What differences are there in the ACL between this object and the Project 101 folder?
The Project 101 folder grants Full Control to Creator Owner. The Report file grants Full Control to Danielle. When she created the file, her SID was assigned the permissions granted to the special Creator Owner group. In addition, the Project 101 Team’s permission to Create Files and Create Folders is a folder permission, so it does not appear on the ACL of Report.
6. Log on as Administrator.
7. Open the Advanced Security Settings dialog box for Report.
8. Click Owner.
9. Confirm that Danielle is listed as the current owner.
10. Select your user account and click Apply. You are now the owner of the object.
11. A user with the Restore Files And Directories user right is able to transfer ownership to another user. Click Other Users Or Group and select Lorrin Smith-Bates. Once Lorrin’s account is displayed in the Change Owner To list, select it and click Apply.
12. Confirm that Lorrin is now the owner of the Report.
13. Do you think that Lorrin now has full control of the object? Why or why not? Do you think that Danielle will keep full control, or will her permissions change? Confirm using the Effective Permissions page.
Lorrin does not have full control—only Modify permission. Lorrin is a member of the Managers group, which has Modify permission. The Full Control permission assigned to Creator Owner is only applied to a user when the user creates an object.
Note: Once an object has been created, changing ownership does not modify the ACL in any way. However, the new owner (or any user with Allow Change Permissions) can modify the ACL, as an additional step, to provide himself or herself with sufficient resource access.
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. What are the minimum NTFS permissions required to allow users to open documents and run programs stored in a shared folder?
a. Full Control
d. Read & Execute
e. List Folder Contents
2. Bill complains that he is unable to access the department plan. You open the Security tab for the plan and you find that all permissions on the document are inherited from the plan’s parent folder. There is a Deny Read permission assigned to a group to which Bill belongs. Which of the following methods would enable Bill to access the plan?
a. Modify the permissions on the parent folder by adding the permission Bill:Allow Full Control.
b. Modify the permissions on the parent folder by adding the permission Bill:Allow Read.
c. Modify the permissions on the plan by adding the permission: Bill:Allow Read.
d. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and removing the Deny permission.
e. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and adding the permission Bill:Allow Full Control.
f. Remove Bill from the group that is assigned the Deny permission.
3. Bill calls again to indicate that he still cannot access the departmental plan. You use the Effective Permissions tool, select Bill’s account, and the tool indicates that Bill is, in fact, allowed sufficient permissions. What might explain the discrepancy between the results of the Effective Permissions tool and the issue Bill is reporting?
■ NTFS permissions can be configured using the ACL editor, which itself has three dialog boxes: the Security tab, Advanced Security Settings, and Permission Entry For.
■ Permissions can be allowed or denied; explicit or inherited. A Deny permission takes precedence over an Allow permission; and an explicit permission takes precedence over an inherited permission. The result is that an explicit Allow permission can override an inherited Deny permission.
■ Inheritance allows an administrator to manage permissions from a single parent folder that contains files and folders that share common resource access requirements. A new object’s ACL will, by default, include the inheritable permissions from the parent folder.
■ It is possible to change the effect of inherited permissions on an object in several ways. You can modify the original (parent’s) permission and allow the new permission to be inherited by the object; you can set an explicit permission on the object, which will take precedence over the inherited permission; or you can disallow inheritance on the object and configure an ACL with explicit permissions that define resource access.
■ The Effective Permissions tab of the Advanced Security Settings dialog box is a useful tool that provides an approximation of resource access for a user or a group by analyzing that account’s permissions as well as the permissions of groups to which that account belongs.
■ The owner of an object can modify the object’s ACL at any time. A user that is allowed Take Ownership permission may take ownership of the object, and administrators may take ownership of any object on the system. Administrators, Backup Operators, and other accounts that have been given the Restore Files And Directories user right can transfer ownership of a file or folder from the current owner to any other user or group.
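The precedence rules summarized above, applied to the Project 101 ACL from Exercises 1 through 3, as an added example that is not part of the original text. It is a simplified Python model of the access check rather than Windows code; the coarse rights, Danielle’s group membership, and the "Staff" and "member" names are assumptions.

```python
# Added example: simplified model of NTFS DACL evaluation, not Windows API code.
from typing import NamedTuple

# Coarse rights standing in for the special permissions listed in Exercise 3.
READ, CREATE, WRITE_ATTR, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
FULL = READ | CREATE | WRITE_ATTR | DELETE | CHANGE_PERMS

class Ace(NamedTuple):
    principal: str
    allow: bool            # True = Allow entry, False = Deny entry
    rights: int
    inherited: bool = False

def effective(acl, sids):
    """Rights granted to a token holding `sids`, walking ACEs in canonical order."""
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    granted = denied = 0
    for ace in ordered:
        if ace.principal not in sids:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied   # a bit already denied stays denied
        else:
            denied |= ace.rights & ~granted   # a bit already granted stays granted
    return granted

# Project 101 after Exercises 1 and 2: inheritance disabled, every ACE explicit.
PROJECT_101 = [
    Ace("Administrators", True, FULL),
    Ace("SYSTEM", True, FULL),
    Ace("CREATOR OWNER", True, FULL),  # takes effect only on objects a user creates
    Ace("Project 101 Team", True, READ | CREATE),
    Ace("Managers", True, READ | CREATE | WRITE_ATTR),
    Ace("Project Contractors", False, FULL),
]
# Group memberships; Danielle's is an assumption (the page gives only her result).
SCOTT = {"Scott Bishop", "Project Contractors", "Engineers"}
DANIELLE = {"Danielle Tiedt", "Project 101 Team"}
LORRIN = {"Lorrin Smith-Bates", "Managers"}

# Constructed file ACL: inherited Deny on hypothetical group "Staff", explicit Allow for "member".
PLAN = [
    Ace("Staff", False, READ, inherited=True),
    Ace("Staff", True, READ | CREATE, inherited=True),
    Ace("member", True, READ),
]
if __name__ == "__main__":
    print([effective(PROJECT_101, t) for t in (SCOTT, DANIELLE, LORRIN)], effective(PLAN, {"member", "Staff"}))
```

Because the explicit Allow is evaluated before the inherited Deny, the READ bit is already granted when the Deny entry is reached; within the same level (both explicit or both inherited) the Deny entry is evaluated first and wins.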