Wednesday, July 18, 2012

How to Manage Access to Shared Folders in Windows 7


What does Authentication and Authorization mean?

  • Authentication: Proving who you are to a computer or to a computer resource, normally with a user ID and password. Where the infrastructure is critical, a password alone is not enough, and digital certificates issued and verified by a Certification Authority are used instead of, or in addition to, the password (for example on a smart card).
  • Authorization: Determining whether the authenticated identity is permitted to use a particular resource.
  • Access: The specific actions (read, write, delete, change permissions, and so on) that the permission level allows on that resource.

What is Windows Authentication?

  • Kerberos v5 Protocol: The default authentication protocol for Windows 7 clients that are joined to an Active Directory domain with Windows 2000 Server or later domain controllers. Kerberos needs a service principal name (SPN) for the target, so connecting to a server by IP address instead of by name falls back to NTLM.
  • NTLM (NT LAN Manager): A challenge/response protocol kept for backward compatibility with pre-Windows 2000 systems and used whenever Kerberos is not available: workgroup computers, local accounts, and targets without an SPN. NTLM provides authentication and, with session signing and sealing, integrity and confidentiality for the session. It is the weaker of the two protocols and is the one targeted by relay and pass-the-hash attacks, so audit where it is still used and restrict it where you can.
  • Certificates: Rely on a trusted third party, the Certification Authority in a public key infrastructure (PKI), to vouch for who you are, for example when you log on with a smart card.

What are the Authentication Features in Windows 7?

Smart Cards

  • Kerberos support for smart card logon
  • BitLocker Drive Encryption with the smart card option to unlock the drive
  • Document and e-mail signing

Biometrics

  • WBF, the Windows Biometric Framework, provides support for fingerprint biometric devices. WBF makes it simpler for users and administrators to configure and control biometric devices on a local computer or in a domain.

Online Identity Integration

The Group Policy setting Network security: Allow PKU2U authentication requests to this computer to use online IDs allows or prevents online IDs (such as Windows Live IDs) from authenticating to the computers that you manage. The setting does not affect the ability of domain or local user accounts to log on to the computer. The feature complements the HomeGroup feature in Windows 7 by using online IDs to identify individuals within the network, so that users in a small network can elect to share data, such as media files. To allow the authentication, the user must link their Windows user account to an online ID.
The policy setting is located under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. In previous versions of Windows, the policy setting name is Network Security: Disable online identity usage in PKU2U. On domain-joined computers, where HomeGroup is not used, leave the setting disabled so that only domain and local accounts can authenticate to the machine.

See: Introducing Online Identity Integration


How to Manage File Access in Windows 7

What are NTFS Permissions?

NTFS file and folder permissions define the types of access granted to a user, group, or computer for a file or folder.  See: NTFS Permissions or Share and NTFS Permissions on a File Server

Permissions are granted by owners and by anyone with permission to grant permissions; normally this includes administrators on the system. If you own an object, you can grant any user or security group any permissions on that object, including the permission to take ownership. 
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. Permissions, which are defined within an object's security descriptor, are associated with, or assigned to, specific users and groups.

See: Where Access Control Information Comes From 

Sometimes NTFS permissions are called local permissions, because they apply no matter how you access the file, locally or over the network, and are always in effect. The two types of NTFS permissions are:

  1. Standard (basic) permissions, each of which is a named bundle of special permissions:
    • Read
    • Read & Execute
    • List Folder Contents (folders only)
    • Write
    • Modify
    • Full Control
  2. Special (advanced) permissions, which give a finer degree of control over files and folders, for example:
    • Read Attributes / Write Attributes
    • Read Extended Attributes / Write Extended Attributes
    • Delete Subfolders and Files
    • Take Ownership
    • Synchronize

Share permissions, by contrast, apply only when you reach a file or folder through a network share.

Note: When you access a file through a network share, the NTFS permissions still apply as well, and the more restrictive of the two wins.

What is Permission Inheritance?

The two types of permissions are:
  1. Explicit permissions: Permissions set directly on the object, either by default when it is created or by an owner or administrator afterwards.
  2. Inherited permissions: Permissions propagated to the object from its parent folder.

To decide whether a folder's subfolders and files inherit its permissions, configure the inheritance flags in Advanced Security Settings.

How Inheritance Affects File and Folder Permissions

Explicit permissions take precedence over inherited permissions, even inherited Deny permissions: an explicit Allow on a file beats a Deny inherited from its folder. (An explicit Deny still beats an explicit Allow.)

You can block inheritance on a folder. That folder then stops receiving its parent's permissions, and so do the subfolders and files below it. When you block inheritance, Windows asks whether to copy the previously inherited entries onto the folder as explicit entries or to remove them; be careful with the remove option, because it can leave the folder with no entries at all.

See: How inheritance affects file and folder permissions

How Permissions work when Copying and Moving Files and Folders 

When you copy a file or folder, whether within the same NTFS volume or to a different one, a new object is created and it inherits the permissions of the destination folder. Explicit permissions on the original are not copied.

When you move a file or folder to a different NTFS volume, Windows really copies it and then deletes the original, so the result is the same: the file or folder inherits the permissions of the destination folder.

When you move a file or folder within the same NTFS volume, the object itself is kept. Explicitly assigned permissions (those not received by inheritance) are retained, and the inherited entries are replaced by those of the new parent folder. That is what Windows Explorer does; command-line tools that move the object without touching its security descriptor can leave the old inherited entries in place until inheritance is re-applied.
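The following script is an added demonstration and not part of the original post. It builds a scratch tree under %TEMP% (assumed to be on an NTFS volume), gives the destination folder an inheritable entry the source does not have, puts an explicit entry on one file, and then shows what icacls reports after a copy and after a same-volume move. Because Move-Item does not fix up inherited entries the way Explorer does, the last step re-applies inheritance so you can compare. The SIDs used (S-1-5-32-545 Users, S-1-5-32-546 Guests) are well-known built-in groups; the file name and content are constructed for the demo.

```powershell
# Added demo (not from the original post). Run in a normal (non-elevated) prompt.
$root = Join-Path $env:TEMP ('aclmove-' + [guid]::NewGuid())
$src  = Join-Path $root 'Src'
$dst  = Join-Path $root 'Dst'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null

# Inheritable ACE on the destination only, so entries that came from Dst are easy
# to spot. (OI)(CI) = applies to files and subfolders below; RX = Read & Execute.
icacls $dst /grant '*S-1-5-32-546:(OI)(CI)RX' | Out-Null      # BUILTIN\Guests

# One file with an explicit (non-inherited) ACE of its own.
$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'
icacls $file /grant '*S-1-5-32-545:R' | Out-Null               # BUILTIN\Users, explicit

Write-Host "`n== original =="
icacls $file

# Copy: a new file is created, so it only has (I) entries, all from Dst.
Copy-Item $file (Join-Path $dst 'copied.txt')
Write-Host "`n== copied (expect only (I) entries, from Dst; no Users:R) =="
icacls (Join-Path $dst 'copied.txt')

# Move on the same volume: the explicit Users:R entry survives. Move-Item uses
# MoveFileEx, which does not rewrite the security descriptor, so the (I) entries
# may still be those of Src until inheritance is re-applied.
$moved = Join-Path $dst 'moved.txt'
Move-Item $file $moved
Write-Host "`n== moved (expect explicit Users:R kept) =="
icacls $moved

# Re-applying inheritance recomputes the (I) entries from the new parent while
# leaving the explicit entry alone.
icacls $moved /inheritance:e | Out-Null
Write-Host "`n== moved, after /inheritance:e (expect Guests:(I)RX from Dst) =="
icacls $moved

Remove-Item $root -Recurse -Force
```

In the icacls listings, entries tagged (I) are inherited and untagged entries are explicit, which is exactly the distinction the rules above depend on.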

What are Effective Permissions?

Effective permissions are the combined set of rights a user actually has on a file or folder, determined by Windows 7 from every permission entry that applies to that user, directly or through group membership.

To determine effective permissions:
  • Permissions granted to the user and to all of the user's groups are combined (Allow entries accumulate).
  • Deny permissions override Allow permissions, with the one exception noted above: an explicit Allow beats an inherited Deny.

The Effective Permissions tab in Advanced Security Settings:
  • Calculates and displays the permissions granted to a user or group.
  • Determines all domain and local groups the user is a member of.
  • Takes into account permissions inherited from the parent object.
  • Does not take share permissions into account, nor the difference between a local and a network logon, so treat it as a guide rather than as proof.

Examples of Determining Effective Permissions

You have Folder1, and Folder2 is a subfolder of Folder1.
Inside Folder1 is File1 and inside Folder2 is File2. Inheritance is enabled everywhere unless stated otherwise, and the user in question is a member of both the Users group and the Sales group.

1   The Users group has Write permission for Folder1.
     The Sales group has Read permission for Folder1.
a. What are the user's permissions on Folder1? Read and Write, because the Allow permissions of both groups accumulate.

2   The Users group has Read permission for Folder1. 
     The Sales group has Write permission for Folder2.
a. What are the user's permissions on File1? Read, inherited from Folder1. 
b. What are the user's permissions on File2? Read (inherited from Folder1 through Folder2) and Write (inherited from Folder2).

3   The Users group has Modify permission for Folder1.
     File2 has an explicit Read permission for the Sales group.

a. What are the user's permissions on File2? Modify. The explicit Read for Sales does not limit anything; an Allow entry can only add rights, and the user already inherits Modify from Folder1 through the Users group. If Sales members are supposed to have Read only on File2, block inheritance on File2 and remove the inherited entries, so that only the explicit Sales: Read entry remains. Adding an explicit Deny for Write would also work, but Deny entries are harder to reason about (they hit every member of the group, including administrators), so prefer blocking inheritance.

See: View Effective Permissions on Files and Folders
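To make the rules used in the three examples concrete, here is an added PowerShell function (not from the original post, and not the Effective Permissions tab itself) that reads the ACL with Get-Acl and walks it the way the Windows access check does: explicit Deny, explicit Allow, inherited Deny, inherited Allow, accumulating Allow bits and letting a Deny remove only bits not already granted by an earlier entry. The function name, parameter names, and the CONTOSO account names in the usage line are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes $Path is on NTFS.
function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        # Account names to evaluate (the user plus every group the user belongs to),
        # e.g. 'CONTOSO\alice','CONTOSO\Sales','BUILTIN\Users'. If omitted, the
        # current logon token is used.
        [string[]] $Identity
    )
    # Set of SIDs held by the principal being evaluated.
    if ($Identity) {
        $sids = $Identity | ForEach-Object {
            ([System.Security.Principal.NTAccount]$_).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value }
    } else {
        $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $sids  = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    }

    # Generic rights, as they appear on some default ACEs, mapped to the file-specific
    # masks from winnt.h. Decimal because PowerShell parses 0x80000000 as a negative Int32.
    $generic = @(
        @{ Bit = [int64]2147483648; Mask = [int64]1179785 }   # GENERIC_READ    -> FILE_GENERIC_READ    0x120089
        @{ Bit = [int64]1073741824; Mask = [int64]1179926 }   # GENERIC_WRITE   -> FILE_GENERIC_WRITE   0x120116
        @{ Bit = [int64]536870912;  Mask = [int64]1179808 }   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE 0x1200A0
        @{ Bit = [int64]268435456;  Mask = [int64]2032127 }   # GENERIC_ALL     -> FILE_ALL_ACCESS      0x1F01FF (Full Control)
    )

    $acl   = Get-Acl -Path $Path
    # Explicit and inherited rules, identities as SIDs, in DACL (canonical) order.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    [int64]$granted = 0
    [int64]$denied  = 0
    foreach ($ace in $rules) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries exist to be passed to children; they do not apply here.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        # Enum is Int32; mask off sign extension to get the raw 32-bit access mask.
        $mask = ([int64][int]$ace.FileSystemRights) -band [int64]4294967295
        foreach ($g in $generic) {
            if ($mask -band $g.Bit) { $mask = ($mask -band (-bnot $g.Bit)) -bor $g.Mask }
        }
        if ($ace.AccessControlType -eq 'Allow') {
            # Allow adds only bits no earlier Deny has taken away.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        } else {
            # Deny removes only bits no earlier (explicit) Allow has already granted.
            $denied  = $denied  -bor ($mask -band (-bnot $granted))
        }
    }
    New-Object PSObject -Property @{
        Path   = $Path
        Mask   = ('0x{0:X}' -f $granted)
        Rights = [System.Security.AccessControl.FileSystemRights]$granted
    }
}

# Usage for example 3 above, assuming such a tree and such accounts exist:
# Get-EffectiveNtfsRights -Path 'C:\Folder1\Folder2\File2' -Identity 'CONTOSO\alice','CONTOSO\Sales','BUILTIN\Users'
```

Like the Effective Permissions tab, this ignores share permissions. It also does not model the owner's implicit READ_CONTROL and WRITE_DAC, deny-only group SIDs in a UAC-filtered token, or privileges such as SeBackupPrivilege that bypass the DACL entirely, so a result of "nothing" for an administrator does not mean the administrator cannot get in.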

Managing Shared Folders

A shared folder is a folder that has been made available over the network (using the SMB file sharing protocol) so that users on other computers can reach its contents.

You can share a folder, but not an individual file. If you want to share a file, you must put it in a folder and share the folder.

Windows also creates a set of administrative shares by default, for example C$, ADMIN$ and IPC$. These are hidden shares: the trailing $ keeps them out of browse lists, but that is not a security control. They are accessible to members of the Administrators group.

The default share permissions depend on how you share. Advanced Sharing starts with Everyone: Read; basic sharing gives the user who shared the folder Full Control (shown as Owner) and gives the people you pick Read or Read/Write.

Folders can be shared using the methods below. See: Set Permissions on a Shared Resource

Methods of Sharing Folders

See: Shared Folders

·       Basic Sharing
o   Enables you to share folders quickly
o   Allows you to configure permissions (not as granular as NTFS permissions)
To share a folder using basic sharing, right-click the folder and click Share with.
·       Advanced Sharing
o   Configure permissions, the number of simultaneous connections, and caching options (for offline files)
o   Choose the share name (if it ends with a $ sign, it becomes a hidden share)
To use Advanced Sharing, right-click the folder, click Properties, click the Sharing tab, and then click Advanced Sharing.
·       Public Sharing
o   Multiple default Public folders (Public Documents, Public Pictures, and so on) on each computer
o   Shared with everyone who has an account on the same computer and, when Public folder sharing is turned on in the advanced sharing settings, with everyone on the network
o   Access controlled by permissions 
To share something, simply copy or move it into one of the Public folders.

Combining NTFS and Share Permissions

Share permissions cannot loosen NTFS permissions. When both apply, the effective permission over the network is the more restrictive of the two.

If you have Full Control on a shared folder but only Read NTFS permissions, you still only have Read when you go through the share, because of NTFS.

If you have Full Control NTFS permissions but only Read on the share, you get Read effective permissions while going through the network connection. But if you log on locally, share permissions are not evaluated at all, and you have Full Control.

If you are a member of multiple groups and each group has a different set of share permissions, the effective share permissions are the accumulated Allow permissions of those groups, with any Deny winning. The same applies to NTFS: you take the accumulated permissions. Only then do you compare the two results and take the more restrictive one.

A Remote Desktop session is the same as a local logon: you reach the files by local path, so share permissions do not apply.

A common and manageable pattern is therefore to keep the share permission simple (for example Authenticated Users: Change, or Full Control if administrators need to change permissions remotely) and do the real access control with NTFS permissions, which apply whichever path the user takes.
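As an added example (not from the original post), the script below creates a share using that pattern with the built-in net share and icacls tools, since Windows 7 has no New-SmbShare cmdlet. The path, the share name, and the CONTOSO\Sales and CONTOSO\Sales-Admins groups are assumptions; the SIDs S-1-5-18 and S-1-5-32-544 are the well-known SYSTEM and Administrators identities. It must be run from an elevated prompt.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell.
$path  = 'C:\Shares\Sales'
$share = 'Sales$'   # trailing $ hides the share from browse lists; it is not access control

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS layer, in one icacls call: stop inheriting from C:\Shares (dropping the
# inherited entries), then grant exactly what each role needs. No Deny entries:
# absence of an Allow already denies. (OI)(CI) propagates to files and subfolders.
icacls $path /inheritance:r /grant `
    '*S-1-5-18:(OI)(CI)F' `
    '*S-1-5-32-544:(OI)(CI)F' `
    'CONTOSO\Sales-Admins:(OI)(CI)M' `
    'CONTOSO\Sales:(OI)(CI)RX'

# Share layer: Authenticated Users get Change, so the NTFS ACL above alone decides
# who can write. FULL on the share would also let NTFS Full Control holders change
# permissions over the network, which Change does not allow. Each argument is
# quoted as a whole so PowerShell does not split it on the comma.
net share "$share=$path" '/grant:Authenticated Users,CHANGE' '/grant:Administrators,FULL' '/remark:Sales documents'

# Verify both layers.
net share $share
icacls $path
```

Members of CONTOSO\Sales end up with Read & Execute over the network (Change on the share, RX on NTFS; RX is the more restrictive), while Sales-Admins get Modify; nobody outside those groups, other than SYSTEM and Administrators, has any NTFS entry and therefore no access at all.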

The Network and Sharing Center

A centralized location that provides services to view, configure, and troubleshoot network access and sharing related to network resources.  See: Network and Sharing Center Operations Guide. Access Network and Sharing Center by going to Windows Control Panel, or type "Network and Sharing Center" on the Start menu.

The Network and Sharing Center tools:
  • View a Network Map
  • Set Up a New Connection or Network
  • Change Advanced Sharing Options
  • Choose Homegroup and Sharing Options
  • Fix a Network Problem
See: Best Practices for Administering Network and Sharing Center

View a Network Map

View a Network Map graphically displays the computers and other network devices on your network. Network mapping uses Link-Layer Topology Discovery (LLTD) and the Function Discovery service in Windows to determine what devices are on the network and their interconnection. You must download and install the LLTD Responder component on Windows XP computers, in order to see the XP computers displayed on the Network Map.

View a Network Map shows the active network devices in local area network that you can configure or troubleshoot. You can view the path from your computer through the network and receive diagnostics to determine any connection problems you might be having.

To view the full map, click the See full map link. By default, the See full map option is disabled on domains for end-users, but is available for network administrators.

Your computer is always displayed in the upper-left corner and the other devices appear underneath. Infrastructure components (hubs, switches, routers) that connect devices together are on the right, with lines showing the connections from the devices through the infrastructure components to other devices on the network.

Each device includes a description, icon, and the current connectivity state. Wireless connections show the wireless signal strength. Hover the mouse over a device for additional information, such as the SSID.

Set Up a New Connection or Network

In the Network and Sharing Center, you can also customize the active network connections by changing the description and icon of network components: click View Status next to the connection. Note: You are able to change the network location profile to private (Home or Work) or Public, which changes the firewall and visibility settings for that particular network connection.

You can set up a new connection:
  • Connect to the Internet. Set up wireless, broadband, or dial-up connection to the Internet.
  • Set up a Network. Set up a new router or access point.
  • Set up a Dial-up Connection. Connect to Internet using a dial-up connection.
  • Connect to a Workplace. Set up a dial-up or VPN connection to your workplace.

Change advanced sharing settings

The Network and Sharing Center has a Change advanced sharing settings link where you can enable, disable, and change the behavior of network services such as network discovery, file and printer sharing, Public folder sharing, and password protected sharing. When you connect to a network for the first time, you must choose a network location. The network location selects the Windows Firewall profile (Domain, Private, or Public) and the sharing settings that apply on that network, so you get the appropriate security level. In Windows 7, you have the following network locations:
  • Home. A trusted home network, where you recognize all of the computers. Do not choose this location for public places. Network discovery is turned on for home networks. Network discovery allows other network users to see your computer. Home maps to the Private firewall profile.
  • Work. A trusted work network or small office, where you recognize all of the computers. Do not choose this location for public places. Network discovery is turned on by default, but you can't create or join a HomeGroup. Work also maps to the Private firewall profile; a domain-joined computer that can reach its domain controller uses the Domain profile instead.
  • Public. Choose a Public location when you are in a public place, such as a coffee shop or airport. This keeps other computers from seeing your computer and helps protect it from malicious software. Network discovery is turned off and HomeGroup is unavailable. In addition, choose this location if you connect to the Internet without a router or if you have a mobile broadband connection.  
note: If you know you won't share files or printers, the safest option is Public. 
note: Windows 7 ships with Windows Firewall with Advanced Security enabled by default. If you use another firewall, it might interfere with Network Discovery and file-sharing features. Keep password protected sharing turned on unless you specifically need anonymous access to the Public folders.
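The network location only matters because of the firewall profile it selects. As an added example (not from the original post), the commands below use netsh advfirewall, which is present on Windows 7, to show which profile is active and to make sure the inbound File and Printer Sharing rules are disabled on the Public profile while leaving the Domain and Private profiles alone. The rule group name is the one Windows uses for its built-in SMB and NetBIOS rules; run from an elevated prompt.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell.

# Which profile (Domain / Private / Public) the current network location selected,
# and whether inbound connections are blocked by default on it.
netsh advfirewall show currentprofile

# Disable every rule in the "File and Printer Sharing" group, but only for the
# public profile (profile= before "new" is a selector, enable= after it is the change).
netsh advfirewall firewall set rule group="File and Printer Sharing" profile=public new enable=No

# Confirm: list the inbound rules that apply to the public profile and show, for
# each, its name, grouping and enabled state.
netsh advfirewall firewall show rule name=all dir=in profile=public |
    findstr /C:"Rule Name:" /C:"Grouping:" /C:"Enabled:"
```

If the currentprofile output says Public and the File and Printer Sharing entries show Enabled: No, a machine on that coffee-shop network gets no SMB listener to talk to, regardless of what the advanced sharing settings say.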


Choose home group and sharing options

The HomeGroup feature is available if a homegroup is defined on your network, or if you joined a homegroup from a domain-joined computer. You can use HomeGroup to share pictures, music, video, documents, and printers on your network between a group of computers. HomeGroup is password protected, and you decide which libraries are shared; you can also make shared files read-only.

You can only create a HomeGroup on Windows 7 Home Premium, Professional, Ultimate, or Enterprise editions, but you can join a home group on any version of Windows 7.

Fix a Network Problem 

Using the Network troubleshooter in Windows 7

Use this feature to diagnose and repair network problems for the following network components:
  • Internet connections
  • Connections to shared folders
  • HomeGroup
  • Network adapter
  • Incoming connections
  • Printers

Configuring File Compression

NTFS compression compresses individual files, folders, or whole volumes transparently, as a function of the file system.

Compression saves disk space. It does not reduce network traffic: the file system decompresses the data before it is handed to the application or sent over the network.

System files and folders should not be compressed.

Compression is an NTFS attribute.

New files created in a compressed folder are compressed by default.

The compression state of a folder does not necessarily reflect the state of the files inside it. A folder can be compressed without compressing its contents, and some or all of the files in a compressed folder can be uncompressed. 

Free space does reflect the savings, but NTFS disk quotas are charged on the uncompressed file size. For example, if a user has 5 MB of quota left, compressing their files does not give them more quota to work with, even though the files now occupy less space on disk.

Applications only ever see the uncompressed data. Windows decompresses the data as it is read and compresses it again as it is written, so the application does not need to know about compression at all.

NTFS-compressed file and folder names are displayed in a different color (blue by default) in Windows Explorer.

NTFS-compressed files cannot be encrypted with EFS; the two attributes are mutually exclusive. 

Compressed files can slow some applications down, but this is not much of an issue on current hardware.

note: Use the compact command-line tool to manage NTFS compression.

Impact of Moving and Copying Compressed Files and Folders

If you copy a compressed file, the new file takes the compression state of the folder you copy it into.

If you move a compressed file within the same NTFS volume, the file keeps its own compression state, whatever the state of the destination folder.

If you move a compressed file to a different NTFS volume, it is really a copy followed by a delete, so the file takes the compression state of the destination folder.

If you move or copy a compressed file to a FAT partition, it is stored uncompressed, because FAT does not support compression.
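The following script is an added demonstration (not from the original post) of the compact tool and of the copy and move rules above. It works in a scratch tree under %TEMP%, which is assumed to be on an NTFS volume, fills a file with constructed, highly compressible content so the ratio is obvious, and checks the Compressed file attribute after a copy and after a same-volume move. The Test-NtfsCompressed helper name is an assumption.

```powershell
# Added demo (not from the original post). No elevation needed.
$root = Join-Path $env:TEMP ('compact-' + [guid]::NewGuid())
$zip  = Join-Path $root 'Compressed'
$flat = Join-Path $root 'Plain'
New-Item -ItemType Directory -Path $zip, $flat -Force | Out-Null

# Mark the folder compressed; files created inside it afterwards are compressed by default.
compact /c $zip | Out-Null

# Constructed content: 2000 lines of 80 'x' characters compresses very well.
$file = Join-Path $zip 'log.txt'
[IO.File]::WriteAllText($file, (('x' * 80 + "`n") * 2000))

function Test-NtfsCompressed([string]$p) {
    # The Compressed bit in the file attributes is the NTFS compression state.
    [bool]((Get-Item $p).Attributes -band [IO.FileAttributes]::Compressed)
}

"log.txt compressed: $(Test-NtfsCompressed $file)"      # expected: True
compact $file     # prints logical size, size on disk, and the compression ratio

# Copy: the new file takes the destination folder's state (Plain -> not compressed).
$copied = Join-Path $flat 'copied.txt'
Copy-Item $file $copied
"copied.txt compressed: $(Test-NtfsCompressed $copied)"  # expected: False

# Move on the same volume: the file keeps its own attribute, whatever the folder's state.
$moved = Join-Path $flat 'moved.txt'
Move-Item $file $moved
"moved.txt compressed:  $(Test-NtfsCompressed $moved)"   # expected: True

# Find every compressed file under a tree, e.g. before enabling EFS, which refuses them.
Get-ChildItem $root -Recurse | Where-Object {
    -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Compressed)
} | Select-Object FullName

Remove-Item $root -Recurse -Force
```

The same attribute check is the quickest way to audit a volume before turning on EFS or before relying on quota figures, since compressed files are charged to quotas at their uncompressed size.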

What are compressed (zipped) folders?

You can create compressed (zipped) folders on both NTFS and FAT. This is not NTFS compression: it is a ZIP archive, and the compression is part of the file itself rather than an attribute of the file system.

note: Compressed (zipped) folders can be moved and copied without change between volumes, drives, and file systems. 

See: Compress and uncompress files (zip files)
