Configure file system permissions: Verify effective permissions when granting permissions.
There are some very specific "best practices" that should be considered when granting permissions for Terminal Services:
1. Deny permissions should be reserved for certain special cases: to exclude a subset of a group that has Allow permissions, or to exclude one specific permission when you have already granted Full Control to a user or group.
2. Rather than set individual permissions, use security templates whenever possible.
3. If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders. Changing default permissions can cause unexpected access problems or reduce security.
4. Never deny the Everyone group access to an object. If you deny everyone permission to an object, that includes administrators. A better solution would be to remove the Everyone group, as long as you give other users, groups or computers permissions to that object.
5. Assign permissions to an object as high on the tree as possible and then apply inheritance to propagate the security settings through the tree. You can quickly and effectively apply access control settings to all children or a subtree of a parent object. By doing this, you gain the greatest breadth of effect with the least effort. The permission settings you establish should be adequate for the majority of users, groups and computers.
6. Privileges can sometimes override permissions. Privileges and permissions may disagree, and you should know what happens when they do. Active Directory has its own set of best practices regarding permissions.
7. Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
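The following PowerShell script is an added example, not part of the original article, that audits a folder's NTFS ACL against the best practices above. It lists each access control entry with whether it is explicit or inherited, warns when the Everyone group carries a Deny entry (practice 4), and reports any identity whose inherited Deny is overridden by an explicit Allow (practice 7). The folder path is an assumed sample; run it as an administrator on the file server.

```powershell
# Added example (not from the article): audit a folder's ACL against the
# best practices above. The default path is an assumed sample value.
param([string]$Path = 'C:\Shares\Projects')

$acl = Get-Acl -Path $Path
"Owner: $($acl.Owner)"
"Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"

# One row per ACE: who it applies to, Allow/Deny, the rights, and whether it
# was set here (explicit) or propagated down the tree (inherited).
$acl.Access |
    Sort-Object -Property IsInherited, AccessControlType |
    Format-Table -AutoSize @{n='Identity'; e={$_.IdentityReference}},
                           @{n='Type';     e={$_.AccessControlType}},
                           @{n='Rights';   e={$_.FileSystemRights}},
                           @{n='Explicit'; e={-not $_.IsInherited}}

# Practice 4: a Deny for Everyone also locks out administrators.
$denyEveryone = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
}
if ($denyEveryone) {
    Write-Warning "Deny entry for Everyone on $Path; this excludes Administrators too"
}

# Practice 7: explicit entries are evaluated before inherited ones, so an
# explicit Allow wins over an inherited Deny for the same identity.
$inheritedDeny = $acl.Access | Where-Object { $_.IsInherited -and $_.AccessControlType -eq 'Deny' }
foreach ($d in $inheritedDeny) {
    $explicitAllow = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -eq $d.IdentityReference
    }
    if ($explicitAllow) {
        Write-Warning "$($d.IdentityReference): inherited Deny is overridden by an explicit Allow on $Path"
    }
}
```

The script only reads the ACL; it changes nothing. Run it on a parent folder and then on a child to see how the Explicit column changes as entries propagate through inheritance (practice 5).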
Change ownership of files and folders: On Windows Server 2003, Administrators need to know how to take ownership of files and folders in order to repair or change them.
All Active Directory objects, files and folders have an owner. Owners have the right to control access permissions on the object. Ownership cannot be transferred by current owners to other users; however, the user who currently has ownership rights can give another user the right to take ownership. In simple terms, you cannot force ownership of a document, folder or printer onto another person. All you can do is offer ownership. The other user must be the one to take ownership.
NOTE: The exception to this rule is if the owner of the file or folder has the Restore Files and Directories privilege. A user who has that privilege can double-click Other users and groups and choose any user or group to assign ownership to. Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data and gain ownership of system objects, only assign this user right to trusted users. Backup Operators, Server Operators and Administrators are groups that have this right by default.
Windows Server 2003 Administrators have the built-in ability to take ownership of a file through the Take Ownership of files or other objects right. You can take ownership from within Windows Explorer. Find the file or folder you wish to take ownership of, right-click it, choose Properties, and then select the Security tab. Click Advanced, then choose the Ownership tab.
The screen shows the current owner of the file or folder. To give Take Ownership rights to a user or group, click the Other Users or Groups button and type the user or group name in the Enter the object name to select (examples) box. To change the owner to a user or group that is already listed, click the new owner. All subfolders (if applicable) and objects in the tree can have their ownership changed by selecting the Replace owner on subcontainers and objects check box. Ownership can also be transferred by users with the Restore Files and Directories privilege by double-clicking Other users and groups and then selecting a user or group to assign ownership to. Alternatively, the Take ownership permission can be granted to users.
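As an added example that is not part of the original article, the PowerShell script below performs the same steps from the command line: it shows the current owner, takes ownership for the Administrators group (which holds the Take Ownership right by default), optionally replaces the owner on all subcontainers and objects, and shows where the Restore Files and Directories privilege from the NOTE comes into play. The folder path and the account name in the last step are assumed sample values; run it from an elevated prompt.

```powershell
# Added example (not from the article): ownership of a folder from PowerShell.
# $Path and 'CONTOSO\jsmith' are assumed sample values.
$Path  = 'C:\Shares\Projects\Legacy'
$Admin = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

# Show the current owner (what the Ownership tab displays).
"Current owner: $((Get-Acl -Path $Path).Owner)"

# Take ownership for Administrators. This relies on the
# "Take ownership of files or other objects" right that Administrators hold by default.
$acl = Get-Acl -Path $Path
$acl.SetOwner($Admin)
Set-Acl -Path $Path -AclObject $acl

# Equivalent of the "Replace owner on subcontainers and objects" check box:
# walk the tree and apply the same owner to every child.
Get-ChildItem -Path $Path -Recurse | ForEach-Object {
    $childAcl = Get-Acl -Path $_.FullName
    $childAcl.SetOwner($Admin)
    Set-Acl -Path $_.FullName -AclObject $childAcl
}
"New owner: $((Get-Acl -Path $Path).Owner)"

# Assigning ownership to a DIFFERENT user (the "offer, not force" rule in the text)
# succeeds only when the caller holds the Restore Files and Directories privilege.
# Without it, Set-Acl fails with "The security identifier is not allowed to be
# the owner of this object" and the original owner is left unchanged.
$acl = Get-Acl -Path $Path
$acl.SetOwner([System.Security.Principal.NTAccount]'CONTOSO\jsmith')
try {
    Set-Acl -Path $Path -AclObject $acl
} catch {
    Write-Warning "Cannot assign ownership to another user: $($_.Exception.Message)"
}
```

The built-in takeown.exe command does the first two steps in one line, for example `takeown /F C:\Shares\Projects\Legacy /A /R` (/A gives ownership to the Administrators group, /R recurses), but it cannot hand ownership to an arbitrary user; that is exactly the case the Restore Files and Directories privilege covers.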
Pop Quiz Questions:
1. When Terminal Server has been installed in Application mode, what are the two separate security modes available?
2. What are the three ways you can activate a license for Terminal Server?
3. What is an unwelcome side-effect if you assign Deny access to the Everyone group?
4. Which will take precedence: an inherited Deny permission or an explicit Allow permission?
5. What privilege must a user or group have in order to explicitly assign ownership to another user?
Pop Quiz Answers:
1. The two modes are Full Security, which provides the most security in the Windows Server 2003 environment, and Relaxed Security, which is commonly used to allow legacy applications (pre-Windows 2000) to run; it allows the system registry to be edited.
2. The license can be activated by a Telephone, Web Browser or Automatic Activation.
3. By denying the Everyone group, you do, indeed, deny everyone, even the Administrators. A better choice is to remove the Everyone group from the permissions list and then specifically assign permissions to other users and groups.
4. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
5. If the owner of a file or folder has the "Restore Files and Directories" privilege, they can assign ownership to another user. Backup Operators, Server Operators and Administrators, by default, have that privilege.
Troubleshoot access to files and shared folders:
Troubleshooting access to files and folders that are shared on Windows Server 2003 can sometimes be daunting. Table 2.4 shows some common problems, causes and solutions that users could experience when accessing shared resources on a Windows Server 2003 server.
Table 2.4: Common problems, causes and solutions for shared resources
Problem: Folders that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions on the folder for accuracy.
Problem: Folders that are shared cannot be accessed by any client.
Cause: The network connection may have been lost.
Solution: Check and verify network connectivity on the server and client machines.
Problem: Files that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions on the file for accuracy.
Usually you want to also make certain the Everyone Group has not been denied access to files or folders.
The net share command, the net file command (available only on machines running the Server service; it shows all open files on the machine) and the net session command may also be used at the command prompt to view information on shares, open files and sessions. You must be a member of the local Administrators group on a stand-alone computer, or of the Domain Administrators group on computers joined to the domain, before these commands may be used. To view the syntax for these commands, open the command prompt and type:
• net share - net help share - shows the net share command syntax that can be used to troubleshoot shares.
• net file - net help file - shows the net file command syntax that can be used to troubleshoot open files.
• net session - net help session - shows the net session command syntax that can be used to list all open sessions on a computer.
Using any or all of the methods above can typically assist you with troubleshooting client access to files and shared folders.
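The PowerShell script below is an added example, not part of the original article, that walks the Table 2.4 checks for one share in order: network connectivity, whether the share exists, the share-level permissions (where an Everyone Deny blocks every client, including administrators), and finally the active sessions that net session would list. It uses the WMI classes Win32_Share, Win32_LogicalShareSecuritySetting and Win32_ServerSession; the server and share names are assumed sample values, and the caller must be a member of the server's Administrators group.

```powershell
# Added example (not from the article): troubleshoot one shared folder.
# $Server and $ShareName are assumed sample values.
param([string]$Server = 'FILESRV01', [string]$ShareName = 'Projects')

# Table 2.4, second row: has the network connection been lost?
if (-not (Test-Connection -ComputerName $Server -Count 2 -Quiet)) {
    Write-Warning "Cannot reach $Server; check network connectivity on server and client first"
    return
}

# Does the share exist? (the same information `net share` prints on the server)
$share = Get-WmiObject -Class Win32_Share -ComputerName $Server -Filter "Name='$ShareName'"
if (-not $share) {
    Write-Warning "Share $ShareName does not exist on $Server"
    return
}
"Share $ShareName on $Server maps to $($share.Path)"

# Table 2.4, first and third rows: share-level permissions. These are combined
# with the NTFS permissions on the folder, and the more restrictive result wins.
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                         -ComputerName $Server -Filter "Name='$ShareName'"
$dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
foreach ($ace in $dacl) {
    $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }   # 0 = allow, 1 = deny
    $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
            else { $ace.Trustee.Name }
    "{0,-6} {1,-30} mask=0x{2:X8}" -f $type, $who, $ace.AccessMask
    if ($type -eq 'Deny' -and $ace.Trustee.Name -eq 'Everyone') {
        Write-Warning "Everyone is denied at the share level; no client, administrators included, can connect"
    }
}

# Who is currently connected to the server (what `net session` shows there).
Get-WmiObject -Class Win32_ServerSession -ComputerName $Server |
    Format-Table -AutoSize UserName, ComputerName, ActiveTime, IdleTime
```

If every share-level check passes and clients still cannot connect, the remaining suspect is the NTFS ACL on the folder the share points to, which Get-Acl on `$share.Path` will show.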
Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc.