Using Windows Server 2012 R2, you can control access to a file server to provide network users the access they need while protecting other files against possible intrusion and damage, whether deliberate or not. To implement this access control, Windows Server 2012 R2 uses permissions.
Permissions are privileges granted to specific system entities, such as users, groups, or computers, enabling them to perform a task or access a resource. For example, you can grant a specific user permission to read a file while denying that same user the permissions needed to modify or delete the file.
Windows Server 2012 R2 has several sets of permissions, which operate independently of each other. For the purpose of file sharing, you should be familiar with the operation of the following permission systems:
– Share permissions Control access to folders over a network. To access a file over a network, a user must have appropriate share permissions (and appropriate NTFS permissions if the shared folder is on an NTFS volume).
– NTFS permissions Control access to the files and folders stored on disk volumes formatted with the NTFS file system. To access a file, either on the local system or over a network, a user must have the appropriate NTFS permissions.
All these permission systems operate independently of each other and sometimes combine to provide increased protection to a specific resource. For network users to be able to access a shared folder on an NTFS drive, you must grant them both share permissions and NTFS permissions. As you saw earlier, you can grant these permissions as part of the share creation process, but you can also modify the permissions at any time afterward.
Understanding the Windows permission architecture
To store permissions, Windows elements have an access control list (ACL). An ACL is a collection of individual permissions in the form of access control entries (ACEs). Each ACE consists of a security principal (that is, the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2012 R2 permission systems, you are actually creating and modifying the ACEs in an ACL.
To manage permissions in Windows Server 2012 R2, you can use a tab in the protected element’s Properties sheet, like the one shown in Figure 2-5, with the security principals listed at the top and the permissions associated with them at the bottom. Share permissions are typically found on a Share Permissions tab and NTFS permissions are located on a Security tab. All the Windows permission systems use the same basic interface, although the permissions themselves differ. Server Manager also provides access to NTFS and share
permissions by using a slightly different interface.
FIGURE 2-5 Configuring the Security tab of a Properties dialog boxFIGURE 2-5 Configuring the Security tab of a Properties dialog box
Understanding basic and advanced permissions
The permissions protecting a particular system element are not like the keys to a lock, which provide either full access or no access at all. Permissions are designed to be granular, enabling you to grant specific degrees of access to security principals.
To provide this granularity, each Windows permission system has an assortment of permissions you can assign to a security principal in any combination. Depending on the permission system with which you are working, you might have dozens of different permissions available for a single system element.
Windows provides preconfigured permission combinations suitable for most common access control tasks. When you open the Properties sheet for a system element and look at its Security tab, the NTFS permissions you see are called basic permissions. Basic permissions are actually combinations of advanced permissions, which provide the most granular control over the element.
Note:Prior to Windows Server 2012, basic permissions were known as standard permissions and advanced permissions were known as special permissions. Candidates for certification exams should be aware of these alternative terms.
For example, the NTFS permission system has 14 advanced permissions you can assign to a folder or file. However, there are also six basic permissions, which are various combinations of the 14 advanced permissions. You can also assign both types of permissions in a single ACE, combining a basic permission with one or more advanced permissions, to create a customized combination. In most cases, however, administrators work only with basic permissions. Many administrators rarely, if ever, have reason to work directly with advanced permissions.
If you find it necessary to work directly with advanced permissions, Windows makes it possible. When you click the Advanced button on the Security tab of any Properties sheet, an Advanced Security Settings dialog box appears, as shown in Figure 2-6, which enables you to access directly the ACEs for the selected system element. System Manager provides access to the same dialog box through a share’s Properties sheet.
FIGURE 2-6 The default settings of the Advanced Security Settings dialog box.
Allowing and denying permissions
When you assign permissions to a system element, you are, in effect, creating a new ACE in the element’s ACL. There are two basic types of ACE: Allow and Deny. This makes it possible to approach permission management tasks from two directions:
– Additive Start with no permissions and then grant Allow permissions to individual security principals to give them the access they need.
– Subtractive Start by granting all possible Allow permissions to individual security principals, giving them full control over the system element, and then grant them Deny permissions for the access you don’t want them to have.
Most administrators prefer the additive approach, because Windows, by default, attempts to limit access to important system elements. In a properly designed permission hierarchy, the use of Deny permissions is often unnecessary. Many administrators frown on their use, because combining Allow and Deny permissions in a hierarchy can make it difficult to determine the effective permissions for a specific system element.
The most important principle in permission management is that permissions tend to run downward through a hierarchy. This is called permission inheritance. Permission inheritance means that parent elements pass their permissions down to their subordinate elements. For example, when you grant Alice Allow permissions to access the root of the D drive, all the folders and subfolders on the D drive inherit those permissions, which means Alice can access them.
The principle of inheritance greatly simplifies the permission assignment process. Without it, you would have to grant individual Allow permissions to security principals for every file, folder, share, object, and key they need to access. With inheritance, you can grant access to an entire file system by creating one set of Allow permissions.
In most cases, whether consciously or not, system administrators take inheritance into account when they design their file systems and their Active Directory Domain Services OU structures. The location of a system element in a hierarchy is often based on how the administrators plan to assign and delegate permissions.
In some situations, an administrator might want to prevent subordinate elements from inheriting permissions from their parents. There are two ways to do this:
– Turn off inheritance When you assign advanced permissions, you can configure an ACE not to pass its permissions down to its subordinate elements. This effectively blocks the inheritance process.
– Deny permissions When you assign a Deny permission to a system element, it overrides any Allow permissions that the element might have inherited from its parent objects.
Understanding effective access
A security principal can receive permissions in many ways, and it is important for an administrator to understand how these permissions combine. The combination of Allow permissions and Deny permissions a security principal receives for a given system element—whether explicitly assigned, inherited, or received through a group membership—is called the effective access for that element. Because a security principal can receive permissions from so many sources, it is not unusual for those permissions to overlap. The following rules define how the permissions combine to form the effective access.
– Allow permissions are cumulative. When a security principal receives Allow permissions from more than one source, the permissions are combined to form the effective access permissions.
– Deny permissions override Allow permissions. When a security principal receives Allow permissions—whether explicitly, by inheritance, or from a group—you can override those permissions by granting the principal Deny permissions of the same type.
– Explicit permissions take precedence over inherited permissions. When a security principal receives permissions by inheriting them from a parent or from group memberships, you can override those permissions by explicitly assigning contradicting permissions to the security principal itself.
Of course, instead of examining and evaluating all the possible permission sources, you can just open the Advanced Security Settings dialog box and click the Effective Access tab. On this tab, you can select a user, group, or device and view its effective access, without accounting for group membership or while accounting for group membership.
Setting share permissions
In Windows Server 2012 R2, shared folders have their own permission system, which is independent from the other Windows permission systems. For network users to access shares on a file server, you must grant them the appropriate share permissions. By default, the Everyone special identity receives the Allow Read Full Control share permission to any new shares you create using File Explorer. In shares you create using Server Manager, the Everyone special identity receives the Allow Full Control share permission.
To modify the share permissions for an existing share by using File Explorer, you open the Properties sheet for the shared folder, select the Sharing tab, click Advanced Sharing, and then click Permissions to open the Share Permissions tab, as shown in Figure 2-7.
FIGURE 2-7 The Share Permissions tab for a shared folder
By using this interface, you can add security principals and allow or deny them the three share permissions. To set share permissions by using Server Manager, either while creating a share or modifying an existing one, use the following procedure.
1. In Server Manager, click the File and Storage Services icon and, in the submenu that appears, click Shares to open the Shares home page.
2. In the Shares tile, right-click a share and, from the shortcut menu, select Properties.
The Properties sheet for the share opens.
3. Click Permissions. The Permissions page opens.
4. Click Customize Permissions. The Advanced Security Settings dialog box for the share opens.
5. Click the Share tab to display the interface shown in Figure 2-8.
FIGURE 2-8 The Share tab of the Advanced Security Settings dialog box for a share in Server Manager
6. Click Add to open a Permission Entry dialog box for the share.
7. Click the Select A Principal link to display the Select User, Computer, Service Account, Or Group dialog box.
8. Type the name of or search for the security principal to whom you want to assign share permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.
9. Select the type of permissions you want to assign (Allow or Deny).
10. Select the check boxes for the permissions you want to assign and click OK.
11. The new ACE you just created appears in the Advanced Security Settings dialog box.
NOTE: BYPASSING SHARE PERMISSIONS
Many file server administrators simply leave the Allow Full Control share permission to the Everyone special identity in place, essentially bypassing the share permission system, and rely solely on NTFS permissions for granular file system protection. NTFS permissions control access by both local and remote users, rendering share permissions redundant.
12. Click OK to close the Advanced Security Settings dialog box.
13. Click OK to close the share’s Properties sheet.
14. Close the Server Manager window.
Understanding NTFS authorization
The majority of Windows installations today use the NTFS file systems as opposed to FAT32. One of the main advantages of NTFS is that they support permissions, which FAT32 does not. As described earlier in this chapter, every file and folder on an NTFS drive has an ACL that consists of ACEs, each of which contains a security principal and the permissions assigned to that principal.
In the NTFS permission system, the security principals involved are users and groups, which Windows refers to by using security identifiers (SIDs). When a user attempts to access an NTFS file or folder, the system reads the user’s security access token, which contains the SIDs for the user’s account and all the groups to which the user belongs. The system then compares these SIDs to those stored in the file or folder’s ACEs to determine what access the user should have.
This process is called authorization.
Assigning basic NTFS permissions
Most file server administrators work almost exclusively with basic NTFS permissions because there is no need to work directly with advanced permissions for most common access control tasks.
To assign basic NTFS permissions to a shared folder, the options are essentially the same as with share permissions. You can open the folder’s Properties sheet in File Explorer and select the Security tab or you can open a share’s Properties sheet in Server Manager, as described in the following procedure.
1. In Server Manager, open the Shares home page.
NOTE: NTFS PERMISSIONS
NTFS permissions are not limited to shared folders. Every file and folder on an NTFS volume has permissions. Although this procedure describes the process of assigning permissions to a shared folder, you can open the Properties sheet for any folder in a File Explorer window, click the Security tab, and work with its NTFS permissions in the same way.
2. Open the Properties sheet for a share and click Permissions to open the Permissions page.
NOTE: NEW SHARE WIZARD
The New Share Wizard displays this same Permissions interface on its Specify Permissions to Control Access page. The rest of this procedure applies equally well to that page and its subsequent dialog boxes.
3. Click Customize Permissions to open the Advanced Security Settings dialog box for the share, displaying the Permissions tab, as shown in Figure 2-9. This dialog box is as close as the Windows graphical interface can come to displaying the contents of an ACL.
FIGURE 2-9 The Advanced Security Settings dialog box for a share in Server Manager
4. Click Add. This opens the Permission Entry dialog box for the share.
5. Click the Select A Principal link to display the Select User, Computer, Service Account, or Group dialog box.
6. Type the name of or search for the security principal to whom you want to assign NTFS permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.
7. In the Type drop-down list, select the type of permissions you want to assign (Allow or Deny).
8. In the Applies To drop-down list, specify which subfolders and files should inherit the permissions you are assigning.
9. Select the check boxes for the basic permissions you want to assign and click OK. The new ACE you just created appears in the Advanced Security Settings dialog box.
10. Click OK twice to close the Advanced Security Settings dialog box and the Properties sheet.
11. Close the Server Manager window.
Assigning advanced NTFS permissions
In Windows Server 2012 R2, the ability to manage advanced permissions is integrated into the interface you use to manage basic permissions.
In the Permission Entry dialog box, clicking the Show Advanced Permissions link changes the list of basic permissions to a list of advanced permissions. You can then assign advanced permissions in any combination, just as you would basic permissions.
Combining share permissions with NTFS permissions
It is important for file server administrators to understand that the NTFS permission system is completel separate from the share permission system and that for network users to access files on a shared NTFS drive, the users must have the correct NTFS share permissions and the correct share permissions.Combining share permissions with NTFS permissions.
The share and NTFS permissions assigned to a file or folder can conflict. For example, if a user has the NTFS Write and Modify permissions for a folder but lacks the Change share permission, that user will not be able to modify a file in that folder.
The share permission system is the simplest of the Windows permission systems and it provides only basic protection for shared network resources. Share permissions provide only three levels of access, in contrast to the far more complex system of NTFS permissions.
Generally, network administrators prefer to use either NTFS or share permissions, not both.
Share permissions provide limited protection, but this might be sufficient on some small networks. Share permissions might also be the only option on a computer with FAT32 drives because the FAT file system does not have its own permission system.
On networks already possessing a well-planned system of NTFS permissions, share permissions are not really necessary. In this case, you can safely grant the Full Control share permission to Everyone and allow the NTFS permissions to provide security. Adding share permissions would complicate the administration process without providing any additional protection.
This article is a part of 70-410 Installing and Configuring Windows Server 2012 Prep course, more articles in this course are :