Servers5.1 - File and Folder Permissions Pt. II (Managing Folder and File Security)
Give a brief description of the NTFS/ReFS folder and file permission types seen below: 1) Full Control 2) Modify 3) Read and Execute 4) List Folder Contents 5) Read 6) Write 7) Advanced Permissions
1) Full control - users can read, add, executer, modify files, change permissions and attributes, take ownership. 2) Modify - users can read, add, delete, execute, and modify files; cannot change permissions or take ownership. 3) Implies the capabilities of both List folder contents and Read 4) Can list files in folder or switch to subfolder, though, cannot view file contents 5) Can view file contents as well as file and folder attributes and permissions 6) Write - Can create files, write to files, append data to files, create folders, and modify folder and file attributes; cannot delete files 7) Advanced permissions...
List some troubleshooting techniques for file or folder permissions?
1) Review permissions, and take into account inheritance for consideration. 2) Effective Access tab 3) Select user to review user account, then view effective access to view what the user has effective permissions for.
What are the four major permission systems?
1) Share permissions - access to folders over a network (via a server). 2) NTFS permissions - permissions on the file system. If you're accessing files directly AND, when you're coming across a network. 3) Registry permissions - Access to specific parts of the Windows registry 4) Active Directory Permissions - Access to specific parts of an Active Directory Domain Services (AD DS).
Where would an admin view and configure the DACL for a folder or file system on an NTFS or ReFS file system?
1) Windows File Explorer --> Properties --> Security Tab
When are permission-related problems most likely to occur?
After a file or folder is copied or moved.
What is an ACL's role regarding folder and file security?
An Access Control List (ACL) is used to modify who can see what from the admin's view. There are typically 2 types of ACL's: DACL & SACL.
Where is audit configuration stored? Additionally, where are audited events recorded?
Audit configuration is stored in the SACL on folder or file. Auditing events are stored within the Server 2019 Security log. Viewable via the Event Viewer tool.
POLL QUESTION: Which term refers to features of a folder or file that are used by a file system? A) Indexing B) Cache C) Attributes D) Metadata
C) Attributes - stored within the metadata
POLL QUESTION: Which term refers to a user or group that is listed within a DACL or SACL? A) Client for NFS B) Target C) Recovery Agent D) Security Principal
D) Security Principal
What is DACL commonly used for?
Discretionary Access Control List (DACL) is used to for permissions that have been given to user and group accounts. Also used to grant or deny access to the resource. System Access Control List (SACL) contains information that is used to audit access to the resource.
FILL IN THE BLANK: A user or group that is listed within a DACL or SACL is called a _______ _________.
Security Principal.
TRUE or False: Permissions are more efficient, from the administrator's perspective to delegate access to particular file, folders, etc.
TRUE
True or False: DACLs and SACLs are supported in both the NTFS and ReFS file systems.
TRUE
What is the name of the advanced permissions that if an admin is configured to have, they can change ownership of a given file/folder, namely to themselves?
Take Ownership advanced permission in advanced settings. OR, the full control permission (which includes the Take Ownership permission.
Why isn't auditing usually turned on by default?
That's a LOT of computing power that can take up a lot of disk space. Need to be very selective with choosing what logging objects we want to most oversee.
Who is usually listed as the default owner over a given resource?
The user who created the resource, file, folder, printer, is the owner of the resource by default.
By default do we whitelist new users (give them no permissions; add only what they need) or blacklist (give them all permissions; then take away what they don't need)?
We Whitelist them. It is easer to give users permissions rather than it is to take away existing permissions.
When would we want to enable file auding?
When we have financially sensitive information, such as those involving accounting and payroll.
Generally speaking, where would an admin go to, to edit the auditing policy?
Within a Group Policy object --> Within AD environment --> Default Domain Policy object settings Group Policy Management Editor
In NTFS and ReFS, if a user has access to a given file folder, will they also have access/permissions to the subfolders?
Yes. By default, they have permissions to the files that are inherited (subfolders). If we want to configure that, as an admin, we can disable inheritance within the advanced permissions.
