
Managing Access to Resources

Overview of Managing Access to Resources

Many applications require authentication and authorization for managing access to shared data
and services (called resources). In many of these cases, it is also desirable to be able to group
individuals, and extend authorization in a way that groups can be granted access to resources.
This way, groups can be made the foundation of authorization, and while group populations may
vary with individuals joining or leaving the group, the authorization settings of resources do not
have to be changed. The functionality of managing users and groups always has a common set of
requirements.

However, individual applications often have different resources which should be access
controlled, and different access rights which should be managed.

Managing Access to Shared Folders

If you're a folder manager, you can control who has access to shared folders.

The instructions below will only work in Google Chrome or Firefox web browsers.

Approve or deny access requests

To approve or deny a staff member's access request, or to change someone's access level:

• Log in to Mstools with your UQ account username and password.
• Select 'File Serving'.
• Select 'Manage User Access'. Read the information on folder permissions.
• To approve or deny an access request, select 'Show New Requests'.
• To change a staff member's access level, select 'Show All Requests'.
• Select the request.
• Depending on the level of access you want to approve, select 'Read', 'Write' or 'Deny' access.
• Select 'Update Access'.
• You will receive a message confirming the level of access you have approved.

Remove a staff member's access

If a staff member has changed positions and no longer requires access to a shared folder, follow
these steps to remove access:

• Log in to Mstools with your UQ account username and password.
• Select 'Manage User Access'. Read the information on folder permissions.
• Select 'Show All Requests'.
• Select the staff member's original folder access request.
• Select 'Deny'.
• Select 'Update Access'.
• You will receive a message confirming the staff member's access has been removed.

Managing Access to Files and Folders Using NTFS Permissions

One of the most critical security concepts is permissions management: ensuring that users are
given the proper permissions. That usually means knowing the difference between share and
NTFS permissions.

However, when NTFS and share permissions interact, or when a shared folder is nested inside
another shared folder with different share permissions, users might not be able to access their
data, or they can get higher levels of access than security admins intend.

Here are key differences between share and NTFS permissions so you’ll know what to do.

Share and NTFS permissions function completely separately from each other, but ultimately
serve the same purpose: to prevent unauthorized access.

What is NTFS?

A file system is a way of organizing a drive, indicating how data is stored on the drive and what
types of information can be attached to files, such as permissions and file names.

NTFS (NT File System) stands for New Technology File System. NTFS is the latest file
system that the Windows NT operating system uses for storing and retrieving files. Prior to
NTFS, the file allocation table (FAT) file system was the primary file system in Microsoft’s
older operating systems, and was designed for small disks and simple folder structures.

The NTFS file system supports larger file sizes and hard drives and is more secure than FAT.
Microsoft first introduced NTFS in 1993 with the release of Windows NT 3.1. It is the file
system used in Microsoft’s Windows 10, Windows 8, Windows 7, Windows Vista, Windows
XP, Windows 2000, and Windows NT operating systems.

NTFS Permissions

NTFS permissions are used to manage access to the files and folders that are stored in NTFS file
systems.

To see what kind of permissions you will be extending when you share a file or folder:

• Right click on the file/folder
• Go to “Properties”
• Click on the “Security” tab

You’ll then navigate to this window:

Besides Full Control, Change, and Read that can be set for groups or individually, NTFS offers a
few more permission options:

Full control: Allows users to read, write, change, and delete files and subfolders. In addition,
users can change permissions settings for all files and subdirectories.

Modify: Allows users to read and write files and subfolders; also allows deletion of the folder.

Read & execute: Allows users to view and run executable files, including scripts.

List folder contents: Permits viewing and listing of files and subfolders as well as executing of
files; inherited by folders only.

Read: Allows users to view the folder and subfolder contents.

Write: Allows users to add files and subfolders and to write to a file.

If you’re ever involved in permissions management within your organization, you’ll eventually
encounter ‘broken’ permissions. Rest assured, they’re repairable.

Share Permissions

When you share a folder and want to set the permissions for that folder – that’s a share.
Essentially, share permissions determine the type of access others have to the shared folder
across the network.

To see what kind of permissions you will be extending when you share a folder:

• Right click on the folder
• Go to “Properties”
• Click on the “Sharing” tab
• Click on “Advanced Sharing…”
• Click on “Permissions”

And you’ll navigate to this window:

There are three types of share permissions:

Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership
of files.

Change: Allows users to read, execute, write, and delete folders and files within the share.

Read: Allows users to view the folder’s contents.

A Caveat on Share Permissions

Sometimes, when you have multiple shares on a server which are nested beneath each other,
permissions can get complicated and messy.

For instance, if a subfolder is shared with a “Read” share permission but someone then
creates a “Modify” share permission above it at a higher root, you may have people getting
higher levels of access than you intend.

There’s a way around this, which I’ll get to below.

How to Use Share and NTFS Permissions Together

One of the common questions that comes up when you’re configuring security is “what happens
when share and NTFS permissions interact with each other?”

When you are using share and NTFS permissions together, the most restrictive permission wins.

Consider the following example:

If the share permissions are “Read” and the NTFS permissions are “Full control”, a user who
accesses the file on the share will be given “Read” permission.

Managing NTFS Permissions and Share Permissions

If you find working with two separate sets of permissions to be too complicated or time
consuming to manage, you can switch to using only NTFS permissions.

As the examples above show, with just three types of permission settings, shared folder
permissions provide limited security for your folders. Therefore, you gain the greatest flexibility
by using NTFS permissions to control access to shared folders.

Moreover, NTFS permissions apply whether the resource is accessed locally or over the network.

To do this, change the share permissions for the folder to “Full Control.”

You can then make whatever changes you want to the NTFS permissions without having to
worry about the share permissions interfering with your changes.

Determining Effective Permissions

What are Effective Permissions?

Effective permissions, in the Microsoft Windows family, are the cumulative permissions a user
has for accessing a resource based on his or her individual permissions, group permissions, and
group membership. The effective permissions a user experiences when trying to access a file or
folder depend on the various permissions granted to the user expressly or by virtue of their
membership in a particular group. When a permissions conflict exists between one group and
another, or between the user and a group, rules are applied that resolve the issue.

When trying to determine the effective permissions you need to consider the following:

• Group membership
• Inherited permissions
• Nested groups
• Explicit deny permissions
• Local group membership

When you create a new file or folder, it will either take the operating system's defaults or inherit
permissions from a parent folder.

Seems straightforward, right? Yes and no.

Depending on how your network shares are structured and how granular you get with access, it
can become a big tangled mess.
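
The rules from the two sections above (the most restrictive of share and NTFS permissions wins; group membership, nesting, inheritance and explicit deny decide each layer), worked through as an added PowerShell model that is not part of the original document. The users, groups, ACLs and the four-bit rights mask are constructed, and the helpers Ace, Get-Principals and Get-AclAccess are hypothetical names, not Windows cmdlets.

```powershell
# Added illustration. Users, groups and ACLs are constructed; helper names are hypothetical.
$R = 1; $W = 2; $D = 4; $Perm = 8   # read, write, delete, change permissions
$Read = $R; $Change = $R -bor $W -bor $D; $Full = $Change -bor $Perm
# Direct memberships only; Interns is nested inside Finance.
$MemberOf = @{ alice = @('Finance'); bob = @('Interns'); Interns = @('Finance') }
function Ace($Who, $Type, $Rights, $Inherited = $false) {
    [pscustomobject]@{ Who = $Who; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

function Get-Principals([string]$Name) {
    # The user, Everyone, and every group reached through nesting.
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Name); $queue.Enqueue('Everyone')
    while ($queue.Count) {
        $cur = $queue.Dequeue()
        if ($seen.Add($cur)) { foreach ($g in $MemberOf[$cur]) { $queue.Enqueue($g) } }
    }
    $seen
}

function Get-AclAccess($Aces, $Principals) {
    # Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
    $ordered = $Aces | Sort-Object { [int]$_.Inherited * 2 + [int]($_.Type -eq 'Allow') }
    $granted = 0; $decided = 0
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.Who) { continue }
        $fresh = $ace.Rights -band (-bnot $decided)   # bits no earlier ACE has settled
        if ($ace.Type -eq 'Allow') { $granted = $granted -bor $fresh }
        $decided = $decided -bor $ace.Rights
    }
    $granted
}

$NtfsAcl = @(
    (Ace 'Finance' 'Allow' $Change $true),   # inherited from the parent folder
    (Ace 'Interns' 'Deny' ($W -bor $D))      # explicit deny set on this folder
)
$ShareRead = @(Ace 'Everyone' 'Allow' $Read)   # share permission "Read"
$ShareFull = @(Ace 'Everyone' 'Allow' $Full)   # share permission "Full Control"

foreach ($user in 'alice', 'bob') {
    $ids    = @(Get-Principals $user)
    $onDisk = Get-AclAccess $NtfsAcl $ids
    # Local access is governed by NTFS alone; over the network both layers must allow a bit.
    [pscustomobject]@{ User = $user; Local = $onDisk
        ViaReadShare = $onDisk -band (Get-AclAccess $ShareRead $ids)
        ViaFullShare = $onDisk -band (Get-AclAccess $ShareFull $ids) }
}
```

With the share set to Full Control the NTFS result passes through unchanged, and the explicit Deny on Interns limits bob to read even though he reaches Finance through nesting.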

Managing Access to Shared Files Using Offline Caching

So far we've talked about sharing files over the network. But what happens when you need to
take some files with you? How about that long coast-to-coast flight you have next week? Couldn't
you use the time to work on your budget for the next fiscal year?

Obviously, servers aren't portable, but you conceivably will be setting up your file server so that
portable users (for instance, those users with laptops) will be able to take work home with them, or
on the road. Although end users could always manually copy the desired files directly to their
laptops, save them to diskette, or burn them on a CD, it can be tough to remember to make these
copies. And what happens when users have worked on the files on their laptops and reconnect to
the server? Which files have changed, and which have not?

This is where the Offline Files feature of Windows Server 2003 comes in handy. This feature
allows the user to specify either single files or a complete folder to be copied to a PC. The
Windows Server 2003 operating system manages these files and folders and synchronizes them
in the background so that the user will always have the most current version available.

The Offline Files feature works by reserving space on the client machine to store the offline files.
By default, this local cache will not exceed 10% of the space on the disk. The files are
not stored in a recognizable format, so you can't work with them directly.

The following caching options are available:

• Only the Files and Programs That Users Specify Will Be Available Offline: The user must
  manually select the items that they want stored in the local cache. This is the default.
• All Files and Programs That Users Open from the Share Will Be Automatically Available
  Offline: When this option is selected, as the user uses a file or program contained in the
  share, it will be added to the user's local cache.
• Optimize for Performance: This option will automatically cache all of the program files in
  the share so that they will be run locally.
• Files and Programs from the Share Will Not Be Available Offline: This option disables all
  offline caching for the file share.

Using Offline Files is a two-step process. First the system administrator must verify that caching
is enabled on each shared folder that she wants to allow users to use with the offline files feature
(it should be enabled by default). Then the user needs to select the files and/or folders that he
wants to have available to him offline. In Step by Step 4.11, we will enable caching on a file
share on our Windows Server 2003 server.

Step by Step

Enabling caching on a file share

1. On the test server, open the Computer Management MMC by clicking Start, All
Programs, Administrative Tools, and then Computer Management.
2. In the left pane of the Computer Management MMC, select Shared Folders, and then
click Shares.
3. In the right pane, right-click the share that you want to enable, and then click Properties
from the pop-up menu.
4. In the Properties dialog box, click the Offline Settings button.
5. From the Offline Settings dialog box, as shown in Figure 4.21, select one of the options
to cache the files in the folder.

6. Click OK twice to save your selections.

Note that the preceding steps, like most file management functions in Windows Server 2003, can
be performed on local shares via My Computer, Windows Explorer, or the Shared Folders snap-
in, or on remote shares via the Shared Folders snap-in.

The second step of this process is to select the files that you want cached. This step is
automatically performed for you if you selected the All Files and Programs That Users Open
from the Share Will Be Automatically Available Offline option; whatever files you work with
will be downloaded to your cache.

However, if you need to select files or folders individually, open My Computer or Windows
Explorer on your workstation, right-click the files or folders, and select Make Available Offline,
as shown in the figure below.

After you select one or more files, the Offline Files Wizard appears and asks you whether you want to
automatically synchronize your files as you log on and off the network, as shown in the figure
below.

You can tell which files are marked as Offline Files by looking in the folder where they are
stored. They will be marked with the offline symbol, as shown in the figure below.

When the user is reconnected to the network, any changes made to the files while the user was
offline will be automatically synchronized with the files on the network. If for some reason, the
files on the network are newer than the files in the cache (if other users were working on them,
for example), the user will be prompted as to which version of the file to save, or both, if you
prefer.

The files are kept in sync by the Synchronization Manager. The Synchronization Manager is
responsible for comparing the items on the network to the items in your local cache and making
sure that the most current version is available in both places. Synchronization Manager can be
configured to synchronize your files and folders at the following times:

• At configured intervals while your computer is idle
• At logon and logoff
• At configured intervals

You can configure Synchronization Manager separately for each resource.

Note: Synchronize Anytime

You can also synchronize your files anytime by selecting Tools, Synchronize from the menu of
My Computer or Windows Explorer.

Synchronization Manager can be started by selecting Start, All Programs, Accessories,
Synchronize. The Synchronization Manager and the various options available via the different
tabs are shown in the figure below.

Note: Secure Your Files
