------------------------------------------------------------------- SearchWin2000's Security Tip -------------------------------------------------------------------- TODAY'S SECURITY TIP: Plan before you assign permissions ==================================================================== SPONSORED BY: NetIQ ==================================================================== Free Security Guide from NetIQ. Want to keep the bad guys out? Learn how by reading NetIQ's security guide, "Jack the Hacker Tells All: Insights into Security Dos and Don'ts." Learn security defenses, how to protect your organization and ways to respond to security threats before they become major incidents from Jack, the reformed hacker. Download now at http://www.netiq.com/sponsor/default.asp?318. ==================================================================== "Plan before you assign permissions" By Adesh Rampat All Windows 2000 administrators want to allow the right people access to the right information. To do that, you must understand the most basic form of security -- permissions. Most network administrators are already familiar with setting up permissions to files/folders. This article looks at some of the major issues you should consider when applying permissions to files/folders in order to ensure proper planning before you actually assign those permissions. One of the benefits of using Windows 2000 over Windows 98 or Me, for workstations as well as servers, is the ability to use file and folder permissions. To enable file and folder permissions, you need to use NTFS: they are not available on FAT. So when you upgrade to Windows 2000, if you are concerned about file/folder security you must convert that FAT partition to NTFS. This is normally done during the upgrade process. Use caution when applying the deny permission, because the deny permission takes precedence over any allow permission. All other permissions are cumulative or additive. For example, if a user has been assigned the "Read" permission to a file, but is also a member of a group that has been assigned the "Write" permission, the user's effective permission to the file is "Write." If, on the other hand, a user has been assigned the "Deny Write" permission, then that user will not be able to write to the file or folder, even if he/she also belongs to a group that has been assigned Full Control. To properly assign permissions: Calculate what permissions you are going to use for files/folders. Permissions for files/folders are "least restrictive." For example, Paul is a user that has been assigned Read permission to a file. He also is a member of the shipping group that was assigned Full Control to the same file. The result is that Paul's permission for the file will be Full Control, because the "least restrictive" permission will apply to users, and Full Control is less restrictive than Read. Then perform separate calculations for shares using the "least restrictive" rule. For example, the shipping folder is now shared. Paul is assigned change permission. The shipping group (of which Paul is a member) has been assigned Read Only permission. Based on the "least restrictive" rule this user now has Change permission to the shared folder. Permission for files and shares are always additive or least restrictive. What would Paul's effective permission be? It is the combined permission for Paul when he accesses files and folders within the shared folder. This is calculated using the most restrictive rule. So because Paul is accessing the file (for which he has Full Control) through the shared folder (for which he has Change permission), then his effective permission (combined permission) would be Change, since this is the most restrictive between the shared folder (Change) and the file permission (Full Control). Paul has Full Control for the file and Change permission for the share folder. Therefore Paul's effective permission is Change. -------------------------------------------------------------------- *What did you think of this tip? Do you have more ideas for setting permissions? Share your thoughts and ideas with your peers at our security forum: http://searchwindowsmanageability.discussions.techtarget.com/WebX?50@@.ee84c8a. -------------------------------------------------------------------- Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics. ==================================================================== ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DID YOU LIKE THIS TIP? ==================================================================== We rely on your feedback! Whether you loved this tip or hated it, why not let us know? Rate it at http://www.searchWin2000.com/tip/1,289483,sid1_gci770597,00.html. Have additional comments? E-mail us at mailto:[EMAIL PROTECTED] to sound off. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ==================================================================== BONUS TIPS -------------------------------------------------------------------- For more technical advice, check out these user-submitted tips. Be sure to rate them, too! We count on your feedback to help us pick our monthly winners! Submit a tip of your own while you're there to become eligible for this month's prize - an iBOT Pro Firewire desktop video camera w/microphone! "Find deleted and unsaved files" by Rick Ziminski http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci770470,00.html "Print file search results" by Ryan Okumura http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci770471,00.html ==================================================================== FEATURED COURSE -------------------------------------------------------------------- "Windows 2000: Network--Designing Security Part 1(Sec. Planning)" Online Price: $149.95 Publisher Name: NETg Date published: Jan. 2001 Course Overview: This is the first course in a five-part series of the Microsoft Windows 2000 Network -- Designing Security curriculum which prepares participants for Microsoft Exam 70-220. This course provides participants with an opportunity to learn the Windows 2000 security model and technologies to plan for a secure enterprise network, creating and analyzing a network security plan, planning secure and effective strategies for creating security groups, delegating administration and placing and inheriting security policies. http://www.digitalguru.com/DigitalGuru/product_detail.asp?catalog%5Fname=CBT&product%5Fid=B610C2E515B2 ==================================================================== ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ FREE EXCHANGE NEWSLETTER ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SearchWin2000's Exchange tips draw off the knowledge of experienced users, authors and other experts to provide IT professionals with guidance in installing and administering Microsoft's Exchange Server. Get these useful tidbits from the pros to help you get the most out of your Exchange deployment from mastering the basics of messaging to measuring your Exchange server's performance and scalability. To begin receiving these Exchange tips, just click here: http://searchwin2000.techtarget.com/register/1,,sid1,00.html. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ==================================================================== If you would like to sponsor this or any TechTarget newsletter, please contact Mike Kelly at mailto:[EMAIL PROTECTED]. ==================================================================== If you no longer wish to receive this newsletter simply reply to this message with "REMOVE" in the subject line. Or, visit http://searchWin2000.techtarget.com/register and adjust your subscriptions accordingly. If you choose to unsubscribe using our automated processing, you must send the "REMOVE" request from the email account to which this newsletter was delivered. Please allow 24 hours for your "REMOVE" request to be processed.
