From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Shared folder security

- [Instructor] One of the important tasks that a SysAdmin has is to understand how shared folders work when accessing data from users' computers. We see here a shared data folder and I'm going to right-click on it and I'm going to share it. So I'm going to go to Properties and there's a couple of different tabs we need to be concerned about. One is the Sharing tab and the other is the Security tab. If I go to the Sharing tab and click on Share, there's a simple share option. So it's going to default to the name of the folder as the share name, and then it's going to allow you a few different options: Read, Read/Write, or just Remove. We also see that the administrators have ownership as well.

Instead of doing that, I like to use the advanced sharing because I have additional options. So I'll click on Share this folder. I can actually change the name of the shared folder, if I want, to something other than the name of the folder. And if I want to, I can even add additional share names. So it can be accessed under different names with different permissions. Now, underneath that, we see limit the number of simultaneous users. Now that's set to a really high amount, so if you're having bandwidth issues, you can lower that to a lower number if you'd like.

Now I'm going to go to where it says Permissions. And by default, it has Everyone with read permissions. That's not as secure as saying Domain Users because Domain Users have to be authenticated whereas Everyone does not. So I'm going to choose Domain Users, give them full access, and then take Everyone and choose remove access. And click OK. And there's also this option that you see here for caching. And that allows users to download the files and folders. Even when they're offline, they can still access them. I don't need to do that so I'll click OK. Now I'm going to click on Security and click Edit.
Now we see by default, the creator owner, the system administrators, they have some rights, and users, which comes from the Users folder you see here in Active Directory Users and Computers. So what I want to do is click Add and type in Domain Users once again. And click Check Names. Click OK. And I'll give full access and click Apply.

Now on the right-hand side, we see this little key that I created, which is what's called effective permissions. And that's because permissions that are effective to users are a combination of the Sharing tab and the Security tab. So we add up these shared permissions, we add up the security permissions, and then we take the most restrictive of the two. So as an example, if I go back into Properties, we know that all Domain Users have full access and all security has access. So if we use our little key to the right here, we have full access on sharing, and we have full access on security. The restrictive of the two is still going to be full access.

However, if I go into Edit and change Domain Users on the security side and say you no longer have full access, you no longer have modify access, you only have read and execute, list, and read and write. And I'll click OK. So now what permissions do we have? So we add up all the share permission side. Well, Domain Users have full access. So that's still the same. On the security side, we see that the users that are Domain Users only have the ability to read and write for the most part. There's a couple of minor permissions as well. So now we take the most restrictive of the two, and the most restrictive of the two is going to be that Security tab setup that I just did.

Now we can test that if we like by clicking on the Advanced button. The Advanced button shows us effective access. So it actually does all the math for us if we're just not sure of what permissions a user is going to have. So I'll click on Select a user.
Now I've added a user named Jennifer, so I'll go ahead and click Check Names and I'll select a device. And I'll say, it'll be the dc001, which is our server that we're on. And now click on View effective access. So we see the user does not have full control, does not have the ability to delete anything. However, all those different other rights that you see here are still available, and that's because I removed the full access. So it took the most restrictive of the tabs, the Sharing and the Security tab, as expected.

Let's take a look at another way that we can create a shared folder. I've created another folder called Accounting but I haven't shared it yet. So now I'm going to go into Server Manager and I'm going to click on File and Storage Services and click Shares. I'm going to go up to where it says Tasks and choose to create a new share. Now, I have several options. We see SMB Share Quick, Advanced, then we have application options, and then we also have NFS. NFS is for Linux computers to be able to access shares on a Windows server, so we don't need that here. An application share is specifically for an application such as Hyper-V and certain database types. We don't have that here. And if I want to choose Advanced, it does have some additional options but you have to install File Server Resource Manager in order to see all those options. Some of those options might include being able to block certain application types, such as .bat for batch files; it keeps them from actually being saved on any types of shares. And another option would be to limit the amount of data that a user can add into that share.

I'm just going to choose the quick option and click Next. And I'm going to put in a custom path so I'll just browse to the folder that I just created. And it's called Accounting, select folder. Click Next. Once again, we see Accounting on this server. Now here's where we have some additional options so let's take a look at those.
By default, it allows caching of the share. So once again, it's going to allow the users to download the contents to their computers for offline access. And it allows encrypt data access if we check that box. So that will encrypt those particular files against unauthorized access. Another option is enable access-based enumeration, and this option was not available along with the encrypt data access when we created the share using the other option. Now with this, using Server Manager to create a share, we see these two additional options we didn't see before. The enable access-based enumeration is a great feature because what it does is it keeps users who don't have access to the folders from being able to see those folders on the network. And the advantage to that is you're not going to have any users coming up to you saying, why don't I have access to this folder? I can see it. I double-click on it. It says "Access Denied." So this will keep those users from even being able to see them. So click Next.

Now we have the permissions. I'm going to click on Customized permissions. And once again, we have this Share tab and then it also shows us this Permissions tab. Now the Permissions tab is the same as the Security tab we saw when we right-clicked on the folder and chose Properties. So just treat that the same way as if it was called Security. Now we can add individual users by clicking Add, Select a principal. We can put in, say, Matthew, which is another user I created. And we can add that user individually, if we like. And we'll just give Matthew the default rights that you see here and click OK. I can also go in and select a principal and type in the group called Accounting. Now Accounting has Matthew in it as well as Jennifer and Joshua. So it has three different people all in the group. But in this case, I'm going to say full control and click OK. Now I'll go to the Share tab. It says Everyone, full control. Again, that's not safe.
So I'll click on Edit, Select a principal, and type in Domain Users 'cause that way we get authentication. And click OK. Now we have Domain Users with full permission and we have the Accounting group with full permission, and Matthew, who's a member of the Accounting group, has partial permissions. So I'll click Apply.

So once again, if we go back to our key, we can see what the effective permissions should be. We add up all the shared permissions. Well, everyone who is a domain user has full control, and we add up all the security permissions. The Accounting group, and all the users in it, has full control, but Matthew has partial control. So what does Matthew end up having? Well, we need to add up all the security permissions. So the most permissive is going to be full control for Matthew. So Matthew has all shared permissions, all security permissions. Now we take the most restrictive of the two. Well, the most restrictive once again is full permissions. So Matthew and everyone in the Accounting group are going to have full permissions. And that's how we calculate effective permissions.

I'll click Next and Create for our shared folder and Close. Now let's just confirm that those shared folders are there. And there they are, Accounting as well as shared data. Shared folder effective access will be an important part of a SysAdmin's skillset to ensure users have the correct access to resources.
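
The Server Manager walkthrough above can also be scripted. The following is an added example, not part of the course: it creates the Accounting share with Domain Users in place of Everyone, turns on access-based enumeration and encryption, and then audits for shares that still grant Everyone. The folder path `C:\Accounting` and a domain group named `Accounting` are assumptions.

```powershell
# Added example (not from the course). Run elevated on the file server.
# Assumptions: the folder C:\Accounting exists and the current domain
# contains a group named "Accounting".
$path   = 'C:\Accounting'
$domain = $env:USERDOMAIN

# Share permissions: authenticated Domain Users get Full; Everyone is never added.
# Access-based enumeration hides folders a user cannot open.
# EncryptData turns on SMB encryption (protects the data in transit).
# CachingMode None disables offline copies on client machines.
New-SmbShare -Name 'Accounting' -Path $path `
    -FullAccess "$domain\Domain Users" `
    -FolderEnumerationMode AccessBased `
    -EncryptData $true `
    -CachingMode None

# NTFS (Security tab) permissions: the Accounting group gets Full Control,
# inherited by subfolders and files.
$acl  = Get-Acl -Path $path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\Accounting", 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review both sides of the effective-permission calculation.
Get-SmbShareAccess -Name 'Accounting'                       # share side
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType  # NTFS side

# Confirm the share options that the simple Sharing tab does not expose.
Get-SmbShare -Name 'Accounting' |
    Select-Object Name, FolderEnumerationMode, EncryptData, CachingMode

# Audit: list every non-administrative share that still allows Everyone.
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Where-Object { $_.AccountName -eq 'Everyone' -and
                   $_.AccessControlType -eq 'Allow' }
```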
