Configuration and Sharing

Lab 2

Required:

  • Mastering Windows 2003
  • Access to internet

Disabling Shutdown Event Tracker

(this is the annoying thing that asks you WHY you're shutting down)

By default, Shutdown Event Tracker is enabled for all Windows Server 2003 operating systems and for Windows XP 64-Bit Edition Version 2003.

To disable Shutdown Event Tracker on all Windows Server 2003 operating systems and in Windows XP 64-Bit Edition Version 2003, disable the Display Shutdown Event Tracker policy by using Group Policy. To do this by using Local Group Policy, follow these steps:

  1. Launch Internet Explorer, browse to Google and type disable + shutdown + event + tracker in the search engine
  2. The first hit should walk you through disabling the event tracker.
  3. Open the Group Policy Object Editor Console. Go to Start > Run, type gpedit.msc and press OK.
  4. Navigate to Computer Configuration > Administrative Templates > System and in the right-hand pane, select the "Display Shutdown Event Tracker" setting.
  5. Double-click this setting to open the Properties page. You are now given the option to leave it in a default state of Not Configured, set it to Always Enabled, Enabled for Servers/Workstations (Windows XP Pro) or Disabled completely.
    Note:
    When you enable the Group Policy for Server only, the Shutdown Event Tracker appears when you shut down a computer running Windows 2003, whereas for Workstation only, the Shutdown Event Tracker appears when a computer running Windows XP Professional is shut down.
  6. After you make the change to the Group Policy, open the Command Prompt and run the gpupdate /force command to refresh the policy and have your settings applied straight away. Alternatively, you can just restart the machine.
  7. When you next attempt to shut down or restart the machine, the Shutdown Event Tracker will no longer be visible and the normal shutdown prompt will appear.

Disabling Internet Explorer Security

(this is the 'security enhancement' for safe internet browsing which requires you to add every web site you want to visit to your allow list)

  1. Click Start->Settings->Control Panel->Add/Remove Programs.
  2. Click Windows Components.
  3. Uncheck Internet Explorer Security.

Creating a Secondary Partition

(!!!if you have not already done so!!!)

  1. Right click on My Computer->Manage->Disk management
  2. Right-click on the free space and create a new primary partition using the remaining free space. It will launch a wizard to walk you through this process. Assign it a drive letter of e:
  3. Format this partition using NTFS and check the box to perform a Quick Format

Creating Boot and Recovery Disks

(****THIS CANNOT BE COMPLETED IN LAB. THIS IS FOR YOUR INFORMATION ONLY****)

  1. Go to page 1555, read and create an Automated System Recovery Disk (ASR).
    1. Run the Backup Utility found in Accessories/System Tools. On the first screen you will see buttons for three wizards: Backup Wizard, Restore Wizard and Automated System Recovery Wizard. Click the ASR button.
    2. Choose a backup location for a complete system state backup of your Computer. Do NOT choose the floppy disk, it won't fit. You need a sizeable space, choose the new partition you just created.
    3. After the Backup is finished, insert a blank, formatted floppy diskette in Drive A: and press OK when prompted to let the wizard copy files to the disk.
  2. What is the ASR used for? What does it copy?
  3. Continuing on page 1556 [there is a typo on that page. ORMAT is not a command. It should be FORMAT], create and test a boot floppy. Refer to the section that says to create a boot disk from another computer. Simply copy the three files (boot.ini, ntldr, ntdetect.com) to the diskette. How is this different than a normal Windows 95 boot diskette? What does this allow you to do?

How to set up Sharing

Sharing

You would think that it is a simple matter of right-clicking a folder or file and choosing sharing, but in Windows Server, there are more steps that you need to take to make sure that only the people that you want to share with have access, and that those who do have access have the right permissions. It is important if you are going to share your work that it is kept safe from being tampered with. So how do you accomplish this?

Shares are available for both the FAT file system and the NTFS file system; the difference is the level of security available and what you can put restrictions on. A Share permission does not work on individual files; it is designed to work on shared folders. By default, the Everyone group is granted Read, so the first thing to do is at the very least remove the Everyone group and replace it with the Authenticated Users group with Read and Change, as well as the Administrators group with Full Control. To create a shared folder in Windows, you will need to be an Administrator, Server Operator, or Power User.

Share Permissions

The Share permissions are limited to Read, Change, and Full Control. These names are a little deceptive, because there is more allowed than you would expect. The permissions are as follows:

  • Read - Read files and folders and their attributes, run application files, and change to folders that are contained in the shared folder.
  • Change - Create folders and add files. Change data and attributes in files and delete files and folders. The Change permission can also perform the same actions as the Read permission.
  • Full Control - This permission allows the same functions as the other two permissions, plus it allows changing of file permissions and gives the right to take ownership of files.

So what you have control of is the level of permission, and to whom you grant those permissions. When you hit the Add button, you are taken to a screen that allows you to choose individuals and groups that are members of the Domain or Workgroup.

Removing the Everyone group (which includes anyone who has logged on, whether or not they are a member of the Domain or Workgroup) is simply a matter of selecting it from the list and hitting the delete button.

Multiple Permissions

The thing that is most confusing about permissions is what happens when a user is a member of different groups that have different permissions. For example, suppose Sean is a member of the Editors group, which has Change permissions to the Share folder, and he is also a member of the Executives group, which has Full Control of the Share folder. Which permission does Sean effectively have for the Share folder? In Share permissions, the permissions are cumulative, with the most permissive permission as the effective permission. If you did not want Sean to have Full Control of this folder, you could choose Deny under Full Control, because a Deny will override any other permission.

Some Caveats to Share Permissions

Share permissions only apply to those who are connecting over the network. Even if you have denied permission to a user, if they connect to the folder on the computer that the folder is being hosted from, they will have access locally.

The second caveat is that if you decided to deny a permission to the Everyone group, instead of deleting the group or granting a lesser permission, you will have denied anyone from having that permission. Remember, Deny will override any granted permissions. It is best to avoid the use of the Deny permission if possible. The one case where the Deny permission is helpful however, is if you want to assure that a given user will not gain access to a folder by becoming a member of a group that has access.

NTFS Permissions

Needless to say, you must be using the NTFS file system to be able to use NTFS permissions. You will have greater control with the NTFS system for many reasons, and in the area of permissions, NTFS allows you much more specific rights and denials that you can grant for access. NTFS permissions will apply whether the user connects over the network, or connects locally. NTFS permissions also allow you to set permissions on individual files, and those permissions can be different from the parent folder.

The permission levels in NTFS are narrower than the Share permissions, with 6 levels for folders and 5 levels for files. The file levels are as follows:

  • Read - Read the file and its ownership and attributes
  • Write - In addition to the Read permissions, the user can overwrite the file and change its attributes.
  • Read & Execute - In addition to the Read permissions, the user can run applications. In the folder permissions, this level can also traverse folders and list the folder contents.
  • Modify - In addition to the Read & Execute and Write permissions, the user can delete the file or folder.
  • Full Control - Take ownership and change permissions in addition to all of the other rights granted by all of the other levels.
  • List Folder Contents - Allows the user to list the folder and subfolder contents.

In order to access any folder or file on an NTFS partition, there must be a specific entry in the Access Control List that is stored on the NTFS partition. This is why the NTFS permissions apply even when the file is being accessed locally.

You can have even more control over what permissions are granted if you click the Advanced Button. On the Advanced Properties page, click the View/Edit button to see the choices of special permissions available. The Advanced options subdivide the regular NTFS permissions so you could give a user the Read permission, but also allow the user to delete the file, so you can fine-tune the file to allow the exact access needed. This is not something that you can do in Share permissions.

Multiple NTFS Permissions and Inheritance

The cumulative rule in NTFS permissions works the same as in the Share permissions, except that in NTFS permissions, you can have a different set of permissions for the individual files. If a user has only Read permission for the folder, but has the Modify permission for a file in that folder, the file permission will override the folder permission. How can a file have a different permission than the parent folder?

Inheritance

If you want to have a different set of permissions for the files or sub-folders of the parent folder, you have a choice of allowing the file or sub-folder to keep what it has already inherited, or to remove all of the inherited permissions and give only the explicit permissions you want. The first step is to remove the checkmark next to "Inherit from parent the permission entries that apply to child objects. Include these entries with entries explicitly defined here".

When you do this, you will be given a warning, and a choice of Copy or Remove. They have very helpfully given an explanation of what these choices mean. To Copy means that the current permissions that have been inherited will be kept, and any changes to the parent from now on will not be inherited. To Remove means that none of the inherited permissions will be kept, and only those permissions that are explicitly applied to this object will be used. Again, if you find the Everyone group, replace it with Authenticated Users and make sure Administrators have Full Control.

The Bottom Line

You can choose to share a folder from any file system, FAT, FAT32, or NTFS in Windows. If you are sharing from a FAT or FAT32 partition, your choices for what kinds of permissions you place on the folders are limited to three choices: Read, Modify, or Full Control. If you truly want to secure your folders and files, you will want to have an NTFS file system on your partition, and have the far greater controls of the NTFS permissions. With NTFS you can specify the exact permissions for both folders and files, and choose whether they have the same permissions inherited from the parent to the child, or have different permissions. Remember, permissions are cumulative, but a Deny will always override an Allow, and in NTFS, a file's permissions will always override its folder's permissions.

Summary

This lab explains how to map network drives through the command line and login scripts.

How to connect to a share using the command line

  1. Open your command prompt. Click Start->Run->CMD->ENTER.
  2. At the command prompt type net use ? and hit <ENTER>. You should see the syntax help for the net use command.
  3. Create a folder and share called DOCUMENTS on your E: drive (the secondary partition you just created in this lab in the section Creating a Secondary Partition).
    1. Once the folder is created, you can share it by right-clicking on that folder and selecting Properties. Then click on the Sharing tab. Click the radio button that says Share this folder. By default, it will use the folder name as the share name.
    2. Click on the Permissions button to manage the permissions using what you have learned above.
    3. Follow the same practice for the NTFS permissions on the Security tab.
  4. Note the UNC (Universal Naming Convention) syntax: \\Computername\sharename. Type the command:
    1. net use g: \\your computer name\your share name and hit <ENTER>
    2. For example: net use g: \\SVRED5\documents /persistent:no
  5. The preceding command should create a g: drive on your server. If you made a syntax error, please try again. Otherwise, you should be able to navigate to your g: drive and access any files therein.

Login Scripts

  1. Create a file in the share called login.bat.
    1. Open Notepad, and do a File Save As and save it as login.bat. Make sure you change the file type from txt files to all files. Not doing this will create a file called login.bat.txt.
    2. Enter the command in step 4 to map multiple drive letters (they must be unique) to your existing share in the file login.bat.
    3. You have just created a login script to be used later.
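
A login.bat of the kind step 2 describes, as an added example rather than the lab's original file: it maps two unique drive letters to the sample share from step 4 of the previous section. The second letter (H:) and the :MapDrive helper label are assumptions of this example; SVRED5 and documents are the sample names from step 4 and should be replaced with your own.

```batch
@echo off
rem login.bat - added example, not the lab's original file.
rem SERVER and SHARE use the sample names from step 4; substitute your own.
set SERVER=SVRED5
set SHARE=documents

rem Each drive letter may be mapped only once, so every call uses a different one.
rem H: is an assumed second letter chosen for this example.
call :MapDrive G:
call :MapDrive H:
goto :EOF

:MapDrive
rem Drop any stale mapping on this letter first so net use does not fail
rem because the letter is already in use. Errors from this step are ignored.
net use %1 /delete /yes >nul 2>&1

rem /persistent:no keeps the mapping from being restored at the next logon;
rem the script recreates it every time it runs.
net use %1 \\%SERVER%\%SHARE% /persistent:no >nul
if errorlevel 1 echo Could not map %1 to \\%SERVER%\%SHARE%
goto :EOF
```

Because share permissions are checked when the mapping is made, a user without access to the share sees the "Could not map" line instead of a silent failure.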
