File AccessFile Access

Windows File SystemsWindows File Systems

• Three main file systemsThree main file systems• File Allocation Table (FAT)File Allocation Table (FAT)• FAT32FAT32• NTFSNTFS

• Final choice of system depends on Final choice of system depends on • How the system will be usedHow the system will be used• Whether there are multiple operating systemsWhether there are multiple operating systems• Security requirementsSecurity requirements

• NTFS is highly recommendedNTFS is highly recommended

FATFAT

• Old…….Used by MS-DOSOld…….Used by MS-DOS• Supported by all versions of Windows sinceSupported by all versions of Windows since• Traditionally limited to partitions up to 2 GBTraditionally limited to partitions up to 2 GB

• Windows Server 2003 version supports partitions up to Windows Server 2003 version supports partitions up to 4 GB4 GB

• LimitationsLimitations• Small partition sizesSmall partition sizes• No file system security featuresNo file system security features• Disk space usage is poorDisk space usage is poor

FAT32FAT32

• An updated FAT file systemAn updated FAT file system• Supports partition sizes up to 2 TBSupports partition sizes up to 2 TB• Not supported by NT V.4Not supported by NT V.4• Supported by Windows 2000 and upSupported by Windows 2000 and up• Does not provide advanced security featuresDoes not provide advanced security features

• Cannot configure permissions on file and folder Cannot configure permissions on file and folder resourcesresources

NTFSNTFS

• Introduced with Windows NT operating systemIntroduced with Windows NT operating system• Current version (version 5)Current version (version 5)

• Windows NT 4.0Windows NT 4.0

• Windows 2000Windows 2000

• Windows XPWindows XP

• Windows Vista & 7Windows Vista & 7

• Windows Server 2003 & 2008Windows Server 2003 & 2008

• Supports partition sizes of up to 16 Exabytes (EB)Supports partition sizes of up to 16 Exabytes (EB)

NTFS (cont.)NTFS (cont.)

• Advantages of NTFSAdvantages of NTFS• Greater scalability and performanceGreater scalability and performance

• Support for Active Directory Support for Active Directory

• Security permissions on individual files and foldersSecurity permissions on individual files and folders

• Support for compression and encryptionSupport for compression and encryption

• Disk quotas for individual usersDisk quotas for individual users

• Remote StorageRemote Storage

• Recovery logging of disk activitiesRecovery logging of disk activities

Shared FoldersShared Folders

• Shared folderShared folder• A resource made available through a network to A resource made available through a network to

authorized clientsauthorized clients

• Permissions required for creating, reading, modifyingPermissions required for creating, reading, modifying

• Groups that can create shared folders:Groups that can create shared folders:• AdministratorsAdministrators

• Server OperatorsServer Operators

• Power Users (only on member servers)Power Users (only on member servers)

Windows ExplorerWindows Explorer

• Available since Windows 95 Available since Windows 95 • Create, maintain, and share foldersCreate, maintain, and share folders• Folders can be on any drive connected to the Folders can be on any drive connected to the

computercomputer• Folders are shared in Windows Explorer by Folders are shared in Windows Explorer by

accessing the Sharing tab of folder’s propertiesaccessing the Sharing tab of folder’s properties

Windows Explorer (cont.)Windows Explorer (cont.)

Windows Explorer (cont.)Windows Explorer (cont.)

• Shared name of folder does not have to be the Shared name of folder does not have to be the same as the actual file namesame as the actual file name

• Hand icon used to indicate shared statusHand icon used to indicate shared status• To make Shared folders hidden from My Network To make Shared folders hidden from My Network

Places and Network Neighborhood, place a dollar Places and Network Neighborhood, place a dollar sign ($) after name, e.g., Sales$sign ($) after name, e.g., Sales$

Windows Explorer (cont.)Windows Explorer (cont.)

Computer ManagementComputer Management

• Computer Management console allows you to Computer Management console allows you to share, monitor, or stop sharing folders for local share, monitor, or stop sharing folders for local and remote computersand remote computers

• The Share Folder Wizard is used to create folders The Share Folder Wizard is used to create folders in the Shared Folders section of Computer in the Shared Folders section of Computer Management.Management.• It provides preconfigured and manual It provides preconfigured and manual

permissionspermissions• All users have read-only accessAll users have read-only access• Administrators have full access; others have Administrators have full access; others have

read-only access, orread-only access, or• Administrators have full access; others have Administrators have full access; others have

read and write accessread and write access

Computer ManagementComputer Management

Managing Shared FoldersManaging Shared Folders

• A shared folder has a discretionary access control A shared folder has a discretionary access control list (DACL)list (DACL)• DACL contains a list of user or group references that DACL contains a list of user or group references that

have been allowed or denied permissionshave been allowed or denied permissions• Each reference is an access control entry (ACE)Each reference is an access control entry (ACE)• DACL is accessed from Permissions button on Sharing DACL is accessed from Permissions button on Sharing

tab of folder’s propertiestab of folder’s properties

• Permissions only apply to network users, not those Permissions only apply to network users, not those logged on directly to local machinelogged on directly to local machine

Managing Shared Folders Managing Shared Folders (cont.)(cont.)

Managing Shared Folders Managing Shared Folders (cont.)(cont.)

• To deny access to a user or groupTo deny access to a user or group• Windows does not include a No Access share Windows does not include a No Access share

permissionpermission

• You must explicitly deny access to each individualYou must explicitly deny access to each individual

• Default permission is read access for Everyone Default permission is read access for Everyone groupgroup• Should be immediately addressed when a share is Should be immediately addressed when a share is

createdcreated

• All contained objects inherit folder permissions All contained objects inherit folder permissions

NTFS PermissionsNTFS Permissions

• NTFS permissions are configured via the Security NTFS permissions are configured via the Security tabtab

• NTFS permissions are cumulativeNTFS permissions are cumulative• Denial of access always overrides permitted Denial of access always overrides permitted

accessaccess• NTFS folder permissions are inherited unless NTFS folder permissions are inherited unless

otherwise specifiedotherwise specified• NTFS permissions can be set at file or folder levelNTFS permissions can be set at file or folder level

NTFS Permissions (cont.)

• A new ACE has the default permissionsA new ACE has the default permissions• Read or Read and Execute for filesRead or Read and Execute for files

• List Folder Contents for foldersList Folder Contents for folders

Special PermissionsSpecial Permissions

• Special permissions can provide more or less Special permissions can provide more or less access than standard permissionsaccess than standard permissions

• Special permissions are accessed from the Special permissions are accessed from the Advanced button in the Security tab on Properties Advanced button in the Security tab on Properties dialog boxdialog box

• Permission Entry dialog box enables assignment Permission Entry dialog box enables assignment of permissions and control of inheritance settingsof permissions and control of inheritance settings

Special Permissions (cont.)Special Permissions (cont.)

Special Permissions (cont.)Special Permissions (cont.)

• Inheritance settingsInheritance settings• This folder onlyThis folder only

• This folder, subfolders, and files (This folder, subfolders, and files (defaultdefault))

• This folder and subfoldersThis folder and subfolders

• This folder and filesThis folder and files

• Subfolders and files onlySubfolders and files only

• Subfolders onlySubfolders only

• Files onlyFiles only

Special NTFS Permissions (continued)

Effective PermissionsEffective Permissions

• Permissions that actually apply to a user can be Permissions that actually apply to a user can be the result of membership in multiple groupsthe result of membership in multiple groups

• There is an Effective Permissions tab in Advanced There is an Effective Permissions tab in Advanced Security Settings dialog box for resourceSecurity Settings dialog box for resource• Shows specific permissions for a user or groupShows specific permissions for a user or group

Determining Effective Permissions (continued)

Shared Folder & PermissionsShared Folder & Permissions

• NTFS permissions can be combined with share NTFS permissions can be combined with share permissions permissions • When accessing a share across a network, if both apply, When accessing a share across a network, if both apply,

Windows will use the most restrictiveWindows will use the most restrictive

• When accessing a file locally, only NTFS permissions When accessing a file locally, only NTFS permissions applyapply

Converting FAT Partitions to Converting FAT Partitions to NTFSNTFS

• Use NTFS for greatest security of partitions and Use NTFS for greatest security of partitions and volumesvolumes

• A Command-line utility, CONVERT, is available A Command-line utility, CONVERT, is available that will convert FAT or FAT32 partitions and that will convert FAT or FAT32 partitions and volumes to NTFSvolumes to NTFS

• All existing files and folders are retainedAll existing files and folders are retained• CONVERT cannot work in reverse to convert CONVERT cannot work in reverse to convert

NTFS to FAT or FAT32NTFS to FAT or FAT32