Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.

Guide to Operating System Security

Chapter 5

File, Directory, and Shared Resource Security

2 Guide to Operating System Security

Objectives

Implement directory, folder, and file security Configure shared resource security, using

share permissions in Windows 2000/XP/2003 Use groups to implement security Troubleshoot security


Directory, Folder, and File Security (Continued)

Access control lists (security descriptors) associate users and groups with specific access capabilities

ACL components Discretionary access control list (DACL) System access control list (SACL)


Directory, Folder, and File Security (Continued)

Categories of information in an ACL User accounts that can access the object Rights and permissions that determine level of

access Ownership of the object Whether specific events associated with an object

are to be audited


Windows 2000/XP/2003 Folder and File Security

Use attributes and permissions – related to file system used with the OS

NTFS is better than FAT16 or FAT32 Able to set standard and special permissions Supports use of EFS Enables disk quotas to be set


Configuring Folder and File Attributes

Attributes in FAT16, FAT32, and NTFS are stored as header information

Attributes available in FAT16/FAT32-formatted disks Read-only Hidden Archive


Configuring Folder and File Attributes


NFTS Security Attributes

Read-only Hidden Archive Index Compress Encrypt


NFTS Security


Configuring Folder and File Permissions

Use Add and Remove buttons on folder properties Security tab to change which users and groups have permission

Modify existing permissions by clicking on the group and checking or removing checks in Allow and Deny columns


Configuring Folder and File Permissions


Folder and File Permissions Supported by NTFS


Configuring Inheritable Permissions


UNIX and Linux Directory and File Security (Continued)

Permissions Read (r) Write (w) Execute (x)

Special permissions for executable programs Set User ID (SUID) Set Group ID (SGID)


UNIX and Linux Directory and File Security (Continued)

Permissions criteria Ownership (o) Group membership (g) Other (o) All (a)

Use chmod command to set up permissions Symbolic format Octal format

Use chown command to change ownership


Viewing Permissions Settings


Red Hat Linux 9.x System Directories


NetWare 6.x Directory and File Security

Access controlled through: Attributes associated with files and directories Access rights granted to trustees


NetWare Directory Attributes


NetWare File Attributes (Continued)


NetWare File Attributes (Continued)


NetWare Directory Attributes


NetWare Access Rights


NetWare Access Rights


NetWare Trustee Rights


Mac OS X Folder and File Security

Ways to configure file and folder permissions Command-line commands Set Get Info properties of a file


Using Command-Line Commands in Mac OS X


Configuring Ownership & Permission for a Mac OS x File


Mac OS X Get Info Folder and File Permissions


Shared Resource Security

Sharing or accessing resources – directories, folders, files, and printers – over a network Windows 2000/XP/2003 Red Hat Linux 9.x NetWare 6.x Mac OS X


Sharing Resources in Windows 2000/XP/2003

Use share permissions Protecting a shared folder

Full Control Change Read

Protecting a shared printer


Protecting a Shared Folder


Protecting a Shared Printer

Print Manage Documents Manage Printers Special Permissions

Read Change Take Ownership


Sharing Resources inRed Hat Linux 9.x

Enable access through: Telnet and FTP

• Use with Secure Shell capabilities Network File System (NFS)

Protecting directory resources Protecting printer resources

Queue-based printing Novell Distributed Print Services (NDPS)


Sharing Resources in NetWare 6.x

Protecting directory resources Mapping and search mapping

• Protects through attributes and trustee access rights

Protecting printer resources


NetWare Drive Mappings


Sharing Resources inMac OS X

Enable access through System Preferences Protecting a shared folder Protecting a shared printer


Using Security Groups

Group together accounts that have similar characteristics

Eliminates repetitive steps in managing user and resource access


Using Groups inWindows 2000/XP/2003

Related to concept of scope of influence Types; used for security and distribution

groups Local Domain local Global Universal


Implementing Local Groups

Used to manage resources in Windows 2000/XP Professional


Implementing Local Groups


Implementing Domain Local Groups

Used when Active Directory is deployed Used to manage resources in a domain Give access to global groups from the

same/other domains access to those resources


Implementing Domain Local Groups


Implementing Global Groups

Intended to contain user accounts from single domain

Can be set up as member of a domain local group in same or other domain


Implementing Global Groups


Implementing Universal Groups

Spans domains and trees within a Windows Active Directory forest


Guidelines for Using Groups

Global groups Hold accounts as members

Domain local groups Provide access to resources in a specific domain

Universal groups Provide extensive access to resources


Using Groups inRed Hat Linux 9.x

Assign each group a unique group identification number (GID)

Assign permissions to access resources to the group


Using Groups in NetWare 6.x

Create groups with ConsoleOne tool Configure trustee access rights for the group Assign accounts to the group Assign specific login script to the group


Using Groups in Mac OS X

Automatically managed and assigned by the operating system


Troubleshooting Security

Windows XP Professional and Windows Server 2003 View the effective permissions

NetWare 6.x View the effective rights


Viewing Effective Rights in NetWare 6.x


Summary

How to configure directory, folder, and file security for Windows 2000/XP/2003,Linux 9.x, Netware 6.x, and Mac OS X

How to fine-tune security for common and unique circumstances

Specialized share permissions for Windows-based systems; used when folders are shared across a network through FAT16/32 and NTFS

continued…


Summary

How to configure and use security groups to manage access to shared resources

How to use effective permissions and effective rights tools in Windows XP/2003 andNetWare 6.x to ensure that directory, folder, and file security is properly set and that there are no security holes

Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.

Documents

security nfts security

security folder

security directory

file security access

security unix

security objectives

security chapter

file permissions slide