Lecture 9: More Access Control and PermissionsNetwork Design & Administration

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Registry Keys

• Registry Keys are the entities used to store information about a Windows PC.• They are used for:• Hardware information• OS information• Non-OS programs• Users• Preferences

2

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Registry Structure and Use• The registry is separated into Hives:• HKEY_CLASSES_ROOT

• For installed apps – file associations, etc.

• HKEY_CURRENT_USER • Specific settings for current user. e.g. printer settings.

• HKEY_LOCAL_MACHINE• General to all users. E.g. driver versions.

• HKEY_USERS• Details of all user profiles keys that can access machine.• Current_User is a partial list of information.

• HKEY_CURRENT_CONFIG• Generated at boot time to give information on local machine configuration.

3

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Registry Entries• For a registry entry

to be modified, the program or user has to be allowed to change it!

• Here we see the Administrators group given Full Control over this sub-key (via inheritance)

4

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Registry Permissions• Can see similarities and

differences between these and NTFS permissions.

• Different set of standard and special permissions.

• Again, inheritance can be allowed or stopped, and deny/allow priority applies.

5(Note: Write DAC = ability to change ACL for key)

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Why of interest in a network?

• Various programs may need to run on a server.• Those programs must have appropriate access

to registry keys.• If users want applications installed locally,

problems can occur if the registry keys do not have the appropriate ACL’s set.

6

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Active Directory Object PermissionsVery different again to NTFS and Registry. e.g. -• Create child• Delete child• Standard delete• Delete tree• Read property• Write property

• Microsoft recommend not changing.• If changed, performance can be lost due amount of

information transmitted around network. 7

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Microsoft File Shares

• Allow network clients to actually see folders on a server remotely.• Some shares are created automatically due to the role of

a server. e.g. NETLOGON share created when becomes a domain controller.• Shares can be hidden by appending $ to name (so how

do users find it?)

8

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Who can create file system shares?• Depends on role of machine and therefore

security risks associated with doing it:• Domain Controller – Administrators, Server

Operators, Enterprise Admins, Domain Admins groups only.• Domain Member Server or Workstation -

Administrators, Server Operators, Power Users groups only.• Workgroup or Standalone computer (?) -

Administrators, Power Users groups only. 9

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Creating a share using the MMC Shared Folders Snap-in

10

Net

wor

k D

esig

n &

Adm

inist

ratio

n

File share permissions

• They differ from NTFS.• Much coarser grain – no special permissions.• Change in Share Permissions is not the same as

Modify in NTFS in the delete area.• When Share and NTFS permissions both present,

resultant applied is the most restrictive.• Do not apply to locally logged on users. (e.g.

physically local or by Terminal Server)

11

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Limitations / Problems• Limited scope - Can be applied only to folders and only when

connecting to the share.• Lack of flexibility - Permissions applied to the share apply to all

levels below.• No replication - Share permissions are not replicated by domain

controller.• No resiliency - Share permissions cannot be backed up or

restored via Domain Controller.• Fragility - Shares (and therefore share permissions) are lost

when a folder is moved or renamed.• No auditing possible.• Do not show up in Effective Permissions tab – Need to be looked

at independently then considered with NTFS permissions to give resultant most restrictive .

12

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Printer Server Topologies

• For cost effectiveness, want multiple users to access a single printer.• What are the options?• Locally Attached Printers• Network Attached Printers• Logical printer on every client workstation• Logical Printer – object used by operating system to

represent physical device. Contains settings, defaults, drivers and other properties.

• Print server• Print server – receives jobs from clients, stores them in

a print queue and sends 1 by 1 to physical printer,

13

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Locally Attached Printer[1]

• Physical security issues (printer has to be close to server).• When printer share is created the attached server functions as

the print server.14

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Network attached printer, with logical printer in every client[1]

15

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Problems…

• Each user sees only own jobs – not rest of queue (may be lots waiting ahead!)• Admins cannot manage print queue or

implement advanced features.• Error messages only appear to user machine.• If driver update required, has to be done on each

client.• Print processing not offloaded to server.

16

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Network attached printer, with print server[1]

17

• Advantages…?

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Old UNIX/Linux permissions

• Each file has a set of bits that specify its permissions for 3 classes of user:• Owner, Group Owner, Everyone Else

• Owner is special, and can totally limit access.• Each class has 3 bits: (r) Read, (w) Write, (x) Execute• These are expressed as rwx if allowed or a – if not

allowed• e.g. rwxr-xr-x means owner allowed all 3, but all others

only allowed read and execute.• Super user (root access) can do anything even if not

owner. 18

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Modern UNIX/Linux permissions

• Now support ACLs (partly for compatibility with Windows via SAMBA).• Still based on read, write, execute (not as fiddly

as Windows NTFS, so SAMBA has to ‘translate’ between them)• ACL’s allow rwx to be set for multiple groups and

specific users.

19

Net

wor

k D

esig

n &

Adm

inist

ratio

n

Next Time & references

• Keeping systems up to date.• Hotfixes vs. Service Packs.• Managing/automating processes.

• [1] MOAC 290 chapter 10

20