Chapter 5 File and Print Sharing, Security, Permissions, and Windows Printing

Objectives

  • Describe how Windows implements file and print sharing.
  • Secure access to files with permissions.
  • Create file shares.
  • Describe Work Folders.
  • Configure and manage Windows printing.

An Overview of File and Printer Sharing

  • File and print sharing functions are in the File and Storage Services role.
  • Windows clients access shared files and printers by using Server Message Block (SMB).
    • SMB is a client/server Application-layer protocol that provides network file sharing, network printing, and named-pipe interprocess communication; user authentication inside an SMB session is negotiated with NTLM or Kerberos.
    • Common Internet File System (CIFS) is the older name for the SMB 1.0 dialect. Windows Server 2012 speaks SMB 3.0 (3.02 in R2), which adds per-share encryption; SMB 1.0 should be disabled once no legacy clients depend on it.
  • Windows Server 2012/R2 also supports Network File System (NFS).
    • NFS is the native sharing protocol in UNIX and Linux OSs.
    • Server for NFS is a role service found under File and Storage Services.
      • It needs to be installed in order to support clients using the NFS protocol.
  • Windows shares printers using the SMB protocol but also supports other protocols, such as:
    • LPR/LPD
    • Internet Printing Protocol (IPP)

Securing Access to Files with Permissions

  • Two ways to secure files:
    • Share permissions
    • NTFS permissions
  • Permissions specify which users can access a file system object and what users can do with that object.
  • Share permissions apply when using a network to access shared files.
  • NTFS permissions always apply whether accessing network shares or local files.

Security Principals

  • Three types of objects (security principals) can be assigned permission to access the file system:
    • Users
    • Groups
    • Computers
  • An object’s security settings have three components that make up its security descriptor:
    • Discretionary access control lists
    • Object owner
    • System access control list

Security Principals - DACL, ACE, Owner, SACL

  • Discretionary access control list (DACL) - a list of security principals; each has permissions that define access to an object.
  • Access control entry (ACE) - an entry in a discretionary access control list.
  • Object owner - usually the user account that created the object or a group or user who has been assigned ownership of the object.
  • System access control list (SACL) - a file system component that defines the settings for auditing access to an object.

How Permissions Are Assigned

  • Users can be assigned permission to an object in four ways:
    • The user creates the object
    • The user’s account is added to the object’s DACL
      • This method is called explicit permission
    • A group the user belongs to is added to the object’s DACL
      • Also considered explicit permission
    • Permission is inherited from the DACL of a parent object the user or group account has been added to
      • This method is called inherited permission

Share Permissions

  • Share permissions apply to folders and files accessed across the network.
  • Can’t be configured on individual files.
  • Three share permissions:
    • Read
    • Change
    • Full Control
  • Generally, the default share permission is Read for Everyone.

NTFS Permissions

  • NTFS permissions can be configured on folders and files.
    • Folders have 6 permissions and 14 special permissions.
    • Files have 5 permissions and 13 special permissions.
  • NTFS standard permissions:
    • Read
    • Read & Execute
    • List folder contents
    • Write
    • Modify
    • Full control

File and Folder Ownership

  • Every file system object (files and folders) has an owner.
  • An object owner is granted certain implicit permissions.
  • A user can become the owner of a file system object in three ways:
    • Create the file or folder
    • Take ownership of a file or folder
    • Assigned ownership

NTFS Permission Inheritance

  • By default, initial permissions are set at the root of a volume.
    • All folders and files in the volume inherit these settings unless configured otherwise.
  • Subfolders and files are configured to inherit permission by default.
    • Permission inheritance can be disabled, if needed.
  • To disable permission inheritance, open the Advanced Security Settings dialog box for an object and click the Disable inheritance button.

Effective Access

  • Effective access - the access a security principal has to a file system object when taking sharing permissions, NTFS permissions, and group memberships into account.
  • The Advanced Security Settings dialog box has an Effective Access tab.
    • You can select a user or group to see its resulting access to a file or folder.

Copying and Moving Files and Folders

  • Rules to keep in mind when copying or moving files and folders within or between volumes:
    • A file or folder copied within the same NTFS volume or to a different NTFS volume inherits permissions from the destination folder.
    • A file or folder moved within the same NTFS volume retains its original permissions.
    • A file or folder moved to a different NTFS volume inherits the destination folder’s permissions.
    • A file or folder moved from a FAT or FAT32 volume to an NTFS volume inherits the destination folder’s permissions.
    • A file or folder moved or copied from an NTFS volume to a FAT or FAT32 volume loses all permission settings because FAT/FAT32 volumes don’t support permissions.

Creating Windows File Shares

  • Folders in Windows Server 2012/R2 can be shared only by members of the Administrators or Server Operators groups.
  • Methods to configure folder sharing:
    • Simple file sharing
    • Advanced Sharing dialog box
    • Shared Folders snap-in
    • File and Storage Services
    • The net share command or the SmbShare PowerShell cmdlets (the Share and Storage Management console from Windows Server 2008 was removed in Windows Server 2012)

Using Deny in an ACE

  • The Deny permission should be used cautiously and only for exceptions.
  • Windows evaluates a DACL in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. The first ACE that decides the requested access wins, so as a rule a Deny permission overrides an Allow permission.
  • Exception: If the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object’s DACL, the explicit Allow is evaluated first and takes precedence.
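The following PowerShell script is an added example, not part of the original slides. It works through the inheritance, Deny precedence, and copy-versus-move rules from the preceding sections on one folder tree. It assumes an elevated PowerShell 4 session on a Windows Server 2012 R2 domain member, an NTFS D: volume, and a hypothetical domain user CONTOSO\jsmith; the paths are illustrative.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session on a
# Windows Server 2012 R2 domain member, D: is NTFS, CONTOSO\jsmith is a hypothetical user.
$Root    = 'D:\Shares\Finance'
$Reports = Join-Path $Root 'Reports'
$Archive = 'D:\Shares\Archive'      # same volume, different parent: used for the copy/move test
New-Item -ItemType Directory -Path $Reports, $Archive -Force | Out-Null

function Add-Ace {
    # Adds one ACE to a folder or file. ContainerInherit,ObjectInherit makes it flow to children.
    param([string]$Path, [string]$Identity, [string]$Rights, [string]$Type,
          [string]$Inherit = 'ContainerInherit,ObjectInherit')
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList @($Identity, $Rights, $Inherit, 'None', $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Dacl {
    param([string]$Path)
    # IsInherited separates explicit ACEs from ones inherited from a parent object.
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# 1. Inherited Deny: block jsmith from writing anywhere under Finance.
Add-Ace -Path $Root -Identity 'CONTOSO\jsmith' -Rights 'Write' -Type 'Deny'

# 2. Explicit Allow on the child. Explicit ACEs are evaluated before inherited ones,
#    so jsmith can write in Reports although the inherited Deny is still in the DACL.
Add-Ace -Path $Reports -Identity 'CONTOSO\jsmith' -Rights 'Modify' -Type 'Allow'
Show-Dacl -Path $Reports

# 3. Disable inheritance on Reports and convert inherited ACEs to explicit ones
#    (same as "Disable inheritance > Convert" in Advanced Security Settings).
$acl = Get-Acl -Path $Reports
$acl.SetAccessRuleProtection($true, $true)   # isProtected = yes, preserveInheritance = yes
Set-Acl -Path $Reports -AclObject $acl

# 4. Copy vs move on the same NTFS volume. The copy is a new object and inherits
#    from Archive; the move is a rename and keeps its explicit ACEs.
$f = Join-Path $Reports 'q1.txt'
Set-Content -Path $f -Value 'constructed sample file'
Add-Ace -Path $f -Identity 'CONTOSO\jsmith' -Rights 'Read' -Type 'Allow' -Inherit 'None'
Copy-Item -Path $f -Destination (Join-Path $Archive 'q1-copied.txt')
Move-Item -Path $f -Destination (Join-Path $Archive 'q1-moved.txt')
Show-Dacl -Path (Join-Path $Archive 'q1-copied.txt')   # no jsmith ACE: inherited from Archive only
Show-Dacl -Path (Join-Path $Archive 'q1-moved.txt')    # explicit jsmith Read ACE retained

# 5. Cross-check with icacls; (I) marks inherited entries.
icacls $Reports
```

Run it once, then use the Effective Access tab on Reports for CONTOSO\jsmith: the inherited Deny Write is listed in the DACL, yet effective access includes Write because the explicit Allow is reached first.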

Creating Shares with File and Storage Services

  • Create shares and set a number of sharing options with the New Share Wizard, in the File and Storage Service role.
  • 5 options for setting the share profile:
    • SMB Share - Quick
    • SMB Share - Advanced
    • SMB Share - Applications
    • NFS Share - Quick
    • NFS Share - Advanced
  • You can set the following additional options for an SMB share:
    • Enable access-based enumeration - shows only the files and folders to which a user has at least Read permission.
    • Allow caching of share - enables or disables offline files (also known as “client-side caching”).
    • Encrypt data access - enables SMB 3.0 encryption for the share, so file data cannot be read by a network sniffer as it crosses the network. Only SMB 3.0 clients (Windows 8/Server 2012 and later) can connect to an encrypted share; older clients are refused unless the server is configured to accept unencrypted access, which defeats the purpose.

Creating and Managing Shares at the Command Line

  • Shared folders can be created and managed with the net share command or PowerShell cmdlets.
  • net share commands:
    • net share MyDocs=D:\Documents - creates a share named MyDocs from the D:\Documents folder.
    • net share MyDocs - lists information about the MyDocs share.
    • net share MyDocs /delete - deletes the MyDocs share.
    • net share - lists shares on the computer.
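The script below is an added example, not from the original slides. It creates the same kind of share the "SMB Share - Advanced" profile produces, with access-based enumeration, no offline caching, and SMB encryption, and then shows the net share equivalent. It assumes an elevated session on Windows Server 2012 R2 with the File Server role service installed, an existing folder D:\Shares\Finance, and a hypothetical domain group CONTOSO\Finance.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session,
# File Server role service installed, D:\Shares\Finance exists, CONTOSO\Finance is hypothetical.
$Path = 'D:\Shares\Finance'

# Wizard options mapped to New-SmbShare parameters:
#   -FolderEnumerationMode AccessBased  = Enable access-based enumeration
#   -CachingMode None                   = Allow caching of share (off)
#   -EncryptData $true                  = Encrypt data access (SMB 3.0 encryption)
# Giving explicit access lists here replaces the default Everyone/Read share ACL.
# Share permissions are a coarse gate; NTFS permissions do the fine-grained work.
New-SmbShare -Name 'Finance' -Path $Path `
    -FullAccess 'CONTOSO\Domain Admins' `
    -ChangeAccess 'CONTOSO\Finance' `
    -FolderEnumerationMode AccessBased `
    -CachingMode None `
    -EncryptData $true

# Server-wide: refuse clients that cannot negotiate SMB 3 on an encrypted share
# (this is the default; $false would silently fall back to cleartext).
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Verify the share settings and its share-level ACL.
Get-SmbShare -Name 'Finance' |
    Format-List Name, Path, EncryptData, FolderEnumerationMode, CachingMode
Get-SmbShareAccess -Name 'Finance'

# The net share equivalent of the creation step (it cannot set ABE or encryption):
#   net share Finance=D:\Shares\Finance /GRANT:"CONTOSO\Finance,CHANGE"
net share Finance        # lists the share's details
```

To encrypt every share on the server instead of one, use Set-SmbServerConfiguration -EncryptData $true; per-share encryption is the less disruptive choice when some clients are still older than Windows 8.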

Default and Administrative Shares

  • Administrative shares - hidden shares (the trailing $ keeps them out of network browsing) that Windows creates automatically and that are available only to members of the Administrators group:
    • Admin$ - provides network access to the Windows folder (%SystemRoot%) on the boot volume
    • Drive$ - drive represents the drive letter of a disk volume (example: C$) and exposes the whole volume
    • IPC$ - interprocess communication; carries named pipes used for remote administration and authentication rather than files
  • Domain controllers have all of the above, plus:
    • NETLOGON - stores logon scripts and the domain’s default network user profile (Default User.v2)
    • SYSVOL - stores Group Policy templates and scripts and is replicated between domain controllers by Active Directory

Managing Shares with the Shared Folders Snap-in

  • Use the Shared Folders snap-in to:
    • Create, delete, and monitor shares
    • View open files
    • Monitor and manage user connections or sessions
  • The Shared Folders snap-in has the following subnodes:
    • Shares - view all shares, their path, and how many clients are connected to each share
    • Sessions - lists users who have a network connection to the server
    • Open Files - lists files that network users have open
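As an added example (not from the original slides), the three Shared Folders snap-in views can be reproduced with the SmbShare cmdlets, which also make two security checks easy. It assumes an elevated session on a Windows Server 2012/R2 file server; the user name jsmith is hypothetical.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session on a
# Windows Server 2012/R2 file server; 'jsmith' is a hypothetical user name.

# Shares node: -Special lists the hidden administrative shares (ADMIN$, C$, IPC$ ...);
# CurrentUsers is the per-share connection count the snap-in displays.
Get-SmbShare -Special | Format-Table Name, Path, Description -AutoSize
Get-SmbShare | Where-Object { -not $_.Special } | Format-Table Name, Path, CurrentUsers -AutoSize

# Sessions node: who is connected, from where, and over which SMB dialect.
Get-SmbSession | Format-Table ClientComputerName, ClientUserName, NumOpens, SecondsIdle, Dialect -AutoSize

# Open Files node: files held open over the network, and by whom.
Get-SmbOpenFile | Format-Table ClientComputerName, ClientUserName, ShareRelativePath -AutoSize

# Check 1: sessions still negotiating SMB 1 cannot use SMB 3 encryption; find them
# before turning the legacy protocol off.
Get-SmbSession | Where-Object { $_.Dialect -lt 2.0 }
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # once nothing is listed above

# Check 2: drop every session of one user. An established session keeps working
# after the account is disabled until it is closed, so close it explicitly.
function Disconnect-SmbUser {
    param([Parameter(Mandatory)][string]$UserName)
    Get-SmbSession | Where-Object { $_.ClientUserName -like "*\$UserName" } |
        ForEach-Object { Close-SmbSession -SessionId $_.SessionId -Force }
}
Disconnect-SmbUser -UserName 'jsmith'
```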

Accessing File Shares from Client Computers

  • For shared resources to be useful, users must know how to access them.
  • Common methods of accessing shared folders:
    • UNC path
    • Active Directory search
    • Mapping a drive
    • Browsing the network

Working with Disk Quotas

  • Disk quotas - an option on NTFS volumes that enables administrators to limit how much disk space a user can occupy.
  • Quotas are configured in the Quota tab of an NTFS volume’s Properties dialog box.
  • Options for setting quotas:
    • Enable quota management - must check this box in order for quotas to be enabled on the volume.
    • Deny disk space to users exceeding quota limit - prevents users from saving files when their limit is exceeded.
    • Do not limit disk usage - no disk limits are set, but the system tracks usage for each user.
    • Limit disk space to - specify maximum amount of space users can occupy
    • Log event when a user exceeds their quota limit - creates an entry in the event log when a user exceeds their quota limit.
    • Log event when a user exceeds their warning level - creates an entry in the event log when users exceed their warning levels.
    • Quota Entries - clicking this opens the Quota Entries window
  • Quotas can be enabled on a per-volume basis and all file types are treated the same way.
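The fsutil commands below are an added example, not from the original slides, and map the Quota tab options to the command line. It assumes an elevated session, an NTFS D: volume, and a hypothetical user CONTOSO\jsmith.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session,
# D: is NTFS, CONTOSO\jsmith is a hypothetical user. fsutil takes sizes in bytes.
$Vol = 'D:'

# "Enable quota management" with "Do not limit disk usage": usage is tracked only.
fsutil quota track $Vol
# "Deny disk space to users exceeding quota limit": writes past the limit fail.
fsutil quota enforce $Vol

# A per-user entry (the Quota Entries window): warn at 400 MB, hard limit at 500 MB.
fsutil quota modify $Vol (400MB) (500MB) 'CONTOSO\jsmith'

# Review default limits, the logging flags, and every per-user entry on the volume.
fsutil quota query $Vol

# The two "Log event" check boxes write to the System log; this pulls those entries.
fsutil quota violations
```

Usage is charged to the owner of each file, so a user who takes ownership of someone else's files also takes over their quota charge.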

Working with Shadow Copies

  • Shadow copies - allow users to access previous versions of files in shared folders and restore files that have been deleted or corrupted.
    • Enables users to compare newer versions of files with older versions to see what has changed
  • Windows allocates space on the same volume where shadow copies are enabled
  • Volumes used heavily for sharing files should be configured to use a different volume for storing shadow copies.
    • Use the Settings dialog box to change the location
  • When the disk space allocated for shadow copies reaches the specified limit:
    • Older shadow copies are deleted
  • Maximum number of previous versions that are kept is 64
  • Shadow copies use the Volume Shadow Copy Service (VSS)
    • Introduced in Windows Server 2003
    • Enables shadow copies and allows copying files that are open, which allows making backups of files and applications without taking them offline
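The following script is an added example, not from the original slides. It places shadow storage on a second volume as recommended above, takes a snapshot, lists what is kept, and restores one file from the newest copy on the server side. It assumes an elevated session with NTFS volumes D: and E:; the file path being restored is constructed.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session,
# D: and E: are NTFS volumes, D:\Shares\Finance\Reports\q1.txt is a constructed path.

# Keep the shadow storage off the busy volume, capped at 10% of E:.
vssadmin add shadowstorage /for=D: /on=E: /maxsize=10%
# Change the cap later if needed; when it is reached the oldest copies go first.
# vssadmin resize shadowstorage /for=D: /on=E: /maxsize=20GB

# Take a snapshot now (the GUI's "Create Now"). The schedule the GUI sets up is a
# scheduled task that runs this same command.
vssadmin create shadow /for=D:

# Inventory: at most 64 copies per volume are retained.
vssadmin list shadows /for=D:
$dVol   = (Get-WmiObject Win32_Volume -Filter "DriveLetter='D:'").DeviceID
$copies = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $dVol } |
              Sort-Object InstallDate
$copies | Select-Object ID, @{n='Created'; e={ $_.ConvertToDateTime($_.InstallDate) }}, DeviceObject

# Server-side restore of one file from the newest copy: expose the snapshot through
# a directory symlink (the trailing backslash on the device path is required).
$latest = $copies | Select-Object -Last 1
cmd /c mklink /d D:\snapshot "$($latest.DeviceObject)\"
Copy-Item -Path 'D:\snapshot\Shares\Finance\Reports\q1.txt' `
          -Destination 'D:\Shares\Finance\Reports\q1.restored.txt'
cmd /c rmdir D:\snapshot
```

Users restore through the Previous Versions tab of a file or share; the symlink method is for an administrator who needs to pull a file out of a snapshot without going through the share.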

Work Folders

  • Work Folders - A role service that allows users to synchronize documents between company file servers and mobile devices
    • Not installed by default. The original Windows Server 2012 R2 release supported only Windows 8.1 and Windows RT 8.1 clients; Microsoft later shipped Work Folders clients for Windows 7, iOS, and Android.
  • Work Folders supports the following:
    • Files can be accessed while offline with automatic synchronization to company file servers when online
    • Files can be encrypted on the client device (with EFS, under a key the organization can wipe) and are protected in transit because synchronization runs over HTTPS
    • Security policies can be used to force data encryption and to enforce password and device screen lock requirements
    • High-availability methods, such as failover clustering, are supported
  • Work Folders isn’t a collaboration service
    • There is no public Work Folder or a Work Folder that can be accessed by a group of users
  • Work Folder requirements:
    • A Windows Server 2012 R2 server that acts as the Work Folders host server
    • An NTFS volume for file storage
    • A server certificate for each Work Folders host server
    • Client devices must run Windows 8.1 or 8.1 RT
    • Client devices must have at least 6 GB free space
  • To install, use the Add Roles and Features function in Server Manager
    • File and Storage Services, File and iSCSI Services
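An added example, not from the original slides, of installing Work Folders and creating a sync share with the encryption and screen-lock policies described above. It assumes Windows Server 2012 R2, an NTFS folder D:\SyncShares, a hypothetical group CONTOSO\WorkFolderUsers, and a server certificate already in the machine store; the thumbprint is a placeholder to replace.

```powershell
# Added example, not part of the original slides. Assumptions: Windows Server 2012 R2,
# D:\SyncShares is on NTFS, CONTOSO\WorkFolderUsers is hypothetical, and a server
# certificate for the Work Folders host name is already installed in the machine store.
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# One sync share; each user gets a private folder beneath the path. The two policy
# switches enforce device encryption and a password-protected screen lock on the client.
New-SyncShare -Name 'WorkFolders' -Path 'D:\SyncShares\WorkFolders' `
    -User 'CONTOSO\WorkFolderUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Bind the certificate to the HTTPS listener Work Folders uses on port 443.
# Replace the placeholder thumbprint; the appid GUID only has to be unique.
$thumb = '0000000000000000000000000000000000000000'   # placeholder, not a real thumbprint
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid='{CE66697B-3AA0-49D1-BDBD-F91DF5B6CDE3}' certstorename=MY

Get-SyncShare | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

Without the certificate binding, clients fail at the HTTPS step even though the sync share exists, so check netsh http show sslcert when enrollment fails.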

Windows Printing

  • Components of a shared printer:
    • Print device - physical print device, two basic types:
      • Local print device
      • Network print device
    • Printer - the icon in the Printers folder that represents print devices
    • Print Server - a Windows computer that’s sharing a printer
    • Print queue - a storage location for print jobs awaiting printing

Print Servers

  • Windows Server 2012/R2 print server functions:
    • Access Control - control who can print to a printer and who can manage print jobs and printers
    • Printer pooling - a single printer represents two or more print devices
    • Printer Priority - two or more printers can represent a single print device
    • Print job Management - pause, cancel, restart, reorder, and change preferences on print jobs
    • Availability control - configure print servers so that print jobs are accepted only during certain hours
  • Printer Pooling - a single printer is defined on the print server
    • The printer is connected to two or more print devices on separate ports
    • Print jobs are sent to the print device that is least busy
  • Printer Priority - Printer can be assigned different priorities so that jobs sent to the higher priority printer are sent to the print device first

Configuring a Print Server

  • To configure a Windows Server 2012/R2 system as a print server, you need to share a printer
  • The Sharing tab in a printer’s Properties dialog box provides the following options:
    • Share this printer
    • Share name
    • Render print jobs on client computers
    • List in the directory
    • Additional Drivers
  • The Advanced tab of a printer’s Properties dialog box provides more options for controlling how the print server handles that printer:
    • Always available / Available from
    • Priority
    • Driver
    • Spooling options
    • Hold mismatched documents
    • Print spooled documents first
    • Keep printed documents
    • Enable advanced printing features
    • Printing Defaults
    • Print Processor
    • Separator Page

Printer Permissions

  • Access to printers is controlled much like access to folders and files
  • No permission inheritance for printers
  • Three standard permissions:
    • Print
    • Manage printers
    • Manage documents
  • In addition, there are 6 special permissions
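The script below is an added example, not from the original slides. It shares a printer, adds a second higher-priority printer on the same port (the Printer Priority feature), and sets printer permissions through the security descriptor, since printers have no inheritance. It assumes Windows Server 2012/R2, a network print device at the constructed address 10.1.1.50, the in-box "Generic / Text Only" driver, and hypothetical groups CONTOSO\Staff and CONTOSO\Managers.

```powershell
# Added example, not part of the original slides. Assumptions: Windows Server 2012/R2,
# a print device at the constructed address 10.1.1.50, the in-box "Generic / Text Only"
# driver, and hypothetical groups CONTOSO\Staff and CONTOSO\Managers.
$Driver = 'Generic / Text Only'
Add-PrinterPort -Name 'IP_10.1.1.50' -PrinterHostAddress '10.1.1.50'

# Shared printer for the floor; -Published is the "List in the directory" check box.
Add-Printer -Name 'Floor2-Staff' -DriverName $Driver -PortName 'IP_10.1.1.50'
Set-Printer -Name 'Floor2-Staff' -Shared $true -ShareName 'Floor2' -Published $true

# Printer Priority: a second printer object on the SAME port. Jobs queued here reach
# the device ahead of jobs waiting in Floor2-Staff (1 = lowest, 99 = highest).
Add-Printer -Name 'Floor2-Managers' -DriverName $Driver -PortName 'IP_10.1.1.50'
Set-Printer -Name 'Floor2-Managers' -Shared $true -ShareName 'Floor2-Mgr' -Priority 99

function Get-AccountSid {
    param([string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Printer permissions are a security descriptor with no inheritance. The ACE pairs
# follow the pattern Windows uses on its own printers; compare with
# (Get-Printer -Name X -Full).PermissionSDDL on a default printer before applying:
#   Print            = (A;;SWRC;;;SID)(A;CIIO;GX;;;SID)
#   Manage printer   = (A;;LCSWDTSDRCWDWO;;;SID)
#   Manage documents = (A;OICIIO;GA;;;SID)
# Everyone is deliberately absent, so only Managers can use the priority queue.
$mgr  = Get-AccountSid 'CONTOSO\Managers'
$sddl = 'O:BAG:DUD:' +
        '(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)' +
        "(A;;SWRC;;;$mgr)(A;CIIO;GX;;;$mgr)"
Set-Printer -Name 'Floor2-Managers' -PermissionSDDL $sddl

# Verify: the applied DACL should match what the Security tab shows.
(Get-Printer -Name 'Floor2-Managers' -Full).PermissionSDDL
```

Because there is no inheritance, every printer carries its own full DACL; a permission change on one queue never affects another, even when both point at the same device.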

Managing Print Documents

  • Manage each document in the print queue by right-clicking the document
  • You can take the following actions on a document:
    • Pause
    • Resume
    • Restart
    • Cancel
    • Properties
  • Managing print documents with PowerShell commands:
    • Get-PrintJob - lists current print jobs for a specified printer
    • Suspend-PrintJob - pauses a print job
    • Resume-PrintJob - resumes a print job
    • Restart-PrintJob - restarts a print job
    • Remove-PrintJob - cancels a print job

Solving Print Queue Problems

  • Common printing problem: print jobs stuck in the print queue
  • Solution: cancel or restart the print job
  • If the above solution does not work: cancel the job that’s trying to print and do one of the following:
    • Open the Services console and restart the Print Spooler service
    • Enter net stop "print spooler" and then net start "print spooler" at a command prompt (net accepts the service’s display name)
    • Enter Stop-Service Spooler and then Start-Service Spooler at a PowerShell prompt (Spooler is the service name)
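As an added example (not from the original slides), the procedure above as a script: find long-waiting jobs, try restart and cancel first, and only then bounce the spooler, clearing orphaned spool files while it is stopped. It assumes an elevated session on the print server; the 30-minute threshold is an arbitrary choice.

```powershell
# Added example, not part of the original slides. Assumptions: elevated session on the
# print server. The age threshold is arbitrary; tune it to the site.
function Get-StuckPrintJob {
    param([int]$OlderThanMinutes = 30)
    # A job that has sat in the queue far longer than it takes to print is the usual culprit.
    Get-Printer | ForEach-Object { Get-PrintJob -PrinterName $_.Name } |
        Where-Object { $_.SubmittedTime -lt (Get-Date).AddMinutes(-$OlderThanMinutes) } |
        Select-Object PrinterName, Id, UserName, DocumentName, JobStatus, SubmittedTime
}

# Step 1: restart the offending job(s); if they still do not move, cancel them.
Get-StuckPrintJob | ForEach-Object { Restart-PrintJob -PrinterName $_.PrinterName -ID $_.Id }
Start-Sleep -Seconds 30
Get-StuckPrintJob | ForEach-Object { Remove-PrintJob -PrinterName $_.PrinterName -ID $_.Id }

# Step 2: if the queue still will not drain, stop the spooler (service name Spooler,
# display name "Print Spooler"), remove orphaned .SPL/.SHD files that would otherwise
# reappear as stuck jobs, and start it again.
Stop-Service -Name Spooler -Force
$spool = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
Get-ChildItem -Path $spool -Filter '*.S??' -Force | Remove-Item -Force
Start-Service -Name Spooler
Get-Service -Name Spooler
```

Clearing the spool directory discards every pending job on the server, so do it only after the per-job steps have failed and the affected users know their jobs must be resubmitted.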

Remote Desktop Printing

  • Remote Desktop Protocol (RDP) uses the Easy Print printer driver to allow printing to the client’s local printers during an RDP session
  • When a client connected to a computer via RDP wants to print:
    • The list of available printers includes printers installed on the RDP host and those connected to the client computer
    • Those connected to the client computer show the printer name followed by “(redirected n)”

Print Management with the Print and Document Services Role

  • Print and Document Services role is not necessary to create printer shares or manage the print server
    • However, it provides many options for managing a print server and additional ways to share printers
  • Must also install the Print Server role service
    • Allows the installation of three other role services: Distributed Scan Server, LPD Service, and Internet Printing
  • After the Print and Document Service role is installed, the Print Management console is available from the Tools menu in Server Manager
  • Using Print Management, you can view status information and manage all printers and print servers on the network
  • Tasks you can perform:
    • Install a new printer
    • Share a printer
    • Migrate printers
    • Deploy printers with Group Policy
    • List or remove printers from Active Directory
    • Display printers based on a filter

Branch Office Direct Printing

  • Branch Office Direct Printing - a feature available with the Print and Document Services role
    • Allows clients to print directly to a network-attached printer without the job having to go through the print server
  • To enable, use the Print Management console or PowerShell cmdlets
    • Set-Printer -Name PrinterName -ComputerName PrintServerName -RenderingMode BranchOffice (the default rendering mode is SSR, server-side rendering)

Summary

  • File and print sharing functions are in the File and Storage Services role.
  • There are two types of permissions to restrict access to files and folders: share and NTFS.
  • Three types of objects can be assigned permission to access the file system: users, groups, and computers.
  • Permissions are assigned in four ways: user creates an object, the user account is added to the DACL, a group the user belongs to is added to the DACL, and permission is inherited.
  • The File Server role service is required to share folders.
  • You should use Deny permission only when you need to create an exception to an Allow permission.
  • Client computers access shared folders by using the UNC path, an Active Directory search, a mapped drive, or browsing the network.
  • Disk quotas are used to restrict how much space a user’s files can occupy on a server.
  • Shadow copies are enabled on an entire volume and allow users to access previous versions of files.
  • Work Folders is a role service that allows users to synchronize documents between company file servers and mobile devices.
  • Windows Server 2012/R2 offers advanced features for managing shared printers and making printing easy and convenient for users.
  • The Print and Document Services role includes the Print Management snap-in, which can be used to manage multiple printers and print servers.