Chapter 5 File and Print Sharing, Security, Permissions, and Windows Printing

Objectives

• Describe how Windows implements file and print sharing.
• Secure access to files with permissions.
• Create file shares.
• Describe Work Folders.
• Configure and manage Windows printing.

An Overview of File and Printer Sharing

• File and print sharing functions are in the File and Storage Services role.
• Windows clients access shared files and printers by using Server Message Block (SMB).
  • SMB is a client/server Application-layer protocol that provides network file sharing, network printing, and authentication.
  • A common variation of SMB is Common Internet File System (CIFS).
• Windows Server 2012/R2 also supports Network File System (NFS).
  • NFS is the native sharing protocol in UNIX and Linux OSs.
  • Server for NFS is a role service found under File and Storage Services.
    • It needs to be installed in order to support clients using the NFS protocol.
• Windows shares printers using the SMB protocol but also supports other protocols, such as:
  • LPR/LPD
  • Internet Printing Protocol (IPP)

Securing Access to Files with Permissions

• Two ways to secure files:
  • Share permissions
  • NTFS permissions
• Permissions specify which users can access a file system object and what users can do with that object.
• Share permissions apply when using a network to access shared files.
• NTFS permissions always apply whether accessing network shares or local files.

Security Principals

• Three types of objects (security principals) can be assigned permission to access the file system:
  • Users
  • Groups
  • Computers
• An object’s security settings have three components that make up its security descriptor:
  • Discretionary access control lists
  • Object owner
  • System access control list

Security Principals - DACL, ACE, Owner, SACL

• Discretionary access control list (DACL) - a list of security principals; each has permissions that define access to an object.
• Access control entry (ACE) - an entry in a discretionary access control list.
• Object owner - usually the user account that created the object or a group or user who has been assigned ownership of the object.
• System access control list (SACL) - a file system component that defines the settings for auditing access to an object.

How Permissions Are Assigned

• Users can be assigned permission to an object in four ways:
  • The user creates the object
  • The user’s account is added to the object’s DACL
    • This method is called explicit permission
  • A group the user belongs to is added to the object’s DACL
    • Also considered explicit permission
  • Permission is inherited from the DACL of a parent object the user or group account has been added to
    • This method is called inherited permission

Share Permissions

• Share permissions apply to folders and files accessed across the network.
• Can’t be configured on individual files.
• Three share permissions:
  • Read
  • Change
  • Full Control
• Generally, the default share permission is Read for Everyone.

NTFS Permissions

• NTFS permissions can be configured on folders and files.
  • Folders have 6 permissions and 14 special permissions.
  • Files have 5 permissions and 13 special permissions.
• NTFS standard permissions:
  • Read
  • Read & Execute
  • List folder contents
  • Write
  • Modify
  • Full

File and Folder Ownership

• Every file system object (files and folders) has an owner.
• An object owner is granted certain implicit permissions.
• A user can become the owner of a file system object in three ways:
  • Create the file or folder
  • Take ownership of a file or folder
  • Assigned ownership

NTFS Permission Inheritance

• By default, initial permissions are set at the root of a volume.
  • All folders and files in the volume inherit these settings unless configured otherwise.
• Subfolders and files are configured to inherit permission by default.
  • Permission inheritance can be disabled, if needed.
• To disable permission inheritance, open the Advanced Security Settings dialog box for an object and click the Disable inheritance button.

Effective Access

• Effective access - the access a security principal has to a file system object when taking sharing permissions, NTFS permissions, and group memberships into account.
• The Advanced Security Settings dialog box has an Effective Access tab.
  • You can select a user or group to see its access to a file or file or folder.

Copying and Moving Files and Folders

• Rules to keep in mind when copying or moving files and folders within or between volumes:
  • A file or folder copied within the same NTFS volume or to a different NTFS volume inherits permissions from the destination folder.
  • A file or folder moved within the same NTFS volume retains its original permissions.
  • A file or folder moved to a different NTFS volume inherits the destination folder’s permissions.
  • A file or folder moved from a FAT or FAT32 volume to an NTFS volume inherits the destination folder’s permissions.
  • A file or folder moved or copied from an NTFS volume to a FAT or FAT32 volume loses all permission settings because FAT/FAT32 volumes don’t support permissions.

Creating Windows File Shares

• Folders in Windows Server 2012/R2 can be shared only by members of the Administrators or Server Operators groups.
• Methods to configure folder sharing:
  • Simple file sharing
  • Advanced Sharing dialog box
  • Shared Folders snap-in
  • File and Storage Services
  • Share and Storage Management

Using Deny in an ACE

• The Deny permission should be used cautiously and only for exceptions.
• As a rule, a Deny permission overrides an Allow permission.
• Exception: If the Deny permission is inherited from a parent object, and the Allow permission is explicitly added to the object’s DACL, the Allow permission takes precedence.

Creating Shares with File and Storage Services

• Create shares and set a number of sharing options with the New Share Wizard, in the File and Storage Service role.
• 5 options for setting the share profile:
  • SMB Share - Quick
  • SMB Share - Advanced
  • SMB Share - Applications
  • NFS Share - Quick
  • NFS Share - Advanced
• You can set the following additional options for an SMB share:
  • Enable access-based enumeration - shows only the files and folders to which a user has at least Read permission.
  • Allow caching of share - enables or disables offline files (also known as “client-side caching”).
  • Encrypt data access - retrieving files from the share is encrypted to prevent someone from using a network sniffer to view the contents of files as they are transferred across the network.

Creating and Managing Shares at the Command Line

• Shared folders can be created and managed with the net share command or PowerShell cmdlets.
• net share commands:
  • net share MyDocs=D:\\\Documents - creates a share named MyDocs, using the D:\Documents folder.
  • net share MyDocs - lists information about the MyDocs share.
  • net share MyDocs /delete - deletes the MyDocs share.
  • net share - lists shares on the computer.

Default and Administrative Shares

• Administrative shares - hidden shares created by Windows that are available only to members of the Administrators group:
  • Admin$ - provides network access to the Windows folder on the boot volume
  • Drive$ - drive represents the drive letter of a disk volume (example: C$)
  • IPC$ - IPC means interprocess communications
• Domain controller have all of the above, plus:
  • NETLOGON - used for storing default user profies
  • SYSVOL - used by Active Directory for replication

Managing Shares with the Shared Folders Snap-in

• Use the Shared Folders snap-in to:
  • Create, delete, and monitor shares
  • View open files
  • Monitor and manage user connections or sessions
• The Shared Folders snap-in has the following subnodes:
  • Shares - view all shares, their path, and how many clients are connected to each share
  • Sessions - lists users who have a network connection to the server
  • Open Files - lists files that network users have open

Accessing File Shares from Client Computers

• For shared resources to be useful, users must know how to access them.
• Common methods of accessing shared folders:
  • UNC path
  • Active Directory search
  • Mapping a drive
  • Browsing the network

Working with Disk Quotas

• Disk quotas - an option on NTFS volumes that enables administrators to limit how much disk space a user can occupy.
• Quotas are configured in the Quota tab of an NTFS volume’s Properties dialog box.
• Options for setting quotas:
  • Enable quota management - must check this box in order for quotas to be enabled on the volume.
  • Deny disk space to users exceeding quota limit - prevents users from saving files when their limit is exceeded.
  • Do not limit disk usage - no disk limits are set, but the system tracks usage for each user.
  • Limit disk space to - specify maximum amount of space users can occupy
  • Log event when a user exceeds their quota limit - creates an entry in the event log when a user exceeds their quota limit.
  • Log event when a user exceeds their warning level - creates an entry in the event log when users exceed their warning levels.
  • Quota Entries - clicking this opens the Quota Entries window
• Quotas can be enabled on a per-volume basis and all file types are treated the same way.

Working with Shadow Copies

• Shadow copies - allows users to access previous versions of files in shared folders and restore files that have been deleted or corrupted.
  • Enables users to compare newer versions of files with older versions to see what has changed
• Windows allocates space on the same volume where shadow copies are enabled
• Volumes used heavily for sharing files should be configured to use a different volume for storing shadow copies.
  • Use the Settings dialog box to change the location
• When the disk space allocated for shadow copies reaches the specified limit:
  • Older shadow copies are deleted
• Maximum number of previous versions that are kept is 64
• Shadow copies use the Volume Shadow Copy Service (VSS)
  • Introduced in Windows Server 2003
  • Enables shadow copies and allows copying files that are open, which allows making backups of files and applications without taking them offline

Work Folders

• Work Folders - A role service that allows users to synchronize documents between company file servers and mobile devices
  • Not enabled by default and can only be used with Windows 8.1 and Windows RT 8.1 clients
• Work Folders supports the following:
  • Files can be accessed while offline with automatic synchronization to company file servers when online
  • Files can be encrypted on the server while being copied between devices
  • Security policies can be used to force data encryption and to enforce password and device screen lock requirements
  • High-availability methods, such as failover clustering, are supported
• Work Folders isn’t a collaboration service
  • There is no public Work Folder or a Work Folder that can be accessed by a group of users
• Work Folder requirements:
  • A Windows Server 2012 R2 server that acts as the Work Folders host server
  • An NTFS volume for file storage
  • A server certificate for each Work Folders host server
  • Client devices must run Windows 8.1 or 8.1 RT
  • Client devices must have at least 6 GB free space
• To install, use the Add Roles and Features function in Server Manager
  • File and Storage Services, File and iSCSI Services

Windows Printing

• Components of a shared printer:
  • Print device - physical print device, two basic types:
    • Local print device
    • Network print device
  • Printer - the icon in the Printers folder that represents print devices
  • Print Server - a Windows computer that’s sharing a printer
  • Print queue - a storage location for print jobs awaiting printing

Print Servers

• Windows Server 2012/R2 print server functions:
  • Access Control - control who can print to a printer and who can manage print jobs and printers
  • Printer pooling - a single printer represents two or more print devices
  • Printer Priority - two or more printers can represent a single print device
  • Print job Management - pause, cancel, restart, reorder, and change preferences on print jobs
  • Availability control - configure print servers so that print jobs are accepted only during certain hours
• Printer Pooling - a single printer is defined on the print server
  • The printer is connected to two or more print devices on separate ports
  • Print jobs are sent to the print device that is least busy
• Printer Priority - Printer can be assigned different priorities so that jobs sent to the higher priority printer are sent to the print device first

Configuring a Print Server

• To configure a Windows Server 2012/R2 system as a print server you need to share a printer
• The Sharing tab in a printer’s Properties dialog box provides the following options:
  • Share this printer
  • Share name
  • Render print jobs on client computers
  • List in the directory
  • Additional Drivers
• The Advanced tab of a print server’s Properties dialog box provides more options for controlling the print server:
  • Always available / Available from
  • Priority
  • Driver
  • Spooling options
  • Hold mismatched documents
  • Print spooled documents first
  • Keep printed documents
  • Enable advanced printing features
  • Printing Defaults
  • Print Processor
  • Separator Page

Printer Permissions

• Access to printers is controlled much like access to folders and files
• No permission inheritance for printers
• Three standard permissions:
  • Print
  • Manage printers
  • Manage documents
• In addition, there are 6 special permissions

Managing Print Documents

• Manage each document in the print queue by right-clicking the document
• You can take the following actions on a document:
  • Pause
  • Resume
  • Restart
  • Cancel
  • Properties
• Managing print documents with PowerShell commands:
  • Get-PrintJob - lists current print jobs for a specified printer
  • Suspend-PrintJob - pauses a print job
  • Resume-PrintJob - resumes a print job
  • Restart-PrintJob - restarts a print job
  • Remove-PrintJob - cancels a print job

Solving Print Queue Problems

• Common printing problem: print jobs stuck in the print queue
• Solution: cancel or restart the print job
• If the above solution does not work: cancel the job that’s trying to print and do one of the following:
  • Open the Services control panel and restart the Print Spooler service
  • Enter net stop “print spooler” and then enter net start “print spooler” at the command prompt
  • Enter Stop-Service Spooler and then enter Start-Service Spooler at the command prompt

Remote Desktop Printing

• Remote Desktop Protocol (RDP) uses the Easy Print printer driver to allow local printing during a RDP sessions
• When a client connected to a computer via RDP and want so print:
  • A list of available printers includes printers connected to the RDP host and those connected to the client computer
  • Those connected to the client computer show the printer name followed by “redirect”

Print Management with the Print and Document Services Role

• Print and Document Services role is not necessary to create printer shares or manage the print server
  • However, it provides many options for managing a print server and additional ways to share printers
• Must also install the Print Server role service
  • Allows the installation of three other role services: Distributed Scan Server, LPD Service, and Internet Printing
• After the Print and Document Service role is installed, the Print Management console is available from the Tools menu in Server Manager
• Using Print Management, you can view status information and manage all printers and print servers on the network
• Tasks you can perform:
  • Install a new printer
  • Share a printer
  • Migrate printers
  • Deploy printers with Group Policy
  • List or remove printers from Active Directory
  • Display printers based on a filter

Branch Office Direct Printing

• Branch Office Direct Printing - a feature available with the Print and Document Services role
  • Allows clients to print directly to a network-attached printer without the job having to go through the print server
• To enable, use the Print Management console or PowerShell cmdlets
  • Set-Printer -name PrinterName -ComputerName PrintServerName -RenderingMode BranchOffice

Summary

• File and print sharing functions are in the File and Storage Services role.
• There are two types of permissions to restrict access to files and folders: share and NTFS.
• Three types of objects can be assigned permission to access the file system: users, groups, and computers.
• Permissions are assigned in four ways: user creates an object, the user account is added to the DACL, a group the user belongs to is added to the DACL, and permission is inherited.
• The File Server role service is required to share folders.
• You should use Deny permission only when you need to create an exception to an Allow permission.
• Client computers access shared folders: using the UNC path, through and Active Directory search, mapping a drive, and browsing the network.
• Disk quotas are used to restrict how much space a user’s files can occupy on a server.
• Shadow copies are enabled on an entire volume and allows users to access previous versions of files.
• Work Folders is a role service that allows users to synchronize documents between company file servers and mobile devices.
• Windows Server 2012/R2 offers advanced features for managing shared printers and making printing easy and convenient for users.
• The Print and Document Services role includes the Print Management snap-in, which can be used to managed multiple printers and print servers.