Microsoft Azure AZ-800 — Section 19: Configure Windows Server storage Part 6

153. Implementing Windows file permissions

So, I want to show a little demonstration now of working with Windows permissions on our file system. The first thing I have to do is open up File Explorer, go to my C drive, and create a folder called Sales Data.

OK. And from there, we will just create a text file here called Docs.

OK? Or actually just Doc.

OK. And so from there, I'm going to look at the permissions of it. I'm going to right click here and go to Properties, and first of all look at the Security tab. We can see that we have various objects listed on this. This is called an access control list (ACL), and the entries that you see on the ACL are called ACEs, access control entries. You have CREATOR OWNER, who created the file or folder, which in my case is me; SYSTEM, which has full control automatically; the Administrators group, which has full control; and then Users, which has Read & execute, List folder contents, and Read.

OK, now also, in a lot of cases and on a client operating system, there may also be another group called Authenticated Users. The Authenticated Users group usually gets Read & execute, and it is usually tied to the domain itself. But on a local machine, the Users group will just indicate local users; the local user is not part of the domain. In my case, I'm doing this on a domain controller, so it's actually showing this from that perspective.

OK.

So to change permissions, I can actually click Edit. And then from there I can specify what I want my users to have. If I want to add additional users or groups, I can. Ultimately, though, the permissions kind of work like this.

So let's look at the Users group right now, and right out of the gate you're going to notice that it's grayed out. The checkboxes here are grayed out, although I can still Deny and I can give additional permissions.

The reason it's grayed out is because, by default, all files and folders will inherit their parent's permissions.

Now, in the case of the Sales Data folder, because it's on the root of the C drive, it's inheriting from the C drive.

So if we want to change that, we can. We can go right here and go to the properties of the folder again, go to the Security tab and then Advanced. And then from there you can say Disable inheritance.

Now, if you say Disable inheritance, it's going to give you a couple of options. One is to convert inherited permissions into explicit permissions.

So it basically means that it's going to make it where these permissions are no longer inherited from the parent, but you can change them. So this copies down the permissions, and then you can change them to whatever you want and they'll take effect. Or you can say Remove all, which just wipes the slate clean and clears off the ACL. I'm going to say Convert, OK, and then I'm going to hit OK, and you'll notice now if I click Edit, I am able to go through here and change the permissions.

So, for example, if I give Full control: Full control allows the user to pretty much do anything they want. They can read, write, execute, and delete data. They can delete subfolders and files. They can take ownership of other people's data if they want, which is especially useful if a user account gets deleted and you need to take ownership of their data. You can also set permissions with it: if you have Full control, you can change permissions as well.

So if we take all that away and we give Modify, that's the next step down. Modify can do everything that Full control can do, except you can't take ownership, you can't change permissions, and you also can't delete subfolders and files. You can delete a folder if it's empty, but you cannot delete anything that's not empty.

OK, that's the way that works. All right, so we take away those permissions and give Read & execute next. Read & execute gives three permissions: Read & execute, List folder contents, and Read. Read & execute gives you the ability to read and execute executable files that are in this folder.

So if there was, like, an EXE file or an MSI file or a batch file or something like that, a COM file, you would be able to execute it with Read & execute.

Now the difference between Read & execute and Read is that Read gives you the ability to read documents, but you can't execute any executables.

Sorry, if I took away Read & execute and just left Read there, then you would be able to read documents, but you wouldn't be able to execute any executables.

Now you also have List folder contents as well. This lets you see the contents of a folder.

OK, so the final one is Write. Now, there's a misconception about Write. Write does not also give you Read. A lot of people think that, but it does not; Write gives you the ability to write data, not read data. I talked to a guy one time who worked in a school system, and he gave me a great illustration of where they use this. He said that the school system has a bunch of computer labs, and in the computer labs the teachers have a teacher inbox folder. The students using the computer lab have a folder on their desktop that says Inbox for the teacher. Basically, each student is given Write access to the folder but not Read access, so they can save their work into the teacher's folder, but they can't go in there and see other people's work.

So that's a good example of this. It's not something that you would commonly do, but yes, you can do that. Special permissions involve setting advanced permissions, so you can set more granular permissions by going in here, clicking Advanced, and editing an entry. That gives you a little bit more granularity, with permissions like Traverse folder, which lets you pass through a folder you don't have access to in order to get to a folder you do have access to.

OK. All right, so let's set a few things up here. I am going to go to my Server Manager. I'm going to go to Tools, Add Roles and Features, or sorry, Active Directory Users and Computers.

So, Active Directory Users and Computers. And let's create a user. I'm going to right click Sales here; I've got a little container, an organizational unit, called Sales. I'm going to create a user named John Smith. All right, John Smith. Let's say John Smith 2; I think I've already got a John Smith, so we're going to play around with John Smith 2. All right.

OK. And then from there, we're going to create a couple of groups. So we're going to right click and say Group, and create a group called Sales. All right. I'm going to also create a group called Marketing, and I'm going to create a group called Managers. Now, we're pretending that John Smith is a member of all three groups because John Smith is a sales marketing manager.

OK, so there's two ways to put the user in the group. You can double click on the user and just go over here to where it says Member Of, right up here, and you can add the three groups right there. So we'll add Sales, we'll add Marketing, and we'll add Managers.

OK, so he's now a member of all three. The other way you could have done that is just double click on the group, go to Members, and do it that way. Of course, you can also do all that through PowerShell as well, but we won't get into that right now.
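The same lab objects built with the ActiveDirectory PowerShell module, as an added example that is not part of the course. It assumes the RSAT ActiveDirectory module is available and that the Sales OU exists under a domain whose distinguished name is the placeholder DC=example,DC=com; the account name jsmith2 is also made up for the example.

```powershell
Import-Module ActiveDirectory

# Placeholder: replace with the distinguished name of your own Sales OU
$ou = 'OU=Sales,DC=example,DC=com'

# Create John Smith 2 (the lab already has a John Smith, hence the suffix); jsmith2 is an assumed logon name
New-ADUser -Name 'John Smith 2' -SamAccountName 'jsmith2' -GivenName 'John' -Surname 'Smith' `
    -Path $ou -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

# Create the three global security groups in the Sales OU
foreach ($group in 'Sales', 'Marketing', 'Managers') {
    New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security -Path $ou
}

# Put John in all three groups at once (the GUI's "Member Of" tab)
Add-ADPrincipalGroupMembership -Identity 'jsmith2' -MemberOf 'Sales', 'Marketing', 'Managers'

# Verify: Domain Users plus the three new groups should be listed
Get-ADPrincipalGroupMembership -Identity 'jsmith2' | Select-Object -ExpandProperty Name
```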

OK, so now what I’m going to do.

So John Smith is a member of all three of those. That's great. He's also a member of Domain Users. I'm going to go over here to File Explorer and right click the folder. At that point I'm going to go right here to the Security tab, and we're going to Edit and Add; we're going to add all three groups. We're going to add Sales and give Sales Modify permissions. We're going to add Marketing and give Marketing Read & execute, which will give it Read & execute, List folder contents, and Read. And then we're going to add the Managers group and give Managers Full control.

OK.

So Managers have been given Full control now, and we're going to get rid of the Users group because we don't want just anybody having access. We'll leave SYSTEM and CREATOR OWNER, as well as Administrators.
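The same NTFS changes from the last few steps (disable inheritance with Convert, drop Users, add the three groups) done in PowerShell, as an added example that is not the course's own code. It assumes the folder is C:\SalesData and that the groups live in a domain whose NetBIOS name is the placeholder CONTOSO.

```powershell
$path   = 'C:\SalesData'
$domain = 'CONTOSO'   # placeholder for your domain's NetBIOS name

# Disable inheritance and convert the inherited ACEs to explicit ones (the GUI's "Convert" choice)
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# Re-read the ACL and remove every (now explicit) ACE for the local Users group
$acl = Get-Acl -Path $path
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Sales = Modify, Marketing = Read & execute, Managers = Full control, each flowing down to children
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$grants  = @{ Sales = 'Modify'; Marketing = 'ReadAndExecute'; Managers = 'FullControl' }
foreach ($group in $grants.Keys) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$domain\$group",
        [System.Security.AccessControl.FileSystemRights]$grants[$group],
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Show the result: SYSTEM, CREATOR OWNER and Administrators remain alongside the three new entries
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```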

OK, so now what I want to show you: we're going to click OK. All right, we've done that, and we're going to go down here to Advanced. We're going to click Effective Access, click Select a user, and add John Smith. Actually, you know what? I just realized I did that with the wrong one. I need to go back through here and find that user, because I have two John Smiths. Right, there we go.

So there we are. We have John Smith and John Smith 2; this is the John Smith we want right here.

OK, so we've got that John Smith.

Now let's click View effective access. If everything worked properly, permissions are cumulative, right? So, if you think about it, the Sales group was given Modify, Marketing was given Read & execute, and then Managers was given Full control. You add all that together, and you should get Full control. And there you go; as you can see, Full control. All right.

So it did work like it's supposed to.

Now the other thing to consider is the Sharing tab. If you go to Sharing and click Advanced Sharing, you can share this out. If you click Permissions, Everyone has Read right now. If John Smith were to come across the network and access this share, he would only have Read.

OK, so what we can do to change that is add Sales. Let's give Sales Change. Let's give Marketing Read, and let's give Managers Change. And then at that point we remove Everyone. Let's put Administrators in there as well and give them Full Control. At this point we apply that, and John Smith would now have the equivalent of Modify. However, let's go back over to Security, click Advanced, go to Effective Access, and find John Smith again. All right, the right John Smith, in my case, because I have two: this guy here. Click OK. All right, and click View effective access. He still has Full control. Why is that? Because the Effective Access tab only shows you NTFS permissions; it does not show you share permissions.

So keep that in mind when you're working with permissions. But understand that it's the most restrictive that would apply.

So since you would end up with Change over here, and Change is the equivalent of Modify, if John Smith were to come across the network and access the Sales Data folder over the network, the equivalent access he would have would be Modify. All right. Hopefully, that gives you a better understanding of permissions. My recommendation for you now: I encourage you to just try it out, test it yourself, see it with your own eyes, and get a good feel for it.
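Both of the points above, that permissions within one list are cumulative and that the more restrictive of the NTFS and share results wins over the network, worked through in PowerShell as an added example that is not the course's own code. It assumes the share is created on C:\SalesData with the lab's share permissions, that the groups live in a domain whose NetBIOS name is the placeholder CONTOSO, and it maps share levels to NTFS rights using the course's own Change = Modify equivalence; Deny entries are not modelled.

```powershell
$domain = 'CONTOSO'   # placeholder for your domain's NetBIOS name

# Share the folder with the lab's share permissions; specifying access lists means no Everyone: Read entry
New-SmbShare -Name 'SalesData' -Path 'C:\SalesData' `
    -FullAccess 'BUILTIN\Administrators' `
    -ChangeAccess "$domain\Sales", "$domain\Managers" `
    -ReadAccess "$domain\Marketing"
Get-SmbShareAccess -Name 'SalesData'   # confirm Everyone is absent

# Share access levels mapped to the NTFS rights they cap at (assumed mapping, per the course's equivalence)
$shareCap = @{ Read = 'ReadAndExecute'; Change = 'Modify'; Full = 'FullControl' }

function Get-NetworkEffectiveRights {
    param([string]$ShareName, [string]$Path, [string[]]$Principals)
    $zero = [System.Security.AccessControl.FileSystemRights]0

    # Share permissions are cumulative across the user's groups
    $share = $zero
    foreach ($ace in (Get-SmbShareAccess -Name $ShareName)) {
        if ($ace.AccessControlType -eq 'Allow' -and $Principals -contains $ace.AccountName) {
            $share = $share -bor [System.Security.AccessControl.FileSystemRights]$shareCap[$ace.AccessRight.ToString()]
        }
    }

    # NTFS permissions are cumulative too, which is what the Effective Access tab shows
    $ntfs = $zero
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $Principals -contains $ace.IdentityReference.Value) {
            $ntfs = $ntfs -bor $ace.FileSystemRights
        }
    }

    # Over the network the most restrictive set wins: keep only the rights present in both
    return [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)
}

# John Smith is in Sales, Marketing and Managers: NTFS sums to FullControl, share sums to Change (Modify),
# so the network result is Modify, matching the course's conclusion
Get-NetworkEffectiveRights -ShareName 'SalesData' -Path 'C:\SalesData' `
    -Principals "$domain\Sales", "$domain\Marketing", "$domain\Managers"
```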