Tuesday, February 1, 2011

Managing Data Access Using Windows Server 2008 R2 Shares

Providing access to data stored on a Windows Server 2008 R2 server can be very simple to configure using Windows shares. Existing folders and entire drives can be shared with a few clicks, but understanding who can access that data is critical to security and, in some cases, licensing. Server shares are accessed using a Universal Naming Convention (UNC) path of the form \\server\sharename. Administrators can configure several settings when creating or updating shares. Share options or features include the following:

» Determining whether the share will be visible or hidden, based on the share name

» Setting the description of the share

» Configuring the type of share; if Server for NFS is installed, there will be two options

» Configuring the number of simultaneous connections allowed through the share

» Configuring the cache or offline sync settings of the share

» Enabling or disabling BranchCache

» Configuring access-based enumeration to control folder and file visibility based on NTFS permissions

» Configuring NTFS permissions on the folder or volume hosting the file share

» Configuring share permissions to manage whether users can read, change, or have full control over a share

Because sharing can be performed for CD drives, DVD drives, and FAT and NTFS volumes, the configurable share permissions are limited to Full Control, Change, and Read. Full Control allows users to manage all data and to reset permissions. Change allows users to manage all data, and Read allows users only to read the data. Because share permissions are not very granular, folder shares should be created only on NTFS volumes, when possible, to increase the security of data.

When shares are created on NTFS volumes, both the Share and NTFS folder and file permissions are applied to the user. Windows Server 2008 R2 will combine the permissions, and the most restrictive permissions will apply. For example, if a folder located at c:\users is shared and testuser1 is granted Read permission at the share and Change or Modify permissions on the NTFS folder, testuser1 will only have Read permission when accessing the data across the network through the share. If testuser1 logs on to the system console and accesses the c:\users folder directly, testuser1 will have Change or Modify permissions.
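
To review both permission layers described above for every share on a server, the following script lists share-level and NTFS access entries side by side. It is an added example, not taken from the source book; it assumes an elevated PowerShell 2.0 session on the file server, and the output column names are its own.

```powershell
# Added example: list share-level and NTFS ACEs for every disk share on this server.
# Uses only WMI and Get-Acl, which are available in PowerShell 2.0 on Windows Server 2008 R2.

# Access masks that correspond to the three share permission levels.
$shareLevels = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }

function New-Row($share, $layer, $identity, $type, $rights) {
    # Column names are this example's own, not a Windows schema.
    New-Object PSObject -Property @{
        Share = $share.Name; Hidden = $share.Name.EndsWith('$'); Layer = $layer
        Identity = $identity; Type = $type; Rights = $rights
    }
}

$rows = @()
# Type 0 = ordinary disk share; built-in administrative shares have other Type values.
foreach ($share in @(Get-WmiObject -Class Win32_Share -Filter "Type = 0")) {
    # Share-level DACL (escape single quotes in the name for the WQL filter).
    $name = $share.Name.Replace("'", "\'")
    $sec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name = '$name'"
    $dacl = $null
    if ($sec) { $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL }
    if ($dacl) {   # guard: PowerShell 2.0 would loop once over $null
        foreach ($ace in $dacl) {
            $level = $shareLevels[[int]$ace.AccessMask]
            if (-not $level) { $level = '0x{0:X}' -f $ace.AccessMask }   # non-standard mask
            $who = $ace.Trustee.Name
            if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$who" }
            $type = 'Allow'
            if ($ace.AceType -eq 1) { $type = 'Deny' }
            $rows += New-Row $share 'Share' $who $type $level
        }
    }
    # NTFS DACL on the folder behind the share (skipped if the path is unreadable).
    $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
    if ($acl) {
        foreach ($rule in $acl.Access) {
            $rows += New-Row $share 'NTFS' $rule.IdentityReference $rule.AccessControlType $rule.FileSystemRights
        }
    }
}

$rows | Sort-Object Share, Layer |
    Select-Object Share, Hidden, Layer, Identity, Type, Rights |
    Format-Table -AutoSize
```

Because the most restrictive of the two layers applies over the network, a share whose Share rows grant Full Control broadly is protected only by its NTFS rows, so those are the entries to review first.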

Source of Information : Sams - Windows Server 2008 R2 Unleashed
