Securing Resources

You can control the access that users have to files, directories, and shares on Advanced Server computers.

Directories and files can be secured by setting permissions on them. Every permission that you set specifies the access that a group or user can have to the directory or file. For example, when you set Read permission for the group called Coworkers on the file MY_IDEAS.DOC, the users in that group can display the file's data and attributes, but they cannot change the file or delete it.

Advanced Server offers a set of standard permissions that you can set on directories and files. The standard permissions for directories are No Access, List, Read, Add, Add & Read, Change, and Full Control. The standard permissions for files are No Access, Read, Change, and Full Control.

Standard permissions are groups of individual permissions. When you set a standard permission, the abbreviations for the individual permissions are displayed beside the standard permission. For example, when you set the standard permission Read on a file, the abbreviation RX appears beside it.

Individual permissions and their abbreviations are as follows:

Read (R)	Write (W)	Execute (X)
Delete (D)	Change Permissions (P)	Take Ownership (O)

In addition to setting standard permissions, you can set special access permissions which allow you to define custom sets of individual permissions.

To work effectively with Advanced Server security, keep the following points about setting permissions in mind:

Users cannot use a directory or file unless they have been granted permission to do so or belong to a group that has permission to do so.
Permissions are cumulative except that the No Access permission overrides all other permissions. For example, if the Coworkers group has Write permission for a file while the Finance group has only Read permission and John is a member of both groups, John will be granted Read & Write permissions. However, if you change the Finance group's permission for the file to No Access, John will not be able to use the file even though he is a member of a group that has access to it.
When you create files and subdirectories in a directory, they inherit permissions from the directory. For example, if you add a file to a directory that allows the coworkers group Write permission and a finance group Read permission, the same permissions will apply to the file.
The user who creates a file or directory is the owner of that file or directory. The owner can control access to the file or directory by changing the permissions set on it. Users who are members of the Administrators group always can take ownership of a file or directory.
The easiest way to administer security is by setting permissions for groups, not individual users. Typically, a user needs access to many files. If the user is a member of a group that has access to the files, you can terminate the user's access by removing the user from the group rather than changing the permissions on each of the files. Note that setting permission for an individual user does not override the access granted to the user through groups to which the user belongs.

For more information about permissions, see Chapter 3, "Working With User and Group Accounts."




	NOTE: When you copy files or directories, security permissions set on them are discarded in addition to ownership and auditing information. The files inherit a new set of permissions from the directory into which they have been copied. If the new directory does not specify permissions for files, only a file's owner (the person who copied the file) will have permission to use the file.

How Advanced Server Permissions Work

Advanced Server offers a set of standard permissions that you can set on files and directories in Advanced Server volumes. These standard permissions offer combinations of specific types of access called individual permissions.

Standard permissions for directories and files and their meanings are shown in the following tables, along with descriptions of each standard permission.

In the first column of the first table (Directory Permissions), the first set of permissions applies to the directory itself; the second set of permissions applies to the files that are present in the directory when you assign the permissions (if the Replace Permissions on existing files option is enabled) and to all of the files that will be created in this directory after the permissions are set.

Table 5-1 Standard Permissions for Advanced Server Directories and Files

Permissions	Meaning
Directory:
No Access (None) (None)	User cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory.
List (RX) (Not Specified)	User can only list the files and subdirectories in this directory and change to a subdirectory of this directory. User cannot access files in this directory.
Read (RX) (RX)	User can read the contents of files in this directory and run applications in the directory.
Add (WX) (Not Specified)	User can add files to the directory but cannot read the contents of current files, change them, or list files.
Add & Read (RWX) (RX)	User can add files to the directory and read current files but cannot change files.
Change (RWXD) (RWXD)	User can read and add files and change the contents of current files.
Full Control (All) (All)	User can read and change files, add new ones, change permissions for the directory and its files, and take ownership of the directory and its files.
File:
No Access	User cannot access the file in any way, even if the user is a member of a group that has been granted access to the file.
Read (RX)	User can read the contents of the file and run it if it is an application.
Change (RWXD)	User can read, modify, and delete the file. If the file is an application, the user can run it.
Full Control (All)	User can read, modify, delete, set permissions for, and take ownership of the file. If the file is an application, user can run it.

Individual permissions and their abbreviations are as follows:

Read (R)	Write (W)	Execute (X)
Delete (D)	Change Permissions (P)	Take Ownership (O)

When you set a standard permission, the abbreviations for the individual permissions appear beside the standard permission. For example, when you set the standard permission Read on a file, the abbreviation RX appears beside it.

In addition to setting standard permissions, you can set special access permissions. Special access permissions allow you to define a custom set of individual permissions for directories and files. For information about special access permissions, see "Setting Customized 'Special Access' Permissions" later in this chapter.

To work effectively with Advanced Server security, keep the following points in mind when setting file permissions :

The No Access permission overrides all other permissions. However, you can grant a group access to a file while using the No Access permission to prevent access to a subgroup or individual who is a member of that group. For example, suppose Jane is a member of Coworkers and Coworkers has the Change permission for a file. If you then set the No Access permission for Jane for the file, Jane will be unable to use the file even though she is a member of a group that can access the file.
Note that you do not have to assign No Access to every user or group that you want to prevent from accessing a file or directory. You can prevent a user from accessing a file or directory just by not granting the user (or any groups the user is a member of) any permissions for it.
By default, new files and new subdirectories inherit permissions from the directory in which they are created. For example, if you add a file to a directory where the Coworkers group has Change permission and the Finance group has Read permission, those same permissions will apply to the file.
When you change the permissions on an existing directory, you choose whether to apply the changes to all files and subdirectories in the directory.
The user who creates a file or directory is the owner of that file or directory. The owner can control access to the file or directory by changing the permissions set on it.
The easiest way to administer security is by setting permissions for groups rather than individual users. Typically, a user needs access to many files. If the user is a member of a group that has access to the files, you can end the user's access by removing the user from the group rather than changing the permissions on each of the files. Setting permissions for an individual user does not override the access granted to the user through groups to which the user belongs.

Taking Ownership of Files and Directories

Every file and directory on a volume has an owner. The owner controls how permissions are set on the file or directory and can grant permissions to others.

When a file or directory is created, the person creating the file or directory automatically becomes its owner. It is expected that administrators will create most files on network servers, such as when they install applications on the server. Therefore, most files on a server will be owned by administrators, except for data files created by users and files in users' home directories.

Ownership can be transferred in the following ways:

The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership at any time.
An administrator can take ownership of any file on the computer. For example, if an employee leaves the company suddenly, the administrator can take control of the employee's files.




	NOTE: Although an administrator can take ownership, the administrator cannot transfer ownership to others. This restriction keeps the administrator accountable.

For more information, see "To take ownership of files or directories" in Windows NT Help.

You also can take file ownership by using the net perms command. For more information, type net help perms at the Advanced Server command prompt.

Setting Permissions on Advanced Server Volumes

When you set permissions on directories and files in Advanced Server, you control directory and file access in the following ways:

Local groups, global groups, and individual users in the domain containing the server.
Global groups and individual users in domains that this domain trusts.
The special identities Everyone, System, Network, Interactive, and Creator Owner.

You can grant permissions to the built-in local groups (such as Administrators and Domain Users) and to any groups you create in the domain

Special Identities

Everyone represents all current and future users of the network, including guests and users from other domains. You can assign Everyone permissions for both directories and files. System represents the operating system of the local computer. System is initially granted permissions for several system directories when Advanced Server/9000 is installed, and you should not revoke these permissions. Usually, you do not have to grant permissions to System for any file or directories you create unless a system service needs to access them. Network represents all current and future users accessing this file or directory over the network. Interactive is the opposite — it represents any user who accesses the file or directory while working at the server itself. For example, while CristalW accesses a file over the network (while working at her own workstation), she has any permissions assigned to Network. (Interactive has no meaning in Advanced Server because interactive logons are not allowed.) You can set Creator Owner permissions only on directories. Creator Owner represents users who subsequently create files and directories in the current directory. If you set Creator Owner permissions on a directory, anyone who creates a file or subdirectory there is automatically granted the permissions you gave to Creator Owner for that file or subdirectory.

Default Directory Permissions

When a new subdirectory or file is created in an Advanced Server volume, you can set its permissions. If you do not set permissions, the new subdirectory or file inherits the permissions of the directory that contains it.

In the event that you inadvertently alter any of the default Advanced Server permissions, you can overwrite the default permissions into an existing Access Control List database by running the acladm command as root. For more information about this command, type man acladm at the Advanced Server/9000 command prompt.

Setting Permissions on Directories

When you first display a directory's permissions, the Directory Permissions dialog box shows the permissions that the directory inherited from the directory containing it. The Name box shows the groups and users for whom permissions have been set.




	NOTE: To change permissions on the directory, you must be the owner of the directory or have been granted permission to do so by the owner.

If you have selected multiple directories, permissions are shown only if they are the same for all of the directories. You can change permissions, add a group or user to the list, or remove a group or user from the list.

Setting permissions on a directory controls what users can do in that directory. When you set directory permissions, you are setting permissions on the directory and by default on all of the files that exist in the directory. Existing subdirectories and their files are not changed unless you specify to change them. When you create new files and new subdirectories, they inherit their permissions from the directory.

In some cases, directory permissions for a group or user are not passed on to subdirectories. This occurs, for example, when a group or user has been granted permissions through the CREATOR OWNER special group. Permissions that will not be inherited by subdirectories are marked with an asterisk, for example (All)*.

When you set a standard permission, two sets of individual permissions are displayed next to it: the permissions set on the directory and the permissions set on files in the directory. For example, when you set Add & Read permission on a directory, you see (RWX), signifying Read, Write, and Execute permissions on the directory, and (RX), signifying Read and Execute permission on its files.

Permissions on files in a directory can be set to Not Specified. This means that by default no permissions will be set for that user or group to the files that are present in the directory or that are created after setting this permission. A group or user cannot use files in the directory unless access is granted by another method such as setting permissions that grant access on individual files.

When you are setting permissions on a directory, you can use the CREATOR OWNER special group to allow users to control only the subdirectories and files that they create within the directory. Permissions set on CREATOR OWNER are transferred to the user who creates a directory or file within the directory. To change permissions on the directory, you must be the owner of the directory or have been granted permission to do so by the owner.




	NOTE: Groups or users granted Full Control permission on a directory can delete files in that directory regardless of which permissions protect the files.

You also can set permissions on directories by using the net perms command. For more information, type net help perms at the Advanced Server/9000 command prompt.

Setting Permissions on Files

When you first display a file's permissions, the File Permissions dialog box shows the permissions that the file inherited from the directory containing it. The Name box shows the groups and users for whom permissions have been set on the file. If you have selected multiple files, permissions are shown only if they are the same for all of the files.




	NOTE: To change permissions on the file, you must be the owner of the file or have been granted permission to do so by the owner.

You also can set permissions on files using the net perms command. For more information, type net help perms at the Advanced Server/9000 command prompt.

Strategies for Using File Permissions

Observe the following guidelines when setting file permissions:

Grant permissions to groups, not individual users.
Create local groups and assign permissions to them rather than assigning permissions directly to global groups.
When you create and share a file or directory on a server, grant Full Control to the Administrators local group. This ensures that all administrators of that domain can change permissions for and otherwise administer the file or directory in the future.

For more information about strategies for using groups and users, see Chapter 3, "Working With User and Group Accounts."

Example for Setting Up File Permissions

Suppose you need to set file permissions on a server used by a small department. The file server includes an applications directory, home directories for each of the department's users, a public directory where users can share files, and a drop directory where users can file confidential reports that only the group manager can read.

In the applications directory, make all executable programs read-only to all users, to prevent viruses. You also can grant individual Change Permissions (P) permission to members of the Administrators group so that administrators can give themselves Write permission when it is time to update an application. Giving members of the Administrators group Write permission initially provides less virus protection than giving them Change permission and forcing them to change permissions before updating the application.

If none of your applications need to write any files (such as initialization setting files) in their own directories, you should make all the directories containing applications read-only.

For home directories, give each user Full Control over his or her own directory and do not give anyone permissions for any other directory.

For the public directory, give all users Change permission which lets them read and write to the directory. Change is more appropriate than Full Control because Full Control allows users to set permissions for the public directory and to take owner ship of it.

To create a drop directory, grant Users or Everyone Add permission for the directory, and give Change permission to the manager who is to read the files in the directory.

Give access to system files or directories only to members of the Administrators or Server Operators groups.

Setting Customized "Special Access" Permissions

Generally, the standard directory and file permissions are all you need to secure directories and files. However, you can create a custom set of permissions by using special access permissions. A special access permission is a combination of individual permissions that you can set on directories and files. When you set special access permissions on a directory, the permissions affect only the directory.

For information about setting special access permissions, see "To set special access permissions" in Windows NT Help.

You also can set special access permissions using the net perms command. For more information, type net help perms at the Advanced Server/9000 command prompt.

Setting Permissions on Shared Directories

Permissions set on shared directories are called share permissions and they determine who can use shared directories over the network and in what manner.

When a directory is shared, file and directory permissions apply to users accessing the shared directory over the network, in addition to share permissions. Therefore, share permissions are not critical to the security of Advanced Server directories.

When you share a directory, you can grant each group and user one of four types of permissions for the share and all of its subdirectories and files: Full Control, Change, Read, or No Access.

To secure shared directories effectively, keep the following points in mind:

To work with shared directory permissions, you must be logged on as a member of the Administrators or Server Operators group.
The default permission on a newly-created share is Full Control for Everyone.
Permissions set through a shared directory are effective only when the directory is accessed over the network.
Permissions set through a shared directory apply to all files and subdirectories in the shared directory.
Permissions set through a shared directory operate in addition to permissions set on the directory itself.

Use the Access Through Share Permissions dialog box to change permissions for the listed groups and users and to modify the permissions list.

For information about managing share permissions, see "To set, view, change, or remove permissions through a shared directory" in Windows NT Help.

You also can set permissions on shared directories using the net perms command. For more information, type net help perms at the Advanced Server/9000 command prompt.

Setting Permissions on Printers

Printer permissions specify the type of access a user or group has to use the printer. The printer permissions are No Access, Print, Manage Documents, and Full Control.




	NOTE: If you are the owner of the printer or have Full Control permission, you can set and change printer permissions.

For information about setting print permissions, see Chapter 6, "Setting Up Print Servers," and "To limit access to a shared printer" in Windows NT Help.

You also can set permissions on network printers using the net perms command. For more information, type net help perms at the Advanced Server/9000 command prompt.