Microsoft Exam  70-290 – Access to Resources

Managing and Maintaining a Microsoft Windows Server 2003 Environment.  Study Guide

2. Managing and Maintaining Access to Resources

 


Share Permissions

The difference between permissions and rights is this: permissions are assigned to objects such as files or printers; while rights are assigned to users or groups and affect the whole machine, for example the right to change the system time.

You can publish shares using Active Directory Users and Computers.  The idea is that administrators can find these shares no matter which server they are based on.

The basic share permissions are: Read, Change and Full Control.

Learn this rule, which sums up a user's access to a file or folder: ‘The effective permissions are the most restrictive between share permissions and NTFS permissions’.

  • Share permissions apply only when a folder is accessed across the network.
  • Share permissions are lost if a folder is moved or even renamed.
  • The Everyone group has Read-only share permission by default.
  • Deny permissions take precedence over allow permissions.
  • Explicit NTFS permissions override inherited permissions.
  • From the Properties of a parent folder you can override the permissions of child files and folders.
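
The rules above can be worked through as a small model. This is an added example, not part of the original study guide: the account names, group names and the four simplified rights are constructed for illustration, and share "Change" is assumed to carry the same rights as NTFS Modify.

```python
# Simplified rights carried by each permission level (constructed for this example).
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}        # share Change / NTFS Modify
FULL = CHANGE | {"change_permissions"}     # Full Control


def layer_access(aces, sids):
    """Evaluate one ACL (share or NTFS) for a user's set of identities.

    Each ACE is (sid, "allow" | "deny", rights, inherited).
    Explicit entries are evaluated before inherited ones, and within each
    group deny entries come before allow entries; the first entry that
    decides a right wins, and allows accumulate across group memberships.
    """
    granted, denied = set(), set()
    ordered = sorted(aces, key=lambda a: (a[3], a[1] != "deny"))
    for sid, kind, rights, _inherited in ordered:
        if sid not in sids:
            continue
        if kind == "deny":
            denied |= rights - granted
        else:
            granted |= rights - denied
    return frozenset(granted)


def effective(share_acl, ntfs_acl, sids, over_network):
    """Most restrictive of share and NTFS; the share only counts over the network."""
    ntfs = layer_access(ntfs_acl, sids)
    if not over_network:
        return ntfs
    return ntfs & layer_access(share_acl, sids)


# Constructed sample data: alice's identities and the ACLs on one shared folder.
ALICE = {"alice", "Sales", "Users", "Everyone"}
SHARE_ACL = [("Everyone", "allow", READ, False)]           # default share permission
NTFS_ACL = [
    ("Users", "deny", frozenset({"write"}), True),         # inherited from the parent
    ("Sales", "allow", CHANGE, False),                     # explicit on this folder
    ("Administrators", "allow", FULL, True),
]
NTFS_WITH_DENY = NTFS_ACL + [("alice", "deny", frozenset({"delete"}), False)]

if __name__ == "__main__":
    print("network:", sorted(effective(SHARE_ACL, NTFS_ACL, ALICE, True)))
    print("local:  ", sorted(effective(SHARE_ACL, NTFS_ACL, ALICE, False)))
    print("deny:   ", sorted(effective(SHARE_ACL, NTFS_WITH_DENY, ALICE, False)))
```

Across the network alice is held to the share's Read; at the console the explicit Modify for Sales overrides the inherited deny, and an explicit deny on delete removes that right even though Modify would grant it.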

 

NTFS permissions are retained in a backup of a data volume.  In addition, NTFS permissions can be audited, replicated, and configured remotely with Windows Explorer.

Share permissions are not included in a backup or restore of a data volume.

Share permissions cannot be replicated through the File Replication Service (FRS), nor can they be audited.

You can add the special accounts to an ACL (Interactive, Network, Terminal Server Users).

Changes to group membership apply only after a user logs on; they are not effective immediately. If the membership is changed, the user needs to log off and log on again.

The NTFS permission Modify WILL allow you to delete files or folders.

With disk quotas, remember that it is ownership that determines who gets charged for disk space usage.

To transfer ownership you have to be a member of the Administrators group, have the Take Ownership permission, or have the Restore Files And Directories user right (GPO).

You cannot share a folder on a remote system using Windows Explorer.  What you need to share folders on another machine is the Shared Folders snap-in.

A hidden share ends with a dollar sign ($). Only administrators can connect to the administrative shares, which are hidden from normal view with the $, for example C$, admin$.

Takeown is a command-line tool administrators can use to restore object ownership.

An encrypted file or folder cannot be moved or copied to another computer. Cipher is a command-line tool you can use to automate EFS tasks.

General Group Policies

Remember that there is a Domain Controller Group policy as well as a default Domain policy. On a stand-alone server, Local Security Policy is the equivalent of Domain Controller Security Policy on a domain controller.

To enable auditing you have to set Audit Object Policy.

Gpupdate replaces Secedit (W2K) as the command to refresh security settings.

IIS (Internet Information Server)

IIS is not installed by default; you need IIS for SUS and for internet printing. To back up or restore IIS you must back up or restore the metabase (XML document).

HTTP uses port 80 and FTP port 21.

You can create a Web virtual directory on an NTFS drive by right-clicking a folder and choosing the Web Sharing tab from Properties.

Basic authentication requires that a user have a local or domain user account; credentials are transmitted in clear text.

Digest authentication is like Basic authentication with enhanced credentials protection on the network; it requires HTTP 1.1.

Advanced Digest authentication in IIS works only when the user is part of an AD; it stores user credentials on the domain controller; it requires the user to be using IE5+ and HTTP 1.1.

Integrated Windows authentication provides credentials hashing before sending across the network.

Certificate authentication adds SSL security; you have to install and configure Certificate Services.

.NET Passport authentication uses SSL, HTTP redirects, cookies, JScript and strong symmetric key encryption.

FTP has only Anonymous and Basic (Windows based) authentication.

IIS directory permissions are: Read (default), Write, Script Source Access, Directory Browsing.

Like folders, permissions of a Web folder are the more restrictive of NTFS and IIS permissions.

Remote Connections

Remote Assistance requires that both computers be running Windows XP or Server 2003. To allow a user to connect via Remote Desktop, add the user to the Remote Desktop Users group. The person in trouble can ask for help through Windows Messenger, e-mail, or a transferred file.

Terminal Services and Remote Desktop capability are now default components of Server 2003; you no longer have to install Terminal Services as you did in Windows 2000. Turn on remote access to the computer using Control Panel\System (Remote tab).

Remote Desktop for Administration allows only two users to connect (active and disconnected sessions count). The permission to log on with Remote Desktop is only granted to Administrators by default.  However, it can be granted to others through membership of the Remote Desktop Users group.

The Remote Desktops snap-in is available on Windows XP by installing the Admin Pack from the Server 2003 CD (i386 folder).

You can also install the Remote Desktop Web Connection Utility (as an addition to IIS) to allow administering through the web.

The Terminal Services Manager in the Administrative Tools is the utility for administering TS user sessions. To change the properties of a TS connection you must be a member of the Administrators group.

Group Policy overrides Terminal Services utility or client settings.

The Instant Messenger Service relies upon port 1863 being open.

When using a (hardware) firewall, to allow Remote Assistance from outside the firewall you have to open port 3389.

You have a 120-day evaluation period for trying the TS role before you must install and configure the TS licensing component.


Which group cannot be assigned NTFS permissions in a Windows 2003 native domain?
Local
Domain Local
Distribution
Universal
Global

Free sample exam