Configure data access and protection

1. Understanding and configuring NTFS Permissions

NTFS involves the actual file system. So you'll notice I have the C drive here. If I right click the C drive and I go to Properties, you'll be able to see that the type of filesystem is NTFS, which stands for New Technology File System. It's not all that new. It's over 20-something years old now, but they haven't proved over the years that it's the most common type of file system that we use in a Windows environment. So the file system is going to help us manage different folders and files and all that good stuff. Okay, so let's say that I was to create a folder called Sales Data. So I'm just going to go right here. I'm going to go to the Home tab. I'm going to click on New Folder. I'm going to call this Sales Data, all right? And then at that point, I could go to that folder. Maybe I've got some important data inside that folder. Maybe I've got, I don't know, a text file or something like that. Let's put a text file in here. We'll call it stats. Okay? So I've got a folder or a file called Statsin here that maybe contains some important data to Salespeople.all right? So if I go back over here to the Sales Data folder, I want to protect that folder. I want to specify who can get access to that folder and all that. So to do that, I'm just going to go to the properties of that folder. I could right click it, or I could click the Home tab and then go to Properties. Okay? And then from there, you're going to notice some different tabs here. The tab I want to focus on right now is called Security. That is the tab where NTFS permissions are managed. Now this actual screen you see here is a permission list and it's known as an ACL, an Access Control list. This access control list allows me to set permissions. Now in order for me to do that, I have to click Edit. all right? And now I can go through and I can edit the permissions on this access control list. I also want you to notice that you'll notice that the permissions here are greyed out. This is an indication that these are inherited permissions. That means that the Sales Data folder has actually inherited permissions from the C drive. Okay? So I'm going to turn off Inheritance, all right? So I'm going to cancel this. I'm going to click Advanced, and then you'll see Disable Inheritance. all right? So I'm going to go ahead and do that. I'm going to click okay. Now if Iedit, you'll notice they are not greyed out. Okay? So from there, if I wanted to, I could go and I could start adding groups. With groups, I can add the bulk of users. the majority of users Just like I mentioned in my drawing, I can assign a bunch of users at one time and give them access to this resource if I want. Now, I do want to point out that there are already some user groups that are on this list. I have the authenticated user group. This represents all users that are part of the Microsoft domain, okay? And then I've got one called Users that is actually local users on the machine. So there's a difference between authenticated users and the users group, okay? The Authenticated Users are going to represent users in the domain. The users group is going to represent local users just on this one machine. Notice that the Authenticated Users Group has modified,which means they can read, write, and execute. They can even delete files. They cannot delete subfolders in this folder, but they can delete files in the folder if they want, okay? And then the users group just read. So, notice they just have read access. They don't actually have the ability to change anything. Administrators, of course, have full control, and the operating system also has full control, okay? I could also, if I wanted to, add domain admins from the domain and give them full control. I could also apply all that if I wanted, okay? But let's say that I wanted to give salespeople the ability to modify this data, so I could click add, and I'm going to type in sales group from the domain and put that in. And I'm now given the sales group. I'm going to give them modify privileges. But first, let me clarify something. I want to clarify what these different permissions do. So if I give you full control, then you can pretty much do anything you want. You can read, write, execute, and delete the data. You can change permission. You can take ownership of other people's data if you want to. Okay, full control is something that you generally only give to admins. So I could also more likely say, if salespeople needed to be able to modify this data, you'd give them the modification. That will let you do everything full control can do. But you can't take ownership, you can't change permissions, and you can't delete do everything fuNow if you give Read and Execute, you'll notice they'll get Read and Execute list folder contents and Read. Read and Execute lets them read and execute programs. List folder contents means they can see the contents in the folder and then read documents. A lot of people don't know the difference between reading and execute and read.Read and Execute lets you execute programmes like exefiles and all that are in this folder. Read will let you read documents that are in this folder. There's a difference. If you just want people to be able to read documents, you would just give them read permission, okay? List the folder contents again. Let them see the contents of the folder. If I did not want somebody to be able to execute programs, I could just give them the list of folder contents and read. Then, lastly, you've got what's called write write permissions.We'll let you write to the database that's in the folder here. This is interesting, though. If you give write permission but not read access, they can't actually open the folder and see what's in it. They can only write to the folder. So, oddly enough, you could drag and drop documents into that folder, but you couldn't open it up and look at what's in there. I was talking to a guy one time that worked with the school system, and he was telling me that he used this. He actually gave each teacher in this school's computer labs an inbox folder, and they gave the students computers with the ability to write to the folder but not read it. So students could do their work in the computer lab and drag and drop it into the teacher's inbox folder over the network. And it worked really well. That's an example that's sort of like a lockbox type scenario. Okay, so those are your permissions. I'm going to modify, okay? Of course I'm going to allow it. I could deny it. I don't want to deny it. I'm going to allow it. But then also, I don't want other people to have access. I don't want just regular users to have access. So I'm going to remove them. And I don't want authenticated users. I'm going to remove them. Keep in mind, if I denied these people, as opposed to just removing them off the list, that would be a problem. See, the way that permissions work, if you're in one group that says you're allowed to do something,and you're in another group that says you're denied the ability to do something, then you're denied. So the salespeople are also authenticated users. So if you denied authenticated users and allowed sales,then it would end up denying your users. You could be in a thousand groups that say you're allowed to do something. If you're in one group, you're denied. Okay? So I'm going to remove that authenticated users group, okay? Now here's the other thing I can do, all right? I want you to understand that users can be members of different groups, and I want you to understand how that applies to things. So imagine if I had the marketing group, and imagine if you had a user that was in both marketing and applies toI'm going to take away sales. I'm going to give the salespeople the ability to read, and I'm going to give the marketing people the ability to write. So what would be their permissions if you had a user? Let's say you had a user named JohnSmith and John Smith was part of sales and marketing. What would be his permission? Well, it'd be both. He'd get both. It's cumulative. A lot of people think the least restrictive is the most restrictive. It's cumulative. I always use the analogy that if you're in the sales department and I say you can eat apples,and then you have a marketing department and I say marketing people can eat oranges. But what if you're a member of both sales and marketing? You're allowed to eat apples and oranges. Okay, I could also add managers to this. Let's say you have a manager. Oops, it does help if you spell that correctly. Let's say I have a manager group and I give the managers the ability to do modifications. Okay, well, guess what, if you're in all three groups, it's cumulative. You get to do all of those things. So managers get everything. If sales people can eat apples, marketing people can eat oranges, and managers can eat pineapple, Well, guess what, if you're in all three of those groups, you can eat apples, oranges, and eat apples, markLet's say that in sales you're allowed to eat apples. In marketing, you're allowed to eat oranges but you're denied the permission to eat apples. And then in the manager's group, you can eat everything. Well, guess what, you're not going to get to eat eatoranges or you're not going to get to eat apples. Because if you're in all three groups, if you're denied permission, denying will always overrule and allow. Okay, so I'm going to draw this out for you as well, help you visualise this a little bit better so that you understand. But I would want to remove everybody else from the list, add the groups that I want on the list,and give them the privileges that they this a litSo to help you understand permission a little better,I want to draw something out for you here. Now, the way I recommend you do it, and this is even if you are taking the exam and you are writing this on a little notepad they give you for the exam, will help you visualise what's going on with permission. So what I always recommend is creating a little table,and this is what the little table looks like that I usually use when I try to visualise this. So I will have one column here called Object,and that's where your group or your user account is going to be listed in this list here. And then I'm going to have another one called NTFS for NTFS permissions. And I'll get to this last column later. Okay, so imagine I've got a user who is a member of the sales group, and the user is also a member of the marketing group, and the user is also a member of the managers group. Okay? So you've got a user who is a member of all three of these groups, and you're trying to help understand what permissions you're going to ng group,So let's say that in NTFS you've given sales the ability to read and execute, and in marketing you've given the marketing group the ability to just read documents. They don't get the ability to execute programs. I just read And then the managers have been given a modification. Okay, well, remember, when it comes toNTFS permissions, if you're just dealing withNTFS, it's NTFS plus NTFS equals cumulative. So if there's ever a conflict between one NTFS permission and another, it's cumulative. So if you add all these together, if you think about it like this, read and execute plus read and modify, well, you're going to get all of these. Of course, you could just simply say "modify," because "modify" already has all these privileges already.That would be effective permission. Unless there was a deny involved. It's always going to be a cumulative effect when you're adding these permissions up. It doesn't matter how I rearrange these. I can rearrange these permissions any way I want, and it's always going to be a cumulative effect. Okay? All right. So think about it like that. NTFS plus NTFS equals cumulative. Okay, I'm going to expand on this coming up here a bit later.

2. Creating Shared Folders and setting share permissions

Okay, so now that we've got an understanding of the NTFS permissions, I'd like to now show you about sharing out folders. So, right now, if someone wanted to access this Sales Data folder across the network, it wouldn't be possible. Okay? So, for example, if I jump over to this other machine here and I try to connect across the network, I can do that in various ways. One of the easiest ways to open up File Explorer is to type in Backslashnyc Co One and hit Enter. I have a folder called "Administration Shared Out." But that sales data folder is not shared out. So if I wanted to connect to that SalesData folder across the network, I would need to make sure that it was shared out. To do that, you can do basic sharing by right clicking and saying "Give access to." But I'm going to tell you the right way to do it and a generally more advanced way that's going to give you the most features. The way that Microsoft is generally going to want you to do it They're going to want you to click on it and then go to the properties of it. You can either right click it or if you go over here to Home, you can click Properties and get there, then click on the Sharing tab instead of the Security tab. This time, if you click Share,it's just the basic sharing method. Again, you're going to want to go with Advanced Sharing. So I'm going to click that and I'm going to click Share this folder. Okay, Then I can select the name of the share that people will see when they connect to it. Keep in mind that if you wanted, you could put a dollar sign after it. That makes it a hidden share, which means somebody has to type the exact name in order to get to it. I'm not going to do that though. I'm going to make it available. Okay, And then, by default, Windows Ten only allows you to have a maximum of 20. This is not a server. They don't want you to use it as a server. So they only have a maximum of 20 connections at a time. You could lower that number if you wanted to. Okay, From there I can set permissions on it, which the access control is for sharing. I'm just going to click real quick. Okay, click close. And now I'm going to jump over to that other machine here and we're going to refresh the screen and notice that it shows up, so I can go in there and all that and I can try to delete this data if I want and notice that it won't let me delete the data. That's because of the permissions. So if I jump back over to that other machine, here's the folder again. Okay, so if we go to the properties, we go to sharing, advanced sharing permissions. Notice the permission. So the permissions and share permissions are very basic compared to NTFS. You have full control, which is sort of the equivalent of full control. In NTFS, you have Change, which is the equivalent of Modify on NTFS, and you have Read, which is the equivalent of Read and Execute, which also gives you the ability to read and execute list folder contents and read So they're very basic. But guess what? The permissions work exactly the same. If there's a conflict, it's cumulative. So if there's a conflict between your share permissions and you're just talking sharepermissions, it's going to be cumulative. So if I was to add another group to this, for example, and I added Sales, and I only gave Sales readwell, because a user is both in Sales and part of the Everyone group, then they would get full control. But I don't want everybody to have access. So maybe I removed the everyone group. I'm going to give administrators access to administrators,I'm going to give domain admins something like that, full control, all that. The sales people are going to get the ability to change the data if I want. Maybe I'll let marketing people read permission, okay? At that point, now that I've done that andapplied that, I've officially set up Share permissions, okay? Of course, now there's another predicament. I've now shared this folder out, set it up so that somebody could actually remote into it, like from here,and view the data, view what's in it. There's nothing in the file at the moment,but what happens when there's a conflict? Notice I was able to delete it this time because I have admin rights over it. Right, but what happens if there's a conflict between NTFS and Share? So that's going to get explained next to you.

3. Understanding conflictions between NTFS and Shared permissions

Okay? So now that we understand what share permissions are, I want to add share permissions into my drawing, and we're going to learn how things are going to work out, okay? So, share permission, this is going to be my other little column here called Share. Now, I want to tell you that when it comes to conflicts with shared permissions, it's the same thing. It's a cumulative effect. So, share plus share equals cumulative. all right? The permissions are named a little differently, but it's the same thing. So if I gave sales change permissions and I gave marketing read permissions and I gave managers full control permissions, then you would add all that up together, okay? Change plus reading plus full control equals, well, fullcontrol, because full control can do everything, can it? It gets everything. So that would be if you had a user who was a member of all three of these groups, they would be there for effective permission. If you had had a user that was just a member of these two groups, then this would have been the effective permission, okay? Same thing if you had a user who was a member of sales and a manager. You'd still get full control. Okay? But what happens when you have users who are members of these groups and you have conflicts between NTFS and Share? So is that possible? Yes, it's definitely possible. And we have to think about that. Okay? So imagine this situation here. Let's say that sales have been read and executed, okay? And marketing has been given a read, and then managers have been given a modify, okay? So this gets really complex because you have to think, well, wait a minute. Now, I'm not dealing with just one access control list. I'm dealing with two. I'm dealing with the NTFSaccess control list and share. So what will my effective permissions be for this user? And that's, of course, if the user is a member of all three groups. So let's say you had a user, let's say John Smith here, and John Smith is a member of all three of these groups. Let me just draw this little line to indicate that he's part of all three groups. You have John Smith, who belongs to all three groups. What will his effective permission be? Okay, well, I'm going to tell you this is the way it works, okay? When NTFS conflicts with share permissions, the most restrictive setting will get applied. the most restrictive that will be used Now, here's the problem with that. Most people look at this little table and they'll say, "Well, the most restrictive one on the table is reading." Reading is going to restrict you more than any of the other permissions. So there's your effective permission. But I'm going to tell you right now, you got it wrong. If this was a test question and you said that it was read, you got it wrong. Here's what you do. Here's the secret: Go down my little chart. Start with this column and add them up. Then add these up and then add them together. Okay? So think about it. Let's do that. Read and execute, plus read and modify. The effective permission, because it's cumulative,is going to be modified. right? Now do this column. Change plus reading plus full control equals full control. Now add up the last one, the most restrictive one. Full control and modification. What's more restrictive, modified or full control? Modify And there is your effective permission. So don't just look at the screen and say, "Well,the most restrictive one is going to be the answer." You have to work it out like this. Here's another thing I want to warn you about. These are the permissions listed at the bottom. Here's a rule of thumb for you: These bottom two permissions will only take effect and only happen if the user is connected over the network to the resource. Okay? So if this John Smith person was accessing this folder over the network, then you would definitely focus on all three rules. But if the user was sitting locally at the computer and accessing the resource,then you can just ignore these altogether. The only thing you need to focus on is this one column right here. You can ignore the share permissions altogether. If they're not accessing this across the network,then you would only focus on this. This is why, in the IT world, the general rule of thumb is to make the NTFS more restrictive than the Share. Because that way, no matter what, the user is always going to end up with the same permissions. Okay? All right, so that hopefully gives you a good visualization. You can use this little chart if you're taking the exam and you're writing this on your little scratch pad or whatever they give you. You can jot this information down in a question and it will really help you visualise things. Okay? Now I want to show you one more thing that will allow you to essentially tell what effective permissions somebody's going to help you vSo now, looking back here at this ACL,I want to show you how to view the effective access privileges of a user. So I've got a user who's named John Smith. And John Smith is a member of sales, marketing, and management. Okay? So he's a member of all three groups. Sales has read and executed the folder contents list, while marketing has only read and then modified it. Okay? So if I click Advanced, I can go to the Effective Access tab here and I can click Select a User and I can type John Smith. We can look at his privileges now by clicking Effective View and Effective Access. As you can see, he doesn't have full control. He has all these privileges. He does not have delete, subfolders, file, change permission, or take ownership, which are all permissions that the modifiedprivileges do not give you, as you can see, everything that modification would give you. So that shows you right there. If I wanted, I could jump over to mydomain controller and I could remove if I clicked on John Smith. I could remove him out of these groups,and he would no longer have those privileges. Okay? So you now have a good understanding of effective access to be able to calculate what those privileges are, and hopefully you have a much better foundation for understanding permissions and the Windows environment.

4. Configuring Disk Quotas to conserve disk space

And I could go to my C drive right there. Okay? Let's say I want to configure this quota on my C drive. So I'm just going to go through the properties of my C drive, OK? And then you're going to notice that I have a tab called the Quota Tab. I click on the "quota" tab. I can click show quota settings and you'll see that I can enable quotas. Here you'll notice that quotas are not turned on by default. If I wanted to turn them on, I could say "enable quote of management okay." And I still need to apply this before it's actually going to get turned on. Let me zoom in on this for you a little bit. all right? Here is the option that says "limit disc space now guys, it is the future here." This is not the 80s. We're probably going to want to give users more than one k of disc space. I'm going to give my users two gigabytes of disc space. We're going to say that maybe our users need to be able to store documents and things and all that good stuff on their machine, and they shouldn't go more than two gigs because it's just documents, right? So anything they store on the machine will be tied to their account and it will keep track of that space. And at two gigs, at that point,they would be exceeding their limit. Now, if you did want to drive your users absolutely crazy,you could leave the warning level set to one k.So every time they store anything, it's going to pop a warning message up. You're running out of space. OK, we probably don't want to do that. Let's set the warning level. We're going to set it to 1.7 gigs. So when they get to 1.7 gigs, it's going to warn them that they are running out of space. Okay? Now, I've got here, I've got a login event when a user exceeds the quota limit. Login event when the user exceeds the warning limit. That means it's going to put something in the event log to show that this person has exceeded both their warning limit and their quota limit. Okay? Now, if I apply this, I want you to look at this little red light here. I'm just going to hit "apply" and I'm going to click "OK." And you're going to see that it's going to turn from red to yellow to green, oddly enough, okay? Once it's green, it officially means that it's on. But here's the weird thing. I've done this, but ultimately this is not going to stop the user from doing anything in terms of storing data. They're going to get to 1.7 gigs, and it's going to warn them that they're running out of space. They're going to get past two gigs, and it's just going to say you exceeded your quota. It's not going to stop them because this is called a soft quota. If you want the quota to be what is called a "hard quota". You can select this option right here, and at that point,it will now force them to stop at two gigs. Okay, so that's how that's going to work. Now, what if you had some users that you needed to limit even more, or users that you wanted to limit even less? Maybe I've got a person named JaneDoe who is sometimes going to use this machine. She's not an administrator, but she is an IT person that maybe does help desk or something. And I need to limit Jane Doe less. So I could go here to quota entries. Open that up. Let me zoom out here for you. Open that up a little bit, and then from there, I can click on a new quota entry, putting in the name of the user Jane Doe. And then if I wanted, I could now say, "Do not limit disc usage for Jane Doe," which means, do not limit disc usage for Jane Doe, sodo not limit disc usage for Jane Doe.Or if I wanted to limit Jane Doe more, I could. I'm not going to, but I'm going to say do not limit. So we click okay. All right. At that point, we've now set a quota for Jane Doe,and Jane Doe would not be limited like our other users. Okay? And that should give you guys an understanding of how this quote is work.One thing I did want to mention is that in command prompt, if I open up a command prompt, there is a command that you can actually use for working with quotas. The command is called the FS util command. all right? So I'm just going to pop in the command prompt here, and then I'll show you real quick. fsutil. So zoom in on that for you. So the FS util command, if you hit enter on that,you can see that it does a bunch of things. Of course, one of the things being quotaright here, all right, so you can actually do quota management using a command prompt. Write a script if you need it, too. You can also manage quotas through PowerShell as well.

ExamSnap's Microsoft MD-100 Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Microsoft MD-100 Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.