Introduction

Now that you ve secured the Active Directory database and created an efficient group structure for your organization in Chapter 8, Securing Active Directory, the next step is to actually secure the files and folders themselves. Windows permissions are discretionary, which means that users with the Change Permissions or Full Control permissions or users who have ownership of a file or folder can change its permissions to their heart s content. With this in mind, you should design a permission scheme that will provide sufficient access for end users to do their jobs, but not unnecessary permissions that might affect the security of your overall network.

Windows Server 2003 establishes a default permission structure when you first install the operating system, but you might need to change these defaults to meet your needs. In this chapter, we examine some common risks that can affect your file shares, such as data corruption caused by viruses or security breaches arising from incorrectly assigned permissions. Then, we ll look at ways to design a permission structure for the files and folders in a large, multiserver environment, as well as best practices for securing the Windows Registry.

An advance in Windows 2000 gave users the ability to encrypt files on a hard drive using the Encrypted File System (EFS). EFS combines public key cryptography (using Certificate Services) with 3DES encryption to allow users and administrators to extend file security beyond NTFS permissions. This feature has been expanded and improved in Windows Server 2003, including the...