To configure quota entries for specific users, click the Quota Entries

Part of the document mcsa_pearson.mcsa.70-697.and.70-698.cert.guide.configuring.windows.devices (pages 768 - 784)

Step 5. To add a quota entry, click Quota > New Quota Entry, type the username to whom the quota will apply in the Select Users dialog box, and then click OK. Then in the Add New Quota Entry dialog box (see Figure 14-5), select Limit Disk Space To, specify the desired limit and warning levels, and then click OK. Repeat as needed to add quotas for other users.

Figure 14-5. Add New Quota Entry Dialog Box Enabling You to Add a Disk Quota for a Single User

Step 6. After making any changes and closing the Quota Entries dialog box, click OK or Apply. A Disk Quota message box (see Figure 14-6) warns you that the disk will be rescanned and that this may take several minutes.

Figure 14-6. Warning That the Disk Volume Will Be Rescanned to Update Disk Usage Statistics

Step 7. Click OK to close this message box and start the scan.

Table 14-2 describes the options that are available on the Quota tab of the disk’s Properties dialog box mentioned in Step 3.

Table 14-2. Disk Quota Configuration Options

Option: Description

Enable Quota Management: Enables quota management and enables the other options so that you can configure them.

Deny Disk Space to Users Exceeding Quota Limit: When users exceed their quota, they receive an Out of Disk Space message and they cannot write further data.

Do Not Limit Disk Usage: Select this option when you do not want to limit the amount of disk space used.

Limit Disk Space To: Configures the disk space limit per user.

Set Warning Level To: Configures the amount of disk space that a user can write before receiving a warning.

Log Event When a User Exceeds Their Quota Limit: Writes an event to the Windows system log on the computer running disk quotas whenever a user exceeds her quota limit.

Log Event When a User Exceeds Their Warning Level: Writes an event to the Windows system log on the computer running disk quotas anytime a user exceeds his quota warning level, not his actual quota.

When the disk quota system is active, a user checking the properties of the volume where it is enabled sees only the amount of space permitted on the quota; the available space is the permitted space minus the space already used. If a user tries to copy a file that is larger than the allowed space, he receives a message that the file cannot be copied. In addition, an event is written to the Event log if you have selected the appropriate check box described in Table 14-2. You can view usage statistics by clicking the Quota Entries button.

Note

You can enable quotas only on volumes formatted with the NTFS file system.

Only administrators can enable quotas, but they can permit users to view quota settings.

Some Guidelines for Using Quotas

The following are a few guidelines for using disk quotas:

• When installing applications, use the default Administrator account rather than your own user account. That way, the space used by the applications will not be charged against your quota if you have one.

• If you want to use disk quotas only to monitor disk space usage, specify a soft quota by clearing the Deny Disk Space to Users Exceeding Quota Limit check box in File Explorer. That way, users are not prevented from saving important data.

• Set appropriate quotas on all volumes that a user can access. Provide warnings to the users, and log events when they exceed their quota limit and/or warning level.

• Be aware that use of hard quotas might cause applications to fail.

• Monitor space used and increase the limits for those users who need larger amounts of space.

• Set quotas on all shared volumes, including public folders and network servers, to ensure appropriate use of space by users.

• If a user no longer stores files on a certain volume, delete her disk quota entries. You can do this only after her files have been moved or deleted, or after someone has taken ownership of them.

Note

You should be aware that NTFS file compression actually has no particular effect on the amount of quota space available to such a user. Disk quotas are calculated based on the amount of space occupied by uncompressed folders and files, regardless of whether files are compressed or not compressed.
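The soft-quota guideline above can also be applied and checked from an elevated PowerShell prompt. This is an added example, not part of the original guide; the volume, account name and sizes are constructed placeholders, and it uses the built-in `fsutil quota` command together with the `Win32_QuotaSetting` and `Win32_DiskQuota` WMI classes.

```powershell
#Requires -RunAsAdministrator
# Constructed values for illustration only; adjust to your environment.
$Volume = 'D:'                 # hypothetical NTFS volume (quotas require NTFS)
$User   = 'CONTOSO\sally'      # hypothetical account
$Warn   = 4GB                  # warning level in bytes
$Limit  = 5GB                  # quota limit in bytes

# Soft quota: track usage without denying disk space
# (equivalent to clearing "Deny Disk Space to Users Exceeding Quota Limit").
fsutil quota track $Volume

# Per-user quota entry: volume, warning threshold, limit, account.
fsutil quota modify $Volume $Warn $Limit $User

# Log an event when a user passes the warning level or the limit.
$setting = Get-CimInstance -ClassName Win32_QuotaSetting |
    Where-Object { $_.VolumePath -like "$Volume*" }
Set-CimInstance -InputObject $setting -Property @{
    ExceededNotification        = $true
    WarningExceededNotification = $true
}

# Usage report per quota entry, the same data the Quota Entries window shows.
$statusText = 'OK', 'Warning', 'Exceeded'      # Win32_DiskQuota.Status 0, 1, 2
Get-CimInstance -ClassName Win32_DiskQuota |
    Where-Object { $_.QuotaVolume.DeviceID -eq $Volume } |
    Select-Object @{ n = 'User';    e = { "$($_.User.Domain)\$($_.User.Name)" } },
                  @{ n = 'UsedMB';  e = { [math]::Round($_.DiskSpaceUsed / 1MB) } },
                  @{ n = 'WarnMB';  e = { [math]::Round($_.WarningLimit / 1MB) } },
                  @{ n = 'LimitMB'; e = { [math]::Round($_.Limit / 1MB) } },
                  @{ n = 'Status';  e = { $statusText[$_.Status] } } |
    Sort-Object UsedMB -Descending |
    Format-Table -AutoSize
```

Replacing `fsutil quota track` with `fsutil quota enforce` turns the same entries into hard quotas.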

Configuring Object Access Auditing

Users on a network are naturally curious about the myriad of volumes, folders, and files that they find. They like to "poke around" to see what's there. And some can have malicious thoughts, so sensitive information might be accessed, modified, or even deleted. Corporate security policies generally stipulate that records must be kept of who attempts to access or modify such sensitive information. For this purpose, Microsoft has included object access auditing in its operating systems ever since the early days of Windows NT.

Object access is just one kind of a large list of events that Windows enables you to audit. Windows enables you to audit user access to files, folders, and printers by configuring the Audit policy for the local computer. If you need to audit computers that are members of an AD DS domain, you can configure the Group Policy in the domain or OU that contains these computers.

Otherwise, you can configure the Local Group Policy setting for object access auditing. We discussed auditing in more detail in Chapter 12, "Managing Mobile Devices."

To configure object access auditing, you must configure two pieces of information:

• Enable success or failure auditing for object access.

• Specify the folders, files, or printers for which access is to be audited.

Enabling Object Access Auditing

Use the following procedure to enable object access auditing on a Windows 10 computer:

Step 1. From the Search box or Cortana, type gpedit.msc into the text box and select Edit Group Policy from the results. This opens the Local Group Policy Editor MMC snap-in.

Step 2. Navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy node. You receive the series of policy options shown in Figure 14-7.

Figure 14-7. Audit Policy Subnode in the Local Group Policy Editor Enabling You to Audit Several Types of Actions on Your Windows 10 Computer

Step 3. Double-click Audit Object Access. You receive the Audit Object Access Properties dialog box shown in Figure 14-8.

Figure 14-8. Enabling Auditing to Trigger an Event Log Entry When an Action Has Completed Successfully, or Has Failed, or Both

Step 4. To audit successful and/or failed attempts at accessing files, folders, or printers, select Success and/or Failure as required. Select the Explain tab of the Properties dialog box to obtain more information on what the setting does.

Step 5. Click OK or Apply.

Note

Additional audit policies are available in the Advanced Audit Policy subnode of Group Policy, available from the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy node. For more information on advanced audit policy settings as a whole, refer to "Advanced Security Audit Policy Settings" at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/advanced-security-audit-policy-settings.

Specifying Objects to Be Audited

To track object access or directory service access, you must configure the system access control list (SACL) for each required object. Use the following procedure:

Step 1. In File Explorer, right-click the required file, folder, or printer and choose Properties.

Step 2. Select the Security tab of the object's Properties dialog box.

Step 3. Click Advanced to open the Advanced Security Settings dialog box, and then select the Auditing tab.

Step 4. You are warned that you must be an administrator or have the appropriate privileges to view the auditing properties of the object. Click Continue to proceed, and then click Yes in the UAC prompt if you receive one.

Step 5. Click Add to display the Auditing Entry dialog box. To add users or groups to this dialog box, click Select a Principal.

Step 6. Type the required user or group into the Select User or Group dialog box, and then click OK.

Step 7. On the Auditing Entry dialog box that appears (see Figure 14-9), select the types of actions you want to track, and then click OK.

Figure 14-9. Configuring the SACL for a User or Group

Step 8. The completed auditing entries appear in the Advanced Security Settings dialog box, as shown in Figure 14-10. Click OK twice to close these dialog boxes.

Figure 14-10. Advanced Security Settings Dialog Box Displaying Information on the Types of Object Auditing Actions That Have Been Specified

After you have configured object access auditing, attempts to access audited objects appear in the Security Log, which you can view from Event Viewer in the Administrative Tools folder. For more information on any audited event, right-click the event and choose Event Properties. For more information on Event Viewer and viewing the logs it contains, refer to Chapter 19, "Monitoring and Managing Windows."

Tip

Ensure that the security log has adequate space to audit the events that you configure for auditing, because the log can fill rapidly. The recommended size is at least 128 MB. You should also periodically save the existing log to a file and clear all past events. If the log becomes full, the default behavior is that the oldest events will be overwritten (and therefore lost). You can also configure the log to archive when full and not to overwrite events, but new events will not be recorded. Loss of recorded events could be serious in the case of high-security installations.

Note

You can also use the Auditpol.exe command-line tool to perform audit policy configuration actions. For information on the subcommands available for this command, open a command prompt and type auditpol /?. For additional information on this command, refer to "Auditpol" at http://technet.microsoft.com/en-us/library/cc731451.aspx. The information refers to Windows 8.1 and Windows Server 2012, but no changes to the auditpol command were made for Windows 10.
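The two pieces of configuration described above (the audit policy and the SACL), plus the log-size tip, can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original guide; the folder and principal are constructed placeholders, the subcategory name assumes an English-language system, and event ID 4663 is the standard Windows "attempt to access an object" event, which the guide itself does not name.

```powershell
#Requires -RunAsAdministrator
# Constructed values for illustration only.
$Path      = 'C:\Sensitive'      # hypothetical folder to audit
$Principal = 'BUILTIN\Users'     # hypothetical principal whose access is tracked

# 1. Audit policy: enable success and failure auditing for file system objects.
#    "File System" is one subcategory of Object Access, so this is narrower
#    than the category-wide Audit Object Access policy set in gpedit.msc.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. SACL: record writes, deletes and permission changes by $Principal on the
#    folder and everything beneath it.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Security log capacity: raise the maximum size to the recommended 128 MB
#    if it is smaller.
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt 128MB) {
    wevtutil sl Security "/ms:$(128MB)"
}

# 4. Review: recent object-access events that refer to the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
            Process    = $data.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Format-Table -AutoSize
```

If the computer is domain-joined, Group Policy from the domain or OU can override both the local audit policy and the log size set here.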

Configuring Shared Resources

Sharing is a basic concept of networking in any computer environment. Simply put, sharing means making resources available on a network. Typically, this means a folder on one computer is made accessible to other computers that are connected to the first computer by a network. The purpose of sharing folders is to give users access to network applications, data, and user home folders in one central location. You can use network application folders for configuring and upgrading software. This serves to centralize administration because applications are not maintained on client computers.

Data folders allow users to store and access common files, and user home folders provide a place for users to store their own personal information. You can also share other resources, such as printers, so that users can print to a printer not directly attached to their computer.

You can share folders according to either or both of two file-sharing models:

• Public Folder Sharing: The simplest means of sharing folders, this model involves the use of a shared folder located within each of the Windows libraries. However, you cannot limit access to items in these public folders; you can only enable or disable public folder sharing for all libraries from the Advanced Sharing Settings dialog box in the Network and Sharing Center, previously introduced in Chapter 6, "Windows 10 Networking."

• Standard Folder Sharing: Enables you to utilize a standard set of permissions that determine user access to files and folders across the network, in a similar fashion to that used in previous Windows versions. More secure than public folder sharing, you can enable or disable standard folder sharing on a per-computer basis.

Using the Network and Sharing Center to Configure File Sharing

As introduced in Chapter 6, the Network and Sharing Center enables you to perform actions related to sharing of resources on your computer with others on the network. Click Change Advanced Sharing Settings to obtain the Advanced Sharing Settings dialog box shown in Figure 14-11. Among other networking options, you can specify the file-sharing options described in the list that follows.

Figure 14-11. Advanced Sharing Settings Dialog Box Enabling You to Configure Several Global File and Folder Sharing Settings

• File and Printer Sharing: Enables the Standard Folder Sharing model, thereby allowing others on the network to access shared files on your computer and print from printers attached to your computer.

• Public Folder Sharing: Enables the Public Folder Sharing model, thereby allowing others on the network to access files in your Public folders of each Windows library (Documents, Pictures, Videos, and Music).

• Media Streaming: Enables others on the network to access shared music, pictures, and videos on the computer and enables your computer to access these types of shared information on the network.

• File Sharing Connections: Enables you to select the level of encryption used to protect file sharing connections. You should keep the default of 128-bit encryption selected unless you need to share files with devices that understand a lower level of encryption only.

Sharing Files, Folders, and Printers

Shared folders are folders on the local hard drive that other users on a network can connect to. For the exam, it is critical that you understand how to manage and troubleshoot connections to shared resources, how to create new shared resources, and how to set permissions on shared resources. The process that Windows 10 uses to share folders is that an administrator selects a folder, regardless of its location in the local folder hierarchy, and shares it through the Sharing tab of the folder’s Properties dialog box.

Administrators may find that the Computer Management snap-in is helpful in file and folder security management. To open this snap-in in Windows 10, right-click Start and choose Computer Management from the menu that appears. You can also open Computer Management from within Administrative Tools, which is found in the System and Security category of Control Panel. If you have enabled the Administrative Tools feature on the Start menu, click the tile for Computer Management from this location. To manage file and folder security, expand the Shared Folders node in the left pane. Select the Shares subnode to see the shared folders, as shown in Figure 14-12. The hidden administrative shares are followed by a dollar sign ($) and cannot be modified. From the remaining shared folders, select one to double-click and view the security settings on the folder.

Figure 14-12. Viewing Shares on Your Computer from the Shared Folders Node of the Computer Management Snap-In

Aside from the default administrative shares, there are no folders that are automatically shared with the network. To share files with other users across the network, you must manually do so for each folder containing the files that you want to share. To share a folder with other network users, you can open any File Explorer window and then use the following procedure:

Step 1. In a File Explorer window, navigate to the folder, right-click it, select Share With, and then click Specific People. The File Sharing dialog box opens, as shown in Figure 14-13.

Figure 14-13. File Sharing Dialog Box Enabling You to Choose Those You Want to Share a File With

Step 2. Type the name of a user with whom you want to share the folder, and then click Add. The name appears in the Name list with a default permission level of Read (for example, Sally Sue in Figure 14-13).

Step 3. To share with another user, repeat Step 2 as many times as required. When finished, click Share. If you receive a User Account Control (UAC) prompt, click Yes.

Step 4. When the file is shared, you receive a message informing you that your folder is shared. This message enables you to email the link to the users with whom you shared the folder or copy it to other programs or documents. Click Done.

To add people to the sharing list, repeat this procedure and select Change Sharing Permissions from the File Sharing dialog box. Then type the name of the required user and click Add. To remove a shared folder, right-click the folder and select Share With > Stop Sharing.

Configuring Shared Folder Permissions

Windows 10 shares folders to others as Read, which means that the users you specify can view but not modify available files. The Advanced Sharing feature in Windows 10 enables you to modify these properties when necessary.

When granting full access to your local files to other users across a network, your computer becomes vulnerable to both unintentional and intentional attacks. Not only can the data be viewed for malicious purposes, such as corporate spying, it can be altered or destroyed on purpose or accidentally.

For this reason alone, you should always grant the most restrictive permissions necessary for a network user to conduct work on those files.

Granting just enough permission without being too lenient requires careful consideration. If you are too stringent, users can’t get their jobs done. If you are too lenient, the data is at risk.

Use the following procedure to modify shared folder properties:

Step 1. In a File Explorer window, right-click the shared folder and choose Properties.

Step 2. Click the Sharing tab (see Figure 14-14).

Figure 14-14. Sharing Tab of a Folder’s Properties Dialog Box Enabling You to Modify Shared Folder Properties

Step 3. Click Advanced Sharing. If you receive a UAC prompt, click Yes. The Advanced Sharing dialog box shown in Figure 14-15 appears. This dialog box provides you with the shared folder options introduced in Table 14-3.

Figure 14-15. Advanced Sharing Dialog Box Enabling You to Configure Several Properties of Shared Folders

Table 14-3. Shared Folder Options in Windows 10

Option: Description

Share This Folder: Click to start sharing the folder.

Share Name: This is the folder name that remote users will employ to connect to the share. It will appear in a user's File Explorer window, or the user can access it by typing \\computername\sharename at the Run command. (Press the Windows key +R to open the Run command, or select it from the Start right-click menu.)

Comments: This information is optional and identifies the purpose or contents of the shared folder. The comment appears in the Map Network Drive dialog box when remote users are browsing shared folders on a server.

User Limit: This sets the number of remote users who can connect to a shared resource simultaneously, reducing network traffic. For Windows 10, the limit is 20 (it was 10 on Windows Vista and older client versions of Windows).

Permissions: Permissions can be assigned to individual users, groups, or both. When a folder is shared, you can grant each user and each group one of the three types of permissions for the share and all of its subdirectories and files, or choose to specifically deny them those permissions.

Caching: Enables offline access to a shared folder.

Step 4. To add an additional share name, click Add under the Share Name section. (If this command button is dimmed, ensure that the Share This Folder option is selected and click Apply.) An additional share name enables users to access the shared folder under this name.

Step 5. To change the maximum number of simultaneous users, type the required number or use the arrows to select a number. This number cannot be higher than 20 on a Windows 10 computer.
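The share options in Table 14-3 and the advice to grant the most restrictive permissions can be applied and reviewed with the SMB cmdlets built into Windows 10. This is an added example, not part of the original guide; the share name, path and group are constructed placeholders, and the list of "broad" principals is an assumption about what a reviewer would want flagged.

```powershell
#Requires -RunAsAdministrator
# Constructed values for illustration only.
$ShareName = 'ProjectDocs'
$Path      = 'D:\Shares\ProjectDocs'       # hypothetical existing folder
$Readers   = 'CONTOSO\ProjectReaders'      # hypothetical group

# Create the share with Read access for one group only, a comment, and the
# Windows 10 maximum of 20 simultaneous users.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
                 -Description 'Project documents (read-only)' `
                 -ReadAccess $Readers -ConcurrentUserLimit 20 | Out-Null
}

# Review every non-administrative share and flag entries that allow Change or
# Full Control to a broad principal.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$findings = Get-SmbShare -Special $false |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.AccessRight)" -in 'Full', 'Change' -and
        $_.AccountName -in $broad
    }

if ($findings) {
    $findings | Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
} else {
    'No non-administrative share grants Change or Full Control to a broad group.'
}
```

Share permissions combine with the NTFS permissions on the folder, so a share that passes this check can still expose data if the folder's own ACL is too permissive.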
