by MS
Table 9-1 lists status messages you might see for disks. You'll also find a diagnosis and suggested corrective action in the Resolution column.
Table 9-1: Understanding and Resolving Disk Status Issues

| Status | Description | Resolution |
| --- | --- | --- |
| Online | The normal disk status. It means the disk is accessible and doesn't have problems. Both dynamic disks and basic disks display this status. | The drive doesn't have any known problems. You don't need to take any corrective action. |
| Online (Errors) | I/O errors have been detected on a dynamic disk. | You can try to correct temporary errors by right-clicking the disk and choosing Reactivate Disk. If this doesn't work, the disk might have physical damage or you might need to run a thorough check of the disk. |
| Offline | The disk isn't accessible and might be corrupted or temporarily unavailable. If the disk name changes to Missing, the disk can no longer be located or identified on the system. | Check for problems with the drive, its controller, and cables. Make sure that the drive has power and is connected properly. Use the REACTIVATE DISK command to bring the disk back online (if possible). |
| Foreign | The disk has been moved to your computer but hasn't been imported for use. A failed drive brought back online might sometimes be listed as Foreign. | Right-click the disk and choose Import Foreign Disks to add the disk to the system. |
| Unreadable | The disk isn't accessible currently, which can occur when disks are being rescanned. Both dynamic and basic disks display this status. | With FireWire/USB card readers, you might see this status if the card is unformatted or improperly formatted. You might also see this status after the card is removed from the reader. Otherwise, if the drives aren't being scanned, the drive might be corrupted or have I/O errors. Right-click the disk and choose Rescan Disk (on the Action menu) to try to correct the problem. You might also want to reboot the system. |
| Unrecognized | The disk is of an unknown type and can't be used on the system. A drive from a non-Windows system might display this status. | If the disk is from another operating system, don't do anything. You can't use the drive on the computer, so try a different drive. |
| Not Initialized | The disk doesn't have a valid signature. A drive from a non-Windows system might display this status. | If the disk is from another operating system, don't do anything. You can't use the drive on the computer, so try a different drive. To prepare the disk for use on Windows Vista, right-click the disk and choose Initialize Disk. |
| No Media | No media has been inserted into the CD-ROM or removable drive, or the media has been removed. Only CD-ROM and removable disk types display this status. | Insert a CD-ROM, a floppy disk, or a removable disk to bring the disk online. With FireWire/USB card readers, this status is usually but not always displayed when the card is removed. |
Table 9-2 lists status messages you might see for volumes. You'll also find a diagnosis and suggested corrective action in the Resolution column.
Table 9-2: Understanding and Resolving Volume Status Issues

| Status | Description | Resolution |
| --- | --- | --- |
| Failed | An error disk status. The disk is inaccessible or damaged. | Ensure that the related dynamic disk is online, and, as necessary, right-click the disk and choose Reactivate Disk. Right-click the volume and choose Reactivate Volume. For a basic disk, you might need to check the disk for a faulty connection. |
| Formatting | A temporary status that indicates the volume is being formatted. | The progress of the formatting is indicated as the percent complete, unless the Perform A Quick Format option was chosen. |
| Healthy | The normal volume status. | The volume doesn't have any known problems. You don't need to take any corrective action. |
| Healthy (At Risk) | Windows had problems reading from or writing to the physical disk on which the dynamic volume is located. This status appears when Windows encounters errors. | Right-click the disk and choose Reactivate Disk. If the disk continues to have this status or has this status periodically, the disk might be failing and you should back up all data on the disk. |
| Healthy (Unknown Partition) | Windows does not recognize the partition. This can occur because the partition is from a different operating system or is a manufacturer-created partition used to store system files. | No corrective action is necessary. |
| Initializing | A temporary status that indicates the disk is being initialized. | The drive status should change after a few seconds. |
| Unknown | The volume cannot be accessed. It might have a corrupted boot sector. | The volume might have a boot sector virus. Check it with an up-to-date antivirus program. If no virus is found, boot from the Windows Vista CD-ROM and use the Recovery Console FIXMBR command to fix the master boot record. |
Chapter 10: Managing File Security and Resource Sharing
Whether you are using Microsoft Windows Vista in a domain or a workgroup, few aspects of the operating system are more important than file security and sharing. File security and file sharing are so interconnected that it is hard to talk about one without talking about the other. File security protects important data on your systems by restricting access as appropriate. File sharing enables you to share data so that it can be accessed by other users.
File Security and Sharing Options
For all computers running Windows Vista, two factors control your file security and sharing options: disk format and computer settings. The format of the local disk that you are working with determines the file security options that are available. Local disks can be formatted as file allocation table (FAT; FAT16/FAT32) or NT file system (NTFS). The security options on FAT and NTFS volumes differ greatly.
FAT With FAT, you have very limited control over file access. Files can be marked only as read-only, hidden, or system. Although these flags can be set on files and folders, anyone with access to the FAT volume can override or change these settings. This means there are no safeguards for file access or deletion. Any user can access or delete any file without restriction.
NTFS With NTFS, you can control access to files and folders by assigning permissions that specifically allow or deny access. Permissions can be set for individual users and for groups of users. This gives you very granular control over file and folder access. For example, you could specify that users in the Sales Managers group have full control over a folder and its files, but users in the Sales Reps group have no access to the folder whatsoever.
Unlike earlier Windows releases, Windows Vista enables you to share individual files as well as folders and all their contents. The settings on a computer determine the way files can be shared. Windows Vista supports two file-sharing models:
Standard (in-place) file sharing Enables you to share files from any folder on your computer. Two sets of permissions are used to determine who has access to shared files: access permissions (discussed in the "Controlling Access to Files and Folders with NTFS Permissions" section of this chapter) and share permissions (discussed in the "Sharing Files and Folders over the Network" section of this chapter). Share permissions and access permissions together enable you to control who has access to shared files and the level of access assigned. You do not need to move the files you are sharing.
Public folder sharing Enables you to share files from a computer's %SystemDrive%\Users\Public folder. Access permissions on the Public folder determine which users and groups have access to publicly shared files as well as what level of access those users and groups have. When you copy or move files to the Public folder, access permissions are changed to match that of the Public folder. Some additional permissions are added as well. For more information, see the "Using and Configuring Public Folder Sharing" section in this chapter.
Security
With standard file sharing, local users don't have automatic access to any data stored on a computer. Local access to files and folders is fully controlled by the security settings on the local disk. If a local disk is formatted with FAT, you can use the read-only, system, or hidden flags to help protect files and folders, but you cannot restrict access. If a local disk is formatted with NTFS, you can control access by allowing or denying access to individual users and groups of users.
With public file sharing, files copied or moved to the Public folder are available to anyone who logs on locally regardless of whether he or she has a standard user account or an administrator user account on the computer. Network access can be granted to the Public folder. Doing so, however, makes the Public folder and its contents open to everyone who can access the computer over the network.
Unlike Windows XP, where only one sharing model can be used at a time, Windows Vista computers can use either or both sharing models at any time. The key restriction on how sharing can be used comes from the Prevent Users From Sharing Files Within Their Profiles setting in Group Policy. This setting, found under User Configuration\Administrative Templates\Windows Components\Network Sharing, controls whether sharing is allowed within any folders associated with user profiles and primarily the %SystemDrive%\Users folder. Keep the following in mind when working with the Prevent Users From Sharing Files Within Their Profiles setting:
When this setting is Not Configured, the default state, users are allowed to share files within their profile with other users on their network, provided that a user with administrator privileges on the computer opts in for file sharing. To opt in for file sharing, all an administrator has to do is share a file within his or her profile.
When this setting is Enabled, users cannot share files within their profile using the Sharing Wizard, and the Sharing Wizard will not create shares within the %SystemDrive%\Users folder.
When this setting is Disabled, as might be necessary to override an inherited Enabled setting, users are allowed to share files within their profile with other users on their network, provided that a user with administrator privileges on the computer opts in for file sharing. To opt in for file sharing, all an administrator has to do is share a file within his or her profile.
To configure the Prevent Users From Sharing Files Within Their Profiles setting in Group Policy, follow these steps:
Access Group Policy for the system, site, domain, or organizational unit (OU) you want to work with. Next, access the Network Sharing node through User Configuration\Administrative Templates\Windows Components\Network Sharing.
Double-click Prevent Users From Sharing Files Within Their Profiles. This opens a Properties dialog box, as shown in Figure 10-1.
Figure 10-1: Use Group Policy to configure file sharing from within user profiles.
On the Setting tab, select Not Configured, Enabled, or Disabled as appropriate and then click OK.
Although it is tempting to use public file sharing, most organizations—even small businesses—should encourage the use of standard file sharing for all company files and data. Simply put, standard file sharing offers more security and better protection, and, rather than opening the floodgates to data, closes the doors and blocks access appropriately. Increasing security is essential to protecting one of the most valuable assets of any organization—its data.
Share permissions are only used when a user attempts to access a file or folder from a different computer on the network, whereas access permissions are always used whether the user is logged on to the console or using a remote system to access the file or folder over the network. When data is accessed remotely, first the share permissions are applied, and then the access permissions are applied.
In many ways, this means file access permissions and standard file sharing permissions are like wrappers around your data. File access permissions, the first wrapper, protect your data with regard to local access. If a user logs on to a system locally, file access permissions can allow or deny access to files and folders. File sharing permissions, the second wrapper, are used when you want to allow remote access. If a user accesses data remotely, file sharing permissions allow or deny initial access, but because your data is also wrapped in a file security blanket, the user must also successfully pass the file access permissions before working with files and folders.
Controlling Access to Files and Folders with NTFS Permissions
NTFS permissions are always evaluated when a file is accessed. NTFS permissions are fairly complex, and to understand their management, you need to understand the following:
Basic permissions What the basic permissions are and how they are used
Special permissions What the special permissions are and how they are used
Ownership What is meant by file ownership and how file ownership is used
Inheritance What is meant by inheritance and how inheritance is used
Effective permissions How to determine the effective permissions on files
Understanding and Using the Basic Permissions
In Windows Vista, the owner of a file or a folder has the right to allow or deny access to that resource, as do members of the Administrators group and other authorized users. Using Windows Explorer, you can view the currently assigned basic permissions by right-clicking a file or a folder, selecting Properties on the shortcut menu, and then selecting the Security tab in the Properties dialog box.
As shown in Figure 10-2, the Group Or User Names list shows all the users and groups with permissions set for the selected resource. If you select a user or a group in this list, the assigned permissions are shown in the Permissions For list. If permissions are shaded (unavailable), as shown in the figure, it means they have been inherited from a parent folder. Inheritance is covered in detail in the "Applying Permissions Through Inheritance" section of this chapter.
Figure 10-2: The Security tab shows the currently assigned basic permissions.
Working with and Setting Basic Permissions
All permissions are stored in the file system as part of the access control list (ACL) assigned to a file or a folder. As described in Table 10-1, six basic permissions are used with folders and five are also used with files. Although some permissions are inherited based on permissions of a parent folder, all permissions are defined explicitly at some level of the file system hierarchy.
Table 10-1: Basic File and Folder Permissions

| Permission | Description |
| --- | --- |
| Full Control | Grants the user or group full control over the selected file or folder and permits reading, writing, changing, and deleting files and subfolders. A user with Full Control over a folder can change permissions, delete files in the folder regardless of the permission on the files, and can also take ownership of a folder or a file. Selecting this permission selects all the other permissions as well. |
| Modify | Allows the user or group to read, write, change, and delete files. A user with Modify permission can also create files and subfolders but cannot take ownership of files. Selecting this permission selects all the permissions below it. |
| Read & Execute | Permits viewing and listing files and subfolders as well as executing files. If applied to a folder, this permission is inherited by all files and subfolders within the folder. Selecting this permission selects the List Folder Contents and Read permissions as well. |
| List Folder Contents (folders only) | Similar to the Read & Execute permission but available only for folders. Permits viewing and listing files and subfolders as well as executing files. Unlike Read & Execute, this permission is inherited only by subfolders but not by files within the folder or subfolders. |
| Read | Allows the user or group to view and list the contents of a folder. A user with this permission can view file attributes, read permissions, and synchronize files. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. |
| Write | Allows the user or group to create new files and write data to existing files. A user with this permission can also view file attributes, read permissions, and synchronize files. Giving a user permission to write to but not delete a file or a folder doesn't prevent the user from deleting the folder or file's contents. |
Equally as important as the basic permissions are the users and groups to which you assign those permissions. If a user or a group whose permissions you want to assign is already selected in the Group Or User Names list on the Security tab, you can modify the assigned permissions using the Allow and Deny columns in the Permissions For list. Select check boxes in the Allow column to add permissions, or clear check boxes to remove permissions.
To expressly forbid a user or a group from using a permission, select the appropriate check boxes in the Deny column. Because denied permissions have precedence over other permissions, Deny is useful in two specific scenarios:
If a user is a member of a group that has been granted a permission, you don't want the user to have the permission, and you don't want to or can't remove the user from the group, you can override the inherited permission by denying that specific user the right to use the permission.
If a permission is inherited from a parent folder and you'd rather a user or a group not have the inherited permission, you can override the allowed permissions (in most cases) by expressly denying the user or group the use of the permissions.
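The two "wrappers" described earlier (share permissions applied first for network access, then NTFS access permissions), the precedence of Deny over Allow, and the way each basic permission implies the ones below it in Table 10-1 can be modelled in a few lines. This is an added illustration, not code from the book or from Windows; the share-level mapping, the principal names, and both ACLs are constructed assumptions.

```python
from dataclasses import dataclass

# What each basic NTFS permission implies (the Table 10-1 ordering).
IMPLIES = {
    "Full Control": {"Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Modify": {"Read & Execute", "List Folder Contents", "Read", "Write"},
    "Read & Execute": {"List Folder Contents", "Read"},
    "List Folder Contents": set(), "Read": set(), "Write": set(),
}
# Assumed mapping: the NTFS rights each share permission level lets through.
SHARE_LEVEL = {
    "Read": {"Read & Execute", "List Folder Contents", "Read"},
    "Change": {"Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Full Control": set(IMPLIES),
}

@dataclass
class Ace:
    principal: str      # user or group the entry applies to
    rights: set         # basic permissions (NTFS ACL) or levels (share ACL)
    deny: bool = False  # Deny entries take precedence over Allow entries

def expand(perms):
    """Close a set of basic permissions under IMPLIES."""
    return set(perms).union(*(IMPLIES[p] for p in perms))

def share_rights(levels):
    return set().union(*(SHARE_LEVEL[level] for level in levels))

def evaluate(acl, principals, perm, rights_of):
    """Deny-first check: a matching Deny that touches any needed right refuses
    access; otherwise matching Allow entries must cover every needed right."""
    needed = expand({perm})
    allowed = set()
    for ace in acl:
        if ace.principal not in principals:
            continue
        rights = rights_of(ace.rights)
        if ace.deny and rights & needed:
            return False
        if not ace.deny:
            allowed |= rights
    return needed <= allowed

def effective_access(ntfs_acl, share_acl, principals, perm, remote):
    """Local logon: NTFS only. Over the network: share wrapper, then NTFS."""
    if remote and not evaluate(share_acl, principals, perm, share_rights):
        return False
    return evaluate(ntfs_acl, principals, perm, expand)

# Constructed sample: a Sales folder shared as Sales$ (names are made up).
NTFS_ACL = [Ace("Sales Managers", {"Full Control"}), Ace("Sales Reps", {"Read & Execute"}),
            Ace("bob", {"Read"}, deny=True)]  # bob is a rep but is expressly denied Read
SHARE_ACL = [Ace("Everyone", {"Read"}), Ace("Sales Managers", {"Change"})]
```

With this data a Sales Manager has Full Control at the console but only Change-level rights over the network, a rep can read but not write, and bob's explicit Deny on Read also blocks Read & Execute, since that request needs the Read right.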