NTFS Security Not Transferred When Copying Files

When copying files from one server to another, the NTFS security ACLs on them are not transferred, and the files inherit the permissions of the destination folder.  If the permissions are simple, and set at just one level at the top of the folder hierarchy, it’s not a big deal to just set them again manually.  But if you have multiple folder levels of settings that may or may not be the same, or if you have particularly sensitive data and you want to be sure the security of that data is maintained, here is what you can do.

1. Transfer the files over using whatever file copy utility you like.  I like RichCopy, which is just a nice GUI front-end to robocopy.

2. Even though you have avoided using the command line for the transfer itself, you are still going to have to use it now to get the file/folder security settings moved over.  For each folder that you transferred using RichCopy, run the following command from the source server:

robocopy "X:\sharedfolder" "\\servername\newshare"  /E /COPYALL /SEC /XC /XN /XO /R:1 /W:0

The "/XC /XN /XO" part of the command excludes changed, newer, and older files, so files that were already transferred are not copied over again.  The "/E /COPYALL /SEC" switches actually re-sync all the security settings for all the files/folders, so they end up matching the security that is set on the source.

(Robocopy is part of the Server 2003 Resource Kit)
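
To confirm that the security settings really do match after the robocopy pass, the check below compares the owner and DACL of every file and folder on both sides. It is an added example, not part of the original post: it assumes PowerShell 3.0 or later, reuses the placeholder paths from the command above, and the function name Compare-TreeAcl is hypothetical.

```powershell
# Added example: report files/folders whose owner or DACL differs between trees.
# Default paths are the placeholders from the robocopy command, not real locations.
param(
    [string]$Source      = 'X:\sharedfolder',
    [string]$Destination = '\\servername\newshare'
)

function Compare-TreeAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination
    )
    $srcRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
    $dstRoot = $Destination.TrimEnd('\')

    # The top folder itself, then everything beneath it (hidden/system included).
    $items = @(Get-Item -LiteralPath $srcRoot) +
             @(Get-ChildItem -LiteralPath $srcRoot -Recurse -Force)

    foreach ($item in $items) {
        $relative = $item.FullName.Substring($srcRoot.Length)
        $dstPath  = $dstRoot + $relative

        if (-not (Test-Path -LiteralPath $dstPath)) {
            [pscustomobject]@{ Path = $relative; Issue = 'MissingAtDestination' }
            continue
        }
        $src = Get-Acl -LiteralPath $item.FullName
        $dst = Get-Acl -LiteralPath $dstPath

        # SDDL compares SIDs rather than display names, so accounts that do not
        # resolve to a name on one of the servers are still compared correctly.
        foreach ($section in 'Owner', 'Access') {
            $a = $src.GetSecurityDescriptorSddlForm($section)
            $b = $dst.GetSecurityDescriptorSddlForm($section)
            if ($a -ne $b) {
                [pscustomobject]@{ Path = $relative; Issue = "$section differs" }
            }
        }
    }
}

# No output means every item exists on both sides with identical owner and DACL.
Compare-TreeAcl -Source $Source -Destination $Destination | Format-Table -AutoSize
```

A difference reported only on the top folder can come from ACEs inherited from the destination's parent folder rather than from the copy itself.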

Posted via email from Aaron Johnstone

Configure Cisco ASA remote access VPN to use RADIUS

This article will help with setting up a Cisco ASA 5500-series firewall to use RADIUS to query a Microsoft Windows Active Directory domain controller to authenticate users who are connecting with the Cisco VPN client.

1. Install the Internet Authentication Service (IAS) Windows component

2. Open the IAS console

3. Add the Cisco ASA as a RADIUS client

4. Edit the remote access policy in the IAS console as needed; enable “Unencrypted authentication (PAP, SPAP)” on the Authentication tab of the profile

5. Connect to your ASA (assuming you are using the ASDM)

6. Go to the Properties tab, then to AAA Setup → AAA Server Groups

7. Create new server group

8. Add a server to the group

9. Test the authentication

10. Go into your VPN settings on the ASA (General → Tunnel Group → properties of the remote access VPN)

11. Go to the General → Authentication tab and change the Authentication Server Group property to the new AAA Server Group that you just created

12. Check the box to enable LOCAL authentication if the server group fails

13. Test it with an Active Directory user account from outside using the Cisco VPN client

How to create a DFS replica in Server 2000

When you are creating a DFS replica of a shared folder to a new location:

Create a shared folder on the destination server

Right-click on the share in the DFS management tool and choose Add Replica…

Select the shared folder you just created

Configure the replication to happen automatically.

After you have created the replica, right-click on the new replica and TAKE IT OFFLINE until the replication has completed.  This is the most important step.  If you leave it online, users can and will get directed to the new location, which will appear to be missing files/folders.

Once you are satisfied that the replication is complete (i.e. the size of the folder on both servers and the number of files and folders match), then you can bring the new replica online.

Posted via email from Aaron Johnstone