Virtual International Authority File

From Wikipedia, the free encyclopedia

Acronym: VIAF
Introduced: August 6, 2003
Managing organisation: OCLC
Example: 106965171
Website: viaf.org

The Virtual International Authority File (VIAF) is an international authority file. It is a joint project of several national libraries and operated by the Online Computer Library Center (OCLC).[1]

YouTube Encyclopedic

  • Windows File Server
  • Creating and Using File Plans
  • Canada Lecture: The Demographic Profile of First Nations in Canada
  • Watch how to recover deleted files after asteroid apocalypse
  • Remove United States Courts Virus Step by Step

Transcription

In this section I will look at how to configure a file server. Pretty much in any environment that you are using Windows Server 2008 in you are going to need a file server. This may be anything from basic file sharing to advanced enterprise wide solutions. Firstly I will look at NTFS file permissions. NTFS file permissions provide basic security for your files. They decide who has access and who does not. Windows offers a lot of features with file permissions including easy administration through the use of groups. Next I will look at file sharing permissions. File share permissions determine what a user can and can’t do when they are connected to a share. When combined with NTFS permissions it is important to understand what access the end user will get. With Windows Server 2008 comes a new role called the file server role. The file server role adds a lot of new features to your file server. Without the role you can perform a lot of basic file sharing, but having the role installed makes administration of your server a lot easier. Next I will look at offline files. Offline files allow your users to access files from the network while they are not connected to the network. This is a really useful feature for network users. Finally I will look at encryption. Encryption allows your users to scramble any file on your hard disk making it impossible for a 3rd party to use. If you decide to use encryption you should consider using a data recovery agent. A data recovery agent allows you to decrypt your users’ files in case of an emergency. When you format your hard drive with NTFS you get access to a lot of features including file permissions. NTFS file permissions determine what level of access your users have to your files and folders. Before you can see any files in a directory you need to have permission to list folder contents. Having this permission does not mean that you have access to any files or folders under that directory.
Having list folder contents permission means that you can only view what files and folders are under that folder. If you want your users to be able to access files or folders you need to change their permission level to read. The level of read permission, as the name suggests allows the user to read a file and its contents. If the file is an executable you will need to set the file permissions to the next permission level read and execute. If the file is an executable this setting allows the user to execute the file. In order to write to the file, you need the write permission. Having the write permission only gives you access to write to a file and thus does not give you the read permission. It also does not give you delete permission. It may seem strange to isolate permissions like these, but in the real world you may need to set up unusual permissions for special needs. For example, just say you wanted to set up an electronic suggestions box. You want people to be able to add their suggestions to the suggestion box but once they are added you do not want them removed. This would be the same as a real life suggestion box, drop box or ballot box with a padlock on it. The user only has access to write, but cannot read anything that they have submitted. They however can keep writing to anything they have write access to. The next permission is modify. The modify permission includes all of the above permissions and the ability to delete. The last of the general permissions is full control. Full control allows you to do everything listed above and also allows you to change permissions. In most cases the permissions listed should suit your needs. When you look at permissions in more detail, you will find that the permissions listed here are actually a subset of what Microsoft calls special permissions. When you set special permissions, this allows you more granular control over your permissions. 
If you look at the read permission list above, you will see there are actually four special permissions. These are, read data, read attributes, read extended attributes and read permissions. With special permissions you could give a user write access to a file but remove the ability for the user to change the attributes of that file which you can do with the standard write permission. In most cases the standard permissions will suit your needs. The NTFS file system supports inheritance. Inheritance means that permissions from the folder above are inherited by the folders below. As shown in this example, all the folders below the root folder will inherit the permissions from the folder above. I’m also free to add additional permissions. For example I could add the write permission to this folder giving everyone read and write access to that folder or even add specific groups or users. If you need to, you can block inheritance and assign your own permissions. When you choose to disable inheritance, you can either copy the existing permissions or start afresh. When you start working with permissions you undoubtedly will also be working with multiple groups. With the NTFS file system, permissions are always accumulative. If a user was a member of multiple groups, like in this example a member of three different groups, the combined permissions for the user would be modify. In simple terms, Windows goes through the access list until it finds an allow permission. If Windows finds a deny permission, the user is denied access. In other words, deny always wins. To achieve this, Windows always sorts access lists so that the deny permission comes first. This will be done completely transparent to the user, as an administrator you simply have to remember deny always wins. Even though the deny permission is available, you should be hesitant to use it. Consider this example. You have a folder that the sales and marketing groups need access to.
The sales group needs to be able to make changes to files while the marketing group only needs to read the files. Later on it is decided that the marketing group no longer needs access. In order to achieve this, you change the allow permission to deny. This creates a problem. There are some users that are members of both the sales and marketing group. Those that are members of the sales group have been denied access to the files. In this scenario, it is best to simply just remove the access. Removing access for the marketing group means that the marketing group will no longer have access. Any user that is a member of both groups will still have access. You can see from this example that in most cases you can achieve the same result without having to use the deny permission. If the administrator was a member of a group that has the deny permission set you could potentially block the administrator from accessing the file. To accommodate this, Windows allows the owner to change permissions. The owner is determined by who originally created the file or folder. Having said this, administrators can take ownership without requiring permissions. Once the administrator takes ownership, they can assign whatever permission to the file that they wish. Since the owner can change permissions on a file, it is always a good idea to give users modify or change access where possible. This prevents the user from being able to change the permissions of the file and locking themselves out of the file or locking the administrator out. To understand NTFS Permissions better, I will now go to my Windows Server 2008 R2 computer. First of all, I will open Windows Explorer and go to my D Drive and create a folder called NTFS demo. In this folder I will create a file called demo file. If I go to the properties of the file and then select the security tab, you will notice down the bottom all the NTFS permissions that I talked about earlier. You will also notice that I cannot edit any of them.
To edit the permissions I need to press the edit button. You can see the permissions are in grey and cannot be changed. This is because the permissions are inherited. From the dialog however I could add deny permissions if I wanted to. I can’t change the inherited permissions from this dialog, however I can add additional users or groups. For example I could add everyone and allocate permissions to it. So you can see, when permissions are inherited you can add deny existing permissions if they don’t already exist or add additional permissions, however from this dialog you cannot change the inherited permissions. If I cancel out of here, if you want to make additional changes, you can press the button advanced. From here you can see the current list of permissions and if they are inherited or not. To make changes I need to press the button change permissions. On this screen I can determine whether I want to inherit permissions or not. If I deselect the tick box, include inheritable permissions from this object’s parent, permissions will no longer be inherited. I will now be given the option to either add or remove the permissions. Pressing remove will effectively remove all inherited permissions from the file. If I press the add button, this effectively copies the existing inherited permissions. You can see now that the existing permissions have been kept but are no longer being inherited from the parent. In some versions of Windows the previous dialog will have copy instead of add. Effectively what the dialog is doing is adding the inherited permissions to whatever permissions are already set on the file. If I press the edit button, you can see a comprehensive list of all the permissions. The 4 permissions that are currently selected map to read and execute permissions on the previous screen. If I wanted to give the user delete access to the file but did not want to give them write access, I could select the permission delete.
If I go back to the previous screen, you will notice that the permission has changed to special. If I now exit out of this dialogue and select the tab effective permissions. I can enter in a user and clearly find out what permissions a user or group has. For example, just say you are entering the local users group, you can now see what access the local users group has. This is a good tool for troubleshooting. If I select the tab owner you can see who currently is the owner of this file. Remember, whoever is the owner can change the permissions of the file to whatever they like. If I press the button edit, I can change the owner of the file. If I select other users or groups, I can change the owner to one that is not listed for example the system user. That about covers it for file level security, if I now cancel out and go back to my D drive and select properties for the folder NTFS demo. If I select the security tab and go back into the advanced options, press edit and then edit the permissions for one of the entries in the access list. You will notice that at the top I can set inheritance. This can be anything from no inheritance, to inherit down to files in that folder all the way down to all subfolders and files. If I go back to the previous screen, you will also notice an option replace all child objects permissions with inheritable permissions from the object. What this effectively means is, the files and folders under this folder will be reset. If I go into the owners tab and press edit, you will notice a similar option, replace owner on sub containers and objects. This is very useful for troubleshooting. If you have trouble accessing files and folders, doing a mass owner replacement, followed by resetting the NTFS permissions will allow you to access all files and folders under this folder. That wraps it up for NTFS permissions. After you configure your NTFS permissions you may decide that you want to share the folder.
You need to determine what permissions that share folder will have. There are three basic permissions that you can assign to any shared folder. Depending on what version of Windows you are running will determine what these shared permissions are called. The classic permissions are, read, change and full control. The read permission essentially means you only have read access to the shared folder. The change permission means you can read and write to files and folders on the share. Full control means you can read and write as well as change permissions and take ownership of files. Having said this, when you combine NTFS and share permissions together, the most restrictive permission is used. You may have full control to the share, but if the NTFS permissions are set to read, you still will not be able to write to the file. The reverse also applies. If the file share is set to read and the files to full control, the user will only have read access to the file. Just remember, most restrictive permission always applies. In some of the dialog boxes and wizards in Windows Server 2008 R2, Microsoft has changed these share permissions to the following. Read, read/write and owner. These essentially are mapped to the classic permissions of read, change and full control. If you’re using Windows Server 2008, these permissions may appear as, reader, contributor or co-owner. Regardless of what Microsoft decides to call these, they still perform the same function. Now let’s have a look at how to share folders in Windows. To share a folder by using simple file sharing, open Windows Explorer, select the folder you want to share, right-click on it and select properties. To share the folder, press the button share. From here I can decide which user I want to have access to the file share, for example I can add everyone if I wanted everyone to have access. Notice that everyone has now been added with the permission level of read.
If I have a closer look at the permissions, you can see that administrators have the permissions set as owner. This is basically the same as full control. For any other user I can set the permissions to read or read and write. On Windows Server 2008 this permission level would be called reader, contributor and co-owner. Once I press share, the share will be created. On the last screen you can see the UNC path of the share that has been created. If I now complete the wizard, I can select the option advanced sharing. In advanced sharing I can perform additional customizations like adding additional share names to this folder by pressing the add button. I could also limit the number of users that can access the share. In the comments section, I can add a description for the share making it easier for users to work out what data is stored in a share. If I select the button permissions, I can change the share permissions for that share. Note on this particular dialog, the permissions are referred to as the classic names, full control, change and read. Those familiar with previous Windows operating systems will be familiar with these share permissions. The file server role in Windows Server 2008 gives you additional features for your file server and also includes additional administration options. The file server role includes additional options in server manager to manage your file shares. You could of course do some of the administration through Windows explorer, but the file server role has additional features like the ability to generate reports. The reporting tool allows you to work out how much hard drive space on your server is being used by what. You will find the reports really useful if you decide to install quotas. Quotas are part of the file server role. I won’t talk too much about them now as I will go into more detail about them in a later video. The file server role also includes a feature called file screening.
File screening allows you to block certain files from being copied onto your file shares. For example you could block users from saving mp3 files to the file server. With Windows Server 2008 R2 comes a new feature called file classification. File classification allows you to apply certain actions to certain files. For example, based on the file content Windows can automatically decide where to store the file. For example, the file could be stored on a more expensive SAN or if the file was considered less valuable stored on a less reliable form of storage. For example you may want to store backup files on storage that is not fault tolerant while it is being transferred to tape. If the storage was to fail the backup files could be re-created. Your mission critical files would be stored on your SAN. Now let’s have a look at how to use the file server role. To install the file services role, launch server manager, select roles from the left-hand side and then select add roles from the right-hand side. The file server component is part of the file services role. Once I select file services and move on, I will be presented with all the components of the file services role. Notice on this screen there are a lot of different components that are part of the file server role. For basic Windows file sharing you only need to select file server. The Distributed file system I will cover in a later video. File Server Resource Manager is used with quotas. I will cover quotas in a later video. Services for network file systems, better known as NFS, is a file sharing system used by alternative operating systems, usually Unix based systems. Windows search service is used by Windows to create a catalog of all the files stored on a server. By using this catalog Windows can perform user searches a lot faster. Windows Server 2003 file services have compatibility options so looking at files it is possible if Windows Server 2003 is used on your network.
The last option branch cache for network files is a new feature in Windows Server 2008 R2 and Windows 7. Branch cache for network files is a system that transfers files over a WAN and caches them on the local computer. The system allows for compression and encryption over your WAN network. When used on your network, Branch Cache will cache files on the local network server, thus preventing them from being copied over the network by multiple client computers. For file sharing I only need the file server component so I can select only that component and proceed straight to the end of the wizard. The wizard usually takes a couple of minutes to install the role but I have accelerated time to the end so we don’t have to wait. If I now go into server manager you will see that a new section has been added called share and storage management. You will notice that in the middle I have a list of all the shares that are currently created. If I right click on share and storage management I can select the option provision share. Provision share gives you a lot more options than the advanced option of file sharing in Windows explorer. You can see at the bottom the wizard tells you if shadow copies are being used, if indexing is set up and if the folder is on a high availability cluster. This wizard is aimed at administrators who have a complex environment. If you just want simple file sharing, you can use Windows explorer based file sharing to set up your file sharing. On this screen you can change the NTFS permissions for the folder by selecting the edit permissions button. Of course you could always change the permissions at any time using Windows explorer. In this case I will leave the permissions as they are and move on. On this screen you can select how you want to share the folder. SMB or server message blocks simply means using Windows file sharing to share the folder. Also I can change the share name here so it is different from the folder name.
You will also notice the section below currently grayed out relating to NFS. If you have Unix based clients connecting to your server, you may need to enable this setting. On the SMB settings screen, I can enter in a description for the file share if I wish. The rest of the options are available by pressing the advanced button. In the advanced screen I can select the number of users that are allowed to connect to this share. With the speed of computers and networking nowadays, you will find it rare that you will need to enable such an option but it is there if you need it. The option enable access based enumeration means that if the user does not have access to a folder it will not be displayed. This is a good option to have on if you have a users folder shared out with hundreds of users home directories on it. With enumeration switched on, the users will not see all the other user home directories that they do not have access to. Moving on to the next screen, I can now set the SMB permissions. Notice the default permission gives everyone read only access. This includes the administrator. In most cases this probably won’t be what you want, but I guess Microsoft makes this the default to try to keep the system as safe as possible. The next option gives administrators full control while giving the other users read access. If I was creating a read only share I would select this option so I can still make changes as an administrator if I needed to. The next option gives administrators full control and regular users the ability to read and write. This would be the option you would most likely select to create a general share for your users. The last option allows you to set custom permissions. In this case I will select the third option as I want all users to be able to write to the folder and give administrators full control. On the following screen, you can configure DFS options. I will cover DFS in a later video so I will skip this section. 
On this screen you can review your options you have selected before continuing and creating the share. Once the share is created, I can press close and be taken back into server manager. Offline files allow clients to work with an offline copy of a file. It does this by saving a local cached copy from the network share. Any changes to these files are synchronized to the server. If you have used offline files before in Windows XP, you may remember the system as a simple system that allows you to access files when not connected to the network and then syncs the changes back again when you reconnect. Offline files are very noticeable to the user and not very transparent. Offline files in Windows Server 2008 allow users to choose files to make available offline. You have the option to disconnect from the server at any time and run off the local copy. Windows will take care of keeping the offline file up to date and also copy any changes back to the network. Synchronizing will also keep track of any files that have been deleted. If the file is deleted in the offline copy or the network copy, when a sync is performed, the other copy will also be deleted. Synchronization for offline files is now performed by the sync center. This is the same software that can sync your music files to your iPod, your address book to your PDA or cell phone. This makes it a little less confusing for the end user and also places all synchronization tasks in the same place. Offline files are also good for slow links. Windows will detect a slow link like a dial up or VPN connection and change to the offline copy. With offline files you can also choose when to perform a synchronization. Lastly offline files now support branch Cache. Branch cache is a new feature in Windows server 2000 R2 and Windows 7. Branch cache allows files to be cached between sites separated by a WAN link.
If for example you have two users accessing the same file over a WAN link from a network share, Branch Cache will keep a cache copy of the file on the local server. When the second user attempts to access the file, the file will be retrieved from the server’s cache rather than from the network. Branch Cache also offers improvements to copying files over the network. It supports SMB, HTTP, HTTPS and IPsec. When transferring data over the network it can be compressed and encrypted and use a protocol that may already be allowed through your firewalls. Let’s have a look at how to configure and use offline files. Before I start looking at off-line files, I will first install the component branch Cache for network files as it adds some features to off-line files. To do this, run server manager and then expand down to file services. Since the file services role is already installed, I need to add the branch cache component by scrolling down and selecting add role services. From here I can select the component branch cache for network files. The install is quite a simple one and does not take long to complete. Once it’s completed I will close server manager and open Windows Explorer. From here, I will select properties for the directory dep data and go into the sharing tab. Now access the options that relate to off-line files by selecting the button advanced sharing. Once I choose to share the folder, I am able to press the button cache. This will give you the options that relate to off-line files. In this dialog, the first option allows the end-user to decide which files they wish to make available off-line. If you are using branch cache for network files on your network, you can enable it here. The next option switches off off-line files. This means the user will not be able to make any files or folders from this share available off line.
When you have file shares that have a lot of data that is changed by multiple users, you will want to turn off off-line files to prevent replication conflicts. The second option makes all files that the user accesses available off line. The optimized for performance tick box only applies to operating systems before Windows Vista. When you tick this tick box, operating systems like Windows XP will automatically cache executables and other programs to make running them in the future a lot faster. In this case I will select the default option so I can manually set which files and folders I want to make available off-line and also enable branch cache. Before I share the folder, I need to make sure the permissions are set correctly. If I select permissions you will see that everyone has read only access. For offline files to work the user must have at least change permissions. I will now exit out so the folder will be shared. Now that the folder is shared I will switch to my Windows 7 computer. To demonstrate off-line files, the first thing that I am going to do on my Windows 7 computer is map a shared drive. To do this, I will open Windows Explorer and then press the alt key to display the menu. From the menu, I will select tools and then select the option map network drive. In the path, enter in the location of the share that I created a moment ago. Once I’ve mapped the share drive, I can select it in Windows Explorer, right-click it and select - make available off-line. This will start the sync Center which will copy the files to the local hard drive. To open the sync Center, all I need to do is press the alt key and from the tools menu select open sync Center. The sync Center is responsible for replicating changes to or from the local computer to the network. If you want to change the settings for off-line files, select the option for sync center manage off-line files. The first option in off-line files allows you to disable off-line files completely.
The next option allows you to open the sync Center. To get to the settings we came through sync Center, however if you opened these settings from the control panel you may want to access the sync Center through this button. The last option, view your off-line files, when selected will show you all the off-line files that are currently cached on your local computer. You can see here that if I select mapped network drives, I can see all the files that have been cached from the drive that I just mapped. If I now close out of here and go back to my off-line file settings and select the tab disk usage. This will show us how much hard disk space off-line files is using. "All offline files" refers to the total amount of drive space being used for off-line files. Temporary files refers to temporary files that offline files need to operate. When you modify a file, this is usually placed in the temporary files until a file sync is done with the server. If you want to change the amount of space used by off-line files you can press the change limits button. As you can see this is based on a percentage of disk space. The last option allows you to delete temporary files. You should only use this option when troubleshooting and after being sure you have copied all your changes to the network. If I select the tab encryption, I can choose whether my off-line files will be encrypted. Encrypting off-line files will put some more load on your computer with the extra processing required to encrypt and decrypt files, but it does protect off-line files from being read by someone without your username and password. On the network tab, you can determine how often off-line files will check the connection to see if it is a slow connection. Since I’m currently directly connected to the network, the option is grayed out.
This option allows off-line files to test for a slow network connection and if one is detected, off-line files will switch to its local version rather than pulling the files over a slow link. You can set how often off-line files will check to see how slow the link is. If I now exit out of the settings, you can see in the sync center after I select the option refresh, my network drive has appeared. If I want to force a resynchronization, I can right click on the partnership and select sync offline files. I can also right-click on the partnership and select schedule for offline files. If I have multiple partnerships, I can configure different schedules for each partnership. Once I have chosen which partnership I want to make a schedule for, I can then decide if I want to perform a sync at certain times or when a particular event occurs. I can choose particular events such as logging on, when the computer is idle, when I lock my computer or even when I unlock my computer. If I select the bottom all options, I have some additional options. I can also stop the sync if the computer stops being idle or starts running off batteries. In this particular case, I will just select the option to sync when I logon. On the last screen I can set up the name for my new schedule. In recent years, Microsoft has made a lot of improvements to off-line files. If I go back to Windows Explorer and go into my mapped network drive. You will notice at the top of Windows Explorer I have the option to work off-line. This forces Windows to use the off-line copy, you can see down the bottom the status is now off line. If I now open one of my test documents and edit it, I am editing the off-line copy. Just for the sake of demonstrating off-line files, I will now switch back to my server and edit the file on the server. This means the copy on the server will be different to the copy stored in off-line files.
If I now switch back to my Windows 7 computer and then select the option work online, I can now connect back up to my file server. Notice also the option in Windows Explorer allowing me to sync up this folder at any time. I did not receive any feedback about the sync process, but if I go to the sys tray and select Sync Center I can get more information. You'll notice here that there was one synchronization conflict. This was caused by the file on the server and the local computer being different. If I select the option view sync conflicts, you can see all the synchronization conflicts. If I select the sync conflict and double-click it I can decide what to do. Firstly I can select keep this version. This will keep the version on the local computer and delete the one on the server. The second keep this version option will keep the version on the server. The last option allows you to keep both versions, if you are not sure which version you should keep you should select this option. Both files will then be available on the file share. You can then open either version. If for example you had a document in which two people had made changes to it, keeping both versions will allow you to open both versions at once, work out what changes were made, copy and paste the changes and then delete one of the versions. Microsoft have made a lot of improvements to offline files since it was first introduced in Windows XP. With the Sync Center you will find that offline files run in the background and in most cases will be transparent to the user. If you choose which files to make offline wisely you should not have too many replication conflicts. Home drives for example are a good choice to make available offline as the data is generally only changed by one user. Global drives that are used by many users may not be a good choice to make available offline. If your network drives contain files that are changed by many users often this can lead to many synchronization conflicts. 
Remember though, you can decide which files to make available offline and which ones to leave on the server. Choosing wisely may help reduce your replication conflicts. The Encrypting File System, or EFS, is a method of encrypting files and folders on your hard disk. You can use EFS to encrypt any file or folder on your hard disk. EFS protects your hard disk from offline attacks. An offline attack is when the hard disk is accessed when the operating system is not running. When this occurs an attacker can successfully bypass any NTFS permissions placed on the hard disk. An attacker could achieve this by booting your computer from a bootable CD or DVD or removing the hard disk and placing it in another computer. Once the hard disk is being accessed by another operating system the hacker can copy any file that they like. This is where EFS comes into play. If you encrypt your data, the hacker will not be able to read the data using an offline attack. With EFS you could encrypt all your documents and all your data files. If you are accessing documents regularly you want the encryption and decryption to be very fast. If EFS imposed too much of a performance penalty, it would not be usable for day-to-day activities. To make EFS fast, EFS uses a symmetric key. A symmetric key system uses one key for encryption and decryption. This has the advantage of making it very fast and a good choice for file systems. The problem with this system is, if you lose the key you will no longer be able to access your files. In order to ensure that you will be able to decrypt your files, you should back up your key, also the administrator should have access to the key. This potentially means multiple copies of the key need to be made and imposes a security risk. Anyone who obtains a copy of this key can decrypt all your encrypted files. To help protect your key, Windows uses asymmetric keys. Asymmetric keys means using a public and private key. 
Using the asymmetric key system allows the symmetric key to be encrypted. If a hacker was to obtain the encrypted symmetric key, they would not be able to use it to decrypt your files. To understand this process better consider this. You have an emergency access key that you place inside a locked box. This is common practice with lifts. You want the emergency access person to have access to the lift motor room, but it is impossible to give every lift technician a copy of the key. Each lift technician has a key which will open the locked box. This ensures that only authorized people have access and also protects the master key. Let’s have a look at how to encrypt files using EFS. In order to perform this encryption demo, I have logged in as the user John Doe. First of all, let’s have a look at what certificates are available for John Doe. To do this, run mmc from the start menu and add the certificates snap-in. This will show me all the certificates that I currently use for the user John Doe. If I expand into personal you'll notice that there are currently no certificates installed for John Doe. Once I start using EFS you will see that a certificate will be created for John Doe. I now open Windows Explorer and go to my D drive and then to the user home directories. You'll notice that John Doe has his own home directory with a folder called personal. In the personal folder there is a file called CV. If I want to encrypt this file, all I need to do is select the properties for that file, select the option advanced and then select the tick box encrypt contents to secure data. Notice also that if I compress contents to save disk space the file is no longer encrypted. With NTFS you can choose to compress or encrypt your files but you cannot do both. If I now apply the changes and exit out of the properties, I have a dialogue asking if I want to encrypt only this file or the full directory. 
If you select the option to encrypt the parent folder, the files currently in the folder will be encrypted and any new files that are added to that directory. You will notice now in Windows Explorer the file name has changed to a green color indicating that the file is encrypted. If I now go back into the certificates snap-in and perform a refresh, you will notice that a certificate has been created for John Doe that will be used with EFS. On the network I do not have a certificate authority, so you will notice that the certificate has been issued by John Doe. What this means is the certificate is what is called a self-signed certificate. Self-signed certificates are considered the weakest kinds of certificates because they are signed by the user or local computer and not by a trusted authority. If I scroll to the right, you can see the intended purpose of the certificate is for the encrypted file system or EFS. I now go back into Windows Explorer and open the properties for the file and select advanced. You will notice now that I can press the details button. You can list who has access to the file. At the top of the screen you have the user John Doe and at the bottom of the screen you can see that Windows has automatically created a recovery certificate. If I were to log in as the administrator for this domain, I would be able to use this recovery certificate to access the file. In a moment I will go into how to use the data recovery agent so don’t worry too much about it at the moment. Notice also the option backup keys. This allows me to export my keys for use on another computer or simply for backup purposes. It is important to back up your keys because if you lose them you will not be able to access your files. Remember also, if I was to delete this user the certificate would also be deleted with the user. Even if I created another user with the same name, I will not be able to access the encrypted files without the certificate. 
If I select the option add, I can add additional users who will be able to access this file. If I select the option find user and then add the CEO, you will notice I will get an error message saying that the certificate for the CEO could not be found. This is because you can only add users that have already used EFS. If I now do a Ctrl+Alt+Delete and switch to the CEO account and log in, once I am logged in I will be able to create a certificate that can be used with EFS. The simplest way to create a certificate is simply to encrypt a file using Windows Explorer as I just did with the user John Doe. However an alternative way is to open up a command prompt and run the command cipher with the /k switch. This will create a certificate that I can use with EFS. Once the certificate is created, I can log out the CEO. Once the CEO is logged out I can switch back to the user John Doe. Once I am logged back in as John Doe I can now cancel out of the add user screen and press add again to refresh it. You will notice now that I can add the CEO. The CEO and John Doe will now be able to access the encrypted file. Remember that with encrypted files, the key is what allows the user to access the file. Think of this key as a password. Without the key you can’t access the file. The certificates that you can see here for John Doe and the CEO only allow these accounts to access the key to decrypt the files. If the key is lost, for example the user account is deleted, the files will no longer be able to be accessed. To help prevent this from happening Windows has the data recovery agent. The data recovery agent put simply is a user or users that can read encrypted data files. The concepts behind EFS can be difficult to understand. To understand how EFS works with the recovery agent, let’s go through a pictorial representation of EFS from start to finish utilizing the data recovery agent. First of all you have your confidential file that you want to protect. 
In order to do this, the file is encrypted with a symmetric key. A symmetric key simply means the same key is used to encrypt as is to decrypt. You don’t want to lose the key and you want the key to be associated with the file so Windows stores the symmetric key in the file header. The problem occurs in that you want to safeguard this key. Anyone who gets access to this file can now access the key and decrypt the file. To safeguard the file you need to also safeguard the key. To do this, EFS uses public keys and private keys. In our previous example, John Doe has a public and private key. These were created when we first encrypted a file. If you had a certificate authority or CA on your network, the user would get their certificate from a CA. In order to safeguard the key, John Doe’s public key is used to encrypt the symmetric key. If a third party was now to get access to the file they would not be able to get the symmetric key without John Doe’s private key. If you decide to allow another user to access the file, for example the CEO, Windows would add another symmetric key to the file. The second copy of the symmetric key would also need to be encrypted by using the CEO’s public key. Once the key is encrypted, only the CEO’s private key can be used to access the symmetric key. This approach does present a problem if John Doe and the CEO left the company. If both their user accounts were to be deleted then access to the symmetric key would be lost, as their private keys attached to their user accounts would be lost too. To overcome this, a DRA or even multiple DRAs are created. In the header of the file, another copy of the symmetric key is created and encrypted with the public key of the DRA. The DRAs normally have access to all encrypted files in the network. Because of this, they normally are attached to an account that is only used in emergencies. In some companies, they may go even so far as to have half of the DRA password known by two separate people. 
Unless both people agree to enter in half the password, the DRA account cannot be used. Now that you understand EFS and the data recovery agent, let’s have a look at how to set up a DRA on your network. On my domain, I have created a user called DRA and logged onto a Windows 7 computer. To safeguard the keys used with the data recovery agent, companies will set up a specific computer that the DRA user will be used on. This computer will generally be secured and the files that need to be decrypted will be brought to that computer. This ensures that the decryption keys are secure. To create a certificate to be used with the data recovery agent, I need to open a command prompt and run the cipher command. You will notice that if I run the cipher command with the /? switch, this will list all the different options the cipher command has. Using the cipher command you can also decrypt and encrypt files, making it useful for use in batch files. To export a certificate for the DRA, use the command cipher with the /r switch. I will store the certificate on my Z drive which is mapped to a file share on one of my servers which I will be able to access later on. Once I enter in a password the certificate will be exported. Now that I have exported the certificate, I will switch to my domain controller to create a group policy for my domain for the data recovery agent. From my domain controller, I will open the start menu and then open group policy management. I want this DRA to affect every computer on my domain so I will edit the default domain policy. The settings for EFS are under computer settings, policies, Windows settings, security settings and finally public-key policies. You will see here the folder “encrypting file system”. You will also notice that a data recovery agent has already been created for the administrator account. 
If you want to add an additional data recovery agent, right-click on encrypting file system and select the option add data recovery agent. From the wizard, I can select the option browse folders and browse to the file share for that certificate that I exported earlier. Because this is a self-signed certificate, I will get an error message saying that Windows cannot verify the certificate is still valid. Notice also I have the option "browse directory". If I store the certificate in Active Directory, I could use this to find the certificate. Once I finish the wizard, the new data recovery agent will be added. If you want to change any options for EFS on your network, to access these you need to right-click encrypting file system and select properties. You'll notice that I can either enable or disable EFS. If you are not planning on using EFS you should disable it to stop users encrypting their files by mistake and then not being able to access the data. In this case I will leave it enabled. The option for Elliptic Curve Cryptography is a new feature for Windows Server 2008 R2 and Windows 7. The default will use it only when available otherwise it will use the older algorithms. Down the bottom you have some more options you can use to configure EFS. If I now close group policy, the new data recovery agent that I’ve just configured will be used on every computer in my domain. To demonstrate this, I will now switch back to my Windows 7 computer. The first thing that I will do is run gpupdate with the force switch to ensure that group policy has been updated on this computer. Once group policy has been updated, I will get a message asking me to reboot the computer. I don’t need to reboot the computer to demonstrate the group policy settings that I just configured. I now open Windows Explorer and browse to my documents. I can select the properties for my documents, go back into advanced and select the option to encrypt. 
When I exit out, I will accept the option to apply changes to this folder, subfolder and files. Once all the changes have been made and the files encrypted, if I now go back into the properties for my documents and select the advanced button, you will notice that the details button is grayed out. This illustrates an important fact about EFS. You can only add additional users to files. You cannot add additional users to folders. To find out if the data recovery agent has been added, I need to exit out of here and go into the properties for one of the files and then select advanced. You will notice now the details button is not grayed out and if selected, down the bottom my data recovery agent has been added. It does take a bit of work to add a data recovery agent, but it is better to take this time than risk not being able to access your files. In summary, remember when dealing with NTFS permissions, deny always wins and you should only use it when you really have to. In most cases, removing some of the permissions will achieve the same effect. If you cannot access a file, the owner can change the permissions. If you are the administrator, you can always take ownership and change the permissions. When you are using file sharing and NTFS together the most restrictive set of permissions wins. Even if you are a domain admin, if the share is set to read only, you won’t be able to make any changes. If you decide to use EFS, make sure that you back up your keys and keep them safe. You should consider setting up a DRA. I once had an end-user encrypt files in an attempt to make them safe. As a result he was the only one who could access these files. It was lucky that we discovered this otherwise he may have left the company and following company procedure we would have deleted his user account. Once this user account was deleted, all those files that he encrypted would not be accessible. 
The best thing to do if you don’t want your users to encrypt files is simply to switch EFS off. This prevents your users creating any files that you cannot access. If you want to make sure your network is secure, take some time to make sure your NTFS and share permissions are set correctly.
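
The file-header layout described in the transcript (one symmetric key, stored as a separately wrapped copy for each user and for the DRA) can be modelled in PowerShell. This is an added example, not part of the original transcript and not how NTFS lays data out on disk: the function names are hypothetical, the key pairs and file contents are constructed, and .NET's RSA and AES classes stand in for EFS.

```powershell
using namespace System.Security.Cryptography

# Constructed principals: each RSA key pair stands in for the EFS certificate
# (public half) and private key that Windows creates for a user on first use.
$privKeys = @{}; $pubKeys = @{}
foreach ($name in 'JohnDoe', 'CEO', 'DRA') {
    $privKeys[$name] = [RSACryptoServiceProvider]::new(2048)
    $pubKeys[$name]  = [RSACryptoServiceProvider]::new()
    $pubKeys[$name].ImportParameters($privKeys[$name].ExportParameters($false))  # public half only
}

# Encrypt the content with a fresh symmetric key, then store one wrapped copy
# of that key in the header for every principal who should be able to read it.
function Protect-ModelFile {
    param([string]$Text, [hashtable]$PublicKeys, [string[]]$Readers)
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $plain = [Text.Encoding]::UTF8.GetBytes($Text)
    $body  = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $header = @{}
    foreach ($r in $Readers) {
        $header[$r] = $PublicKeys[$r].Encrypt($aes.Key, $true)   # $true selects OAEP padding
    }
    [pscustomobject]@{ IV = $aes.IV; Header = $header; Body = $body }
}

# Unwrap the symmetric key with one principal's private key and decrypt the body.
function Unprotect-ModelFile {
    param($File, [string]$Reader, [hashtable]$PrivateKeys)
    if (-not $File.Header.ContainsKey($Reader)) { throw "$Reader has no key entry in the header" }
    if (-not $PrivateKeys.ContainsKey($Reader)) { throw "the private key for $Reader no longer exists" }
    $aes = [Aes]::Create()
    $aes.Key = $PrivateKeys[$Reader].Decrypt($File.Header[$Reader], $true)
    $aes.IV  = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Granting access to another user: an existing reader unwraps the key and a new
# wrapped copy is made with the new user's public key, so their certificate must exist.
function Add-ModelReader {
    param($File, [string]$Owner, [string]$NewReader, [hashtable]$PrivateKeys, [hashtable]$PublicKeys)
    $fek = $PrivateKeys[$Owner].Decrypt($File.Header[$Owner], $true)
    $File.Header[$NewReader] = $PublicKeys[$NewReader].Encrypt($fek, $true)
}

# Recovery policy is in place, so the DRA becomes a reader of the new file.
$cv = Protect-ModelFile -Text 'CV of John Doe (constructed content)' -PublicKeys $pubKeys -Readers 'JohnDoe', 'DRA'
Add-ModelReader -File $cv -Owner 'JohnDoe' -NewReader 'CEO' -PrivateKeys $privKeys -PublicKeys $pubKeys

# A second file encrypted where no recovery agent was configured.
$notes = Protect-ModelFile -Text 'Private notes (constructed content)' -PublicKeys $pubKeys -Readers 'JohnDoe'

# Both user accounts are deleted: their private keys go with them.
$privKeys.Remove('JohnDoe'); $privKeys.Remove('CEO')

# The DRA entry in the header still opens the first file.
Unprotect-ModelFile -File $cv -Reader 'DRA' -PrivateKeys $privKeys

# Report, per file, which header entries still have a usable private key.
foreach ($f in @{ cv = $cv; notes = $notes }.GetEnumerator()) {
    $left = @($f.Value.Header.Keys | Where-Object { $privKeys.ContainsKey($_) })
    $who  = if ($left) { $left -join ', ' } else { 'nobody' }
    '{0}: {1} key entries in header, recoverable by: {2}' -f $f.Key, $f.Value.Header.Count, $who
}
```

The second file is the case the transcript warns about: once the only private key that matches a header entry is gone, nothing is left that can unwrap the symmetric key.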

History

Discussion about having a common international authority started in the late 1990s. After a series of failed attempts to come up with a unique common authority file, the new idea was to link existing national authorities. This would present all the benefits of a common file without requiring a large investment of time and expense in the process.[2]

The project was initiated by the US Library of Congress (LC), the German National Library (DNB) and the OCLC on August 6, 2003. The Bibliothèque nationale de France (BnF) joined the project on October 5, 2007.

The project transitioned to being a service of the OCLC on April 4, 2012.[3]

The aim is to link the national authority files (such as the German Name Authority File) to a single virtual authority file. In this file, identical records from the different data sets are linked together. A VIAF record receives a standard data number, contains the primary "see" and "see also" records from the original records, and refers to the original authority records. The data are made available online and are available for research and data exchange and sharing. Reciprocal updating uses the Open Archives Initiative Protocol for Metadata Harvesting (OAI-PMH).

The file numbers are also being added to Wikipedia biographical articles and are incorporated into Wikidata.[4][5]

VIAF clusters

VIAF's clustering algorithm is run every month. As more data are added from participating libraries, clusters of authority records may coalesce or split, leading to some fluctuation in the VIAF identifier of certain authority records.[6]

Participating libraries and organizations

English Wikipedia entry name Identifier Native-language name Location Country
Bibliotheca Alexandrina EGAXA Arabic: مكتبة الإسكندرية Alexandria Egypt
Biblioteca Nacional de Chile BNCHL Spanish: Biblioteca Nacional de Chile Santiago Chile
Biblioteca Nacional de España BNE Spanish: Biblioteca Nacional de España Madrid Spain
Biblioteca Nacional de Portugal PTBNP Portuguese: Biblioteca Nacional de Portugal Lisbon Portugal
Bibliothèque et Archives nationales du Québec B2Q French: Bibliothèque et Archives nationales du Québec Quebec Canada
Bibliothèque nationale de France BnF French: Bibliothèque nationale de France Paris France
Bibliothèque Nationale du Royaume du Maroc (BNRM) MRBNR Arabic: المكتبة الوطنية للمملكة المغربية; French: Bibliothèque nationale du Royaume du Maroc Rabat Morocco
Biografisch Portaal BPN Dutch: Biografisch Portaal The Hague Netherlands
British Library London England
Danish Agency for Culture and Palaces Danish: Kulturstyrelsen Copenhagen Denmark
Danish Bibliographic Centre DBC Danish: Dansk BiblioteksCenter Ballerup Denmark
German National Library (DNB) GND German: Deutsche Nationalbibliothek Frankfurt Germany
International Standard Name Identifier[7] ISNI London United Kingdom
Israel Museum Hebrew: מוזיאון ישראל Jerusalem Israel
Istituto Centrale per il Catalogo Unico ICCU, SBN Italian: Istituto Centrale per il Catalogo Unico Rome Italy
Lebanese National Library LNL Arabic: المكتبة الوطنية Beirut Lebanon
Library and Archives Canada LAC French: Bibliothèque et Archives Canada Ottawa, Ontario Canada
Library of Congress; NACO consortium (Name Authority Cooperative Program)[8] LCCN Washington, D.C. United States
National and University Library in Zagreb NSK Croatian: Nacionalna i sveučilišna knjižnica u Zagrebu Zagreb Croatia
National and University Library of Slovenia Slovene: Narodna in univerzitetna knjižnica Ljubljana Slovenia
National Central Library NCL, CYT Chinese: 國家圖書館 Taipei Taiwan
National Diet Library NDL Japanese: 国立国会図書館 Tokyo, Kyoto Japan
National Institute of Informatics NII, CiNii Japanese: 国立情報学研究所 Tokyo Japan
National Library Board NLB Singapore
National Library of Australia NLA Canberra Australia
National Library of Catalonia BNC Catalan: Biblioteca de Catalunya Barcelona Spain
National Library of Estonia ERRR Estonian: Eesti Rahvusraamatukogu Tallinn Estonia
National Library of Ireland N6I Irish: Leabharlann Náisiúnta na hÉireann Dublin Ireland
National Library of Israel NLI Hebrew: הספרייה הלאומית Jerusalem Israel
National Library of Korea KRNLK Korean: 국립중앙도서관 Seoul Korea
National Library of Latvia LNB Latvian: Latvijas Nacionālā bibliotēka Rīga Latvia
National Library of Luxembourg BNL Luxembourgish: Nationalbibliothéik Lëtzebuerg; French: Bibliothèque nationale de Luxembourg Luxembourg City Luxembourg
National Library of Mexico BNM Spanish: Biblioteca Nacional de México Mexico City Mexico
National Library of the Netherlands NTA Dutch: Koninklijke Bibliotheek The Hague Netherlands
National Library of New Zealand Wellington New Zealand
National Library of Norway BIBSYS, W2Z Norwegian: Nasjonalbiblioteket Trondheim Norway
National Library of Poland NLP Polish: Biblioteka Narodowa Warsaw Poland
National Library of Scotland Scottish Gaelic: Leabharlann Nàiseanta na h-Alba; Scots: Naitional Leebrar o Scotland Edinburgh Scotland
National Library of South Africa Afrikaans: Staats-Bibliotheek der Zuid-Afrikaansche Republiek Cape Town, Pretoria South Africa
National Library of Sweden SELIBR Swedish: Kungliga biblioteket - Sveriges nationalbibliotek Stockholm Sweden
National Library of Wales Welsh: Llyfrgell Genedlaethol Cymru Aberystwyth Wales
National Library of the Czech Republic NKC Czech: Národní knihovna České republiky Prague Czech Republic
National Széchényi Library NSZL Hungarian: Országos Széchényi Könyvtár Budapest Hungary
Perseus Project PERSEUS Medford, Massachusetts United States
RERO (Library Network of Western Switzerland) RERO German: Westschweizer Bibliothekverbund; French: Réseau des bibliothèques de Suisse occidentale; Italian: Rete delle bibliotheche della Svizzera occidentale Martigny Switzerland
Russian State Library RLS Russian: Российская государственная библиотека Moscow Russia
Système universitaire de documentation SUDOC French: Système universitaire de documentation France
Syriac Reference Portal SRP Nashville, Tennessee United States
Swiss National Library SWNL German: Schweizerische Nationalbibliothek; French: Bibliothèque nationale suisse; Italian: Biblioteca nazionale svizzera; Romansh: Biblioteca naziunala svizra Berne Switzerland
Narodowy Uniwersalny Katalog Centralny, NUKAT NUKAT Polish: Narodowy Uniwersalny Katalog Centralny Poland
Union List of Artist Names; Getty Research Institute ULAN, JPG Los Angeles, California United States
United States National Agricultural Library NALT Beltsville, Maryland United States
United States National Library of Medicine Bethesda, Maryland United States
Vatican Library BAV Latin: Bibliotheca Apostolica Vaticana Vatican City
Vlaamse openbare bibliotheken (VLACC): Bibnet VLACC Dutch: Vlaamse Centrale Catalogus Brussels Belgium
Wikidata WKP Berlin, Germany International

Libraries added for testing purposes

English Wikipedia entry name Identifier Native-language name Location Country
National and University Library of Iceland (NULI) UIY Icelandic: Háskólabókasafn Reykjavík Iceland
National Library of Brazil BLBNB Portuguese: Biblioteca Nacional do Brasil Rio de Janeiro Brazil

References

  1. ^ Kelley, Michael; Schwartz, Meredith (2012). "VIAF service transitions to OCLC". Library Journal. Media Source Inc. 137 (8): 16.
  2. ^ O'Neill, Edward T. (12 August 2016). "VIAF: Origins" (Video presentation). Authority Data on the Web, a Satellite Meeting of the 2016 IFLA World Library and Information Congress. OCLC. 
  3. ^ Murphy, Bob (4 April 2012). "Virtual International Authority File service transitions to OCLC; contributing institutions continue to shape direction through VIAF Council" (Press release). OCLC. Dublin, OH. 
  4. ^ Klein, Max; Renspie, Melissa (7 December 2012). "VIAFbot Edits 250,000 Wikipedia Articles to Reciprocate All Links from VIAF into Wikipedia". OCLC. 
  5. ^ Klein, Maximilian; Kyrios, Alex (14 October 2013). "VIAFbot and the Integration of Library Data on Wikipedia". The Code4Lib Journal (22). ISSN 1940-5758. 
  6. ^ Hickey, Thomas B.; Toves, Jenny A. (July 2014). "Managing Ambiguity In VIAF". D-Lib Magazine. Corporation for National Research Initiatives. 20 (7/8). doi:10.1045/july2014-hickey. 
  7. ^ MacEwan, Andrew (12 August 2016). "ISNI and VIAF" (Video presentation). Authority Data on the Web, a Satellite Meeting of the 2016 IFLA World Library and Information Congress. OCLC. 
  8. ^ "NACO - Name Authority Cooperative Program". Library of Congress. 

This page was last edited on 12 September 2018, at 21:05
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.