Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia.

Content
– Understanding Permissions
– Access Control Lists
– Permissions
– NTFS Permissions

Understanding Permissions
– File system permissions
– Share permissions
– Active Directory permissions
– Registry permissions

Access Control Lists (1)
Access Control (AC) = the process of determining who can access resources in a network environment
– physical access, logon access, file access, printer access, share access, and so on ← security issue
Win95/Win98: if you can power on the computer and interact with the keyboard and mouse, you are in. There is no native logon or file access control at the local computer → anyone at the computer has full access to any data on it.
WinNT/Win2000/WinXP: require logon access before anyone can access the resources of the computer.
With NTFS, file access became much more tightly managed.

Access Control Lists (2)
Each resource has an ACL controlling access to it.
Discretionary ACL (DACL)
– the part of the ACL that grants or denies permissions to users and groups
– only the owner can change permissions
System ACL (SACL)
– the part that specifies which events can be audited: access, logon, shutdown
Access Control Entry (ACE): belongs to an ACL
– SID of a user, computer or group + access mask = the actions that are granted, denied or audited

Access Control Lists (3)
Access Control Process
Opening a file → a number of activities happen in the background to determine whether the user should be able to access the file, open it, or save changes.
When a user double-clicks a file in Windows Explorer, the local computer builds an access token to send to the server hosting the file. The token contains the user SID from the user's network account + a group SID for each of the groups to which the user account belongs + the SID of the computer the user logged on to + other information.

Access Control Lists (4)
When the server receives the request + access token, it compares the information in the token to the ACLs for the object.
The server examines each of the ACEs in the DACL of the requested file and compares those ACEs to each of the SIDs in the access token.
– If no ACE in the file's ACL matches any of the information in the access token, the user's request is denied.
– If one of the ACEs matches one of the components in the token, access is granted and the file opens on screen.
In addition, the server checks the access token against the SACL to determine whether audit events need to be triggered.
– If no ACE in the SACL matches any item in the access token, no audit events occur.

Permissions
Different permission settings exist on various objects. These permission settings work together, or may come into conflict with each other:
– File-level permissions (NTFS Security)
– Shared-folder permissions
– Active Directory permissions

NTFS Permissions (1)
As administrator, you assign NTFS permissions on files and folders.
Even though the permissions are similar for both, there are some key differences when these permissions are applied to files rather than to folders.
When permissions are applied to a folder, they apply to the files within that folder as well.
– Ex: to give a group access to write to a particular file in a folder, but not to all files in the folder, assign the Write permission to that specific file.

NTFS Permissions (2)
Practice: a well-planned directory structure allows you to assign folder permissions at a high level of the directory structure and keep permission changes further down in the structure to a minimum.
– Apply permissions to a specific file only when the access to that file is significantly different from the other files in its folder.
– Sometimes it might be better to relocate files to a different folder where the appropriate permissions can be assigned to the parent folder.

NTFS Permissions (3)

NTFS Permissions (4)
NTFS permissions on a file or folder can be assigned to any AD object, most commonly user and computer objects.
The best way to assign and manage access to files and folders is to assign rights to group objects.
– Exception: a user's home directory, which is assigned directly to the user object.
Security permissions are cumulative: a user belonging to different groups has all the permissions of those groups.

NTFS Permissions (5)
Assigning Folder Permissions: right-click the folder and select Sharing and Security.
– The Administrators global group has rights to this folder.
– The CREATOR OWNER and SYSTEM groups also have permissions.

NTFS Permissions (6)
Assigning File Permissions: right-click the file; there is no Sharing item in the context menu.
– No CREATOR OWNER entry.
– Not the same (complete) list of permissions as for a folder.
– The Accounting group is grayed out here → its permissions are inherited from the parent folder and cannot be changed directly.

NTFS Permissions (7)
Denying File Permissions
A Deny permission restricts access: it overrides all other permissions, whether explicitly assigned or applied cumulatively. Deny the least restrictive permission necessary, and be careful with the Administrators and Users groups.
– Administrators group: if you deny Full Control on a folder to the Administrators group and no other group has Full Control access to that folder → you lose the capability to do any further management on the folder from any level.
– Users group: if you deny permissions on any folder to the Users group, you deny access to every account on the system, including administrators.
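The access check of slides Access Control Lists (3)/(4), the cumulative group permissions of NTFS Permissions (4) and the Deny rule above, as an added model written for this page (not code from the lecture or from Windows). It assumes a simplified access mask and a DACL in canonical order (explicit deny ACEs first), and all domain SIDs are constructed.

```python
from dataclasses import dataclass, field

# Access-mask bits for this model (constructed; real NTFS masks use other values).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

@dataclass
class ACE:
    sid: str   # trustee: SID of a user, group or computer
    mask: int  # access mask: rights this entry grants, denies or audits
    kind: str  # "allow" or "deny" (DACL entries), "audit" (SACL entries)

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                                # ACEs, explicit denies first
    sacl: list = field(default_factory=list)  # audit ACEs

def access_check(token_sids, requested, sd):
    """Walk the DACL in order, matching each ACE against every SID in the token.
    A matching deny ACE covering any requested right refuses access at once;
    matching allow ACEs accumulate (group permissions are cumulative) until all
    requested rights are granted. No match or an exhausted DACL means denied."""
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & requested == requested:
                return True
    return False

def audit_events(token_sids, sd):
    """SACL check: each audit ACE whose SID is in the token triggers an event."""
    return [ace.sid for ace in sd.sacl if ace.kind == "audit" and ace.sid in token_sids]

# Constructed sample: a report file in an Accounting folder (domain SIDs made up).
ACCOUNTING, USERS = "S-1-5-21-1-2001", "S-1-5-32-545"
ALICE_SID, BOB_SID = "S-1-5-21-1-1001", "S-1-5-21-1-1002"
REPORT = SecurityDescriptor(
    owner=ALICE_SID,
    dacl=[ACE(BOB_SID, WRITE, "deny"),             # bob explicitly denied Write
          ACE(ACCOUNTING, READ | WRITE, "allow"),  # Accounting group may read and write
          ACE(USERS, READ | EXECUTE, "allow")],    # Users may read and execute
    sacl=[ACE(ACCOUNTING, WRITE, "audit")])        # audit writes by Accounting
ALICE_TOKEN = {ALICE_SID, ACCOUNTING, USERS}  # user SID + SIDs of the user's groups
BOB_TOKEN = {BOB_SID, ACCOUNTING, USERS}
```

Alice gets Read+Write cumulatively from her groups, while Bob's explicit Deny wins over the Accounting allow even though he is a member of the same group.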

NTFS Permissions (8)
NTFS Special Permissions = more specific permissions, reached via the Advanced button in the Permissions window.
In the example: for CREATOR OWNER, the only permissions identified for that group are Special Permissions.
Like the SYSTEM group, the CREATOR OWNER group is a special system-level group; members cannot be added to or removed from it.
The CREATOR OWNER group always has Full Control special permissions applied unless specifically excluded (see next slide).

NTFS Permissions (9)

NTFS Permissions (10)
Ownership of Files and Folders
When a file or folder is created, the user object that created it becomes its owner. That user object will always have full control over the file it created.
The file owner's capability to have full control over the file is governed via the CREATOR OWNER group: by default, the CREATOR OWNER group has full control over certain files through special permissions.
If CREATOR OWNER has Full Control permissions identified on a folder, users have full access only to the files they created in that folder.
Administrators in the domain can take ownership of files and folders → the creator of the file no longer has full control over it, because taking ownership removes the user who created the file from the CREATOR OWNER group for that file, and that user's access to the file reverts to the default access he/she has based on the folder permissions.

NTFS Permissions (11)
Copying and Moving Files/Folders
– Is the file copied or moved?
– Is the destination an NTFS volume? Files and folders that are moved or copied to non-NTFS volumes lose all permissions.
– Is the destination on the same volume as the original location?

NTFS Permissions (12)
Copying Files/Folders to an NTFS volume
– The user must have permission to create files in the destination location.
– When a file is copied, it is created as a new object in the destination, and the user object that copied the file becomes the owner of the newly created item.

NTFS Permissions (13)
Moving Files/Folders
– The user moving a file or folder must have permission to create objects in the new location + permission to delete objects from the original location.
– The file or folder created in the destination is owned by the user object that moves it, and the original file or folder is deleted from the original location.
– The NTFS permissions assigned to the file or folder in the new location are detailed on the next slide.

NTFS Permissions (14)
Destination → Permissions
– Objects moved within the same NTFS volume → objects retain their original NTFS permissions in the new location
– Objects moved to a different NTFS volume → objects inherit the permissions of the new location
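The copy/move rules of slides NTFS Permissions (11) to (14), carried through as an added model for this page (not the lecture's code and not how Windows itself is implemented): it checks the create/delete prerequisites cumulatively over the user's SIDs, makes the copier or mover the owner, and decides whether the ACL is lost, retained or inherited from the destination. Volume names, folders, principals and rights are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Volume:
    name: str  # e.g. "C:"
    fs: str    # "NTFS" or "FAT32"

@dataclass
class FsObject:
    name: str
    volume: Volume
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of rights; empty when not NTFS

def has_right(principals, folder, right):
    """Cumulative check: any of the user's SIDs (user + groups) holding the right suffices."""
    return any(right in folder.acl.get(p, set()) for p in principals)

def copy_object(obj, user, groups, dest):
    """Copy: a new object is created in dest, owned by the copier. On NTFS it takes
    dest's permissions; on a non-NTFS destination it carries no permissions at all."""
    principals = {user, *groups}
    if dest.volume.fs == "NTFS" and not has_right(principals, dest, "create"):
        raise PermissionError(f"{user} cannot create files in {dest.name}")
    acl = dict(dest.acl) if dest.volume.fs == "NTFS" else {}
    return FsObject(obj.name, dest.volume, owner=user, acl=acl)

def move_object(obj, user, groups, src, dest):
    """Move: needs create in dest plus delete in src. Same NTFS volume -> the original
    ACL is retained; different NTFS volume -> dest's ACL is inherited; non-NTFS -> lost."""
    principals = {user, *groups}
    if src.volume.fs == "NTFS" and not has_right(principals, src, "delete"):
        raise PermissionError(f"{user} cannot delete from {src.name}")
    if dest.volume.fs == "NTFS" and not has_right(principals, dest, "create"):
        raise PermissionError(f"{user} cannot create files in {dest.name}")
    if dest.volume.fs != "NTFS":
        acl = {}
    elif dest.volume.name == obj.volume.name:
        acl = dict(obj.acl)
    else:
        acl = dict(dest.acl)
    return FsObject(obj.name, dest.volume, owner=user, acl=acl)

# Constructed sample: two NTFS volumes and a FAT32 USB stick.
C, D, USB = Volume("C:", "NTFS"), Volume("D:", "NTFS"), Volume("E:", "FAT32")
ACCT = FsObject("Accounting", C, "Administrators", {"Accounting": {"read", "create", "delete"}})
PUBLIC_C = FsObject("Public", C, "Administrators", {"Users": {"read", "create"}})
PUBLIC_D = FsObject("Public", D, "Administrators", {"Users": {"read"}, "Accounting": {"create"}})
STICK = FsObject("E:\\", USB, "", {})
REPORT = FsObject("q1.xlsx", C, "alice", {"Accounting": {"read", "write"}, "alice": {"full"}})
```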

References Managing and Maintaining Microsoft Windows Server 2003 Environment: Craig Zacker, Microsoft Academics Course – Microsoft Press