Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia.

Published byDaniella Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia."— Presentation transcript:

1 Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia

2 Content Understanding Permissions Access Control Lists Permissions NTFS Permissions

3 Understanding Permissions File system permissions Share permissions Active Directory permissions Registry permissions

4 Access Control Lists (1) Access Control (AC) = Process determining who can access resources in an NW environment –physical access, logon access, file access, printer access, share access, and so on ← security issue WIN95/Win98: if you can power on the C and interact with the keyboard and mouse. No native logon or file access at the local C → anyone in C full access to any data WINNT/WIN2000/WINXP: require logon access before anyone can access resources of the computer With NTFS, file access became more managed.

5 Access Control Lists (2) Each resource has ACL controlling its access Discretionary ACL –part of ACL grant/deny permission to Us & Gs –Only owner can change permissions System ACL –Part that specifies what events can be audited: access, logon, shutdown AC Entry belong to ACL SID of U, C or G + mask = action that are granted/denied/audited

6 Access Control Lists (3) Access Control Process Opening a file → number activities in the background to determine if U should be able to access file/open/save changes U double-clicks a file in Window Explorer, the local C builds access token to send to server hosting file, contain user SID from U NW account + group SID for each of groups to which UA belongs + SID of C the user logged on to + other information

7 Access Control Lists (4) When S receives request + access token, compares information in the token to the ACLs for the object. S examines each of the ACEs in the DACL for requested file and compares those ACEs to each of the SIDs in the access token If no ACEs in ACL of file match up with any of information in access token user’s request denied If one of ACEs matches with one of components in the token, access is granted, and file open on screen In addition, S checks the access token against SACL to determine if audit events need be triggered If no ACEs in SACL match any items in the access token, then no audit events occur

8 Permissions Different permissions setting on various objects Permission settings work together or come into conflict with each other – File-level permissions (NTFS Security) – Shared-folder permissions – Active Directory permissions

9 NTFS Permissions (1) As administrator, NTFS permissions on files and folders Even though permissions are similar for both, there are some key differences when these permissions applied to files and not to folders When permissions applied to folder, they apply to files within folder as well –Ex: To give a group access to write to a particular file in folder, but not all files in folder, assign the Write permission to the specific file

10 NTFS Permissions (2) Practice: A well-planned directory structure allow assign folder permissions at high level of directory structure, with other permissions changes further down in directory structure to minimum –apply permissions to a specific file only when access to file significantly different from other files in that folder –Sometimes might be better to relocate files to different folder where appropriate permissions can be assigned to parent folder

11 NTFS Permissions (3)

12 NTFS Permissions (4) NTFS permissions file or folder can be assigned to any AD object commonly U and C object Best way assign and manage access to files and folders: assigning rights to group objects Exception for user home directory: directly to user object Security permissions are cumulative: U belonging to different Gs has all the permissions of Gs

13 NTFS Permissions (5) Assigning Folder Permissions: Right-click the folder and select Sharing and Security Administrators global group has rights to this folder CREATOR OWNER and SYSTEM groups also have permissions

14 NTFS Permissions (6) Assigning File Permissions: right-click on file, no Sharing item in context menu No CREATOR OWNER No all (same) list of permissions Accounting group, grayed-out here → parent folder and cannot be changed directly

15 NTFS Permissions (7) Denying File Permissions Deny permission to restrict access: permission overrides all other permissions explicitly assigned or applied in cumulative way: deny the least restrictive permission necessary and be careful with Administrators and Users groups Administrators group: if deny Full Control to Administrators group to folder and no other group had Full Control access to that folder → lose capability to do any further management on folder from any level Users group: if deny permissions on any folder, deny access to every account on the system, including administrators

16 NTFS Permissions (8) NTFS Special Permissions = more specific permission: by Advanced button in the Permissions window In example: CREATOR OWNER: permissions assigned here only permissions identified for that group are Special Permissions Like SYSTEM group, CREATOR OWNER group is special system-level group cannot have members added to or removed from it CREATOR OWNER group always has Full Control special permissions applied unless specifically excluded (see next slide)

17 NTFS Permissions (9)

18 NTFS Permissions (10) Ownership of Files and Folders File/folder created, U object created it becomes owner User object will always have full control over the file it created File owner’s capability to full control over file governed via CREATOR OWNER G: default, CREATOR OWNER group has full control over certain files through special permissions If CREATOR OWNER group Full Control permissions identified in folder, users have full access only to files they created in folder Administrators in domain can take ownership of files and folders → the creator of file no longer has full control on file because removes user created file from CREATOR OWNER group for that file, and that user’s access to file reverts to default access he/she has based on the folder permissions

19 NTFS Permissions (11) Copying Modifying Files/Folders File is copied or moved? Destination is an NTFS? –Files and folders that are moved or copied to non-NTFS volumes lose all permissions. Destination is on same volume as the original location?

20 NTFS Permissions (12) Copying Files/Folders to NTFS volume U must have permission to create files in the destination location When file is copied, it is created as new object in the destination, and the U object that copied the file becomes owner of the newly created item

21 NTFS Permissions (13) Moving Files/Folders (F/F) U moving F/F must have permissions to create objects in new location + permission delete objects from original location F/F created in destination owned by U object moves it, and original F/F deleted from original location NTFS permissions that will be assigned to the file or folder in the new location are detailed in next slide

22 NTFS Permissions (14) Destination Permissions Objects moved Objects retain their original NTFS permission within same in the new location NTFS volume Objects moved inherit the permissions of the new location to different NTFS volume Objects

23 References Managing and Maintaining Microsoft Windows Server 2003 Environment: Craig Zacker, Microsoft Academics Course – Microsoft Press

Download ppt "Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia."

Similar presentations

Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign.

When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign.
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.

1 File systems security: Shared folders & NTFS permissions, EFS (Week 6, Monday 2/12/2007) © Abdou Illia, Spring 2007.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
MIS 431 - Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.

MIS Chapter 51 Chapter 5 – Managing File Access MIS 431 Created Spring 2006.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Lesson 4: Configuring File and Share Access

Lesson 4: Configuring File and Share Access
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

Similar presentations

Ads by Google