Access Control Lists and NTFS Permissions

INFO333 – Lecture 42010

Mariusz NowostawskiNoria Foukia

Content

• Understanding Permissions• Access Control Lists• Permissions• NTFS Permissions

Understanding Permissions

• File system permissions• Share permissions• Active Directory permissions• Registry permissions

Access Control Lists (1)• Access Control (AC) = Process determining who

can access resources in an NW environment

– physical access, logon access, file access, printer access, share access, and so on ← security issue

• WIN95/Win98: if you can power on the C and interact with the keyboard and mouse. No native logon or file access at the local C → anyone in C full access to any data

• WINNT/WIN2000/WINXP: require logon access before anyone can access resources of the computer

• With NTFS, file access became more managed.

Access Control Lists (2)• Each resource has ACL controlling its access

• Discretionary ACL

– part of ACL grant/deny permission to Us & Gs

– Only owner can change permissions

• System ACL

– Part that specifies what events can be audited: access, logon, shutdown

• AC Entry belong to ACL

• SID of U, C or G + mask = action that are granted/denied/audited

Access Control Lists (3)

Access Control Process

• Opening a file → number activities in the background to determine if U should be able to access file/open/save changes

• U double-clicks a file in Window Explorer, the local C builds access token to send to server hosting file, contain user SID from U NW account + group SID for each of groups to which UA belongs + SID of C the user logged on to + other information

Access Control Lists (4)

• When S receives request + access token, compares information in the token to the ACLs for the object. S examines each of the ACEs in the DACL for requested file and compares those ACEs to each of the SIDs in the access token

• If no ACEs in ACL of file match up with any of information in access token user’s request denied

• If one of ACEs matches with one of components in the token, access is granted, and file open on screen

• In addition, S checks the access token against SACL to determine if audit events need be triggered

• If no ACEs in SACL match any items in the access token, then no audit events occur

Permissions

• Different permissions setting on various objects

• Permission settings work together or come into conflict with each other– File-level permissions (NTFS Security)– Shared-folder permissions– Active Directory permissions

NTFS Permissions (1)• As administrator, NTFS permissions on files

and folders

• Even though permissions are similar for both, there are some key differences when these permissions applied to files and not to folders

• When permissions applied to folder, they apply to files within folder as well

– Ex: To give a group access to write to a particular file in folder, but not all files in folder, assign the Write permission to the specific file

NTFS Permissions (2)

• Practice: A well-planned directory structure allow assign folder permissions at high level of directory structure, with other permissions changes further down in directory structure to minimum– apply permissions to a specific file only when

access to file significantly different from other files in that folder

– Sometimes might be better to relocate files to different folder where appropriate permissions can be assigned to parent folder

NTFS Permissions (3)

NTFS Permissions (4)• NTFS permissions file or folder can be

assigned to any AD object commonly U and C object

• Best way assign and manage access to files and folders: assigning rights to group objects

• Exception for user home directory: directly to user object

• Security permissions are cumulative: U belonging to different Gs has all the permissions of Gs

NTFS Permissions (5)

• Assigning Folder Permissions: Right-click the folder and select Sharing and Security

• Administrators global group has rights to this folder• CREATOR OWNER and SYSTEM groups also have permissions

NTFS Permissions (6)

• Assigning File Permissions: right-click on file, no Sharing item in context menu

• No CREATOR OWNER• No all (same) list of permissions• Accounting group, grayed-out here → parent folder and cannot be changed directly

NTFS Permissions (7)

Denying File Permissions

• Deny permission to restrict access: permission overrides all other permissions explicitly assigned or applied in cumulative way: deny the least restrictive permission necessary and be careful with Administrators and Users groups

• Administrators group: if deny Full Control to Administrators group to folder and no other group had Full Control access to that folder → lose capability to do any further management on folder from any level

• Users group: if deny permissions on any folder, deny access to every account on the system, including administrators

NTFS Permissions (8)

• NTFS Special Permissions = more specific permission: by Advanced button in the Permissions window

• In example: CREATOR OWNER: permissions assigned here only permissions identified for that group are Special Permissions

• Like SYSTEM group, CREATOR OWNER group is special system-level group cannot have members added to or removed from it

• CREATOR OWNER group always has Full Control special permissions applied unless specifically excluded (see next slide)

NTFS Permissions (9)

NTFS Permissions (10)Ownership of Files and Folders• File/folder created, U object created it becomes

owner• User object will always have full control over the

file it created• File owner’s capability to full control over file

governed via CREATOR OWNER G: default, CREATOR OWNER group has full control over certain files through special permissions

• If CREATOR OWNER group Full Control permissions identified in folder, users have full access only to files they created in folder

• Administrators in domain can take ownership of files and folders → the creator of file no longer has full control on file because removes user created file from CREATOR OWNER group for that file, and that user’s access to file reverts to default access he/she has based on the folder permissions

NTFS Permissions (11)

Copying Modifying Files/Folders• File is copied or moved?• Destination is an NTFS?

– Files and folders that are moved or copied to non-NTFS volumes lose all permissions.

• Destination is on same volume as the original location?

NTFS Permissions (12)

• Copying Files/Folders to NTFS volume

• U must have permission to create files in the destination location

• When file is copied, it is created as new object in the destination, and the U object that copied the file becomes owner of the newly created item

NTFS Permissions (13)

Moving Files/Folders (F/F)

• U moving F/F must have permissions to create objects in new location + permission delete objects from original location

• F/F created in destination owned by U object moves it, and original F/F deleted from original location

• NTFS permissions that will be assigned to the file or folder in the new location are detailed in next slide

NTFS Permissions (14)

Destination Permissions

Objects moved Objects retain their original NTFS permissionwithin same in the new locationNTFS volume

Objects moved inherit the permissions of the new locationto different NTFS volume Objects

References

• Managing and Maintaining Microsoft Windows Server 2003 Environment: Craig Zacker, Microsoft Academics Course – Microsoft Press