Windows 8 : Working with file systems (part 1) - Security within the file system

10/10/2014 9:19:12 PM

Security within the file system

One of the primary focuses of the NTFS file system is security. People who use Windows have at one time or another tried to open a file on the network and received an Access Denied message for that particular file. NTFS security enables administrators to ensure that only those who have permission to access certain files and locations can access them.

File system security within NTFS is an ongoing process because in many circumstances, security might need to be modified to meet the needs of an organization. The original configuration for a department’s files can change over time, and NTFS must change with it.

NTFS assigns security through access control lists (ACLs); these lists contain access control entries (ACEs) that determine which entities have a certain type of access to a portion of the file system.

Access control lists can be one of two types:

  • Discretionary Access Control Lists (DACLs): These lists identify the entities that are allowed or denied access to a securable object within the file system.

  • System Access Control Lists (SACLs): These lists enable administrative logging of access attempts.

DACLs are the lists that determine whether your access to a file or folder is allowed or denied, whereas SACLs are the lists that help administrators monitor your access to those files.

The following example should help make DACLs a bit easier to understand.

Johanna and Mikhail are members of the operations group for City Power & Light. The operations group maintains files and folders of all the information needed to ensure that field maintenance crews and other teams have the information they need in the event of a power emergency. The operations group is a general collection of team members who help manage field maintenance teams. Operations team members must be able to read, write, and edit folders and files within the Operations folder, which lives on the City Power & Light company file server.

Other departments, such as customer care, need to view certain information regarding the field maintenance teams but must not edit it, whereas some departments might not need any access to the operations data.

With NTFS, configuring this access is easily achievable by using the built-in security provided by DACLs.

Figure 1 shows the default security information for the Operations folder. A few groups and other entries are added by default when a folder or file is created. These include:

  • Authenticated Users: This group includes any users who have authenticated (signed in to) a domain in which the computer managing this object is a member, or the local computer if it is not a domain member. If access to a resource is not needed by every user account that has signed in, this group should be removed.

  • System: This group is built in for the computer itself. The computer needs access to the objects on the system for management purposes. This group should not be removed.

  • Administrators: This is a built-in group containing the designated administrators for this computer. This group should not be removed.

  • Users: This group includes users of the local computer or of a domain in which this computer is a member and provides the members access to the object. If not all users of the computer or domain need access to this file or folder, this group should be removed.

Figure 1. Security configuration for the Operations folder

Additional groups or even individual users can be added to the DACL of any object contained within the NTFS file system. Adding and removing entries for a specific object and the child objects beneath it is the basis for controlling security within the NTFS file system.

For the operations group example, Figure 1 shows that the Operations folder currently has only the built-in groups defined for its security.

To ensure that the operations group has all the security needed to manage its departmental folder, the group would be added to the DACL for the Operations folder object. To add the operations group, complete the following steps:

  1. Browse to the Operations folder.

  2. Press and hold or right-click the folder.

  3. Select Properties.

  4. Select the Security tab.

  5. Tap or click Edit.

  6. In the Permissions For Operations dialog box, tap or click Add.

  7. In the Select Users Or Groups dialog box, type the name of the user or group to add; in this case, type Operations.

    Note

    LOCATIONS AND ENVIRONMENTS

    Ensure that the location for the group is correct for your environment. If you are working in a domain environment, the location should be set to that of your domain.

  8. Tap or click Check Names to verify the names of the groups or user accounts you have added.

  9. Tap or click OK in the Select Users Or Groups dialog box.

  10. To allow the ability to read, write to, and modify the Operations folder, select the check box next to Modify under the Allow column heading.

  11. Tap or click OK to apply these settings to the folder and save the DACL.

Important

THE DENY PERMISSION OVERRIDES OTHER PERMISSIONS

Discretionary access control lists treat the Deny permission specially. If you specify that a group or user account is denied access to an object, that user account or the members of that group will not have access to the object, regardless of the permissions granted to any other groups that have access to it. If you are explicitly denied access to an object, you will not have access to it. Use Deny permissions with caution.

Common collections of permissions make managing access to file system objects easier to understand. The common permission sets are:

  • Full Control: Allows complete access to objects, including management permissions and the ability to take ownership of an object.

  • Modify: Allows editing, visibility, and deletion of objects (assumes Read & Execute, List Folder Contents, Read, and Write permissions).

  • Read & Execute: Allows other object types, such as application files, to be opened or executed (assumes Read permission).

  • List Folder Contents: Allows items within folders to be viewed (assumes Read and Read & Execute permissions).

  • Read: Allows file and folder objects to be opened.

  • Write: Allows creation and editing of objects.

  • Special Permissions: Contains any combination of permissions that an administrator wants. This group of permissions is managed by clicking the Advanced button on the Security tab.

Although these groupings comprise common permission sets, you can see the entire list of available permissions by tapping or clicking the Advanced button. In the Advanced Security Settings dialog box, the currently assigned permissions for the object are displayed, as shown in Figure 2.

Figure 2. Advanced Security Settings

If you need to configure additional advanced permissions, tap or click the Add button in this dialog box to open the Permission Entry dialog box for the selected object. Here you can manage both basic and advanced permissions for the object. The Permission Entry dialog box is shown in Figure 3.

Figure 3. Permission Entry dialog box for basic and advanced permissions editing

A principal is a user account or group to which security and permissions can be assigned. To configure permissions from the Permission Entry dialog box, complete the following steps:

  1. Tap or click the Select A Principal link at the top of the dialog box.

  2. Type the account or group name with which you want to work and tap or click Check Names to verify that the account exists.

  3. Tap or click OK to add the selected account or group as the security principal.

  4. Select the type of permission to assign, Allow or Deny, by using the Type list.

  5. Specify the objects to which this permission will apply by using the Applies To list; the following options are available for folder objects:

    • This Folder Only

    • This Folder, Subfolders, And Files

    • This Folder And Subfolders

    • This Folder And Files

    • Subfolders And Files Only

    • Subfolders Only

    • Files Only
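The same result as the Security tab steps above (adding the Operations group with Modify) and the Applies To choices of the Permission Entry dialog, scripted in PowerShell. This is an added example, not code from the original article; the folder path and the domain\group name are placeholders for your environment, and the session is assumed to be elevated.

```powershell
# Added example: grant the Operations group Modify on the Operations folder,
# equivalent to steps 1-11 on the Security tab. Placeholders to adjust:
$FolderPath = 'C:\Shares\Operations'     # assumed folder path
$Identity   = 'CONTOSO\Operations'       # assumed domain\group (use 'Operations' for a local group)

# Map each Applies To choice from the Permission Entry dialog to the
# InheritanceFlags and PropagationFlags the API expects.
$AppliesTo = @{
    'This Folder Only'                   = @('None',                            'None')
    'This Folder, Subfolders, And Files' = @('ContainerInherit, ObjectInherit', 'None')
    'This Folder And Subfolders'         = @('ContainerInherit',                'None')
    'This Folder And Files'              = @('ObjectInherit',                   'None')
    'Subfolders And Files Only'          = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders Only'                    = @('ContainerInherit',                'InheritOnly')
    'Files Only'                         = @('ObjectInherit',                   'InheritOnly')
}
$inherit, $propagate = $AppliesTo['This Folder, Subfolders, And Files']

# Build the ACE: Allow + Modify for the group, inherited by subfolders and files.
$ruleArgs = @(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]$inherit,
    [System.Security.AccessControl.PropagationFlags]$propagate,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

# Read the current DACL, append the ACE, and write the DACL back.
# The caller needs Change Permissions on the folder; Administrators have it by default.
$acl = Get-Acl -Path $FolderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Verify: list the ACEs now on the folder, including the new Operations entry.
(Get-Acl -Path $FolderPath).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```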

If you are applying permissions to individual files, the Permission Entry dialog box looks slightly different. You can select either basic permissions or advanced permissions. To select permissions for files, select the check boxes for the permissions to assign. The basic permissions for files are as follows:

  • Full Control

  • Modify

  • Read & Execute

  • Read

  • Write

Advanced Permissions include the following:

  • Full Control

  • Traverse Folder/Execute File

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Create Files/Write Data

  • Create Folder/Append Data

  • Write Attributes

  • Write Extended Attributes

  • Delete

  • Read Permissions

  • Change Permissions

  • Take Ownership

In Advanced Permissions, some of these options are selected by default because advanced permissions are combined to create the basic permission sets.
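To see how the basic sets decompose into the advanced permissions listed above, and to spot Deny entries (which override any Allow for the same principal, as the Important note explains), the following added audit script reads a folder's DACL and breaks each ACE down by advanced permission. It is not code from the original article; the folder path is a placeholder for your environment.

```powershell
# Added example: audit a folder's DACL, decomposing each ACE into the advanced
# permissions from the Permission Entry dialog and flagging explicit Deny entries.
$FolderPath = 'C:\Shares\Operations'     # assumed folder path

# Advanced permission names as shown in the dialog, mapped to the single-bit
# FileSystemRights values behind them (Full Control is the union of all of them).
$Advanced = [ordered]@{
    'Traverse Folder/Execute File' = 'ExecuteFile'
    'List Folder/Read Data'        = 'ReadData'
    'Read Attributes'              = 'ReadAttributes'
    'Read Extended Attributes'     = 'ReadExtendedAttributes'
    'Create Files/Write Data'      = 'WriteData'
    'Create Folder/Append Data'    = 'AppendData'
    'Write Attributes'             = 'WriteAttributes'
    'Write Extended Attributes'    = 'WriteExtendedAttributes'
    'Delete'                       = 'Delete'
    'Read Permissions'             = 'ReadPermissions'
    'Change Permissions'           = 'ChangePermissions'
    'Take Ownership'               = 'TakeOwnership'
}

function Get-AdvancedPermissionNames([System.Security.AccessControl.FileSystemRights]$Rights) {
    # Return the names of every advanced permission whose bit is set in $Rights.
    foreach ($name in $Advanced.Keys) {
        $bit = [System.Security.AccessControl.FileSystemRights]$Advanced[$name]
        if (($Rights -band $bit) -eq $bit) { $name }
    }
}

# Basic Modify expands to every advanced permission except Change Permissions
# and Take Ownership, which is why those boxes stay clear when Modify is chosen.
"Modify = " + ((Get-AdvancedPermissionNames ([System.Security.AccessControl.FileSystemRights]::Modify)) -join ', ')

$acl = Get-Acl -Path $FolderPath
foreach ($ace in $acl.Access) {
    $names = Get-AdvancedPermissionNames $ace.FileSystemRights
    $flag  = if ($ace.AccessControlType -eq 'Deny') { '  <-- Deny wins over any Allow' } else { '' }
    "{0,-35} {1,-5} inherited={2}{3}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.IsInherited, $flag
    "    " + ($names -join ', ')
}
```

Inherited entries show IsInherited=True; an explicit Deny on the folder itself is the case the Important note warns about, so review any flagged line before assuming a group's Allow entry is effective.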

Note

DOCUMENT PERMISSIONS TO AVOID POTENTIAL PROBLEMS

Working with permissions can be an interesting project. Because it is possible to isolate any user completely, including administrators, from files and folders, be very deliberate when considering permissions. Taking notes about current permissions and the permissions being assigned is a good idea until you become accustomed to working with permissions and fully understand the effect they can have on objects.

 