Security within the file system
One of the primary focuses of the NTFS file system is security.
People who use Windows have at one time or another tried to open a file
on the network and received an Access Denied message for that
particular file. NTFS security enables administrators to ensure that
only those who have permission to access certain files and locations
can access them.
File system security within NTFS is an ongoing process because in
many circumstances, security might need to be modified to meet the
needs of an organization. The original configuration for a department’s
files can change over time, and NTFS must change with it.
NTFS assigns security through access control lists (ACLs); these lists contain access control entries (ACEs) that determine which entities have a certain type of access to a portion of the file system.
Access control lists can be one of two types:
- Discretionary Access Control Lists (DACLs): These lists identify the entities that are allowed or denied access to a securable object within the file system.
- System Access Control Lists (SACLs): These lists enable administrative logging of access attempts.
DACLs are the lists that determine whether your access to a file or folder is allowed or denied, whereas SACLs are the lists that help administrators monitor your access to those files.
The following example should help make DACLs a bit easier to understand.
Johanna and Mikhail are members of the operations group for City Power & Light. The operations group maintains files and folders of all the information needed to ensure that field maintenance crews and other teams have the information they need in the event of a power emergency. The operations group is a general collection of team members who help manage field maintenance teams. Operations team members must be able to read, write, and edit folders and files within the Operations folder, which lives on the City Power & Light company file server.
Other departments, such as customer care, need to view certain information regarding the field maintenance teams but not edit it, whereas some departments might not need any access to the operations data at all.
With NTFS, configuring this access is easily achievable by using the built-in security provided by DACLs.
Figure 1 shows the default security information for the Operations folder. A few groups and other entries are added by default when a folder or file is created. These include:
- Authenticated Users: This group includes any user who has authenticated (signed in) to a domain of which the computer managing this object is a member, or to the local computer if it is not a domain member. If no signed-in user account needs access to the resource, this group should be removed.
- System: This built-in group represents the computer itself. The computer needs access to the objects on the system for management purposes. This group should not be removed.
- Administrators: This built-in group contains the designated administrators for this computer. This group should not be removed.
- Users: This group includes the users of the local computer, or of a domain in which this computer is a member, and gives its members access to the object. If not all users of the computer or domain need access to this file or folder, this group should be removed.
Additional groups or even individual users can be added to the DACLs for any object contained within the NTFS file system. Adding and removing entries for a specific object and child objects beneath it are the basis for controlling security within the NTFS file system.
For the operations group example, Figure 1 shows that the Operations folder currently has only the built-in groups defined for its security.
To ensure that the operations group has all the security needed to manage its departmental folder, the group would be added to the DACL for the Operations folder object. To add the operations group, complete the following steps:
- Browse to the Operations folder.
- Press and hold or right-click the folder.
- Select Properties.
- Select the Security tab.
- Tap or click Edit.
- In the Permissions For Operations dialog box, tap or click Add.
- In the Select Users Or Groups dialog box, type the name of the user or group to add; in this case, type Operations.
Note: LOCATIONS AND ENVIRONMENTS
Ensure that the location for the group is correct for your environment. If you are working in a domain environment, the location should be set to that of your domain.
- Tap or click Check Names to verify the names of the groups or user accounts you have added.
- Tap or click OK in the Select Users Or Groups dialog box.
- To allow the ability to read, write to, and modify the Operations folder, select the check box next to Modify under the Allow column heading.
- Tap or click OK to apply these settings to the folder and save the DACL.
Important: THE DENY PERMISSION OVERRIDES OTHER PERMISSIONS
Discretionary access control lists treat the Deny permission specially. If you specify that a group or user account is denied access to an object, that account or the members of that group will not have access to the object, regardless of the permissions granted to any other groups that have access to it. If you are explicitly denied access to an object, you will not have access to the object. Use Deny permissions with caution.
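The same change made as a script instead of through the dialog boxes, as an added example that is not part of the original text: it grants the Operations group Modify on the Operations folder and then lists the saved DACL, flagging any Deny entries that would override the new Allow. The folder path D:\Shares\Operations and the group name CONTOSO\Operations are assumptions; the script needs Windows PowerShell 5.1 or later and an account allowed to change the folder's permissions.

```powershell
param(
    [string]$FolderPath = 'D:\Shares\Operations',   # assumed folder location
    [string]$Principal  = 'CONTOSO\Operations'      # assumed DOMAIN\group name
)

$acl = Get-Acl -Path $FolderPath

# "Modify" under the Allow column is FileSystemRights.Modify. ContainerInherit plus
# ObjectInherit is what the Applies To list calls "This Folder, Subfolders, And Files".
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Re-read the saved DACL and list every entry. Deny entries are marked because a Deny
# that matches a member of Operations wins over the Allow that was just added.
$saved = Get-Acl -Path $FolderPath
foreach ($ace in $saved.Access) {
    $type = if ($ace.AccessControlType -eq 'Deny') { 'DENY ' } else { 'allow' }
    '{0} {1,-30} {2,-45} inherited={3}' -f $type, $ace.IdentityReference,
        $ace.FileSystemRights, $ace.IsInherited
}
$denies = @($saved.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    Write-Warning ('{0} Deny entries on {1}; confirm none applies to members of {2}.' -f
        $denies.Count, $FolderPath, $Principal)
}
```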
Common collections of permissions make managing access to file system objects easier to understand. The common permission sets are:
- Full Control: Allows complete access to objects, including management permissions and the ability to take ownership of an object.
- Modify: Allows editing, viewing, and deletion of objects (includes the Read & Execute, List Folder Contents, Read, and Write permissions).
- Read & Execute: Allows other object types, such as application files, to be opened or executed (includes the Read permission).
- List Folder Contents: Allows items within folders to be viewed (includes the Read and Read & Execute permissions).
- Read: Allows file and folder objects to be opened.
- Write: Allows creation and editing of objects.
- Special Permissions: Contains any combination of permissions that an administrator wants. This group of permissions is managed by clicking the Advanced button on the Security tab.
Although these groupings comprise common permission sets, you can see the entire list of available permissions by tapping or clicking the Advanced button. In the Advanced Security Settings dialog box, the currently assigned permissions for the object are displayed, as shown in Figure 2.
If you need to configure additional advanced permissions, tap or click the Add button in this dialog box to open the Permission Entry dialog box for the selected object. Here you can manage both basic and advanced permissions for the object. The Permission Entry dialog box is shown in Figure 3.
A principal is a user account or group to which security and permissions can be assigned. To configure permissions from the Permission Entry dialog box, complete the following steps:
- Tap or click the Select A Principal link at the top of the dialog box.
- Type the account or group name with which you want to work and tap or click Check Names to verify that the account exists.
- Tap or click OK to add the selected account or group as the security principal.
- Select the type of permission to assign, Allow or Deny, by using the Type list.
- Specify the objects to which this permission will apply by using the Applies To list; the following options are available for folder objects:
  - This Folder Only
  - This Folder, Subfolders, And Files
  - This Folder And Subfolders
  - This Folder And Files
  - Subfolders And Files Only
  - Subfolders Only
  - Files Only
If you are applying permissions to individual files, the Permission Entry dialog box appears slightly different. You can select either basic permissions or advanced permissions. To select permissions for files, select the check boxes for the permissions to assign. The basic permissions for files are as follows:
- Full Control
- Modify
- Read & Execute
- Read
- Write
Advanced Permissions include the following:
- Full Control
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folder/Append Data
- Write Attributes
- Write Extended Attributes
- Delete
- Read Permissions
- Change Permissions
- Take Ownership
In Advanced Permissions, some of these options are selected by default because advanced permissions are combined to create the basic permission sets.
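An added example, not from the original text, that ties the Permission Entry dialog's choices to what is actually stored in each ACE: it maps the seven Applies To options to the InheritanceFlags and PropagationFlags pair an ACE carries, labels a constructed ACE for CONTOSO\Operations (an assumed group name) in the dialog's own wording, and expands each basic permission set into the advanced permissions it is made of. It runs in Windows PowerShell 5.1 or later and touches no files.

```powershell
using namespace System.Security.AccessControl

# Applies To option -> (InheritanceFlags, PropagationFlags) stored in the ACE.
# The "Only" options carry InheritOnly, so the ACE does not apply to the folder itself.
$AppliesTo = [ordered]@{
    'This Folder Only'                   = @([InheritanceFlags]::None,             [PropagationFlags]::None)
    'This Folder, Subfolders, And Files' = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None)
    'This Folder And Subfolders'         = @([InheritanceFlags]::ContainerInherit, [PropagationFlags]::None)
    'This Folder And Files'              = @([InheritanceFlags]::ObjectInherit,    [PropagationFlags]::None)
    'Subfolders And Files Only'          = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::InheritOnly)
    'Subfolders Only'                    = @([InheritanceFlags]::ContainerInherit, [PropagationFlags]::InheritOnly)
    'Files Only'                         = @([InheritanceFlags]::ObjectInherit,    [PropagationFlags]::InheritOnly)
}

# Describe an ACE's inheritance in the dialog's wording; handy when reviewing
# Get-Acl output, which shows only the raw flags.
function ConvertTo-AppliesTo {
    param([FileSystemAccessRule]$Ace)
    foreach ($entry in $AppliesTo.GetEnumerator()) {
        if ($Ace.InheritanceFlags -eq $entry.Value[0] -and $Ace.PropagationFlags -eq $entry.Value[1]) {
            return $entry.Key
        }
    }
    'Non-standard flags: {0} / {1}' -f $Ace.InheritanceFlags, $Ace.PropagationFlags
}

# The advanced permissions listed above as single FileSystemRights bits. The dialog's
# paired names share one bit each (Traverse Folder/Execute File, List Folder/Read Data,
# Create Folder/Append Data); Synchronize is an implicit bit the dialog never shows.
$Advanced = [FileSystemRights[]]@(
    'ExecuteFile', 'ReadData', 'ReadAttributes', 'ReadExtendedAttributes',
    'CreateFiles', 'AppendData', 'WriteAttributes', 'WriteExtendedAttributes',
    'Delete', 'ReadPermissions', 'ChangePermissions', 'TakeOwnership',
    'DeleteSubdirectoriesAndFiles', 'Synchronize'
)

# Expand a basic permission set into the advanced bits it is built from.
function Expand-BasicPermission {
    param([FileSystemRights]$Basic)
    $Advanced | Where-Object { ($Basic -band $_) -eq $_ }
}

# Constructed in memory only: the ACE the earlier steps create for the Operations group.
$rule = [FileSystemAccessRule]::new('CONTOSO\Operations', 'Modify',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
'Applies To: {0}' -f (ConvertTo-AppliesTo $rule)
foreach ($name in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    '{0,-15}= {1}' -f $name, ((Expand-BasicPermission ([FileSystemRights]$name)) -join ', ')
}
```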
Note: DOCUMENT PERMISSIONS TO AVOID POTENTIAL PROBLEMS
Working with permissions can be an interesting project. Because it is possible to isolate any user completely, including administrators, from files and folders, be very deliberate when considering permissions. Taking notes about current permissions and the permissions being assigned is a good idea until you become accustomed to working with permissions and fully understand the effect they can have on objects.