it103 microsoft windows xp/os chap07

Upload: blusmurfydot1

Post on 17-May-2015

TRANSCRIPT

Page 1: IT103 Microsoft Windows XP/OS Chap07

CONFIGURING AND MANAGING NTFS SECURITY

Chapter 7

Page 2: IT103 Microsoft Windows XP/OS Chap07

Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY 2

OVERVIEW

Understand the structure of NTFS security

Control access to files and folders by using permissions

Optimize access to files and folders by using NTFS best practices

Audit NTFS security

Troubleshoot access to files and folders

Page 3: IT103 Microsoft Windows XP/OS Chap07

Definition of ACL

Access Control Lists (ACLs)

A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) There are two types of access control list, discretionary and system.

Page 4: IT103 Microsoft Windows XP/OS Chap07

Definition of ACE

Access Control Entries (ACEs)

An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

Page 5: IT103 Microsoft Windows XP/OS Chap07

Definition of SID

Security Identifier (SID)

A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.
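The variable-length structure described above can be decoded by hand. The following is an added example, not part of the original slides; it goes beyond the slide text by using the standard binary SID layout (revision, sub-authority count, 48-bit authority, 32-bit sub-authorities), and the domain values in the third sample are constructed.

```python
import struct

# Well-known SIDs (standard Windows values) used to label the output.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its S-<revision>-<authority>-<sub>... string."""
    if len(raw) < 8:
        raise ValueError("a SID has an 8-byte fixed header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:])    # 32-bit, little-endian
    # Authorities of 2**32 or more are written in hex in the string form.
    auth = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth, *map(str, subs)])

def build_sid(authority: int, subs: list) -> bytes:
    """Inverse of parse_sid, used here only to construct sample input."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def describe(raw: bytes) -> str:
    """String SID plus a label; the last sub-authority of an account is its RID."""
    sid = parse_sid(raw)
    return f"{sid} ({WELL_KNOWN.get(sid, 'account or group')})"

# Constructed samples: two well-known SIDs and one made-up domain account.
SAMPLES = [
    bytes.fromhex("010100000000000100000000"),
    bytes.fromhex("01020000000000052000000020020000"),
    build_sid(5, [21, 1111111111, 2222222222, 3333333333, 1001]),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(len(raw), "bytes ->", describe(raw))
```

The three samples are 12, 16 and 28 bytes long, which is the "variable length" the definition refers to.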

Page 6: IT103 Microsoft Windows XP/OS Chap07

MASTER FILE TABLE (MFT)

Page 7: IT103 Microsoft Windows XP/OS Chap07

MFT – More Detail

The previous slide depicts the MFT in NTFS.

It is a common misconception that security descriptors (ACLs) reside in the MFT. Beginning with NTFS 5, they are stored in a separate metadata file ($Secure) in the NTFS volume.

This provides, in essence, single-instance storage of ACLs so they can be reused wherever the same permissions are applied.

Page 8: IT103 Microsoft Windows XP/OS Chap07

MFT – More Detail (cont)

This allows one security descriptor to be used for every folder and file in a folder tree that has the same permissions.

The result is a large saving in the space formerly required to store an ACL for each file and folder in the tree. These security descriptors are referenced in the MFT record as a security index value ($SII).

Page 9: IT103 Microsoft Windows XP/OS Chap07

SECURITY DESCRIPTORS

Page 10: IT103 Microsoft Windows XP/OS Chap07

Security descriptors

Security descriptors, stored in the $Secure metadata file, contain the ACLs for files and folders.

When a user wants to open a file, the user’s application packages a request containing the requested operation and the user’s access token. This is compared with the ACL for the requested resource; if the user has the required permissions, the operation is allowed.

Page 11: IT103 Microsoft Windows XP/OS Chap07

ACCESS CONTROL LISTS (ACLs)

Store access control entries (ACEs)

Assigned to security descriptor for file system object

Evaluated to control access to objects

There are two types of ACLs:

Discretionary ACL (DACL): controls permissions

System ACL (SACL): controls auditing

Page 12: IT103 Microsoft Windows XP/OS Chap07

ACCESS CONTROL ENTRIES (ACEs)

Stored in ACLs (which are collections of ACEs, grouped by resource)

Consist of user or group SIDs with permission entries

Can be set for Allow, Deny, or Audit

Allow and Deny ACEs can exist in the same ACL

Audit ACEs are kept in SACLs

Deny ACEs override Allow ACEs

Page 13: IT103 Microsoft Windows XP/OS Chap07

ACE – more detail

ACEs are the basic building blocks of NTFS security.

They map user or group identities with assigned permissions and control file system security auditing by listing which file system operations will be audited for the assigned object.

Page 14: IT103 Microsoft Windows XP/OS Chap07

‘Allow’ ACEs & ‘Deny’ ACEs

Allow - they define which operations are allowed on an object for the specified user or group.

Deny - they define which operations are specifically denied. Deny ACEs always override Allow ACEs and are used to define exceptions to the general Allow rules for the object. Basically: the more restrictive entry overrules.

Page 15: IT103 Microsoft Windows XP/OS Chap07

‘Audit’ ACEs

Audit ACEs are stored in SACLs (System ACL) to define which operations will be audited by file system auditing.

Audit entries are added to the system’s Security event log when audited operations are performed.

Page 16: IT103 Microsoft Windows XP/OS Chap07

STANDARD NTFS PERMISSIONS

Page 17: IT103 Microsoft Windows XP/OS Chap07

SPECIAL PERMISSIONS

Page 18: IT103 Microsoft Windows XP/OS Chap07

PERMISSION INHERITANCE

Subfolders and files inherit permissions

Inheritance can be blocked

Blocking required for new permissions

Page 19: IT103 Microsoft Windows XP/OS Chap07

A little more detail…

Permissions are inherited by all subfolders and files unless they are prevented or blocked.

When blocking inheritance, you can copy existing permissions or remove all permissions and start anew.

Only by blocking inherited permissions can you modify the permissions of a folder.

Page 20: IT103 Microsoft Windows XP/OS Chap07

COPYING OR MOVING NTFS OBJECTS

Page 21: IT103 Microsoft Windows XP/OS Chap07

…A little more detail…

When you move or copy files or folders, the only time permissions are preserved without the aid of Xcopy.exe is when the object is moved within an NTFS volume.

In all other operations, the object inherits permissions from the destination folder (even when the permissions are “None” in the case of a FAT volume).

Page 22: IT103 Microsoft Windows XP/OS Chap07

PLANNING NTFS PERMISSIONS

Consolidate data

Assign permissions to folders

Assign most restrictive permissions possible

Use groups for permission assignment

Avoid excessively blocking inheritance

Avoid the Deny ACE

Page 23: IT103 Microsoft Windows XP/OS Chap07

…A little more detail…

By using these best practices (from the previous slide), students can plan effective permission policies for their folders.

By consolidating data that requires like permissions into folders and assigning permissions to groups of users, you can greatly simplify the process of assigning permissions.

Page 24: IT103 Microsoft Windows XP/OS Chap07

ASSIGNING STANDARD PERMISSIONS

Page 25: IT103 Microsoft Windows XP/OS Chap07

ASSIGNING SPECIAL PERMISSIONS

Page 26: IT103 Microsoft Windows XP/OS Chap07

WHY CAN’T I CHANGE PERMISSIONS FOR THIS FOLDER?

Page 27: IT103 Microsoft Windows XP/OS Chap07

Answer:

When permissions are inherited, you must block inheritance to apply new permissions to a folder.

You do this in the Advanced Security Settings dialog box.

Page 28: IT103 Microsoft Windows XP/OS Chap07

TAKING OWNERSHIP OF FILES

Page 29: IT103 Microsoft Windows XP/OS Chap07

…A little more detail…

If a user is not the owner of a folder or does not have at least Read permission to it, that person cannot see what permissions have been assigned.

If the person is an administrator, then that person must take ownership of the folder in order to be able to set permissions on it.

Page 30: IT103 Microsoft Windows XP/OS Chap07

CACLS.exe?

Change Access Control Lists

It is a powerful command-line tool that you can use to change ACLs for a folder or multiple folders.

It is especially effective for automating periodic permission changes, such as locking users out of a folder during backups or special processing.

Page 31: IT103 Microsoft Windows XP/OS Chap07

CACLS.EXE

Page 32: IT103 Microsoft Windows XP/OS Chap07

CACLS Examples

CACLS <foldername>
    Lists permissions

CACLS <foldername> /G Administrators:F
    Removes all permissions and assigns Full Control to Administrators

CACLS <foldername> /E /G Users:R
    Grants Users Read permission without modifying other permissions

CACLS <foldername> /E /R Users
    Revokes access to Users

Page 33: IT103 Microsoft Windows XP/OS Chap07

MULTIPLE NTFS PERMISSIONS

Sum of all ACEs for user or group

Most lenient permission is the effective permission

Deny overrides all
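The access check from the security descriptor slide (access token compared with the ACL) and the three rules above can be worked through in a few lines. This is an added example, not part of the original slides: the rights, SIDs and group names are constructed, and it models the rule as the slides state it, ignoring ACE ordering and inherited-versus-explicit precedence.

```python
from dataclasses import dataclass
from enum import IntFlag

class Perm(IntFlag):
    """Simplified rights for illustration, not the real NTFS access-mask bits."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: Perm  # rights allowed or denied

def effective(token_sids, dacl) -> Perm:
    """Sum every Allow ACE that matches the token, then remove denied rights."""
    allowed = denied = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE names someone else
        if ace.kind == "allow":
            allowed |= int(ace.mask)
        elif ace.kind == "deny":
            denied |= int(ace.mask)
    return Perm(allowed & ~denied)

def access_check(token_sids, dacl, requested: Perm) -> bool:
    """Grant only if every requested right is in the effective set."""
    return (effective(token_sids, dacl) & requested) == requested

# Constructed sample data (hypothetical domain prefix, groups and users).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
USERS, SALES, TEMPS = "S-1-5-32-545", f"{DOM}-1105", f"{DOM}-1106"
DACL = [
    Ace("allow", USERS, Perm.READ | Perm.EXECUTE),
    Ace("allow", SALES, Perm.READ | Perm.WRITE | Perm.DELETE),
    Ace("deny", TEMPS, Perm.WRITE | Perm.DELETE),
]
# An access token is modelled as the set of the user's SID and group SIDs.
ALICE = {f"{DOM}-1001", USERS, SALES}          # Users + Sales
BOB = {f"{DOM}-1002", USERS, SALES, TEMPS}     # same, plus the denied group
CAROL = {f"{DOM}-1003"}                        # matches no ACE at all

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, int(effective(token, DACL)),
              "write allowed:", access_check(token, DACL, Perm.WRITE))
```

Bob shows why the planning slide says to avoid the Deny ACE: one extra group membership silently removes rights that two other groups grant.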

Page 34: IT103 Microsoft Windows XP/OS Chap07

VIEWING EFFECTIVE PERMISSIONS

Page 35: IT103 Microsoft Windows XP/OS Chap07

AUDITING NTFS ACCESS

Page 36: IT103 Microsoft Windows XP/OS Chap07

Who should have what permissions?

Page 37: IT103 Microsoft Windows XP/OS Chap07

SUMMARY

NTFS permissions work only on NTFS volumes.

Security descriptors are stored in the $Secure file.

ACLs list ACEs assigned to an object.

ACEs map users or groups to permissions.

Permissions are inherited by default.

Effective permissions are the sum of ACEs.

Page 38: IT103 Microsoft Windows XP/OS Chap07

SUMMARY (CONTINUED)

Ownership cannot be “given.”

Deny ACEs override all other ACE types for a particular permission.

Avoid the Deny ACE to limit complexity.