NTFS folder permissions. NTFS Permissions - Abstract. Features of inheritance when copying and moving files


In any system based on Windows NT technologies there are special network resources (shares). The names of some of them end with the $ symbol; such shares are not visible when browsing the network (Network Neighborhood) or when opening a server's resources by the name \\<server name>. However, if you specify the full UNC name of the share, you can see the data located in it.

Let's list these resources:

  • a resource of the form \\<server name>\admin$ (for example, \\DC1\admin$) - intended for remote administration of the computer; the path always corresponds to the folder in which Windows is installed; only members of the Administrators, Backup Operators and Server Operators groups can connect to this resource;
  • a resource of the form \\<server name>\<drive letter>$ (for example, \\DC1\C$) - the root folder of the specified drive; on a Windows server only members of the Administrators, Backup Operators and Server Operators groups can connect to shares of this type; on computers running Windows XP Professional and Windows 2000 Professional, members of the Administrators and Backup Operators groups can connect to them;
  • the resource \\<server name>\IPC$ (for example, \\DC1\IPC$) - used for remote administration;
  • the resource \\<server name>\NETLOGON (for example, \\DC1\NETLOGON) - used only on domain controllers; logon scripts compatible with previous versions of Microsoft operating systems are stored in this network folder;
  • the resource \\<server name>\SYSVOL - used only on domain controllers; the file part of group policies is stored in this network folder;
  • the resource \\<server name>\PRINT$ - a resource that supports shared printers; in particular, drivers for shared printers are stored in this folder.

You can view the complete list of resources that a given server shares in the Shared Folders snap-in, in its Shares section (Fig. 8.35):


Fig. 8.35.

In the same section of this snap-in you can stop sharing a resource, change share permissions, and create new shares.

In addition to special network resources with the $ symbol at the end of the resource name, granted to groups with high authority, this symbol can be used to grant access to any other resource that is granted network access by the administrator himself. In this case, the network resource will also be hidden during normal network browsing, but will be accessible by specifying the full UNC name, and access can be allowed to those user groups that need this resource.
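The point made above, that a $-suffixed share is merely hidden from browsing and not protected by being hidden, is easy to verify with an inventory. The following PowerShell function is an added example, not part of the original text; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and the Win32_Share WMI class, and it flags every hidden share that is not one of the built-in administrative shares so that its share and NTFS permissions can be reviewed.

```powershell
# Added example, not from the original text: inventory the SMB shares on a machine
# and flag hidden ($-suffixed) shares that are not built-in administrative shares.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and the Win32_Share WMI class.

function Get-ShareInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Share.Type: the high bit (0x80000000) marks an administrative share
    # such as admin$, C$ or IPC$; the low byte gives the share kind.
    $kinds = @{ 0 = 'Disk'; 1 = 'PrintQueue'; 2 = 'Device'; 3 = 'IPC' }

    Get-CimInstance -ClassName Win32_Share -ComputerName $ComputerName | ForEach-Object {
        $isAdmin  = ($_.Type -band 0x80000000) -ne 0
        $isHidden = $_.Name.EndsWith('$')
        [pscustomobject]@{
            Name           = $_.Name
            Path           = $_.Path
            Kind           = $kinds[[int]($_.Type -band 0xFF)]
            Hidden         = $isHidden        # not browsable, still reachable by full UNC name
            Administrative = $isAdmin
            # A $-share created by an administrator is hidden, not protected: its
            # share and NTFS permissions are what decide who can open it.
            ReviewNeeded   = $isHidden -and -not $isAdmin
        }
    }
}

# Usage: list every share, hidden ones first, so the custom hidden ones stand out.
Get-ShareInventory | Sort-Object Hidden -Descending | Format-Table -AutoSize
```

NETLOGON and SYSVOL appear as ordinary visible disk shares; admin$, the drive shares and IPC$ are recognised by the administrative bit in Type, so only shares an administrator created with a trailing $ end up with ReviewNeeded set.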

NTFS Permissions

We emphasize once again that share permissions apply only when a resource is accessed over the network. If the user is logged on locally, access can be controlled only with NTFS permissions. On a volume (partition) with the FAT file system, the user has full access to the information on that volume.

NTFS permissions are set by opening the Properties of a folder or file and going to the Security tab. As can be seen in Fig. 8.36, the set of NTFS permission types is much richer than the set of share permissions.


Fig. 8.36.

On an NTFS volume, you can assign the following types of permissions to folders:

  • Full Control;
  • Modify;
  • Read and Execute;
  • List Folder Contents;
  • Read;
  • Write;
  • Special permissions.

For files there is no List Folder Contents permission.

If you click the Advanced button, you can fine-tune the permissions.

NTFS permissions can be explicit or inherited. By default, all folders and files inherit the permissions of the container object (parent object) in which they are created. Inherited permissions make access control easier: if an administrator needs to change access rights for a folder and all its contents, it is enough to do this for the folder itself, and the change automatically affects the entire hierarchy of subfolders and documents. Fig. 8.36 shows that the Administrators group has inherited Full Control permissions on folder Folder1, and Fig. 8.37 shows that the Users group has a set of explicitly assigned permissions:


Fig. 8.37.

Inherited permissions cannot be edited directly. If you click the Advanced button, you can cancel inheritance of permissions from the parent object. In this case the system offers two options: either copy the previously inherited permissions as explicit permissions, or remove them completely.
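The two options behind the Advanced button correspond to one .NET call, SetAccessRuleProtection(isProtected, preserveInheritance). The script below is an added example, not code from the original text; it runs both options against throw-away folders under $env:TEMP (constructed paths) and reports how many explicit and inherited ACEs remain in each case.

```powershell
# Added example, not from the original text: break inheritance on a folder either by
# copying the inherited ACEs as explicit ones or by dropping them, which is what the
# two options behind the Advanced button do. Uses the .NET DirectorySecurity API on
# throw-away folders under $env:TEMP (constructed paths).

function Disable-AclInheritance {
    param(
        [Parameter(Mandatory)][string]$Path,
        # $true  = "copy":   inherited ACEs are kept as explicit ACEs on this object
        # $false = "remove": inherited ACEs are dropped; only explicit ACEs remain
        [bool]$CopyInheritedAces = $true
    )
    $acl = Get-Acl -Path $Path
    # SetAccessRuleProtection(isProtected, preserveInheritance)
    $acl.SetAccessRuleProtection($true, $CopyInheritedAces)
    Set-Acl -Path $Path -AclObject $acl

    $after = Get-Acl -Path $Path
    [pscustomobject]@{
        Path          = $Path
        Protected     = $after.AreAccessRulesProtected
        ExplicitAces  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedAces = @($after.Access | Where-Object { $_.IsInherited }).Count
    }
}

function Restore-AclInheritance {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $false)   # re-enable inheritance from the parent
    Set-Acl -Path $Path -AclObject $acl
}

$base      = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ('ntfs-inherit-demo-' + [guid]::NewGuid()))
$copyDir   = New-Item -ItemType Directory -Path (Join-Path $base.FullName 'Copy')
$removeDir = New-Item -ItemType Directory -Path (Join-Path $base.FullName 'Remove')

'Before: every ACE on a new folder is inherited'
(Get-Acl $copyDir.FullName).Access | Select-Object IdentityReference, FileSystemRights, IsInherited

'Option 1, copy: the same ACEs, now explicit'
Disable-AclInheritance -Path $copyDir.FullName -CopyInheritedAces $true

'Option 2, remove: an empty DACL; only the owner can still read and rewrite it'
Disable-AclInheritance -Path $removeDir.FullName -CopyInheritedAces $false

# Clean up: an empty DACL blocks even the owner from listing or deleting the folder,
# so re-enable inheritance first (the owner always keeps READ_CONTROL and WRITE_DAC).
Restore-AclInheritance -Path $removeDir.FullName
Remove-Item -Path $base.FullName -Recurse -Force
```

The second option is the one that locks people out when used carelessly: with no explicit ACEs left, nobody matches the DACL and only the owner's implicit right to read and rewrite it remains, which is exactly the recovery path described in the section on ownership below.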

Mechanism for applying permissions

In Section 8.1 it was said that each file is a set of attributes. The attribute that holds the NTFS permissions is called the access control list (ACL). The structure of the ACL is shown in Table 8.4. Each entry in the ACL is called an access control entry (ACE).

The table lists the security identifiers (SIDs) of user, group or computer accounts and the permissions that correspond to them. In Figs 8.36 and 8.37 the names of the users and groups in the ACL are shown instead of their SIDs. Section 4 stated that when a user logs on to the network (registers in a domain), the domain controller sends the user's session on the computer an access token containing the SID of the user himself and the SIDs of the groups of which he is a member. When the user attempts to perform an action on a folder or file (that is, requests some type of access to an object), the system compares the SIDs in the user's access token with the SIDs in the object's ACL. Where SIDs match, the user is granted the permissions recorded in the matching entries.

Note that when an administrator changes a user's group membership (adds the user to a new group or removes him from a group), the user's access token does NOT change automatically. To obtain a new access token the user must log off and log on again; only then does he receive a new access token from the domain controller that reflects the change in group membership.

Procedure for applying permissions

The principle of applying NTFS permissions to access a file or folder is the same as for share permissions:

  • first, denials of any type of access are checked (if there is a denial, that type of access is not allowed);
  • then the set of allowed permissions is checked (if different permissions are granted to the user and to the groups he belongs to, the combined set of permissions applies).

For NTFS permissions the scheme is a little more complicated. Permissions are applied in the following order:

  • explicit denials;
  • explicit permissions;
  • inherited denials;
  • inherited permissions.

If neither the user's SID nor the SID of any group he belongs to appears in either the explicit or the inherited permissions, the user is denied access.
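The four-step order above, together with the rule that a token matching no ACE gets nothing, can be written down as a short algorithm. The following PowerShell is an added example rather than the system's own code: the ACL is a constructed in-memory list with placeholder SIDs, and no file-system object is touched. It walks the ACEs in canonical order, lets a deny block only bits that a higher-priority allow has not already granted, and unions the allows for the user and his groups.

```powershell
# Added example, not from the original text: the evaluation order above, implemented
# over a constructed in-memory ACL. The SIDs, ACEs and token below are made up for
# illustration; no file-system object is read or changed.

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)][object[]]$Acl,        # objects with Sid, Type, Rights, Inherited
        [Parameter(Mandatory)][string[]]$TokenSids   # SIDs of the user and of his groups
    )
    # 1. Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    $ordered = $Acl | Sort-Object { 2 * [int][bool]$_.Inherited + [int]($_.Type -eq 'Allow') }

    [int]$granted = 0   # bits allowed so far
    [int]$blocked = 0   # bits denied before any allow reached them
    foreach ($ace in $ordered) {
        # 2. Only ACEs whose SID appears in the access token count.
        if ($TokenSids -notcontains $ace.Sid) { continue }
        $mask = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights
        if ($ace.Type -eq 'Deny') {
            # A deny blocks only bits that no earlier (higher-priority) allow granted.
            $blocked = $blocked -bor ($mask -band (-bnot $granted))
        } else {
            # An allow cannot reopen bits that an earlier deny blocked; matching
            # allows for the user and his groups add up (union).
            $granted = $granted -bor ($mask -band (-bnot $blocked))
        }
    }
    # 3. No matching ACE at all leaves $granted at 0: access denied.
    [System.Security.AccessControl.FileSystemRights]$granted
}

# Constructed sample (placeholder SIDs, not real accounts).
$sidUser1    = 'S-1-5-21-1-1-1-1001'
$sidSales    = 'S-1-5-21-1-1-1-2001'
$sidEveryone = 'S-1-1-0'
$token       = @($sidUser1, $sidSales, $sidEveryone)

$sampleAcl = @(
    [pscustomobject]@{ Sid = $sidSales;    Type = 'Deny';  Rights = 'Delete';         Inherited = $true  }
    [pscustomobject]@{ Sid = $sidUser1;    Type = 'Allow'; Rights = 'Modify';         Inherited = $false }
    [pscustomobject]@{ Sid = $sidEveryone; Type = 'Allow'; Rights = 'ReadAndExecute'; Inherited = $true  }
)

# Inherited deny vs. explicit allow: the explicit allow is evaluated first and wins.
Get-EffectiveRights -Acl $sampleAcl -TokenSids $token

# Make the same deny explicit: now it is evaluated before the allow and removes Delete.
$sampleAcl[0].Inherited = $false
Get-EffectiveRights -Acl $sampleAcl -TokenSids $token

# A token that matches no ACE gets nothing.
Get-EffectiveRights -Acl $sampleAcl -TokenSids @('S-1-5-21-9-9-9-3001')
```

The first call keeps the full Modify set even though the user's Sales group carries a deny on Delete, because an explicit allow outranks an inherited deny; flipping that deny to explicit makes it outrank the allow and strips Delete; the last call shows the default when nothing matches.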

Ownership of a folder or file

The user who created a folder or file is the owner of that object. The owner has the right to change the NTFS permissions on the object even if all other types of access are denied to him. The current owner of an object can be seen by opening the object's Properties, selecting the Security tab, clicking the Advanced button and going to the Owner tab (Fig. 8.38):


Fig. 8.38.

Attention! A system administrator can change the owner of an object by selecting a new owner from the list offered in this window or from the full list of users (by clicking the Other users or groups button). This feature is given to administrators so that access to an object can be restored when it is lost because of incorrectly assigned permissions or because the account that had exclusive access to the object was deleted (for example, the only employee who had access to a file left the company, the administrator deleted his account, and as a result access to the file was lost completely; the only way to restore it is to transfer ownership of the file to the administrator or to the new employee who takes over the dismissed employee's duties).
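To see the token-to-ACL matching described in the previous section and the owner described here on a real object, the following PowerShell function is useful. It is an added example, not part of the original text; it is read-only (nothing is changed), and the path it is run against is just a placeholder. It reads the owner and the ACEs with identities resolved to SIDs, lists the SIDs carried in the current process token, and marks which ACEs that token matches.

```powershell
# Added example, not from the original text: read an object's owner and ACEs with the
# identities resolved to SIDs, list the SIDs carried in the current process token, and
# mark which ACEs that token matches. Read-only; nothing is changed. The path used at
# the bottom is a constructed placeholder.

function Get-AclAgainstToken {
    param([Parameter(Mandatory)][string]$Path)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The token holds the user's own SID plus the SIDs of every group he is a member of.
    # It is built at logon, so group changes show up here only after logging off and on.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl      = Get-Acl -Path $Path
    $ownerSid = $acl.GetOwner($sidType).Value
    # GetAccessRules(includeExplicit, includeInherited, targetType) returns the ACEs with
    # the identity as a SID, which is how the ACL actually stores them.
    $aces = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        [pscustomobject]@{
            Sid          = $rule.IdentityReference.Value
            Type         = $rule.AccessControlType
            Rights       = $rule.FileSystemRights
            Inherited    = $rule.IsInherited
            MatchesToken = $tokenSids -contains $rule.IdentityReference.Value
        }
    }

    [pscustomobject]@{
        Path         = $Path
        OwnerSid     = $ownerSid
        # The owner can always read and rewrite the DACL, whatever the ACEs say.
        TokenIsOwner = $tokenSids -contains $ownerSid
        TokenUserSid = $identity.User.Value
        Aces         = $aces
    }
}

$report = Get-AclAgainstToken -Path $env:TEMP   # any NTFS path will do
$report | Select-Object Path, OwnerSid, TokenIsOwner, TokenUserSid
$report.Aces | Format-Table -AutoSize
```

Running it before and after being added to a group, without logging off in between, shows the point made earlier: the new group's SID is absent from the token, so ACEs for that group are reported as not matching until the user logs on again.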

Sharing Network and NTFS Permissions

When file shares hosted on an NTFS volume are accessed over the network, a combination of share and NTFS permissions is applied to the user.

When accessing over the network, the share permissions are calculated first (by combining the permissions for the user and for the groups he belongs to). The NTFS permissions are then calculated in the same way. The resulting effective permissions for that particular object are the minimum (the more restrictive) of the calculated share and NTFS permissions.

Control access using groups

User groups are created specifically to more effectively manage access to resources. If you assign access rights to each resource for each individual user, then, firstly, this is very labor-intensive work, and secondly, it becomes difficult to track changes in access rights when a user changes his position in a department or moves to another department.

Let us repeat the material from Section 4. For more effective access control, the following scheme for organizing access provision is recommended:

  1. user accounts are placed in global domain groups in accordance with the staffing structure of the company/organization and the duties performed;
  2. global groups are placed in domain local groups or in local groups on a particular server in accordance with the access rights required for a particular resource;
  3. the corresponding local groups are assigned the necessary permissions to specific resources.

This scheme, named after the first letters of the objects involved, is abbreviated AGLP (Accounts, Global groups, Local groups, Permissions). With this arrangement, if a user is promoted, demoted or transferred to another department, there is no need to go through all the network resources whose access must be changed for this user. It is enough to change the user's membership in the global groups accordingly, and his access rights to network resources change automatically.

Let us add that in the native modes of an Active Directory domain (the "Windows 2000 native" or "Windows 2003" modes), with the arrival of group nesting and universal groups, the AGLP scheme was extended to the scheme AGG...GULL...LP.

In the previous lecture we talked about network security and the concept of permissions, but it is worth returning to the subject now, since permissions are available only on NTFS hard drives. In this section we will look at the capabilities of NTFS for protecting your files from prying eyes. Unlike the FAT file system, where access to a shared resource is simply either allowed or not, NTFS provides a level of granularity that lets in only those you want and filters out everyone else.

Permissions for an individual user

Before discussing permissions for users and groups, as well as files themselves, it is important to review the basics of how permissions work. First we'll show you what inheritance is, and then we'll look at a tool in Windows XP Professional that should help you, but can become a stumbling block if you don't understand its features.

Inheritance

There may be only a couple of users on the network, or there may be thousands. By setting custom permissions on NTFS volumes and folders, this task can be relatively simple in a six-person organization. As noted in Chapter 9, as an organization begins to grow, dividing users into specific groups makes managing permissions much easier.

You should first create a set of permissions for a specific group, such as engineers. In this case, when a new engineer appears in the organization, he is automatically added to this group. At the same time, permissions for this group are inherited.

Note. Inheritance also applies to other objects on an NTFS volume. For example, if you set permissions on a specific folder and then create a subfolder within it, the inheritance right frees you from creating a new set of permissions for that subfolder because it inherits the permissions of the parent folder.

If you believe that a group of engineers needs to issue or renew a specific permit, it is easy to do so. Once changed (which we'll talk about later in this lecture), the new permission is assigned to each member of that group.

On the other hand, a particular engineer may need a permission that the others do not. You can make the necessary change for that user individually, within the engineering group, and he will receive a new permission that he does not obtain through his membership in the group. In this case the permission does not apply to the other group members.

New to Windows XP Professional is simple file sharing. This feature is enabled when you install Windows XP Professional for the first time or when you share a volume or folder. To enable more user access control tools, simple file sharing must be disabled.

You may wonder why simple file sharing is needed if this feature must be disabled. Only to facilitate the process of sharing files and folders. With simple file sharing enabled, there aren't many configurations for how users can access files, printers, etc. This provides an easy way to share files. However, if you want to control who can access files, simple file sharing should be disabled. To do this, follow these steps.

  1. Select Start\My Computer, then click Tools and select Folder Options.
  2. In the Folder Options dialog box, click the View tab.
  3. Scroll through the list of settings in the Advanced Settings window and either check or clear the Use simple file sharing checkbox.
  4. Click on OK.

Note. Disabling simple file sharing alone is not enough to let you set file permissions. You must also place all your files and folders on an NTFS volume or partition.

Permissions for folders and volumes

Permissions control what a user or group can do with an object on the network or on their local computer. Permissions are supported only when simple file sharing is disabled and only on NTFS volumes. Table 10.2 lists the permissions that can be assigned to folders, and Table 10.3 the permissions that can be assigned to files.

Table 10.2. Folder Permissions

  Permission                    Allows or denies this action
  Change Permissions            Change folder permissions.
  Create Files                  Create new files in this folder.
  Create Folders                Create subfolders in this folder.
  Delete                        Delete the folder.
  Delete Subfolders and Files   Delete files and subfolders even if you do not have permission to create them.
  List Folder                   View the contents of the folder.
  Read Attributes               View folder attributes.
  Read Permissions              View folder permissions.
  Take Ownership                Take ownership of the folder from another user.
  Traverse Folder               Open the folder to reach its subfolders and parent folders.
  Write Attributes              Make changes to folder properties.

Table 10.3. File Permissions

  Permission                    Allows or denies this action
  Append Data                   Add information to the end of a file without changing existing information.
  Change Permissions            Make changes to file permissions.
  Delete                        Delete the file.
  Execute File                  Run the program contained in the file.
  Read Attributes               View file attributes.
  Read Data                     View file contents.
  Read Permissions              View file permissions.
  Take Ownership                Take ownership of the file from another owner.
  Write Attributes              Change file attributes.
  Write Data                    Change the contents of the file.

Create and manage permissions

By creating permissions for individual files, folders, and NTFS volumes, you can take advantage of many more security options than the FAT file system offers. The Properties tab of the selected folder or volume includes a Security tab. By clicking on it, you can see a number of options to control access.

To configure permissions for a given folder or volume, follow these steps.

  1. Specify the volume or folder for which you are going to set permissions.
  2. Right-click on it and select Properties.
  3. Select the Security tab.

Note. If the NTFS volume is shared, you must set permissions through the Security tab rather than using the Permissions button on the Sharing tab.

In the properties window that appears you will see two panes. The top pane contains a list of users and groups (Fig. 10.7). The bottom pane lists the permissions that can be set and adjusted for the selected user. Again, this tab is available only for NTFS volumes.

Fig. 10.7. Security Tab of the Properties Dialog Box

By clicking on a specific user or group, you can set permissions for them in the lower window. The following permissions are available.

  • Full Control. Allows a user or group to read, create, modify, and delete files.
  • Modify. Allows users to delete files and folders, make changes to permissions, or take ownership of a file or folder from another user.
  • Read & Execute. Allows users to read and run files without making changes to the contents of the shared volume or folder.
  • List Folder Contents. Allows users to view the contents of folders.
  • Read. Allows users to view the contents of a volume or folder. They can also open files, but are not allowed to save changes.
  • Write. Allows users to write to folders or volumes, but prevents them from opening files or viewing a list of files.
  • Special permissions. By clicking the Advanced button, you can apply special permissions.
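Each standard permission in the list above is a fixed combination of the special permissions from Tables 10.2 and 10.3, which is what the Advanced button exposes. The PowerShell below is an added example, not from the original text; it uses the .NET FileSystemRights flags enum, which the Security tab edits, to expand every standard permission into the single-bit special permissions it contains. Nothing on disk is touched.

```powershell
# Added example, not from the original text: expand each standard NTFS permission
# into the special permissions (the entries of Tables 10.2 and 10.3) it is made of,
# using the FileSystemRights flags enum that the Security tab edits. Nothing on disk
# is touched.

function Expand-FileSystemRights {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    $enum  = [System.Security.AccessControl.FileSystemRights]
    $value = [int]$Rights

    # Group the enum's single-bit members by bit; the folder and file names for the
    # same bit (e.g. ListDirectory / ReadData) end up together. Composite members such
    # as Modify or Read are skipped because they are not a single bit.
    $byBit = @{}
    foreach ($name in [System.Enum]::GetNames($enum)) {
        $bit = [int]($name -as $enum)
        if (($bit -band ($bit - 1)) -ne 0) { continue }
        if ($byBit.ContainsKey($bit)) { $byBit[$bit] += @($name) } else { $byBit[$bit] = @($name) }
    }
    foreach ($bit in ($byBit.Keys | Sort-Object)) {
        if (($value -band $bit) -ne 0) {
            [pscustomobject]@{ Bit = ('0x{0:X6}' -f $bit); SpecialPermission = ($byBit[$bit] -join ' / ') }
        }
    }
}

function Get-StandardPermissionMap {
    foreach ($standard in 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write') {
        Expand-FileSystemRights -Rights $standard | ForEach-Object {
            [pscustomobject]@{ Standard = $standard; Bit = $_.Bit; SpecialPermission = $_.SpecialPermission }
        }
    }
}

Get-StandardPermissionMap | Format-Table -GroupBy Standard -AutoSize
```

List Folder Contents does not appear as its own enum member: it is the Read & Execute set applied to folders only (inherited by subfolders but not by files), which is why the text notes that files have no such permission.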

Limiting the number of users

Depending on the size and structure of your organization, you may not be able to allow everyone to access the same volume at the same time. If you need to set a limit on the number of users who can simultaneously access a volume or folder, open the Permissions dialog box and select the Sharing tab (Figure 10.8).

In the User limit section, specify one of the following options.

  • Maximum allowed Allow access for the maximum number of network users.
  • Allow this number of users Allow access only for the specified number of users.

More details about permissions can be found in Chapter 9.

NTFS permissions are a set of special extended attributes of a file or directory (folder), set in order to restrict user access to these objects. They are available only on volumes formatted with the NTFS file system. Permissions provide flexible protection because they can be applied both to directories and to individual files, and they apply both to local users (working on the computer where the protected folders and files reside) and to users connecting to the resources over the network.

Permissions should not be confused with rights. These are completely different concepts; more about this is written in the subsection "Windows NT/2000/XP Security Model". Unfortunately, in technical literature and in everyday use these terms are often confused, mostly because of translation errors in the original English-language materials.

NTFS permissions serve primarily to protect resources from local users working on the computer where the resource resides. However, they also apply to remote users connecting to a shared folder over the network. Obviously, in this case the user is subject to two access-restriction mechanisms: first the network (share) permissions, then the local file permissions. The resulting access permissions are therefore the minimum of the share and file permissions. It must be said that the resulting share permissions a user has while working over the network are calculated as the maximum of the permissions in the access list, since the user may be a member of several groups listed there. The same is true for NTFS permissions: the user has the maximum of the permissions listed in the access control list, and only the No Access permission overrides all the others.

NTFS permissions provide highly selective protection: you can set different permissions for each file in a folder. For example, one user can be allowed to read and change the contents of a file, another can only read, and a third can be denied access altogether. Note, however, that it is strongly recommended that you set permissions on ACLs using user group accounts rather than individual user accounts.

Each file object has a so-called access mask. The access mask includes standard, specific and generic access rights.

Standard access rights define operations that are common to all protected objects.

Specific access rights denote the basic rights particular to file objects. For example, the specific rights Read_Data, Write_Data and Append_Data allow, respectively, reading data, writing data and appending data to a file. The rights Read_Attributes, Write_Attributes and Read_EA, Write_EA allow, respectively, reading or writing the attributes or the extended attributes of a file or directory. Finally, a specific access right such as Execute allows a file to be launched for execution.

Generic access rights are used by the system; they define combinations of standard and specific rights. For example, the Generic_Read access right applied to a file includes the following specific and standard rights: Read_Control, File_Read_Data, File_Read_Attributes, File_Read_EA, Synchronize.

NTFS permissions are thus presented differently in Windows NT 4.0 and in the Windows 2000/XP family. The differences mainly concern the interface: Explorer displays differently the permissions that are actually assigned to a file object as access rights and processed at the program level. The permissions shown in Windows 2000/XP are closer to the specific, standard and generic rights discussed above, but they are not as convenient for controlling access to files as the Windows NT 4.0 permissions.

Laboratory work No. 2

Topic: Using techniques for working with the NTFS file system. Assigning access permissions to files and folders.

Duration: 2 hours

Objective: Learn how to set NTFS permissions on files and folders for individual users and groups in the Windows 7 operating system, and how to troubleshoot resource access problems.

Theoretical information

Understanding the use of NTFS permissions

NTFS permissions allow you to explicitly specify which users and groups have access to files and folders and what operations they are allowed to perform on the contents of those files or folders. NTFS permissions apply only to volumes formatted using the NTFS file system. They are not available for volumes that use the FAT or FAT32 file systems. NTFS security is effective whether the user is accessing a file or folder located on the local computer or on a network.

The permissions you set for folders differ from the permissions you set for files. Administrators, file or folder owners, and users with the Full Control permission have the right to assign NTFS permissions to users and groups in order to control access to those files and folders.

Access Control List

NTFS stores an access control list (ACL) for every file and folder on an NTFS volume. This list records the users and groups that have permissions on the file or folder, together with the permissions assigned to them. For a user to access a resource, the ACL must contain an entry, called an access control entry (ACE), for that user or for a group he belongs to, and the entry must grant the requested type of access (for example, Read). If there is no matching ACE in the ACL, the user cannot access the resource.

Multiple NTFS permissions

You can set multiple permissions for a user and all groups of which he is a member. To do this, you must understand the rules and priorities by which multiple permissions are assigned and combined in NTFS and the inheritance of NTFS permissions.

Effective permissions. Effective user permissions for a resource are the collection of NTFS permissions that you assign to an individual user and all groups to which that user belongs. If a user has Read permission on a folder and is part of a group that has Write permission on the same folder, then that user has both permissions.

Setting NTFS permissions and special permissions

You should follow certain guidelines when setting NTFS permissions. Set permissions based on the needs of groups and users, which includes allowing or preventing subfolders and files contained in the parent folder from inheriting permissions from a parent folder.

If you take a little time to plan your NTFS permissions and follow a few planning principles, you will find that permissions are easy to manage.

To simplify administration, group files into the following types of folders: application folders, data folders and personal folders. Centralize public and private folders on a separate volume that contains no operating system files or other applications. This gives the following benefits:

  • you can set permissions on folders rather than on individual files;
  • backups become simpler, because you do not have to back up application files and all the public and private folders are kept in one place.

  • Set only the access level users actually need. If a user only needs to read a file, give him the Read permission on that file. This reduces the chance of the user accidentally changing the file or deleting important documents and application files.

  • Create groups according to the type of access their members need, then set the appropriate permissions for the group. Assign permissions to individual users only when necessary.

  • When setting permissions on data or application files, give the Users and Administrators groups the Read and Execute permission. This prevents application files from being accidentally deleted or damaged by viruses or users.

  • When setting permissions on shared data folders, give the Users group the Read/Execute and Write permissions and the Creator Owner group the Full Control permission. By default, the user who created a document is also its owner. The owner of a file can grant another user permission to take ownership of the file; the user who accepts such rights becomes the owner. If you give the Users group Read/Execute and Write and the Creator Owner group Full Control, users can read and edit documents created by other users, and can read, edit and delete the files and folders they created themselves.
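The shared data folder layout in the last recommendation (Users with Read/Execute and Write, Creator Owner with Full Control) is applied below with PowerShell on a scratch folder. This is an added example, not code from the original text. The folder path is constructed, the group names are the English well-known names, and the Administrators entry with Full Control is my addition for management and recovery, not something the recommendation above prescribes.

```powershell
# Added example, not from the original text: apply the recommended shared data folder
# layout to a scratch folder: Users get Read & Execute + Write, CREATOR OWNER gets
# Full Control on whatever they create. The Administrators entry is my addition for
# management and recovery, not something the text prescribes. The folder path is
# constructed; group names are the English well-known names.

function Set-SharedDataFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Start from a clean slate: stop inheriting from the parent without copying its ACEs,
    # then drop any explicit ACEs that are already there.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

    $both        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none        = [System.Security.AccessControl.PropagationFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    # Users: read, run and create documents anywhere in the tree; no Modify, so they
    # cannot delete or overwrite what other users created.
    $usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute, Write', $both, $none, $allow)
    # CREATOR OWNER: a placeholder ACE that is copied onto each new file or subfolder
    # with the creator's SID, so each user fully controls only what he created.
    $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', $both, $inheritOnly, $allow)
    # Administrators (my addition): full control for administration and recovery.
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $both, $none, $allow)

    foreach ($rule in $usersRule, $ownerRule, $adminRule) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags
}

$demo = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'shared-data-demo') -Force
Set-SharedDataFolderAcl -Path $demo.FullName | Format-Table -AutoSize
```

The Write set (0x116) deliberately does not contain Delete, so a member of Users can create and append to files but can remove only those on which the inherited CREATOR OWNER entry, now carrying his own SID, grants Full Control.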

Consider the following situation: User1 has the Write permission on the Data folder. He is also a member of the Everyone group, which has the Read permission. User1's effective permission is therefore the combination of Read and Write, but only for the Data folder.

Unlike share permissions, NTFS permissions do not grant access to subfolders of the Data folder.

Example: NTFS permissions for a file

Consider the following situation: User1 has the Read and Write permissions on the file File1 in the Data folder. He is also a member of the Sales group, which has a different permission on the Data folder, Read. As a result, User1 can read the Data folder and can read and write File1, because NTFS file permissions take precedence over folder permissions.

  • NTFS permissions provide strong protection for folders and files located on Windows NT File System (NTFS) volumes.
  • NTFS permissions for folders and files apply both to users working directly on the computer and to those accessing protected objects on the computer over the network.
  • As with share permissions, a user can obtain an NTFS permission either directly or through membership in one or more groups that have the permission.
  • As with share permissions, the effective NTFS permissions for a user are the combination of the permissions of the user and of the groups he is a member of. The only exception to this rule is the No Access permission, which overrides all other permissions.
  • Unlike share permissions, NTFS permissions can differ for a folder and the file(s) within it.
  • NTFS permissions on a file take precedence over the permissions on the folder that contains it.

1. Access rights and NTFS permissions

Share permissions on NTFS volumes work in conjunction with file and folder permissions. In this lesson, you will learn how to protect disk resources by combining NTFS permissions and access rights.

1. Basic information

For users to access disk resources over the network, the folders containing these resources must be shared. These folders can be protected by assigning appropriate access rights to users and groups. However, share permissions provide only limited protection because they:

  • give the same level of access to all folders and files located in the shared folder;
  • do not protect the resource from a local user;
  • cannot be used to protect individual files.

If the shared folder is on an NTFS volume, you can use NTFS permissions to restrict or deny user access to the folders and files within the shared folder. Combining share permissions and NTFS permissions provides the highest level of security.

The simplest way to combine share permissions and NTFS permissions is to keep the default Full Control share permission assigned to the Everyone group and to assign NTFS permissions to individual group and user accounts on specific folders and files inside the shared folder.

When share permissions and NTFS permissions are combined, access is always determined by the stricter restriction. For example, if a shared folder has the Full Control share permission and the NTFS Read permission, the resulting permission is the more restrictive Read.

Consider the following situation: User1 has Read access to the Public Data share on Computer1 (when connected over the network) and the NTFS Full Control permission on File A in that folder. As a result, User1 has read-only access to File A, since Read is the stricter restriction. User2's access to File B is also read-only, since the NTFS Read permission and the Read share permission lead to the same restriction.

When User1 works locally on Computer1, the share permissions on the Public Data folder do not apply to him. The NTFS permissions (Full Control on File A and read-only on File B), however, remain in effect. If User1 instead connects to this shared folder over the network, he, like User2, receives read-only access.
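The "stricter restriction wins" rule used in this section and in the earlier section on sharing network and NTFS permissions is an intersection of two permission sets. The PowerShell below is an added example, not from the original text; it models each share permission level as the NTFS rights it is equivalent to (Read as Read & Execute, Change as Modify, Full Control as Full Control, which is a modelling assumption of mine), intersects it with the NTFS rights, and replays the User1/User2 scenario above both over the network and for a local logon. The accounts and files are constructed.

```powershell
# Added example, not from the original text: compute a network user's effective access
# as the intersection (minimum) of the share permission and the NTFS permission, and
# replay the User1/User2 scenario above. Accounts and files are constructed.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Share permission levels expressed as the NTFS rights they are equivalent to
# (modelling assumption: Read = Read & Execute, Change = Modify).
$SharePermissionMask = @{
    'Read'         = [int]$FSR::ReadAndExecute
    'Change'       = [int]$FSR::Modify
    'Full Control' = [int]$FSR::FullControl
}

function Get-NetworkEffectiveRights {
    param(
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full Control')][string]$SharePermission,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$NtfsRights,
        [switch]$LocalLogon   # share permissions do not apply to a local session
    )
    $ntfs = [int]$NtfsRights
    if ($LocalLogon) { return [System.Security.AccessControl.FileSystemRights]$ntfs }
    $share = $SharePermissionMask[$SharePermission]
    # Both filters apply: a right survives only if both the share and the NTFS DACL allow it.
    [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)
}

# The scenario from the text: both users reach the share with the Read share permission.
$scenarios = @(
    [pscustomobject]@{ User = 'User1'; File = 'File A'; Share = 'Read'; Ntfs = 'FullControl' }
    [pscustomobject]@{ User = 'User2'; File = 'File B'; Share = 'Read'; Ntfs = 'Read' }
)

$scenarios | ForEach-Object {
    [pscustomobject]@{
        User            = $_.User
        File            = $_.File
        OverNetwork     = Get-NetworkEffectiveRights -SharePermission $_.Share -NtfsRights $_.Ntfs
        LoggedOnLocally = Get-NetworkEffectiveRights -SharePermission $_.Share -NtfsRights $_.Ntfs -LocalLogon
    }
} | Format-Table -AutoSize
```

Over the network User1's Full Control collapses to the Read & Execute subset because the share allows no more, while his local logon keeps Full Control; User2 gets the same read-only result either way. The same function, with its two masks swapped, reproduces the earlier example of a Full Control share permission combined with NTFS Read.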


