
IT103 Microsoft Windows XP/OS Chap07

Published in: Technology

  1. CONFIGURING AND MANAGING NTFS SECURITY, Chapter 7
  2. OVERVIEW
     • Understand the structure of NTFS security
     • Control access to files and folders by using permissions
     • Optimize access to files and folders by using NTFS best practices
     • Audit NTFS security
     • Troubleshoot access to files and folders
  3. Definition of ACL
     • Access Control Lists (ACLs)
     • A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) There are two types of access control list, discretionary and system.
  4. Definition of ACE
     • Access Control Entries (ACEs)
     • An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
  5. Definition of SID
     • Security Identifier (SID)
     • A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.
  6. MASTER FILE TABLE (MFT)
  7. MFT – More Detail
     • The previous slide depicts the MFT in NTFS.
     • It is a common misconception that security descriptors (ACLs) reside in the MFT. Beginning with NTFS 5, they are stored in a separate metadata file ($Secure) in the NTFS volume.
     • This provides, in essence, single-instance storage of ACLs so they can be reused wherever the same permissions are applied.
  8. MFT – More Detail (cont)
     • This allows one security descriptor to be used for every folder and file in a folder tree that has the same permissions.
     • The result is a great savings in space formerly required to store an ACL for each file and folder in the tree. These security descriptors are referenced in the MFT record as a security index value ($SII).
  9. SECURITY DESCRIPTORS
  10. Security descriptors
     • Security descriptors, stored in the $Secure metadata file, contain the ACLs for files and folders.
     • When a user wants to open a file, the user’s application packages a request containing the requested operation and the user’s access token. This is compared with the ACL for the requested resource; if the user has the required permissions, the operation is allowed.
  11. ACCESS CONTROL LISTS (ACLs)
     • Store access control entries (ACEs)
     • Assigned to security descriptor for file system object
     • Evaluated to control access to objects
     • There are two types of ACLs:
         • Discretionary ACL (DACL): control permissions
         • System ACL (SACL): control auditing
  12. ACCESS CONTROL ENTRIES (ACEs)
     • Stored in ACLs (which are collections of ACEs, grouped by resource)
     • Consist of user or group SIDs with permission entries
     • Can be set for Allow, Deny, or Audit
     • Allow and Deny ACEs can exist in the same ACL
     • Audit ACEs are kept in SACLs
     • Deny ACEs override Allow ACEs
  13. ACE – more detail
     • ACEs are the basic building blocks of NTFS security.
     • They map user or group identities with assigned permissions and control file system security auditing by listing which file system operations will be audited for the assigned object.
  14. ‘Allow’ ACEs and ‘Deny’ ACEs
     • Allow ACEs define which operations are allowed on an object for the specified user or group.
     • Deny ACEs define which operations are specifically denied. Deny ACEs always override Allow ACEs and are used to define exceptions to the general Allow rules for the object.
         • Basically: the more restrictive entry overrules
  15. ‘Audit’ ACEs
     • Audit ACEs are stored in SACLs (System ACLs) to define which operations will be audited by file system auditing.
     • Audit entries are added to the system’s Security event log when audited operations are performed.
  16. STANDARD NTFS PERMISSIONS
  17. SPECIAL PERMISSIONS
  18. PERMISSION INHERITANCE
     • Subfolders and files inherit permissions
     • Inheritance can be blocked
     • Blocking required for new permissions
  19. A little more detail…
     • Permissions are inherited by all subfolders and files unless they are prevented or blocked.
     • When blocking inheritance, you can copy existing permissions or remove all permissions and start anew.
     • Only by blocking inherited permissions can you modify the permissions of a folder.
  20. COPYING OR MOVING NTFS OBJECTS
  21. … A little more detail…
     • When you move or copy files or folders, the only time permissions are preserved without the aid of Xcopy.exe is when the object is moved within an NTFS volume.
     • In all other operations, the object inherits permissions from the destination folder (even when the permissions are “None” in the case of a FAT volume).
  22. PLANNING NTFS PERMISSIONS
     • Consolidate data
     • Assign permissions to folders
     • Assign most restrictive permissions possible
     • Use groups for permission assignment
     • Avoid excessively blocking inheritance
     • Avoid the Deny ACE
  23. … A little more detail…
     • By using these best practices (from the previous slide), students can plan effective permission policies for their folders.
     • By consolidating data that requires like permissions into folders and assigning permissions to groups of users, you can greatly simplify the process of assigning permissions.
  24. ASSIGNING STANDARD PERMISSIONS
  25. ASSIGNING SPECIAL PERMISSIONS
  26. WHY CAN’T I CHANGE PERMISSIONS FOR THIS FOLDER?
  27. Answer:
     • When permissions are inherited, you must block inheritance to apply new permissions to a folder.
     • You do this in the Advanced Security Settings dialog box.
  28. TAKING OWNERSHIP OF FILES
  29. … A little more detail…
     • If a user is not the owner of a folder or does not have at least Read permission to it, that person cannot see what permissions have been assigned.
     • If the person is an administrator, then that person must take ownership of the folder in order to be able to set permissions on it.
  30. CACLS.exe?
     • Change Access Control Lists
     • It is a powerful command-line tool that you can use to change ACLs for a folder or multiple folders.
     • It is especially effective for automating periodic permission changes, such as locking users out of a folder during backups or special processing.
  31. CACLS.EXE
  32. CACLS Examples
     • CACLS <foldername>
         • Lists permissions
     • CACLS <foldername> /G Administrators:F
         • Removes all permissions and assigns Full Control to Administrators
     • CACLS <foldername> /E /G Users:R
         • Grants Users Read permission without modifying other permissions
     • CACLS <foldername> /E /R Users
         • Revokes access to Users
  33. MULTIPLE NTFS PERMISSIONS
     • Sum of all ACEs for user or group
     • Most lenient permission is the effective permission
     • Deny overrides all
  34. VIEWING EFFECTIVE PERMISSIONS
  35. AUDITING NTFS ACCESS
  36. Who should have what permissions?
  37. SUMMARY
     • NTFS permissions work only on NTFS volumes.
     • Security descriptors are stored in the $Secure file.
     • ACLs list ACEs assigned to an object.
     • ACEs map users or groups to permissions.
     • Permissions are inherited by default.
     • Effective permissions are the sum of ACEs.
  38. SUMMARY (CONTINUED)
     • Ownership cannot be “given.”
     • Deny ACEs override all other ACE types for a particular permission.
     • Avoid the Deny ACE to limit complexity.
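
The evaluation rules from the ACL/ACE slides and the MULTIPLE NTFS PERMISSIONS slide (Allow ACEs add up across every SID in the user's access token, a Deny ACE overrides them, Audit ACEs sit in the SACL), modeled as an added example that is not part of the original slides. The `Right` flags, the `Ace` class and the sample SIDs are constructed for illustration; this is a simplified model of the rule as the slides state it, not the Windows access-check implementation.

```python
from dataclasses import dataclass
from enum import IntFlag

class Right(IntFlag):
    # Simplified rights for illustration, not the real Windows access-mask bits.
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny" (DACL), "audit" (SACL)
    sid: str       # trustee the entry applies to
    rights: Right

def _union(token_sids, acl, kind):
    """OR together the rights of every ACE of `kind` whose SID is in the token."""
    mask = 0
    for ace in acl:
        if ace.kind == kind and ace.sid in token_sids:
            mask |= int(ace.rights)
    return mask

def effective_rights(token_sids, dacl):
    """Sum of matching Allow ACEs, minus anything a matching Deny ACE names."""
    return Right(_union(token_sids, dacl, "allow") & ~_union(token_sids, dacl, "deny"))

def access_check(token_sids, dacl, requested):
    """Allowed only if every requested right is in the effective set."""
    return (effective_rights(token_sids, dacl) & requested) == requested

def audited_rights(token_sids, sacl, requested):
    """Requested rights that a matching Audit ACE would log."""
    return Right(_union(token_sids, sacl, "audit") & int(requested))

# Constructed sample data. The S-1-5-21-... SIDs are made up; S-1-5-32-545 is the built-in Users group.
USERS = "S-1-5-32-545"
SALES = "S-1-5-21-1111-2222-3333-2001"
TEMPS = "S-1-5-21-1111-2222-3333-2002"
ALICE = {"S-1-5-21-1111-2222-3333-1001", USERS, SALES}
BOB = {"S-1-5-21-1111-2222-3333-1002", USERS, SALES, TEMPS}

DACL = [Ace("deny", TEMPS, Right.WRITE | Right.DELETE),
        Ace("allow", USERS, Right.READ),
        Ace("allow", SALES, Right.READ | Right.WRITE)]
SACL = [Ace("audit", USERS, Right.DELETE)]

if __name__ == "__main__":
    print("alice:", effective_rights(ALICE, DACL))
    print("bob:  ", effective_rights(BOB, DACL))
    print("bob may write:", access_check(BOB, DACL, Right.WRITE))
```

Bob belongs to the same Sales group as Alice, but his membership in the constructed Temps group brings a Deny ACE into play, which is why the slides advise avoiding Deny ACEs to limit complexity.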
