Lecture 9:
More Access Control
and Permissions
Network Design & Administration
Registry Keys
• Registry Keys are the entities used to store
  information about a Windows PC.
• They are used for:
  •   Hardware information
  •   OS information
  •   Non-OS programs
  •   Users
  •   Preferences
Registry Structure and Use
• The registry is separated into Hives:
   • HKEY_CLASSES_ROOT
      • For installed apps – file associations, etc.
   • HKEY_CURRENT_USER
      • Specific settings for the current user, e.g. printer settings.
   • HKEY_LOCAL_MACHINE
      • General to all users, e.g. driver versions.
   • HKEY_USERS
      • Details of the keys for all user profiles that can access the machine.
      • Current_User is a partial list of this information.
   • HKEY_CURRENT_CONFIG
      • Generated at boot time to give information on local machine configuration.
Registry Entries
• For a registry entry to be modified, the program or user has to be
  allowed to change it!
• Here we see the Administrators group given Full Control over this
  sub-key (via inheritance)
Registry Permissions
• We can see similarities and differences between
  these and NTFS permissions.
• Different set of standard and special permissions.
• Again, inheritance can be allowed or stopped,
  and deny/allow priority applies.

(Note: Write DAC = ability to change ACL for key)
Why is this of interest in a network?
• Various programs may need to run on a server.
   • Those programs must have appropriate access
     to registry keys.
• If users want applications installed locally,
  problems can occur if the registry keys do not
  have the appropriate ACLs set.
Active Directory Object
Permissions
Very different again to NTFS and Registry, e.g.:
  • Create child
  • Delete child
  • Standard delete
  • Delete tree
  • Read property
  • Write property
• Microsoft recommends not changing these.
• If changed, performance can be lost due to the amount of
  information transmitted around the network.
Microsoft File Shares
• Allow network clients to actually see folders on a server
  remotely.
• Some shares are created automatically due to the role of
  a server, e.g. the NETLOGON share is created when the server
  becomes a domain controller.
• Shares can be hidden by appending $ to name (so how
  do users find it?)
Who can create file system
shares?
• Depends on role of machine and therefore
  security risks associated with doing it:
 • Domain Controller – Administrators, Server
   Operators, Enterprise Admins, Domain Admins
   groups only.
 • Domain Member Server or Workstation -
   Administrators, Server Operators, Power Users
   groups only.
 • Workgroup or Standalone computer (?) -
   Administrators, Power Users groups only.
Creating a share using the
MMC Shared Folders Snap-in
File share permissions
• They differ from NTFS.
• Much coarser grain – no special permissions.
• Change in Share Permissions is not the same as
  Modify in NTFS in the delete area.
• When Share and NTFS permissions are both present,
  the resultant permission applied is the most restrictive.
• Do not apply to locally logged on users (e.g.
  physically local or by Terminal Server).
Limitations / Problems
• Limited scope - Can be applied only to folders and only when
  connecting to the share.
• Lack of flexibility - Permissions applied to the share apply to
  all levels below.
• No replication - Share permissions are not replicated by
  domain controller.
• No resiliency - Share permissions cannot be backed up or
  restored via Domain Controller.
• Fragility - Shares (and therefore share permissions) are lost
  when a folder is moved or renamed.
• No auditing possible.
• Do not show up in Effective Permissions tab – Need to be
  looked at independently then considered with NTFS
  permissions to give resultant most restrictive.
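
The resultant-permission rule from the two slides above, worked through as an added example (not part of the lecture). The ACLs, group names and right names are constructed for illustration, and the model is simplified: within one ACL any deny beats any allow, and over a share the user keeps only the rights both layers grant.

```python
# Constructed sample ACLs (not from the lecture): (principal, "allow" | "deny", rights).
SHARE_ACL = [
    ("Everyone", "allow", {"read"}),
    ("Staff", "allow", {"read", "write", "delete"}),
]
NTFS_ACL = [
    ("Staff", "allow", {"read", "write", "delete"}),
    ("Contractors", "deny", {"write", "delete"}),
]

def granted(acl, principals):
    """Rights one ACL gives to a user holding `principals`; any deny beats any allow."""
    allow, deny = set(), set()
    for who, kind, rights in acl:
        if who not in principals:
            continue
        if kind == "allow":
            allow |= rights
        elif kind == "deny":
            deny |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allow - deny

def effective(share_acl, ntfs_acl, principals, via_share=True):
    """Resultant rights: NTFS alone for a local logon, otherwise what both layers grant."""
    ntfs = granted(ntfs_acl, principals)
    if not via_share:
        return ntfs          # share permissions do not apply to local users
    return ntfs & granted(share_acl, principals)

if __name__ == "__main__":
    users = {
        "staff member": {"Everyone", "Staff"},
        "contractor on staff": {"Everyone", "Staff", "Contractors"},
        "guest": {"Everyone"},
    }
    for name, groups in users.items():
        over_share = sorted(effective(SHARE_ACL, NTFS_ACL, groups))
        local = sorted(effective(SHARE_ACL, NTFS_ACL, groups, via_share=False))
        print(f"{name}: over share {over_share}, local {local}")
```

Because share permissions are missing from the Effective Permissions tab, an audit has to collect both ACLs and combine them this way before deciding what a remote user can actually do.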
Printer Server Topologies
• For cost effectiveness, want multiple users to
  access a single printer.
• What are the options?
  • Locally Attached Printers
  • Network Attached Printers
    • Logical printer on every client workstation
      • Logical Printer – object used by operating system to
        represent physical device. Contains settings, defaults,
        drivers and other properties.
    • Print server
      • Print server – receives jobs from clients, stores them
        in a print queue and sends 1 by 1 to physical printer,
Locally Attached Printer[1]
• Physical security issues (printer has to be close to server).
• When printer share is created the attached server functions as
  the print server.
Network attached printer, with
logical printer in every client[1]
Problems…
• Each user sees only own jobs – not rest of queue
  (may be lots waiting ahead!)
• Admins cannot manage print queue or
  implement advanced features.
• Error messages only appear on the user's machine.
• If driver update required, has to be done on each
  client.
• Print processing not offloaded to server.
Network attached printer, with
print server[1]
• Advantages…?
Old UNIX/Linux permissions
• Each file has a set of bits that specify its permissions for 3
  classes of user:
   • Owner, Group Owner, Everyone Else
• Owner is special, and can totally limit access.
• Each class has 3 bits: (r) Read, (w) Write, (x) Execute
• These are expressed as rwx if allowed or a - if not
  allowed
   • e.g. rwxr-xr-x means owner allowed all 3, but all others
     only allowed read and execute.
• Super user (root access) can do anything even if not
  owner.
Modern UNIX/Linux permissions
• Now support ACLs (partly for compatibility with
  Windows via SAMBA).
• Still based on read, write, execute (not as fiddly
  as Windows NTFS, so SAMBA has to ‘translate’
  between them)
• ACLs allow rwx to be set for multiple groups and
  specific users.
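
An added example (not from the lecture) that evaluates the old rwx bits and the ACL extension from the two slides above in one access check. It goes beyond the slides by following the POSIX ACL order of owner, named user, groups, then other, with a mask capping named users and groups. The `FileEntry` and `may` names are hypothetical, and the root bypass is simplified to "always allowed".

```python
from dataclasses import dataclass, field

BITS = {"r": 4, "w": 2, "x": 1}

def bits(triplet):
    """Convert a triplet such as 'r-x' to its 3-bit value (5)."""
    if len(triplet) != 3:
        raise ValueError(f"bad triplet {triplet!r}")
    value = 0
    for letter, ch in zip("rwx", triplet):
        if ch == letter:
            value |= BITS[letter]
        elif ch != "-":
            raise ValueError(f"bad triplet {triplet!r}")
    return value

@dataclass
class FileEntry:
    owner: str
    group: str
    mode: str                                   # nine characters, e.g. 'rwxr-xr-x'
    users: dict = field(default_factory=dict)   # ACL: named user  -> triplet
    groups: dict = field(default_factory=dict)  # ACL: named group -> triplet
    mask: str = "rwx"                           # ACL mask; 'rwx' restricts nothing

def may(f, user, user_groups, want):
    """True if `user` (member of `user_groups`) may do everything in `want`, e.g. 'rw'."""
    if len(f.mode) != 9:
        raise ValueError(f"bad mode {f.mode!r}")
    if user == "root":                  # superuser skips the checks (simplified)
        return True
    need = sum(BITS[c] for c in set(want))
    own, grp, oth = (bits(f.mode[i:i + 3]) for i in (0, 3, 6))
    mask = bits(f.mask)
    if user == f.owner:                 # owner bits decide alone, even if 'other' allows more
        return (own & need) == need
    if user in f.users:                 # named user entry, capped by the mask
        return (bits(f.users[user]) & mask & need) == need
    matching = [grp] if f.group in user_groups else []
    matching += [bits(t) for g, t in f.groups.items() if g in user_groups]
    if matching:                        # one matching group entry must grant it all
        return any((m & mask & need) == need for m in matching)
    return (oth & need) == need
```

With mode `---r--r--` the owner is refused a read that everyone else gets, because only the first matching class is consulted; that is the sense in which the owner can limit access.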
Next Time & references
• Keeping systems up to date.
• Hotfixes vs. Service Packs.
• Managing/automating processes.

• [1] MOAC 290 chapter 10
