![OVERVIEW ,[object Object],[object Object],[object Object],[object Object],[object Object],Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
Viewers also liked
Viewers also liked (20)
Similar to IT103 Microsoft Windows XP/OS Chap07
Similar to IT103 Microsoft Windows XP/OS Chap07 (20)
More from blusmurfydot1
More from blusmurfydot1 (15)
Recently uploaded
Recently uploaded (20)
IT103 Microsoft Windows XP/OS Chap07
- 1. CONFIGURING AND MANAGING NTFS SECURITY Chapter 7
- 6. MASTER FILE TABLE (MFT) Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 9. SECURITY DESCRIPTORS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 16. STANDARD NTFS PERMISSIONS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 17. SPECIAL PERMISSIONS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 20. COPYING OR MOVING NTFS OBJECTS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 24. ASSIGNING STANDARD PERMISSIONS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 25. ASSIGNING SPECIAL PERMISSIONS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 26. WHY CAN’T I CHANGE PERMISSIONS FOR THIS FOLDER? Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 28. TAKING OWNERSHIP OF FILES Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 31. CACLS.EXE Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 34. VIEWING EFFECTIVE PERMISSIONS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 35. AUDITING NTFS ACCESS Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
- 36. Who should have what permissions? Chapter 7: CONFIGURING AND MANAGING NTFS SECURITY
Editor's Notes
- This lesson helps to demystify the inner workings of the NTFS file system. Without getting highly technical, it provides enough information to help students understand how NTFS manages security. Students should become familiar with the use of access control lists (ACLs) and access control entries (ACEs). A good understanding of these concepts is fundamental to understanding how permissions are validated during operation.
- This slide depicts the MFT in NTFS. It is a common misconception that security descriptors (ACLs) reside in the MFT. Beginning with NTFS 5, they are stored in a separate metadata file ($Secure) in the NTFS volume. This provides, in essence, single-instance storage of ACLs so they can be reused wherever the same permissions are applied. This allows one security descriptor to be used for every folder and file in a folder tree that has the same permissions. The result is a great savings in space formerly required to store an ACL for each file and folder in the tree. These security descriptors are referenced in the MFT record as a security index value ($SII).
- Security descriptors, stored in the $Secure metadata file, contain the ACLs for files and folders. When a user wants to open a file, the user’s application packages a request containing the requested operation and the user’s access token. This is compared with the ACL for the requested resource; if the user has the required permissions, the operation is allowed.
- ACLs are assigned to the security descriptor for an object stored in NTFS, and they contain ACEs that define the allowed permissions for each user and group that is assigned access to the object. The two types of ACLs are discretionary ACLs (DACLs), which control access permissions to objects, and system ACLs (SACLs), which control security auditing for the object.
- ACEs are the basic building blocks of NTFS security. They map user or group identities with assigned permissions and control file system security auditing by listing which file system operations will be audited for the assigned object. Allow ACEs define which operations are allowed on an object for the specified user or group. Deny ACEs list which operations are specifically denied. Deny ACEs always override Allow ACEs and are used to define exceptions to the general Allow rules for the object. Audit ACEs are stored in SACLs to define which operations will be audited by file system auditing. Audit entries are added to the system’s Security event log when audited operations are performed.
- This slide shows the standard NTFS permissions. As you describe them, be sure to explain the operations allowed by each permission. When we discuss special permissions in the next slide, you can show students how the operations are aggregated into the standard permissions. List Folder Contents and Read & Execute appear to be the same, but they differ in how they allow inheritance. List Folder Contents can be inherited only by subfolders, while Read & Execute can be inherited by both subfolders and files.
- This slide lists the special permissions that make up each of the standard NTFS permissions. If classroom equipment permits, display the Advanced Security Settings dialog box while you discuss special permissions so students can see where special permissions are configured and you can demonstrate the effects of setting custom combinations of special permissions.
- Permissions are inherited by all subfolders and files unless they are prevented or blocked. When blocking inheritance, you can copy existing permissions or remove all permissions and start anew. Only by blocking inherited permissions can you modify the permissions of a folder. Discuss scenarios in which a user might see unexpected effects of permission blocking (such as when the user expects new permissions applied on a top-level folder to be inherited, but they are not).
- When you move or copy files or folders, the only time permissions are preserved without the aid of Xcopy.exe is when the object is moved within an NTFS volume. In all other operations, the object inherits permissions from the destination folder (even when the permissions are “None” in the case of a FAT volume). There is a registry hack (ForceCopyAclWithFile) that causes Windows Explorer to preserve permissions, but this causes all move or copy operations to copy ACLs and might result in unintended consequences if not properly documented. Discuss how moving or copying files might complicate effective permissions (moving files into folders and then wondering why users cannot access them or wondering why users can access files they should be locked out of).
- By using these best practices, students can plan effective permission policies for their folders. By consolidating data that requires like permissions into folders and assigning permissions to groups of users, you can greatly simplify the process of assigning permissions. Advise students to carefully document any blocked inheritance or use of the Deny ACE. If time permits, construct a fictional folder tree and discuss permissions assignment as a class exercise.
- Use the Security tab of an object’s Properties dialog box to assign NTFS standard permissions. If time and classroom equipment permit, demonstrate the assignment of permissions to a folder. Browse for a security group, and apply permissions. As you apply permissions, discuss which permissions are most effective for the resource for the group you selected. Try to inject real-world factors into the exercise.
- If you need to assign special permissions to an NTFS folder, you can do so by editing permissions in the Advanced Settings dialog box. This slide depicts the editing of special permissions for the Administrators group on the Syllabi folder. The last frame depicts the clearing of the Write Extended Attributes permission.
- When permissions are inherited, you must block inheritance to apply new permissions to a folder. You do this in the Advanced Security Settings dialog box. Demonstrate this, and make note of the option to copy or remove existing permissions. Show students how this dialog box also indicates which folder the inherited permissions are coming from.
- If a user is not the owner of a folder or does not have at least Read permission to it, she cannot see what permissions have been assigned. If she is an administrator, she must take ownership of the folder in order to be able to set permissions on it. Demonstrate taking ownership if time permits, and discuss how you might “give” ownership to another user by assigning him the Take Ownership permission and having him take ownership of the folder. Be sure to emphasize that there is no other way to transfer ownership.
- CACLS.exe is a powerful command-line tool that you can use to change ACLs for a folder or multiple folders. It is especially effective for automating periodic permission changes, such as locking users out of a folder during backups or special processing. Demonstrate the following CACLS commands on a data folder: CACLS <foldername> Lists permissions CACLS <foldername> /G Adminisrators:F Removes all permissions and assigns Full Control to Administrators CACLS <foldername> /E /G Users:R Grants Users Read permission without modifying other permissions CACLS <foldername> /E /R Users Revokes access to Users Discuss how /R and /D differ: /R removes a specific ACE but allows access from other ACEs that the user or group might have. /D creates a Deny ACE for the user or group.
- This slide deals with calculating effective permissions from multiple ACEs for a user or group. The effective permission is the most lenient of all the permissions from ACEs the user or group is associated with. A Deny ACE, however, overrides all Allow ACEs for the Deny permission.
- This slide depicts the Effective Permissions tab of the Advanced Security Settings dialog box. This feature helps you troubleshoot effective permissions issues.
- This slide depicts the setting and monitoring of NTFS object access auditing. Be sure to mention the two steps to enable auditing: enabling object access auditing and enabling the auditing for the object in question. Discuss how auditing, combined with permissions, might be used to provide security for a highly secure folder.
- Lead a discussion about planning permissions for the folder tree on this slide. For each folder, select groups likely to be used for permissions on each folder, and discuss how to assign permissions to each folder (block inheritance, etc.). Finally, discuss how you might configure auditing to ensure that privacy of the personnel records is not breached by anyone (even Administrators).
- This and the next slide recap the chapter. As you discuss each point, answer any questions students might have. NTFS security is the basis for many aspects of system operation, and NTFS-like security dialog boxes are used for DACLs in other areas, such as Active Directory security.
- Remind students that transferring ownership requires giving the permission to take ownership rather than giving ownership directly. Also emphasize the importance of documenting use of the Deny ACE.