Identifying and Troubleshooting Problems Related to Security Permissions



When you create files, you must ensure the data is secure. For example, the Accounting department certainly would not share company financial information with everyone on the network. You set resource security on files and folders within the NT File System (NTFS) by using NTFS permissions. You need to have a good grasp of how these permissions affect users on the network.


You must have a thorough understanding of NTFS file and folder permissions.


Understanding NTFS File Permissions

A permission is a rule associated with an object to regulate which users can gain access to that object and in what manner. Permissions that can be used only on NTFS-formatted partitions or volumes are commonly called NTFS permissions.

NTFS file permissions enable you to control the access a user, group, or application has to files. This access includes everything from reading a file to modifying and executing it.

The five NTFS file permissions are listed in Table 8.1 with a description of the access allowed to a user or group when each permission is assigned. The permissions are listed in a specific order because they all build on each other.

Table 8.1. NTFS File Permissions

| NTFS File Permission | Allowed Access |
|---|---|
| Read | Allows a user or group to read the file and view its attributes, ownership, and assigned permissions. |
| Write | Allows a user or group to overwrite the file, change its attributes, view its ownership, and view the assigned permissions. |
| Read & Execute | Allows a user or group to run and execute the application. In addition, the user or group can perform all duties allowed by the Read permission. |
| Modify | Allows a user or group to modify and delete a file. In addition, the user or group can perform all the actions permitted by the Read, Write, and Read & Execute NTFS file permissions. |
| Full Control | Allows a user or group to change permissions on the file, take ownership, and perform all activities included in all other permissions. |


If a user needs access to a file to do anything except take ownership or change its permissions, you can grant the Modify permission. The access allowed by the Read, Write, and Read & Execute permissions is automatically granted within the Modify permission. Assigning it saves you from assigning multiple permissions to a file or group of files.

Understanding NTFS Folder Permissions

NTFS folder permissions determine what access is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. Table 8.2 displays a list of the NTFS folder permissions and the access granted to a user or group when each permission is applied.

Table 8.2. NTFS Folder Permissions

| NTFS Folder Permission | Allowed Access |
|---|---|
| Read | Allows a user or group to view the files, folders, and subfolders of the parent folder. It also allows the viewing of folder ownership, permissions, and attributes. |
| Write | Allows a user or group to create new files and folders within the parent folder, as well as view folder ownership and permissions and change folder attributes. |
| List Folder Contents | Allows a user or group to view the files and subfolders contained within the parent folder. |
| Read & Execute | Allows a user or group to navigate through all files and subfolders. In addition, the user or group can perform all actions allowed by the Read and List Folder Contents permissions. |
| Modify | Allows a user to delete the folder and perform all activities included in the Write and Read & Execute NTFS folder permissions. |
| Full Control | Allows a user or group to change permissions on the folder, take ownership of it, and perform all activities included in all other permissions. |


The only major difference between NTFS file and folder permissions is the List Folder Contents NTFS folder permission. By using this NTFS folder permission, you can limit a user's ability to browse through a tree of folders and files. This capability is useful when trying to secure a specific directory such as an application directory. A user must know the name and location of a file to read or execute it when this permission is applied to its parent folder.

Using Access Control Lists

Windows XP stores an Access Control List (ACL) with every file and folder on the NTFS partition or volume. The ACL includes all the users and groups that have access to the file or folder. In addition, it indicates what access or specifically what permissions each user or group is allowed to that file or folder. Whenever a user tries to access a file or folder on an NTFS partition or volume, the ACL checks for an Access Control Entry (ACE) for that user account. The ACE indicates what permissions are allowed for that user account. The user is granted access to that file or folder, provided that the access requested is defined within the ACE. In other words, when a user wants to read a file, the Access Control Entry is checked in that file's Access Control List. If the Access Control Entry for that user contains the Read permission, the user is granted access to read that file.


If a user does not have an entry in the ACL, she is denied access to that file or folder.


Applying Multiple NTFS Permissions

Multiple permissions can be assigned to a single user account. They can be assigned to the user account directly or to a group in which the user account is a member. When multiple permissions are assigned to a user account, unexpected things can happen.

First, you must understand that NTFS permissions are cumulative. This means that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups in which the user is a member. For instance, if a user is assigned Read access to a folder, and a group in which the user account is a member has the Write permissions assigned, the user is allowed the Read and Write NTFS permissions to that folder.


NTFS file permissions override or take priority over NTFS folder permissions. A user account having access to a file can access that file even though it does not have access to the parent folder of that file. However, a user would not be able to navigate to the file through the folder; that would require the List Folder Contents permission. When the user tries to access the file, he must supply the full path to it. The full path can be either the logical file path (F:\MyFolder\MyFile.txt) or the Universal Naming Convention (UNC) path. If the user has access to the file but does not have an NTFS folder permission to browse for that file, the file is invisible to the user and he must supply the full path to access it.


Using Deny to Override All Other Permissions

The concept of permission denial has not changed through the evolution of the Microsoft Windows operating systems and NTFS. If a user is denied an NTFS permission for a file, any other instance in which that permission has been allowed is canceled. Microsoft does not recommend using permission denial to control access to a resource. For instance, if a user has access to a file or folder as a member of a group, denying permission to that user cancels all other permissions that the user might have to the file or folder. Troubleshooting this situation can be very hard on a large network with thousands of users and groups.
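The two rules just described, cumulative Allow entries and a Deny that cancels them, can be written down as a short evaluation routine. The following is an added example, not code from the book: the user names, group memberships, and ACL entries are constructed to show one user who accumulates rights from several groups, one who is explicitly denied a right that a group grants him, and one with no entry at all.

```python
# Added example, not from the book: a small model of how NTFS combines
# several Allow and Deny entries for one user. The user names, group
# memberships and ACL entries below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry: who it names, Allow or Deny, which rights."""
    trustee: str          # user or group the entry applies to
    kind: str             # "Allow" or "Deny"
    rights: frozenset     # standard NTFS permission names


def effective_permissions(user, groups, acl):
    """Standard permissions the user ends up with on the object.

    Cumulative rule: Allow entries for the user and for every group the
    user belongs to are added together.
    Deny rule: a Deny entry for the user or any of her groups cancels that
    permission regardless of how many Allow entries grant it.
    A user with no matching entry at all gets an empty set (no access).
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.kind == "Allow":
            allowed |= ace.rights
        elif ace.kind == "Deny":
            denied |= ace.rights
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return allowed - denied


# Constructed membership and a constructed ACL on a folder such as F:\Accounting.
GROUPS = {
    "alice": {"Accounting", "Users"},
    "bob": {"Accounting", "Users"},
    "carol": set(),                   # no groups and no direct entry
}
ACL = [
    Ace("alice", "Allow", frozenset({"Read"})),
    Ace("Accounting", "Allow", frozenset({"Write"})),
    Ace("Users", "Allow", frozenset({"Read", "Read & Execute"})),
    Ace("bob", "Deny", frozenset({"Write"})),   # explicit Deny for bob only
]


def effective_for(user):
    """Effective permissions for one of the constructed users."""
    return effective_permissions(user, GROUPS.get(user, set()), ACL)


if __name__ == "__main__":
    for name in GROUPS:
        print(name, sorted(effective_for(name)))
```

Bob is a member of Accounting, which is allowed Write, yet his effective set has no Write because the single Deny entry wins; that is exactly why the text warns that Deny is hard to troubleshoot across thousands of users and groups. Carol, with no entry anywhere, ends up with nothing, matching the note that a user absent from the ACL is denied.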

Managing Inherited Permissions

By default, when NTFS permissions are assigned to a parent folder, all the same permissions are applied or propagated to the subfolders and files of that parent folder. However, the automatic propagation of these permissions can be stopped.

Subfolders and files inherit NTFS permissions from their parent folder. As the Windows XP administrator, you assign NTFS permissions to a folder. All current subfolders and files within that folder inherit the same permissions. Any new files or subfolders created within that parent folder also assume the same NTFS permissions of that parent folder.

You can prevent NTFS permission inheritance so that any files and subfolders in a parent folder do not assume the same NTFS permissions of their parent folder. The directory or folder level on which you decide to prevent the default NTFS permission inheritance becomes the new parent folder for NTFS permission inheritance.

Planning NTFS Permissions

A Windows XP network should be well thought out and planned. Not only should you spend time planning the Active Directory and Windows domain infrastructure, but you also need to plan for NTFS permissions. You should plan the NTFS permissions in advance before implementing the Windows network.

Having a plan for NTFS permissions on your Windows network will save your organization time and money. You will also find that a network with well-planned NTFS permissions is easier to manage. Use the following guidelines to help you plan NTFS permissions on your Windows network. Notice that some steps are not directly related to NTFS permissions themselves, but they help organize the data on your network. This way, you can manage the resources on your Windows network more easily and make sure those resources are secure.

  1. Assign each user only the level of access required. If a user needs only to read a file, grant only the Read permission to the resource that she requires access to. This precludes the possibility of a user damaging a file, such as modifying an important document or even deleting it.

  2. When a group of users requires the same access to a resource, create a group for those users and make each a member of that new group. Assign the NTFS permissions required to that resource to the group. If at all possible, avoid assigning NTFS permissions to users and assign them only to groups.

  3. When assigning permissions to folders with working data, use the Read & Execute NTFS folder permission. You should assign it to a group containing the users who need to access this folder and to the Administrators group. This way, you allow the users to work with the data but also prevent them from deleting any important files in the folder.

  4. When assigning NTFS permissions to a public data folder, use the following criteria as guidelines:

    • Assign the Read & Execute and Write NTFS permissions to the group containing the users who need access to the public data folder.

    • Assign the Full Control NTFS permission to the Creator Owner of the folder. Any user on the network who creates a file, including one in a public data folder, is by default the Creator Owner of that file.

    • After that file has been created, the Windows administrator can grant NTFS permissions to other users for file ownership.

    • If the Read & Execute and Write NTFS permissions are assigned to a group of users who need access to the public data folder, they have Full Control to all files that they create in the public data folder and can modify and execute files created by other users.

  5. Try to avoid using the Deny NTFS permission. Using this permission to manage resources on a Windows network is not recommended because NTFS permissions assigned for that resource elsewhere for the user or group are automatically canceled. This can cost a great deal of time and cause a great deal of frustration when you are troubleshooting permission problems.

Working with NTFS Permissions

After a newly created volume is formatted with the NTFS 5.0 file system in Windows XP, by default the Full Control NTFS permission is granted to the Administrator. The Users group is assigned the following permissions:

  • Read & Execute

  • List Folder Contents

  • Read

You can change the permissions to meet your requirements by using the Security tab from the folder's or file's Properties dialog box.


If the Security tab is not visible, your system is probably configured to use simple file sharing. To enable the Security tab, open the Folder Options dialog box from the Tools menu in the My Computer window. On the View tab, remove the check mark from the Use Simple File Sharing (Recommended) option.


To access permissions, follow these steps:

  1. Right-click the Start button and select Explore from the pop-up menu. Windows Explorer opens.

  2. Click the plus sign to the left of an NTFS volume that you would like to view.

  3. Find a folder and right-click it.

  4. Select Properties from the pop-up menu.

  5. Select the Security tab. Figure 8.1 displays the Security tab of the Documents and Settings Properties dialog box.

    Figure 8.1. Security tab with assigned permissions.


The Security tab displays the permissions currently assigned to the selected user or group. Table 8.3 lists the options available on the Security tab and describes briefly what they are used for.

Table 8.3. Security Tab Options

| Option | Description |
|---|---|
| Group or user names | Displays a list of users who currently have access to the selected resource. You can highlight an object in the list and either change that object's current NTFS permission or select Remove to remove it from the list. |
| Permissions | Contains a list of all the NTFS permissions. To allow or deny an NTFS permission to the user or group selected in the Names list box, click the appropriate check box. |
| Add | Opens the Select Users, Computers, or Groups dialog box. There, you can select which users or groups to add to the Names list box. |
| Remove | Enables you to remove users or groups from the Names list box. To do so, you select a user or group and then click Remove. |


Clicking the Advanced command button near the bottom of the Security tab displays the Advanced Security Settings dialog box, which you use to assign special access permissions. Here, you can also find the check box to allow inheritable permissions from the parent to propagate to this object, as discussed earlier. By default, when a folder is created on an NTFS volume, this option is set. To turn it off, clear the check box on the Permissions tab. Figure 8.2 displays the message box displayed when you clear this option. If you click Remove, the permissions that were inherited from the parent folder are removed. Conversely, clicking the Copy button copies the permissions assigned to the parent folder.

Figure 8.2. Clearing inheritable permissions.


Using Special Access Permissions

NTFS file and folder permissions provide a great way to secure your resources on a Windows network. Special access permissions can be used if the default selections do not give you the required results.

The 14 special access permissions provide the specific level of security to resources on a Windows network that some administrators require. Table 8.4 lists the special access permissions and provides a description of the type of access they allow or deny.

Table 8.4. Special Access Permissions

| Permission | Description |
|---|---|
| Full Control | Allows a user or group to change permissions on a folder, take ownership of it, and perform all activities included in all other permissions. |
| Traverse Folder/Execute File | Allows or denies a user to browse through a folder's subfolders and files where he would otherwise not have access. It also allows or denies the user the ability to run programs within that folder. |
| List Folder/Read Data | Allows or denies a user to view subfolders and filenames in the parent folder. It also allows or denies the user to view the data within the files in the parent folder or subfolders of that parent. |
| Read Attributes | Allows or denies a user to view the standard NTFS attributes of a file or folder. |
| Read Extended Attributes | Allows or denies a user to view the extended attributes of a file or folder, which can vary because they are defined by the programs themselves. |
| Create Files/Write Data | Allows or denies a user the right to create new files in the parent folder. In addition, it allows or denies the user to modify or overwrite existing data in a file. |
| Create Folders/Append Data | Allows or denies a user to create new folders in the parent folder. It also allows or denies the user the right to add data to the end of files. This does not include making changes to any existing data within a file. |
| Write Attributes | Allows or denies a user the ability to change the attributes of a file or folder, such as Read-Only and Hidden. |
| Write Extended Attributes | Allows or denies a user the ability to change the extended attributes of a file or folder. These attributes are defined by programs and may vary. |
| Delete Subfolders and Files | Allows or denies a user to delete files and subfolders within the parent folder. The user can delete files and subfolders even if the Delete special access permission has not been granted. |
| Delete | Allows or denies a user to delete files and folders. |
| Read Permissions | Allows or denies a user the ability to read the standard NTFS permissions of a file or folder. |
| Change Permissions | Allows or denies a user the ability to change the standard NTFS permissions of a file or folder. |
| Take Ownership | Allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place. |


It is important to understand how the special access permissions relate to the standard NTFS file permissions. Table 8.5 is a cross-reference chart of NTFS permissions and special access permissions. Notice that each standard NTFS file permission is actually a group made up of special access permissions. For example, the Write NTFS permission is made up of four special access permissions: Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Write Extended Attributes.

Having these reference tables will be helpful when you decide which special access permissions to use in your organization.

Table 8.5. Special Access Permissions and NTFS Permissions

| Special Access Permission | Read | Write | List Folder Contents | Read & Execute | Modify | Full Control |
|---|---|---|---|---|---|---|
| Traverse Folder/Execute File | | | x | x | x | x |
| List Folder/Read Data | x | | x | x | x | x |
| Read Attributes | x | | x | x | x | x |
| Read Extended Attributes | x | | x | x | x | x |
| Create Files/Write Data | | x | | | x | x |
| Create Folders/Append Data | | x | | | x | x |
| Write Attributes | | x | | | x | x |
| Write Extended Attributes | | x | | | x | x |
| Delete Subfolders & Files | | | | | | x |
| Delete | | | | | x | x |
| Read Permissions | x | | x | x | x | x |
| Change Permissions | | | | | | x |
| Take Ownership | | | | | | x |
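Table 8.5 is easier to use as data than as a chart when you are deciding which standard permission to assign. The following is an added example, not the book's code: it encodes each column of the table as the set of special access permissions marked in it, so you can expand a standard permission into its parts and, more usefully, ask which standard permissions contain a given special permission, smallest first. The permission names are the book's; the helper names are made up for this example.

```python
# Added example, not from the book: Table 8.5 expressed as data, so that a
# standard NTFS permission can be expanded into the special access
# permissions it is built from, and a special permission can be traced
# back to the standard permissions that contain it. Names match the tables.
READ_GROUP = frozenset({
    "List Folder/Read Data",
    "Read Attributes",
    "Read Extended Attributes",
    "Read Permissions",
})
WRITE_GROUP = frozenset({
    "Create Files/Write Data",
    "Create Folders/Append Data",
    "Write Attributes",
    "Write Extended Attributes",
})
TRAVERSE = frozenset({"Traverse Folder/Execute File"})
OWNER_GROUP = frozenset({
    "Delete Subfolders and Files",
    "Change Permissions",
    "Take Ownership",
})

# Each standard permission is the set of special permissions marked "x"
# in its column of Table 8.5. Full Control is the whole table (13 rows);
# the 14th special permission in Table 8.4, Full Control itself, is this set.
STANDARD = {
    "Read": READ_GROUP,
    "Write": WRITE_GROUP,
    "List Folder Contents": READ_GROUP | TRAVERSE,
    "Read & Execute": READ_GROUP | TRAVERSE,
    "Modify": READ_GROUP | TRAVERSE | WRITE_GROUP | {"Delete"},
    "Full Control": READ_GROUP | TRAVERSE | WRITE_GROUP | {"Delete"} | OWNER_GROUP,
}


def expand(standard_perms):
    """Union of the special access permissions behind a set of standard ones."""
    unknown = set(standard_perms) - STANDARD.keys()
    if unknown:
        raise KeyError(f"not a standard NTFS permission: {sorted(unknown)}")
    return frozenset().union(*(STANDARD[p] for p in standard_perms))


def standard_perms_granting(special):
    """Standard permissions that include the given special permission,
    smallest set first, so the first entry is the least-privilege choice."""
    hits = [name for name, members in STANDARD.items() if special in members]
    return sorted(hits, key=lambda name: (len(STANDARD[name]), name))


def grants(standard_perms, special):
    """True if the assigned standard permissions cover the special one."""
    return special in expand(standard_perms)


if __name__ == "__main__":
    print(sorted(expand({"Write"})))
    print(standard_perms_granting("Delete"))
    print(standard_perms_granting("Delete Subfolders and Files"))
```

The lookup makes the planning guideline concrete: a user who must be able to delete her own files needs Modify, but the only standard permission that carries Delete Subfolders and Files is Full Control, which is why the troubleshooting table later removes that one special permission rather than downgrading the whole assignment.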


Using Change Permissions and Take Ownership Permissions

Two special access permissions are worth special mention: Change Permissions and Take Ownership.

When using special access permissions, you no longer need to assign users or Windows administrators the Full Control NTFS permission so that they are allowed to change permissions. Using the Change Permissions special access permission, users or Windows administrators can change permissions to a file or folder. However, they do not have access to delete any files or subfolders. That way, the users or Windows administrators can control the access to the data but not delete any of the data itself.

All files and folders on an NTFS volume have an owner. By default, the owner is the person installing the volume and formatting it with the NTFS file system. This person is usually a Windows administrator. File and folder ownership can be transferred to another user or group. You can grant a user account or a user group the ability to take ownership of a file or folder. As an administrator, you have the ability to take control of any files or folders on the NTFS volume.

Two hard-and-fast rules apply here. Remember these rules when thinking about granting someone the ability to take ownership of a file or folder:

  1. The owner of a file or folder or any user with the Full Control NTFS permission to a file or folder can assign the Full Control standard NTFS permission or the Take Ownership special access permission, which allows taking control of that file or folder. For instance, if User A has the Full Control standard NTFS permission to D:\Apps and assigns the Take Ownership special access permission to User B, User B can now take ownership of any files or folders in D:\Apps.

  2. Windows administrators can take ownership of a file or folder at any time. This is one of their inherited rights. Administrators can then assign the Take Ownership special access permission to another user or group so that they can take control of the files and folders in a parent folder. For instance, if User A leaves the organization for another position, a Windows administrator can assign the Take Ownership special access permission to the former employee's manager for the former employee's files and folders. The manager can then take ownership of those files and folders.


You can assign the Take Ownership special access permission to a user account or group. The receiving user account or group can then take ownership of the respective resources. However, it cannot assign ownership of a file or folder to another user account or group.


Assigning Special Access Permissions

Special access permissions provide a specific level of security other than the standard NTFS permissions. It is important that you understand how each special permission affects the user.

To set special access permissions to a folder, follow these steps:

  1. Right-click the Start button and select Explore. Windows Explorer opens.

  2. Click the plus sign to the left of an NTFS volume that you would like to view.

  3. Locate a folder that requires changes. Right-click the folder and select Properties.

  4. Select the Security tab.

  5. Click the Advanced button to view the Advanced Security Settings dialog box, as shown in Figure 8.3.

    Figure 8.3. Advanced Security Settings dialog box.


  6. Click the Add button to open the Select User or Group dialog box, as shown in Figure 8.4.

    Figure 8.4. Select User or Group dialog box.


  7. Select an object and click the Advanced button to modify the special permissions.

  8. In the Advanced Security Settings dialog box, select the permission entry you want to modify and click the Edit button, as shown in Figure 8.5.

    Figure 8.5. Permission Entry dialog box.


The special access permissions are listed in the Permissions list box of the Permission Entry dialog box. All special access permissions are assigned and denied here. Table 8.6 lists the options and their descriptions.

Table 8.6. Permission Entry Dialog Box Options

| Option | Description |
|---|---|
| Name | Lists the user account or group name affected by the special access permissions. Clicking the Change command button can change the user account or group affected. |
| Apply Onto | Lists the level of the folder hierarchy at which the special access permissions being assigned will be applied. |
| Permissions | Lists all the special access permissions. To allow a special access permission, click the check box in the Allow column to the right of the permission. Alternatively, to deny a special access permission, click the check box in the Deny column to the right of the special access permission. |
| Apply These Permissions to Objects Within This Container Only | Allows or denies permission inheritance for the parent folder. To allow permission inheritance for the special access permissions being assigned, select this check box; otherwise, clear it. |
| Clear All | Clears all the check boxes in the Allow and Deny columns in the Permissions list box. |


Taking Ownership of Secure Resources

A Windows administrator working with NTFS file and folder permissions should know how to take ownership of a resource. The Take Ownership special access permission allows users to claim ownership of files and folders.

To take control of a file or folder, the user or group member must have the Take Ownership permission assigned for that file or folder. Then the user or group member must explicitly take ownership of that file or folder. You follow these steps to take ownership:

  1. Right-click the Start button and select Explore. Windows Explorer opens.

  2. Click the plus sign to the left of an NTFS volume that you would like to view.

  3. Locate the folder that requires changes. Right-click the folder and select Properties.

  4. Select the Security tab.

  5. Click the Advanced button to view the Advanced Security Settings dialog box.

  6. Select the Owner tab to view the current owner of the folder or file.

  7. Select your name in the Change Owner To list box.

  8. Check the Replace Owners on Sub Containers and Objects check box and click OK.

Copying and Moving Data

When files and folders on an NTFS volume are copied to another volume, the permissions change. For instance, if you copy a file from one NTFS volume to another NTFS volume, the following changes occur if the right criteria are met:

  • The receiving NTFS volume treats the file as a new file. Like any new file, it gains the permissions of the folder it is created in.

  • The user account used to copy the file must have the Write NTFS permission in the destination folder on the receiving volume.

  • The user account used to copy the file becomes the Creator Owner of that file.

Essentially, any permissions assigned to that file before it is copied are lost during the copy itself. If you want to keep those same permissions, they must be reassigned to the destination folder.

When files and folders are copied from an NTFS volume to a FAT partition, the permissions are lost. This happens because FAT partitions do not support NTFS permissions.

When files or folders are moved from an NTFS volume, the permissions might or might not change. This depends entirely on where the destination folder lies. If any files or folders are moved to a FAT partition, the permissions are lost. As stated earlier, a FAT partition does not support NTFS permissions. However, you need to consider other scenarios when moving files and folders from an NTFS volume: moving files and folders within an NTFS volume and moving files and folders to another NTFS volume.

When files and folders are moved within a single NTFS volume, these rules are followed:

  1. The files and folders keep the original permissions assigned to them.

  2. The user account moving the files and folders must have the Write NTFS permission to the destination folder.

  3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. The reason is that during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.

  4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.

When files and folders are moved from one NTFS volume to another NTFS volume, these rules are followed:

  1. The files and folders being moved inherit the permissions of the destination folder.

  2. The user account moving the files and folders must have the Write NTFS permission to the destination folder because a move is really a combination copy/delete.

  3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. The reason is that during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.

  4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.
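The copy and move rules above are easy to misremember, and a wrong guess about which permissions survive a move is a common way for data to end up readable by the wrong group. The following is an added example, not the book's code: it turns the rules into one function over constructed volumes, permission sets, and a constructed user name, and a second function that lists what the acting account must hold on the source and destination. The `Volume` type and the function names are assumptions made for this example.

```python
# Added example, not from the book: the copy/move rules for NTFS permissions
# as a function. The volumes, permission sets and user names are constructed
# for illustration; the Volume class is an assumption of this model.
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    name: str    # drive letter, e.g. "D:"
    fs: str      # "NTFS" or "FAT"


def transfer_outcome(op, src, dst, file_perms, dst_folder_perms, actor):
    """Permissions and owner a file ends up with after a copy or move.

    - Any copy, and a move to a different volume, produces a new file that
      takes the permissions of the destination folder.
    - A move within one NTFS volume keeps the file's original permissions.
    - A copy or move onto FAT loses the permissions; FAT stores neither
      permissions nor an owner, so both are returned as None.
    - In every NTFS case the account doing the copy or move becomes the
      Creator Owner.
    """
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    if dst.fs != "NTFS":
        return {"permissions": None, "owner": None}
    keeps_original = op == "move" and src.fs == "NTFS" and src.name == dst.name
    perms = dict(file_perms) if keeps_original else dict(dst_folder_perms)
    return {"permissions": perms, "owner": actor}


def required_rights(op, src, dst):
    """What the acting account needs, per the rules above: Write on the
    destination folder for any transfer, plus Modify or the Delete special
    permission on the source for a move, because a move deletes the source."""
    needs = {"destination": {"Write"}}
    if op == "move":
        needs["source"] = {"Modify", "Delete"}   # either one is enough
    return needs


# Constructed scenario: an Accounting file with its own ACL is copied or moved
# into a folder whose ACL only grants Users Read & Execute.
D = Volume("D:", "NTFS")
E = Volume("E:", "NTFS")
F = Volume("F:", "FAT")
FILE_PERMS = {"Accounting": frozenset({"Modify"})}
DEST_PERMS = {"Users": frozenset({"Read & Execute"})}


def demo():
    """Run the four cases the text describes and return their outcomes."""
    return {
        "move_same_volume": transfer_outcome("move", D, D, FILE_PERMS, DEST_PERMS, "alice"),
        "move_other_volume": transfer_outcome("move", D, E, FILE_PERMS, DEST_PERMS, "alice"),
        "copy": transfer_outcome("copy", D, E, FILE_PERMS, DEST_PERMS, "alice"),
        "move_to_fat": transfer_outcome("move", D, F, FILE_PERMS, DEST_PERMS, "alice"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The case to watch is the move within one volume: it is the only transfer that carries the source ACL along, so a file moved out of a restricted folder into a public one keeps its restrictive entries while everything copied or moved across volumes silently takes on the destination folder's entries.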

Troubleshooting Insufficient User Permissions and Rights

Avoiding permission problems is the first step in troubleshooting permission problems. These preventive measures involve following some basic guidelines:

  • When assigning NTFS permissions, try to assign only enough access for a user or group of users to perform their job.

  • Try not to assign any NTFS permissions at the file level. Doing so increases the complexity of managing the permissions. Assign the NTFS permissions at the folder level only. If several files require the same access, move them to a common folder and assign the permissions to that folder.

  • Application executables should have Read & Execute and Change assigned to the Administrators group. The Users group, on the other hand, should have only Read & Execute. Setting permissions this way prevents users or a virus from modifying the files. When an administrator wants to update the application executables, she can temporarily assign herself Full Control to perform the task.

  • Assign Full Control to the Creator Owner of public folders and the Read and Write NTFS permissions to the Everyone group. This way, users have full access to the files they create, but members of the Everyone group can only read and create files in the folder.

  • Try not to deny any NTFS permissions. If you have to do this to a user or group, document it well and state that this is a special case. Instead of denying access to a resource by denying NTFS permissions, don't assign the permissions to gain access.

To help troubleshoot some of the more common NTFS permission problems, Table 8.7 lists the most common problems and solutions.

Table 8.7. Common NTFS Permissions Problems and Solutions

| Problem | Solution |
|---|---|
| A user or group cannot access a file or folder. | Check the permissions assigned to the user or group. Permissions may not be assigned for the selected resource, or permission could be denied. In addition, the permissions could have been changed if the file or folder has been copied or moved. |
| The administrator assigns access to a group for a selected file or folder, but a user of that group still cannot access the file or folder. | Ask the user to log off and then log back on. When the user logs back on, her NTFS permissions are updated to include the new group that she was added to. Another way to update a user's permissions is to ask her to disconnect the network drive on which the file or folder resides and then reconnect it. This forces the permissions to update on the reconnect of the network drive. |
| A user with Full Control to files has deleted some files in a folder, and you want to prevent him from doing it again. | Open the Permission Entry dialog box (refer to Figure 8.5) for that folder and remove the Delete Subfolders and Files special access permission for that user. |


Determining Effective NTFS Permissions

One of the new features with Windows XP is the ability to view the effective permissions on an object for a particular user. Windows XP calculates the net result permissions by looking at all user and group memberships, along with any inherited permissions. This feature allows you to troubleshoot permission problems much faster than previous versions of Windows.


There is one caveat with the effective permissions feature: It calculates the resulting general permissions for a given user, but those permissions may not be exactly correct. What's the scoop? The addition of Implicit Groups can wreak havoc because permissions can be assigned based on group membership that changes depending on how the data is accessed: local to the server, over the network, via a Terminal Server client, and so on. The effective permissions feature takes this into account to the best of its ability, but you should be aware that the connection method may be a contributing factor.


Microsoft has buried the effective permissions feature within a file or folder's Security Properties. To access the Effective Permissions tab, right-click the file, select Properties, and select the Security tab. Click the Advanced button and then click the Effective Permissions tab. From there, you need to select a user or user group, and the resultant special permissions are displayed with a check mark in the box.

Managing Share Permissions

Sharing data is the primary purpose of configuring a company network. To make data available to others, you explicitly flag the folder as shared. Access to the data is then granted or denied based on the combination of Share permissions and NTFS permissions.

You create a share by right-clicking the folder and selecting Sharing and Security from the pop-up menu. A Properties dialog box opens, with the Sharing tab in focus. You can also access the Sharing tab by right-clicking the folder, selecting Properties, and then clicking this tab.

Share permissions haven't changed with the times. Although it might be easier for you if the Share permissions were the same as NTFS permissions, this is not the case. Unfortunately, they do use some of the same names, which just serves to confuse the issue:

  • Full Control allows users to create, delete, modify, and grant Share permissions.

  • Read allows users to read the contents of a folder but not modify any contents. Users cannot create files either.

  • Change allows users to create, delete, and modify the contents of a folder. This includes creating documents and subfolders.

When you are first learning about NTFS permissions, confusing Share permissions and NTFS permissions is easy; the result causes a jumble of permissions that not only are impossible to track and document, but also frequently leave security holes wide open.

One hole in particular deals with the Guest account. Anonymous users who don't have a local or domain account on the server are automatically converted to the Guest account and allowed access to any resources the Guest account can access. The solution is to disable the Guest account and create specialized accounts for any real guests who need access to network data. Another solution is to rely on NTFS permissions to stop any transgressions from occurring.

Combining NTFS and Share Permissions

When you mix NTFS permissions with Share permissions, the most restrictive permission between the two rules wins. In other words, if permissions are stacked with the most restrictive on the bottom and the least restrictive on top, the one at the bottom of the stack is the permission you live by.

To determine a user's effective permissions, you start by reviewing the user's NTFS permissions as well as Share permissions. If the user belongs to multiple groups, you need to determine the least restrictive NTFS permissions and the least restrictive Share permissions in effect. After you determine the least restrictive NTFS permission and the least restrictive Share permission, you need to determine which permission is the most restrictive between them. The most restrictive permission is the permission in effect.

When you are dealing with multiple group memberships, you can easily understand why someone may become confused. Consider this: Multiple NTFS permissions are cumulative. They stack up on each other, with the most restrictive on the bottom and the least restrictive on top. The highest permission wins. Share permissions are also cumulative, so you must determine the least restrictive Share permission. When you mix NTFS permissions with Share permissions, the most restrictive permission between the two rules wins. In other words, the one at the bottom of the stack is the permission that is in effect.
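The combination rule described above, as an added example that is not code from the book: each named permission is expanded to the basic rights it carries (following Table 8.1 and the Share permission list), NTFS and Share grants are each accumulated across the user's group memberships, and the two results are intersected so that the most restrictive one wins. The users, groups and ACL entries are constructed, and the `over_network` switch models the caveat in the effective permissions note, since Share permissions only apply when the data is reached through the share.

```python
# Added example, not from the Exam Cram text. Basic rights are a simplified set
# used to express what each named permission allows.
ALL_RIGHTS = frozenset({"read", "write", "execute", "delete",
                        "change_permissions", "take_ownership"})

# What each NTFS file permission grants (per Table 8.1: Write does not include Read).
NTFS = {
    "Read": {"read"},
    "Write": {"write"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "write", "execute", "delete"},
    "Full Control": set(ALL_RIGHTS),
}
# What each Share permission grants (Read also lets programs run over the share).
SHARE = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": set(ALL_RIGHTS),
}


def cumulative(acl, principals, table):
    """Permissions are cumulative across group memberships: the union of every
    Allow entry that names the user or one of their groups is the least
    restrictive result. acl entries are (principal, permission, "Allow"|"Deny")."""
    allowed, denied = set(), set()
    for principal, perm, kind in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(table[perm])
    # An explicit Deny overrides any Allow (standard NTFS/Share behaviour).
    return allowed - denied


def effective_rights(user, groups, ntfs_acl, share_acl, over_network=True):
    """The most restrictive of the two cumulative results wins: a right survives
    only if both the NTFS and the Share permissions grant it (set intersection).
    Locally, Share permissions do not apply, so only the NTFS result counts."""
    principals = {user, *groups}
    rights = cumulative(ntfs_acl, principals, NTFS)
    if over_network:
        rights &= cumulative(share_acl, principals, SHARE)
    return rights


# Constructed scenario: Accounting holds Modify (NTFS) and Change (Share) on the
# folder; Staff holds only Read on both. Alice is in both groups, Bob only in Staff.
NTFS_ACL = [("Staff", "Read", "Allow"), ("Accounting", "Modify", "Allow")]
SHARE_ACL = [("Staff", "Read", "Allow"), ("Accounting", "Change", "Allow")]

if __name__ == "__main__":
    print(sorted(effective_rights("alice", {"Staff", "Accounting"}, NTFS_ACL, SHARE_ACL)))
    print(sorted(effective_rights("bob", {"Staff"}, NTFS_ACL, SHARE_ACL)))
```

Swapping the Share entry for Accounting to Read shows the "most restrictive wins" rule directly: Alice keeps Modify on the NTFS side but is reduced to read and execute over the network, while a local logon still gives her the full NTFS result.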

Managing Hidden Shares

By default, without your ever touching the system, some shares are configured for you. These shares are called administrative shares. For example, shares are automatically created for every drive installed on the system. These shares are called hidden shares because they do not show up on a list of shares when you type \\SERVERNAME, the UNC name for the computer. If you look at the share name for a drive on the system, you'll notice that a $ symbol appears after the share name. This symbol indicates that the share is hidden, and it can be used to hide any share on the system.

The hidden shares can help you gain access to a user's computer if he does not know how to set up a share. It is a great way to transfer files if the user is not familiar with creating his own shared folder.

Sharing Printers

To share a printer, open the Printers and Faxes folder on the computer connected to the printer by following these steps:

  1. Click Start and then click Control Panel.


    If you are using the Classic Start menu, you need to click the Start button, select Settings, and click Control Panel.


  2. Double-click Printers and Faxes.

  3. In the Printers and Faxes folder, click the printer's icon and, in the Tasks pane, click Share This Printer. The Printer's Property dialog box is displayed with the Sharing tab in view.

  4. Click the Share This Printer option and type the share name for the printer.

  5. Click OK.

Auditing User Access of Files, Folders, and Printers

As an administrator of a Windows XP Professional computer, you can configure your computer to audit user access to files, folders, and printers. The audit log appears in the security log in Event Viewer. To enable this feature, follow these steps:

  1. Click Start, click Control Panel, and double-click Administrative Tools.


    If you are using the Classic Start menu, you need to click the Start button, select Settings, and click Control Panel.


  2. Open the Local Security Policy.

  3. In the left pane, double-click Local Policies to expand it.

  4. In the left pane, click Audit Policy to display the individual policy settings in the right pane.

  5. Double-click Audit Object Access.

  6. To audit successful access of specified files, folders, and printers, select the Success check box.

  7. To audit unsuccessful access to these objects, select the Failure check box.

  8. To enable auditing of both, select both check boxes.

  9. Click OK.

Specifying Files, Folders, and Printers to Audit

After you enable auditing, you can specify the files, folders, and printers that you want audited. To do so, follow these steps:

  1. In Windows Explorer, locate the file or folder you want to audit. To audit a printer, locate it by first clicking Start and then clicking Printers and Faxes.

  2. Right-click the file, folder, or printer that you want to audit and then click Properties.

  3. Click the Security tab and then click Advanced.

  4. Click the Auditing tab and then click Add.

  5. In the Enter the Object Name to Select box, type the name of the user or group whose access you want to audit. You can browse the computer for names by clicking Advanced and then clicking Find Now in the Select User or Group dialog box.

  6. Click OK.

  7. Select the Successful or Failed check boxes for the actions you want to audit.

  8. Click OK three times to close the open dialog boxes.

Troubleshooting Auditing

Two requirements must be met for auditing to function properly. When troubleshooting, be sure to verify these items first so you can rule them out immediately:

  • The hard disk must be formatted with the NTFS file system for auditing to work.

  • If your computer is a member of a domain and the administrator has set domain-level auditing policies, those policies override these local settings.



MCDST 70-272 Exam Cram 2. Supporting Users & Troubleshooting Desktop Applications on a Windows XP Operating System (Exam Cram 2)
MCSA/MCSE 70-291 Exam Cram: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736187
Year: 2003
Pages: 119
Authors: Diana Huggins
