Lesson 1: Securing Access to File Resources

When you design security for file resources, consider

  • The design of share permissions
  • The design of NT file system (NTFS) permissions
  • The effect of combining share and NTFS permissions

The key to ensuring secure file access is to plan your share and NTFS permissions before you deploy resources.

After this lesson, you will be able to

  • Design security for local and network-based files by combining share and NTFS permissions

Estimated lesson time: 45 minutes

Designing Share Security

Share permissions are used to secure network access to data stored on a server. Share permissions are flexible in that they aren't limited to a specific file system. You can establish shares for folders located on file allocation table (FAT), FAT32, NTFS, and CD-ROM file system (CDFS) volumes.

Although they're flexible, share permissions are limited in that they have no effect on a user who is logged on locally at the computer hosting the shared folder. For example, if share permissions for the Project folder are configured to deny Read access to members of the Sales group, the share permissions would only come into effect if the Sales group is connecting to the Project folder over the network. If seated at the server itself, a user could read and execute any file in the Project folder. It's only by combining share permissions with NTFS permissions that you achieve a totally secure file access solution.

Configuring Share Permissions

You can enable a shared folder by editing the folder properties. In the Properties dialog box, configure the share permissions in the Sharing tab, as shown in Figure 6.3.

Figure 6.3 Enabling a shared folder

When you enable a shared folder, you can limit the maximum number of sessions that are allowed. To configure more precise permissions, click Permissions. The standard permissions for a share are

  • Full Control. This permission allows the assigned security principal to create, delete, and modify any content within the shared folder. In addition, if it's located on an NTFS partition, Full Control permission allows the security principal to take ownership of files and folders and to change permissions on the files or folders within the shared folder.
  • Change. This permission allows a security principal to read, write, create, or modify any content within the shared folder.
  • Read. This permission allows a security principal to read, copy, or execute any content within the shared folder.

Changes to Shares in Windows 2000

In Windows 3.1, Windows 95, Windows 98, and Windows NT, if you assigned a logical drive letter to a file share, you could only establish a fake root directory at the folder that was shared. For example, if you used the command net use h: \\server\home\brian, the drive mapping when you connected to the H drive would be h:\brian>. If you wanted the Brian folder to appear as the root folder, you had to share the Brian folder separately. In organizations with large numbers of users, this created an impossibly long listing of available shared home folders.

In Windows 2000 the default behavior is different. Typing the above net use command results in the root being established at the Brian folder. In other words, if you switched to drive H, you'd see h:\> as the command prompt. This provides additional security because the user won't be able to navigate to any folders above or at the same level in the folder hierarchy.

This doesn't affect down-level clients. They still require separate shares to be established for each user home directory.

Making the Decision

When you design share permissions, use the following guidelines to increase security of share permissions:

  • Remove the default share permission that assigns Everyone the Full Control permission. For higher security networks, you can consider the default permission assignment an excess assignment of permissions. Users should usually not require more than Change permission.
  • Assign share permissions to domain local groups, not user accounts. By assigning permissions to domain local groups, you can manage share permissions by modifying group memberships rather than by editing the permissions of each shared folder.
  • Assign the maximum permission that a security principal will require for the folder hierarchy below the shared folder. The assigned share permissions should never exceed the required level of access for all folders within the shared folder. When you define share permissions, inspect the entire folder hierarchy contained within the shared folder.

Applying the Decision

You need to establish two separate shares for Wide World Importers: one for the default applications in Washington and a second for the Graphics department in Dallas.

To meet the current requirements, you need to establish the following share permissions for the \\Washington\Applications share:

  • Users: Read. Users don't require any permissions other than Read permissions to find and run application software.
  • Administrators: Full Control. Administrators require Full Control permissions to modify permissions on files and to update files. If Administrators aren't required to change permissions, you could implement Change permissions for Administrators instead of Full Control.

These permissions allow all users to read and install the applications. Administrators are able to modify files and change permissions on the files.

To meet the security requirements for share permissions in Dallas, the need to assign elevated privileges to Lisa Jacobson, David Jaffe, Stefan Knorr, and Linda Kobara requires you to define a different set of share permissions for \\Dallas\Applications. You must define the following permissions to meet security requirements:

  • Graphics Users: Read. Members of the Graphics department must have Change permissions assigned. This is because all members of the Graphics department need to be allowed to submit new graphic files to the Common Graphics folder.
  • Graphics Admins: Change. This domain local group contains four users: Lisa, David, Stefan, and Linda. Lisa and David would be in a global group named Common Graphics and Stefan and Linda would be in another global group named Template Admins.
  • Administrators: Full Control. Administrators require Full Control permissions to modify permissions on files and to update files. If Administrators aren't required to change permissions, you could implement Change permissions for Administrators instead of Full Control.

Planning NTFS Security

While share permissions affect only network users, NTFS permissions affect both network users and users who are at the computer console. In addition to providing local folder security, NTFS allows permissions to be set for individual files within a folder. The ability to set permissions on files gives you more flexibility when you design your security model for file access.


This raises the question of why share permissions are even required. Remember that to connect to a network resource, you must have an entry point. The share provides this entry point, and you can secure it by using share permissions.

Changes in the Windows 2000 NTFS File System

Windows 2000 introduces functionality in the NTFS file system that isn't found in Windows NT. (Unless otherwise indicated, "Windows NT" refers to versions 3.51 and 4.0.) This functionality includes

  • Encryption. File-level and directory-level encryption is supported in Windows 2000 through the Encrypting File System (EFS). EFS allows files and folders to be encrypted so that only the user who performed the encryption (or a designated EFS recovery agent) can decrypt the protected files.
  • Quotas. NTFS allows storage space restrictions to be set on a per volume basis. You can apply these quotas on a per user basis to limit the amount of disk space in which a user can store data on a volume.
  • Permission inheritance. Permissions configured at a parent folder propagate to subfolders and file objects within the parent folder. This feature reduces the effort required to modify the permissions of multiple files and subfolders.


If permissions for a resource are inherited, you can't remove them directly. You must copy the inherited permissions to the folder, thus breaking the inheritance, and then remove the individual Access Control Entry (ACE) from the Discretionary Access Control List (DACL).

Assessing NTFS Permissions

You can define NTFS permissions at either the folder or file level. For folders, you can assign the following permissions in the Security tab of the folder's Properties dialog box: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Likewise, you can set permissions for individual files to Full Control, Modify, Read & Execute, Read, and Write.

The predefined NTFS permissions are compilations of several special permissions, including

  • Traverse Folder/Execute File. Traverse Folder allows or denies navigating through folders, even though the user doesn't have permissions to access files or folders within that folder. This permission applies to folders only. Execute File allows or denies running program files and applies to files only.
  • List Folder/Read Data. List Folder allows or denies viewing file names and subfolder names within the folder and applies to folders only. Read Data allows or denies viewing data in files and applies to files only.
  • Read Attributes. Allows or denies viewing the attributes of a file or folder, such as read-only and hidden attributes.
  • Read Extended Attributes. Allows or denies viewing the extended attributes of a file or folder. Specific programs define the extended attributes.
  • Create Files/Write Data. Create Files allows or denies creating files within a folder. Write Data allows or denies making changes to a file and overwriting existing content.
  • Create Folders/Append Data. Create Folders allows or denies creating folders within a folder. Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting any existing data in the file.
  • Write Attributes. Allows or denies changing the attributes of a file or folder, such as read-only and hidden attributes.
  • Write Extended Attributes. Allows or denies changing the extended attributes of a file or folder. The extended attributes are defined by specific programs.
  • Delete Subfolders and Files. Allows or denies deleting subfolders and files when applied at a parent folder, even if the Delete permission hasn't been granted on the specific subfolder or file.
  • Delete. Allows or denies the deletion of a file or folder.
  • Read Permissions. Allows or denies reading permissions assigned to a file or folder.
  • Change Permissions. Allows or denies modification of the permissions assigned to a file or folder.
  • Take Ownership. Allows or denies taking ownership of the file or folder.


    The owner of a file or folder can always change permissions, even if the current permissions explicitly deny access to the owner of the file or folder.

  • Synchronize. Allows or denies a thread to synchronize with another thread that may signal the original thread. This permission applies only to multi-threaded, multiprocessed programs.

Table 6.1 outlines how the special permissions map to the default folder and file NTFS permissions.

Table 6.1 Special Permission Composition

Special Permissions Full Control Modify Read & Execute List Folder Contents Read Write
Traverse Folder/Execute Files X X X X
List Folder/Read Data X X X X X
Read Attributes X X X X X
Read Extended Attributes X X X X X
Create Files/Write Data X X X X X
Create Folders/Append Data X X X
Write Attributes X X X
Write Extended Attributes X X X
Delete Subfolders and Files X
Delete X X
Read Permissions X X X X X X
Change Permissions X
Take Ownership X
Synchronize X X X X X X

In general, you can define most permissions by choosing the predefined permissions. Remember that you must create security groups that will be included in each ACE in the DACL. The DACL will have one ACE for each level of access you define for an object.

Making the Decision

The following factors will affect your NTFS permission design:

  • Assign only necessary permissions. By ensuring that excess permissions are never granted, you increase your network's security and prevent accidental use of excess permissions, such as the deletion of a document.
  • If multiple access rights are required to a resource, create a custom domain local group for each type of access. By creating custom domain local groups, you can create separate ACEs for each type of required access. The level of access for any user will be based on that user's group memberships.
  • ACEs defined directly on an object are evaluated before any inherited ACEs. Consider, for example, a folder that inherits an ACE that denies write access to the Finance domain local group. At the folder itself, an explicit ACE allows write access to Sally, a member of the Finance domain local group. She can then modify the document's contents because the explicit allow ACE is evaluated before the inherited deny ACE. The processing of the ACEs terminates when it's determined that Sally has the necessary permissions to modify the folder's contents.
  • Within a group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs. This order of processing ensures that deny ACEs take precedence over allow ACEs when applied in the same grouping.
  • If there are multiple inherited ACEs, the ACEs are evaluated from closest to the object to farthest. This ensures that any explicit ACEs applied to the file or folder containing the file are evaluated before any inherited ACEs.
  • Use security templates and Group Policy to standardize NTFS permissions. You can define security templates that set prescribed NTFS permissions for specific folders in a Windows 2000 installation. You can then import these security templates into Group Policy to ensure that they're applied to all computers within the container where the Group Policy is applied.


For more information on using security templates to define security configuration, see Chapter 8, "Securing Microsoft Windows 2000–Based Computers."
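The evaluation order described in the guidelines above can be traced with a small model. This is an added example, not code from the training kit or from Windows; the Ace class, the depth field (0 for explicit, 1 and up for inherited) and the sample DACLs are assumptions constructed to mirror the Sally scenario.

```python
# Added example: simplified model of DACL evaluation order (not Windows source code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the ACE names
    allow: bool         # True = access-allowed ACE, False = access-denied ACE
    rights: frozenset   # rights covered by this ACE
    depth: int = 0      # assumption: 0 = explicit, 1 = inherited from parent, 2 = grandparent

def canonical_order(aces):
    """Explicit ACEs first, then inherited nearest-first; deny before allow in each group."""
    return sorted(aces, key=lambda a: (a.depth, a.allow))

def access_check(aces, principals, requested):
    """Walk the ordered DACL and return (granted, deciding_ace)."""
    remaining = set(requested)
    for ace in canonical_order(aces):
        if ace.trustee not in principals:
            continue                      # ACE names someone else
        if not ace.allow and remaining & ace.rights:
            return False, ace             # deny ACE hit a right still being sought
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True, ace          # everything requested is granted: stop here
    return False, None                    # end of list reached: implicit deny

WRITE = frozenset({"write"})
SALLY = {"Sally", "Finance", "Users"}     # constructed group memberships

# Constructed DACL for the Sally scenario: inherited deny, explicit allow.
folder_dacl = [
    Ace("Finance", False, WRITE, depth=1),
    Ace("Sally", True, WRITE, depth=0),
]
# Same entries, but both are explicit, so the deny ACE is placed first.
same_level_dacl = [
    Ace("Sally", True, WRITE, depth=0),
    Ace("Finance", False, WRITE, depth=0),
]

if __name__ == "__main__":
    print(access_check(folder_dacl, SALLY, {"write"}))
    print(access_check(same_level_dacl, SALLY, {"write"}))
```

The first check is granted by the explicit allow ACE before the inherited deny is reached; the second is refused because the deny ACE sits in the same explicit group and is ordered ahead of the allow.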

Applying the Decision

For the software deployment at the Washington office, the NTFS permissions are going to be consistent for the entire directory structure. This allows you to define NTFS permissions at a higher level in the directory structure. You could deploy the following NTFS permissions to meet the security requirements:

  • Users: Read & Execute. You don't need to implement separate NTFS permissions for individual files in the Microsoft Office folder. The Read & Execute permissions allow users to read the data in the folder and to execute programs.
  • Administrators: Full Control. Administrators require Full Control permissions.

The NTFS permissions for the Dallas office will be more complex. This is because you need to provide additional permissions for the Corporate Graphics and Templates folders. By taking advantage of NTFS permission inheritance, you can make the permission assignments shown in Figure 6.4.


Figure 6.4 Recommended NTFS permission assignments

These permission assignments take advantage of NTFS permission inheritance in that all subfolders of the Applications folder inherit the permissions assigned at the Applications folder.

Combining Share and NTFS Security

An important aspect of securing file access is understanding the interaction of share and NTFS permissions. One set of permissions doesn't necessarily take precedence over the other. Instead, the most restrictive set becomes the effective permissions for the resource. Use the decision tree in Figure 6.5 to determine effective permissions of each security principal.

Figure 6.5 Combining share permissions and NTFS permissions

Because individual share permissions or NTFS permissions may vary depending on the group memberships of the security principal, you should perform this evaluation separately for each security principal. For example, the share and NTFS permissions shown in Table 6.2 have been assigned to a folder named Data.

Table 6.2 Share and NTFS Permissions Assigned to the Data Folder

Share Permissions               | NTFS Permissions
Users: Read                     | Users: Read & Execute
Administrators: Full Control    | Users: Write
                                | Marketing: Modify
                                | Administrators: Modify

If a member of the Marketing department attempts to access a file in the Data folder over the network, the permissions are evaluated as follows:

  1. Determine share permissions. All user accounts are members of the Domain Users group. The Domain Users group is a member of the Users group. Based on membership, the user account would be assigned a share permission of Read.
  2. Determine NTFS permissions. The member of the Marketing department is a member of the Users group and the Marketing group. The NTFS permission for the Data folder would be Modify.
  3. Determine the most restrictive permissions. In this case, the share permissions are the most restrictive, so the user's effective permissions would be Read. This prevents members of the Marketing department from modifying or deleting documents in the Data folder when they connect over the network.

Likewise, the effective permissions for an administrator would be Modify because the NTFS permissions would be the most restrictive.
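The three-step evaluation above, and the earlier point that share permissions do not apply to a user logged on locally, can be worked through in code. This is an added example, not part of the training kit: it reduces each permission level to a coarse set of abilities (an assumption based on the descriptions in this lesson), handles allow entries only, and uses the Table 6.2 assignments for the Data folder.

```python
# Added example: simplified ability-set model of combining share and NTFS permissions.
READ = {"read", "execute"}
CHANGE = READ | {"write", "delete"}
ADMIN_ONLY = {"change_permissions", "take_ownership"}

# Assumption: coarse ability sets derived from the lesson's descriptions of each level.
SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": CHANGE | ADMIN_ONLY}
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Read & Execute": READ,
    "Modify": CHANGE,
    "Full Control": CHANGE | ADMIN_ONLY,
}

# Table 6.2 assignments for the Data folder.
DATA_SHARE = [("Users", "Read"), ("Administrators", "Full Control")]
DATA_NTFS = [("Users", "Read & Execute"), ("Users", "Write"),
             ("Marketing", "Modify"), ("Administrators", "Modify")]

def granted(entries, levels, groups):
    """Union of abilities from every entry that names one of the caller's groups."""
    abilities = set()
    for trustee, level in entries:
        if trustee in groups:
            abilities |= levels[level]
    return abilities

def effective(groups, over_network=True):
    """Steps 1-3: share result, NTFS result, then whatever both sides allow."""
    ntfs = granted(DATA_NTFS, NTFS_LEVELS, groups)
    if not over_network:
        return ntfs        # local logon: share permissions are never consulted
    return ntfs & granted(DATA_SHARE, SHARE_LEVELS, groups)

def share_is_bottleneck(groups):
    """True when the share removes abilities that the NTFS permissions grant."""
    return effective(groups, True) != effective(groups, False)

MARKETING_USER = {"Users", "Marketing"}
ADMIN_USER = {"Users", "Administrators"}

if __name__ == "__main__":
    for name, groups in (("marketing", MARKETING_USER), ("admin", ADMIN_USER)):
        print(name, sorted(effective(groups)), sorted(effective(groups, False)))
```

For the Marketing member the share is the bottleneck over the network, while the same user at the console gets the full Modify set from NTFS.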

In general, your strategy should be to designate either share permissions or NTFS permissions as the primary permissions when you set your security. To define a more granular level of security, designate your effective security through NTFS permissions. Evaluate all folders below a shared folder to determine the highest level of permissions that a security group requires and set the share permissions at that level. This ensures that the share permissions won't become the most restrictive permissions and prevent the NTFS permissions from being the effective permissions.

Should I Just Leave the Default Share Permissions in Place?

Probably not. When you create a new share, the default share permissions include a single entry that assigns Full Control permission to the Everyone group. In a secure Windows 2000 network, modify this share permission to prevent granting excessive privileges if NTFS permissions aren't monitored.

The Full Control permission under NTFS includes three additional abilities over the Modify permission:

  • Delete files and folders you don't have permissions to
  • Take ownership of a file
  • Change permissions of a file

In most networks, these permissions are restricted to the network's administrators. If this is the case in your network, a more effective set of default permissions to use for a shared folder is

  • Administrators: Full Control
  • Users: Change


If users require only Read access to a folder, you should change the Users permissions to Read rather than use Change.

These permissions allow users to create, read, delete, and modify any files in the share, but they can't redefine security settings within the folder.

Making the Decision

Use the following guidelines when planning for combined share permissions and NTFS permissions:

  • Set share permissions as the highest level of permissions required for the tree below. This ensures that if NTFS permissions are changed, share permissions won't provide excess privileges to a security principal.
  • Use NTFS permissions to define precise access control to file resources. Because NTFS permissions allow protection of both files and folders, define your security by using NTFS permissions. Share permissions don't provide the required flexibility and should only be considered as an entry point to the file system.
  • Always use the NTFS file system for data. If you don't use NTFS as your file system, you're limited to share permissions. This prevents you from defining more specific security for files and subfolders within shared folders.
  • Evaluate whether Full Control is appropriate. The Full Control permission allows security principals to redefine security for a resource. In general, assign Full Control permission only to administrators and never assign permissions greater than Modify to non-administrators.

Applying the Decision

In reviewing the initial share permissions and NTFS permissions applied to the Applications folders in Washington and Dallas, you see that neither share permissions nor NTFS permissions assign excess permissions.

While you could have left share permissions for Wide World Importers at the default of Everyone being assigned Full Control permissions, doing so could have resulted in excess permissions if any of the NTFS permissions were applied incorrectly.

To troubleshoot any potential problems with NTFS and share permissions, Wide World Importers must complete the design by documenting all initial permission assignments. The documentation should include all folders where permissions are assigned, details on group memberships, and the rationale for each permission assignment. The documentation will assist in troubleshooting permissions later.

Lesson Summary

You must perform the design of share and NTFS permissions by inspecting both sets of permissions. The effective permissions for any resources are based on the most restrictive settings when comparing the share permissions to the NTFS permissions. When designing file security, always base the share permissions on the maximum level of permissions required by a security principal for the directory structure. This ensures that share permissions never restrict access that NTFS permissions are attempting to provide.

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
EAN: 2147483647
Year: 2001
Pages: 172
