Working with Access Control Lists


If you assign permissions in ACLs to resource groups or security groups, and then add or remove users or resources from those groups as your organization changes, user rights and permissions are easier to control and audit, and the ACLs themselves rarely need to change.

There are two types of ACLs: Discretionary Access Control Lists (DACLs), which identify the users and groups that are allowed or denied access, and System Access Control Lists (SACLs), which control how access attempts are audited. For more information about the use of SACLs, see Auditing and Analyzing Access Control later in this chapter.

Viewing ACLs

The access control list for an object is generally found on the Security tab of the object's property sheet. This tab lists the groups and users that have access to this object, and provides a summary of the permissions allowed to each group.

Note 

The Security tab for an object can be viewed only by users who have the appropriate permissions on the object (at minimum the Read Permissions right). In addition, on computers running Windows XP Professional in a stand-alone or workgroup environment, the Security tab is hidden when Simple File Sharing is enabled. For more information about simple sharing, see Managing Network Authentication later in this chapter.

Figure 16-2 shows the Properties page with a number of ACEs visible.


Figure 16-2: Security Properties page for a Windows folder

The Group or user names box lists the security principals that have permissions assigned for this resource. The Permissions for box lists the permissions allowed or denied for the security principal highlighted in the Group or user names box. The Add and Remove buttons allow you to add new security principals for this resource or to delete existing principals from the list.

Note 

Generally, the Group or user names box lists the resolved account names of the security principals. If a name cannot be resolved (for example, because the computer is disconnected from the network), the SID of the user or group appears instead.

To view the Security tab on your system

  1. Right-click an object such as a file, folder, or printer, and select Properties.

  2. Click the Security tab.

Clicking the Advanced button opens the Advanced Security Settings page, which provides additional information about the permissions that apply to a user or group.

Figure 16-3 shows an example of an Advanced Security Settings page.

Figure 16-3: Advanced Security Settings for a Windows folder

The Advanced Security Settings page allows you to use more advanced features for granting permissions, such as:

  • Modifying special permissions that apply to each user or group.

  • Modifying access inheritance options for the object and any child objects.

  • Auditing attempts to access the object.

  • Modifying ownership information for the object and any child objects.

  • Viewing effective permissions.

Note 

Entries that an object inherits from a parent cannot be edited on the child. To change them, either edit the ACL of the parent object where the entry is defined (the Permissions tab shows which parent each inherited entry comes from), or block inheritance on the child and edit the resulting explicit copies.

The Permissions tab shows the permissions that have been explicitly configured on the object, the permissions it has inherited, where each inherited permission comes from, and which child objects it applies to. New in Windows XP Professional, the Effective Permissions tab shows all of the permissions that apply to a security principal on a given object, including those derived from membership in security groups. It evaluates NTFS permissions only; share permissions, which also apply to access over the network, are not taken into account. The Effective Permissions tab is illustrated in Figure 16-4.

Figure 16-4: Effective Permissions tab

To view the Effective Permissions for a user or group

  1. On the Effective Permissions tab, click the Select button to open the Select User or Group dialog box.

  2. In the Name box, type the name of the built-in security principal, group, or user, for which you would like to view Effective Permissions.

    or

    Click the Object Types button, and then select Built-in security principals, Groups, or Users.

  3. Click OK.

    Tip 

    If the security principal is network based, you can click Locations and select a target, or you can type in the domain name together with the group name, such as reskit\users.

It is important to specify the correct object types and the locations for your search. Failure to do so will result in an error message and the suggestion that you refine your search before searching again.
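The Effective Permissions tab has no command-line counterpart in Windows XP Professional, but the rule it applies can be reproduced from a PowerShell prompt. The following is an added example, not code from the Resource Kit: it reads the object's DACL with Get-Acl, sorts the entries into canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), and accumulates the rights that apply to a given set of identities, never letting a later Allow restore a bit that an earlier Deny removed. The file paths and the RESKIT\alice account are placeholders, and the Identities list must contain the account plus every group it belongs to (Get-TokenIdentities builds that list for the current user).

```powershell
# Added example, not from the Resource Kit. Approximates the Effective Permissions tab:
# walks the DACL in canonical order and applies the Deny-before-Allow rule.
# Assumptions: paths and RESKIT\alice are placeholders; $Identities holds the account
# name plus every group it is a member of.

function Get-AceMask {
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    # Rights may carry generic bits (bits 28-31), which PowerShell shows as negative
    # numbers; keep an unsigned 32-bit view and expand generic rights to file rights.
    $mask = ([int64]$Ace.FileSystemRights) -band 4294967295        # 0xFFFFFFFF
    if ($mask -band 268435456)  { $mask = $mask -bor 2032127 }     # GENERIC_ALL     -> Full Control (0x1F01FF)
    if ($mask -band 2147483648) { $mask = $mask -bor 1179785 }     # GENERIC_READ    -> FILE_GENERIC_READ (0x120089)
    if ($mask -band 1073741824) { $mask = $mask -bor 1179926 }     # GENERIC_WRITE   -> FILE_GENERIC_WRITE (0x120116)
    if ($mask -band 536870912)  { $mask = $mask -bor 1179808 }     # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE (0x1200A0)
    return ($mask -band 2032127)                                     # keep only the file-specific and standard rights
}

function Get-TokenIdentities {
    # The caller's own account plus every group in its token, resolved to names where possible.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    return $names
}

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory=$true)] [string]   $Path,
        [Parameter(Mandatory=$true)] [string[]] $Identities
    )
    $acl = Get-Acl -Path $Path     # needs Read Permissions (READ_CONTROL) on the object
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $ordered = $acl.Access | Sort-Object { 2 * [int]$_.IsInherited + [int]($_.AccessControlType -eq 'Allow') }
    [int64]$denied  = 0
    [int64]$granted = 0
    foreach ($ace in $ordered) {
        # Inherit-only entries exist for future children and do not apply to this object.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $mask = Get-AceMask $ace
        if ($ace.AccessControlType -eq 'Deny') {
            $denied = $denied -bor $mask
        } else {
            # A later Allow cannot hand back a bit an earlier Deny already removed.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }
    New-Object PSObject -Property @{
        Path    = $Path
        Allowed = [System.Security.AccessControl.FileSystemRights][int]$granted
        Denied  = [System.Security.AccessControl.FileSystemRights][int]$denied
    }
}

# Usage (paths and the account are placeholders):
Get-EffectiveRights -Path "$env:WINDIR\notepad.exe" -Identities (Get-TokenIdentities)
Get-EffectiveRights -Path 'C:\Data\report.doc' -Identities 'RESKIT\alice', 'BUILTIN\Users', 'Everyone'
```

Like the Effective Permissions tab, this looks at NTFS permissions only. It also ignores the owner's implicit right to read and change the DACL, privileges such as SeBackupPrivilege and SeTakeOwnershipPrivilege, and share permissions, so treat a result as a lower bound on what the account can actually do.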

Access Control Entries

Access control lists contain a wide variety of ACEs that can be viewed on the Permissions and Effective Permissions tabs. All ACEs carry the same core access control information: the SID of the security principal (the trustee) that the entry applies to, an access mask that names the rights the entry covers, a type (Allow or Deny in a DACL, Audit in a SACL), and inheritance flags that say whether and how the entry propagates to child objects.

To view a specific ACE

  1. Navigate to the Advanced Security Settings page for the file, folder, or object.

  2. Double-click the entry or entries you want to view in the Permission entries box.

Figure 16-5 shows the ACE for the Windows folder.


Figure 16-5: ACE for the Windows folder

How Access Control Is Applied to New Objects

The operating system uses the following guidelines to set the DACL in the security descriptors for most types of new securable objects:

  1. The new object's DACL is the DACL from the security descriptor specified by the creating process. The operating system merges any inheritable ACEs from the parent object into the DACL.

  2. If the creating process does not specify a security descriptor, the operating system builds the object's DACL from inheritable ACEs in the parent object's DACL. For example, in the case of a new file, this might be the inheritable ACEs from the folder in which the file is being created.

  3. If the parent object has no inheritable ACEs, for example if the file is being created in the root directory, the operating system asks the object manager to provide a default DACL.

  4. If the object manager does not provide a default DACL, the operating system checks for a default DACL in the access token belonging to the subject (the user, for example).

  5. If the subject's access token does not have a default DACL, the new object is assigned no DACL at all (a null DACL), which allows Everyone unconditional access.

Warning 

Failure to set DACLs, or setting them improperly, can have undesirable consequences, and the two failure modes are opposites. An empty DACL, one that is present but contains no ACEs, denies access to every account; only the object's owner retains an implicit right to read and rewrite the DACL. A missing (null) DACL, on the other hand, gives every account full access.

Modifying Inheritance of Permissions

Inheritance is one of the primary tools for managing access control. By default, permissions assigned to a parent folder are inherited by the subfolders and files that are contained in the parent folder. You can block inheritance, however, so that permission changes made to parent folders will not affect child folders and files. This is useful when permissions on individual files need to be more restrictive than the permissions that apply to a parent folder, for example.

To block permission changes made to parent folders from affecting child folders and files

  1. Open the Advanced Security Settings page for the file or folder.

  2. Click the Permissions tab.

  3. Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box.

  4. Click OK.

Permissions can also be explicitly denied. A Deny entry for a user or group withholds that specific level of access regardless of the Allow entries that otherwise apply: even if a user is allowed access as a member of one group, a Deny entry for a second group the user belongs to (or for the user directly) blocks that access. Entries are evaluated in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. A Deny therefore overrides every Allow at the same level and every Allow inherited from further up, but an explicit Allow on the object itself does override a Deny that is merely inherited from a parent.
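The inheritance rules from How Access Control Is Applied to New Objects, the inheritance-blocking procedure and the Deny semantics above can all be seen on a scratch folder. The following is an added example, not code from the Resource Kit: it places an inheritable Allow on a parent folder, shows that a new file picks it up, blocks inheritance on the file while copying the inherited entries, adds an explicit Deny, and finally leaves a second file with an empty DACL to show the Warning in practice. It assumes an elevated Windows PowerShell session on the local computer, a writable %TEMP%, and that BUILTIN\Users resolves; the folder and file names are placeholders.

```powershell
# Added example, not from the Resource Kit. Demonstrates inheritance, blocking inheritance
# with and without copying, and an explicit Deny, on a scratch folder under %TEMP%.
# Assumptions: elevated Windows PowerShell; BUILTIN\Users resolves; names are placeholders.

$base   = Join-Path $env:TEMP 'acl-demo'
$parent = Join-Path $base 'parent'
$child  = Join-Path $parent 'child.txt'
$empty  = Join-Path $parent 'empty.txt'
New-Item -ItemType Directory -Path $parent -Force | Out-Null

function Show-Dacl([string] $Path) {
    "--- $Path"
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize | Out-String
}

# 1. Inheritable Allow on the parent: Users get Modify on the folder, its subfolders
#    (ContainerInherit) and its files (ObjectInherit).
$acl  = Get-Acl -Path $parent
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $parent -AclObject $acl

# 2. A file created without an explicit security descriptor takes its DACL from the
#    parent's inheritable ACEs (rule 2 above): the Users entry shows IsInherited = True.
Set-Content -Path $child -Value 'constructed sample data'
Show-Dacl $child

# 3. Block inheritance on the child but keep copies of the inherited entries; this is the
#    "Inherit from parent..." check box followed by Copy. The copies become explicit entries.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $true)     # isProtected, preserveInheritance (copy)

# 4. Explicit Deny for Write. It sorts ahead of every Allow, so Users can still read the
#    file but can no longer write it, even though the copied Modify entry still allows it.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            'BUILTIN\Users', 'Write', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $child -AclObject $acl
Show-Dacl $child

# 5. The Warning in practice: blocking inheritance without copying, on an object that has no
#    explicit entries of its own, leaves an empty DACL. Nobody can open the file; only the
#    owner keeps an implicit right to read and rewrite the DACL, which is how we recover.
Set-Content -Path $empty -Value 'constructed sample data'
$acl = Get-Acl -Path $empty
$acl.SetAccessRuleProtection($true, $false)    # isProtected, copy nothing
Set-Acl -Path $empty -AclObject $acl
"ACEs on empty.txt: " + @((Get-Acl -Path $empty).Access).Count
try   { Get-Content -Path $empty -ErrorAction Stop | Out-Null }
catch { "Read failed as expected: " + $_.Exception.Message }

$acl = Get-Acl -Path $empty
$acl.SetAccessRuleProtection($false, $false)   # re-enable inheritance to recover
Set-Acl -Path $empty -AclObject $acl
Remove-Item -Path $base -Recurse -Force          # clean up the scratch folder
```

SetAccessRuleProtection is the programmatic form of the check box in step 3: the first argument blocks inheritance, the second decides whether the inherited entries are copied (Copy) or discarded (Remove). Step 5 shows why Remove on an object with no explicit entries is a mistake; the recovery works only because the session runs as the file's owner.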

Managing Ownership Permissions

Members of the Administrators group can take ownership of any resource. It is important for administrators to take ownership of key resources, or to reassign their ownership, so that if an employee creates a resource such as a file share and then leaves the organization, that resource remains manageable.

To view the ownership information associated with a resource

  1. Right-click the file or folder and select Properties from the shortcut menu.

  2. On the Security tab, click the Advanced button to view the Advanced Security Settings of the resource.

  3. Click the Owner tab.

Note 

You must have the Read Permissions right (READ_CONTROL) on the object in order to view its ownership data; the basic Read permission includes this right.

Figure 16-6 shows the Owner tab.

Figure 16-6: Owner tab

Every object has an owner, usually the user who created the object. The owner has an implicit right to read and change the object's DACL (READ_CONTROL and WRITE_DAC), and therefore to allow or deny other users permission to use the object. No ACE can withdraw this right. Owners can give other users permission to Change Permissions (WRITE_DAC) as well; that permission, unlike the owner's inherent right, can be withdrawn.

By default, a new object's owner is the security principal identified as the default owner in the access token attached to the creating process. When an object is created, the SID stored in the access token's Owner field is copied to the security descriptor's Owner field. The default owner is normally an individual: the user who is currently logged on.

In Windows XP Professional, you can use Group Policy to modify this rule of object ownership as it pertains to members of the Administrators group. The Group Policy option allows you to reassign ownership of objects created by members of the Administrators group to all members of the group rather than to the individual who created the object.

To make the Administrators group the owner of all objects created by its members

  1. In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.

  2. Under Security Settings, double-click Local Policies, and then click Security Options.

  3. Double-click the policy System objects: Default owner for objects created by members of the administrators group.

  4. In the drop-down list box, select Administrators group, and then click OK.

Owners of NTFS objects can allow another user to take ownership by granting that user the Take Ownership (WRITE_OWNER) permission. In addition, users who hold the Take ownership of files or other objects privilege (SeTakeOwnershipPrivilege) can take ownership without having been granted any permission on the object. By default, this privilege is assigned only to the Administrators group.

Determining Ownership of Objects

You can use the dir command to list the owner of every object in a share or folder. At the command line, type the dir command using the following syntax:

dir /q [share or folder name]
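The inventory that dir /q gives you is most useful when it is grouped by owner, and the follow-up action in the scenario above is to reassign what a departed user owned. The following is an added example, not code from the Resource Kit: Get-ItemOwners lists each item's owner the way dir /q does, and Set-ItemOwner writes only the owner section of the security descriptor, which is why it still works when the DACL denies you Read Permissions. The share path and the RESKIT\bob account are placeholders; changing an owner requires the Take Ownership permission on the item or SeTakeOwnershipPrivilege (Administrators by default), so run it from an elevated Windows PowerShell session.

```powershell
# Added example, not from the Resource Kit. Lists owners like "dir /q", groups them so
# orphaned resources stand out, and reassigns ownership to the Administrators group.
# Assumptions: elevated session; 'C:\Shares\Projects' and RESKIT\bob are placeholders.

function Get-ItemOwners {
    param([Parameter(Mandatory=$true)][string] $Folder)
    # Get-Acl needs Read Permissions (READ_CONTROL) on each item; mark those we cannot read.
    Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try   { $owner = (Get-Acl -Path $_.FullName -ErrorAction Stop).Owner }
        catch { $owner = '<READ_CONTROL denied>' }
        New-Object PSObject -Property @{ Owner = $owner; Path = $_.FullName }
    }
}

function Set-ItemOwner {
    param([Parameter(Mandatory=$true)][string] $Path,
          [string] $NewOwner = 'BUILTIN\Administrators')
    # A fresh security object with only the owner changed: Set-Acl then writes just the
    # owner section, so no Read Permissions on the existing DACL are needed. Still requires
    # WRITE_OWNER on the item or SeTakeOwnershipPrivilege.
    if (Test-Path -Path $Path -PathType Container) {
        $sec = New-Object System.Security.AccessControl.DirectorySecurity
    } else {
        $sec = New-Object System.Security.AccessControl.FileSecurity
    }
    $sec.SetOwner((New-Object System.Security.Principal.NTAccount -ArgumentList $NewOwner))
    Set-Acl -Path $Path -AclObject $sec
}

# Inventory: which accounts own what. A deleted account shows up as a bare SID here.
$items = Get-ItemOwners -Folder 'C:\Shares\Projects'
$items | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Format-Table Count, Name -AutoSize

# Reassign everything the departed user owned to Administrators before the account is removed.
$items | Where-Object { $_.Owner -eq 'RESKIT\bob' } | ForEach-Object { Set-ItemOwner -Path $_.Path }
```

If Set-Acl reports access denied even from an elevated session, the account lacks both WRITE_OWNER on the item and the Take ownership privilege; use the Owner tab as described above, or have the privilege granted through Local Security Policy.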

Default Permissions

Windows XP Professional offers a very fine degree of security control over access to a wide variety of objects. A local file folder, for example, has 14 available permissions, beginning with Read, Write, Modify, and Delete. Both basic and special permissions are available for files and folders.

Basic File and Folder Permissions

The number and type of permissions that are available for any object depend on the security context of the object. For example, the basic permissions available for folders on NTFS volumes are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write; files have the same set except List Folder Contents.

Note 

Share permissions and NTFS file and directory permissions are both evaluated for access over the network, and the effective access is the more restrictive of the two; share permissions play no part in local access. Windows XP Professional grants Everyone only Read on a new share by default (earlier versions of Windows granted Everyone Full Control). Granting Everyone Full Control on the share instead, and controlling access solely through the underlying NTFS permissions, is the easiest arrangement to manage, but it is only as safe as those NTFS permissions, so audit them before relaxing the share.

Advanced File and Folder Permissions

A number of more detailed permissions are available when you click the Advanced button on the Properties page; select a user, group, or security principal; and then click Edit. These are the special permissions listed in the first column of Tables 16-3 and 16-4.

Many of the advanced permissions are already configured when you select certain basic permissions. As a result, in general, you do not need to manually configure advanced permissions in order to benefit from them. For example, Table 16-3 illustrates the links between basic and advanced permissions for folders.

Table 16-3: Advanced Folder Permissions

Special Permissions          | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
-----------------------------|--------------|--------|----------------|----------------------|------|------
Traverse Folder/Execute File | Yes          | Yes    | Yes            | Yes                  | No   | No
List Folder/Read Data        | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Read Attributes              | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Read Extended Attributes     | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Create Files/Write Data      | Yes          | Yes    | No             | No                   | No   | Yes
Create Folders/Append Data   | Yes          | Yes    | No             | No                   | No   | Yes
Write Attributes             | Yes          | Yes    | No             | No                   | No   | Yes
Write Extended Attributes    | Yes          | Yes    | No             | No                   | No   | Yes
Delete Subfolders and Files  | Yes          | No     | No             | No                   | No   | No

Table 16-4 illustrates the links between basic and advanced permissions for files.

Table 16-4: Advanced File Permissions

Special Permissions          | Full Control | Modify | Read & Execute | Read | Write
-----------------------------|--------------|--------|----------------|------|------
Traverse Folder/Execute File | Yes          | Yes    | Yes            | No   | No
List Folder/Read Data        | Yes          | Yes    | Yes            | Yes  | No
Read Attributes              | Yes          | Yes    | Yes            | Yes  | No
Read Extended Attributes     | Yes          | Yes    | Yes            | Yes  | No
Create Files/Write Data      | Yes          | Yes    | No             | No   | Yes
Create Folders/Append Data   | Yes          | Yes    | No             | No   | Yes
Write Attributes             | Yes          | Yes    | No             | No   | Yes
Write Extended Attributes    | Yes          | Yes    | No             | No   | Yes
Delete                       | Yes          | Yes    | No             | No   | No
Read Permissions             | Yes          | Yes    | Yes            | Yes  | Yes
Change Permissions           | Yes          | No     | No             | No   | No
Take Ownership               | Yes          | No     | No             | No   | No

The basic Write permission includes Read Permissions because it maps to the FILE_GENERIC_WRITE access mask, which contains the standard READ_CONTROL right; every basic permission also includes the Synchronize right, which is not shown.

Note 

File and folder security permissions are available only with the NTFS file system. File and folder permissions are not available with the FAT or FAT32 file systems.

Applying Folder and Share Permissions at Setup

Default NTFS file and folder permissions for the installation partition are applied during setup by the Security Configuration Manager using the Setup security template.

The Security Configuration Manager also secures the root directory during setup if the current root security descriptor grants Everyone Full Control. This is a change from previous releases of Windows NT and provides increased security for non-Windows directories that are created off of the root. Because of the ACL inheritance model, any non-Windows subdirectories that inherit permissions from the root directory will also be modified during setup. The new Windows XP Professional root ACL (also implemented by Format and Convert) is as follows:

The Setup Security.inf template can be used to reapply default security settings. For more information about applying templates, see Using Security Templates later in this chapter.

Using Cacls

Although the Properties page is the basic user interface for viewing and modifying ACLs and ACEs, it cannot be used to configure security for every type of object on a network or on a Windows XP Professional-based computer. In some cases you can use the command-line tool Cacls.exe to perform security configuration tasks instead.

Cacls.exe displays or modifies the access control lists (ACLs) of one or more files at a time. Its options grant (/g), revoke (/r), replace (/p), or deny (/d) access for a named user, and /e edits the existing ACL instead of replacing it. For example, you can use the cacls command to grant an access right to a user. At the command line, type the cacls command using the following syntax:

cacls [filename] /g [username:right]

In this command, the user name is followed by a colon and the right you want to grant: N (none), R (read), W (write), C (change), or F (full control). Be aware that without /e this command replaces the entire ACL with the single entry you name, discarding every other entry including inherited ones; cacls asks for confirmation before doing so. To add an entry while preserving the others, include /e (cacls [filename] /e /g [username:right]); add /t to apply the change to a whole directory tree and /c to continue past access-denied errors.
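The difference between replacing and editing an ACL is easy to see on a scratch file. The following is an added example, not code from the Resource Kit: it creates a file under %TEMP%, displays its DACL with Get-Acl, then runs cacls with /e to add and remove an entry while the inherited entries survive. The ACL-replacing form is shown commented out so that it is not run by accident. It assumes an elevated Windows PowerShell session and uses BUILTIN\Users only because that group always resolves.

```powershell
# Added example, not from the Resource Kit. Shows cacls editing an ACL with /e, and why
# the form without /e must not be used to "add" a user. Assumptions: elevated session;
# the file is scratch data created here; BUILTIN\Users stands in for a real account.

$file = Join-Path $env:TEMP 'cacls-demo.txt'
Set-Content -Path $file -Value 'constructed sample data'

function Show-Dacl([string] $Path) {
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize | Out-String
}

'Before:'; Show-Dacl $file

# WRONG for "grant one more user": without /e cacls REPLACES the DACL with the single entry
# named here, and every other entry, inherited ones included, disappears. It prompts
# "Are you sure (Y/N)?" first. Left commented out on purpose:
#   cmd /c "echo y | cacls ""$file"" /g BUILTIN\Users:R"

# RIGHT: /e edits the ACL in place; /g adds (or updates) one Allow entry.
# Rights: N none, R read, W write, C change (read, write, delete), F full control.
cacls $file /e /g BUILTIN\Users:R
'After /e /g (inherited entries still present):'; Show-Dacl $file

# /r removes the named user's entries; /p would replace them and /d would add a Deny.
cacls $file /e /r BUILTIN\Users
'After /e /r:'; Show-Dacl $file

Remove-Item -Path $file
```

Checking the DACL with Get-Acl before and after each cacls call is a cheap habit that catches the missing /e before it reaches a production share.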




Microsoft Windows XP Professional Resource Kit 2003