Ensuring the Security of Files
Among the most powerful security features of Windows XP and Windows 2000 are the ones that allow you to restrict access to files and folders, both on the local computer and across network shares. In this section, we look at the sometimes confusing mechanisms you need to master to take advantage of these features.
Using NTFS Permissions
For every object stored on a volume formatted with the NTFS file system, Windows maintains an access control list (ACL). As its name implies, this list defines which users are allowed access to that object—typically a file or folder—and which users are denied access. Individual items in the ACL are called access control entries (ACEs) and are made up of the following information:
The SID for a user or group. (Remember that Windows uses SIDs, not user or group names, to keep track of access rights.)
The list of permissions that make up the access right, drawn from a long list of basic and special permissions—Full Control, Read, and Write, for instance.
Inheritance information, which determines whether and how Windows applies permissions from the parent folder.
A flag that indicates whether access is being allowed or denied.
Probably no subject in Windows XP and Windows 2000 is more confusing than NTFS permissions. Figuring out the interaction of inherited permissions and determining which ones take precedence in the case of conflicts between individual and group ACEs can be daunting tasks. In Windows 2000, you can inspect these details by right-clicking an object, choosing Properties, and clicking the Security tab. As Figure 2-6 shows, this tab offers a concise, although hardly intuitive, display of the current ACL.
Figure 2-6. Deciphering the ACL for this folder can be a challenge.
In Windows XP Professional, the Security tab is essentially the same (although it's slightly better organized), but many Windows users never see it at all, thanks to a feature called Simple File Sharing. When this configuration option is enabled (as it is in a default installation on any computer that is not part of a Windows domain), Windows drastically reduces the number of options available to users and sets permissions only when you choose to make files in your personal profile private. On a computer running Windows XP Home Edition, Simple File Sharing is always on, and the only time you see the Security tab is when you boot into Safe Mode.
For more details about Simple File Sharing, including instructions on how to disable it, see Viewing and Changing NTFS Permissions.
INSIDEOUT
--------------------------------------------------------------------------------
See all permissions at a glance
Windows XP includes a new feature, not found in Windows 2000, that helps you sort out the interaction of permissions. This capability can be a helpful troubleshooting tool if you've assigned several sets of permissions to different users and groups and the results are not what you expect. To use this option, you must have Simple File Sharing disabled. Right-click the icon for an object, choose Properties, and then click the Security tab. Click Advanced, and then click the Effective Permissions tab to see a summary of the access controls in effect for the selected object.
By default, Windows 2000 does a fairly good job of setting permissions on default directories. If you store all your data in the My Documents folder associated with your personal profile, for instance, access is automatically restricted to your account, the System account, and the Administrators group. Windows XP does the same and goes a step further, adding an option to automatically make all files in your personal profile private, which removes the Administrators group from this list so that only you can access your personal files. Anyone else who logs on to the computer is locked out.
Default permissions in other locations are less predictable, however. Under Windows 2000, if you create a new folder in the root of the C drive, the default permissions will assign Full Control to the Everyone group, which means that any users who log on to that computer can add, remove, or change files in that folder, even if they've logged on using the restricted Guest account. By contrast, when you create the same sort of folder under Windows XP, the default permissions allow limited users (including the Guest account) to read existing files and create new ones but not to rename, edit, or delete existing files.
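The four parts of an ACE listed earlier, and the Everyone/Full Control default described above, can be checked from a script. The following PowerShell is an added example, not part of the original text. It assumes a system where PowerShell and the Get-Acl cmdlet are available (they are not part of a default Windows 2000 or Windows XP installation), and C:\Data is a constructed sample path.

```powershell
# Added example: print SID, rights, inheritance and allow/deny for each ACE
# on a folder, and flag Allow entries that give Full Control to Everyone.
# C:\Data is a constructed sample path; pass the folder you want to audit.
param([string]$Path = 'C:\Data')

$everyoneSid = 'S-1-1-0'      # well-known SID of the Everyone group
$fullControl = 0x1F01FF       # FileSystemRights.FullControl
$genericAll  = 0x10000000     # GENERIC_ALL, stored unmapped in some ACEs

$acl = Get-Acl -LiteralPath $Path

# Request the rules keyed by SID, because that is what Windows stores;
# account names are only a display translation.
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$report = foreach ($ace in $rules) {
    try {
        $name = $ace.IdentityReference.Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved SID)'   # deleted account or unreachable domain
    }

    $rights = [int]$ace.FileSystemRights
    $isFull = (($rights -band $fullControl) -eq $fullControl) -or
              (($rights -band $genericAll) -ne 0)

    [pscustomobject]@{
        SID         = $ace.IdentityReference.Value
        Name        = $name
        Rights      = $ace.FileSystemRights
        Type        = $ace.AccessControlType    # Allow or Deny
        Inherited   = $ace.IsInherited          # came from the parent folder?
        AppliesTo   = $ace.InheritanceFlags     # children that receive it
        Propagation = $ace.PropagationFlags
        Risky       = ($ace.IdentityReference.Value -eq $everyoneSid) -and
                      ($ace.AccessControlType -eq 'Allow') -and $isFull
    }
}

$report | Format-Table -AutoSize

$risky = @($report | Where-Object { $_.Risky })
if ($risky.Count -gt 0) {
    Write-Warning "$Path grants Full Control to Everyone ($($risky.Count) ACE(s))."
}
```

A row with Inherited set to True has to be corrected on the parent folder, or by changing how this folder inherits, rather than by editing the entry itself.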
Learning the ins and outs of Simple File Sharing is essential to maintaining security with Windows XP. After you understand how this restricted menu of permissions works, you might choose to disable Simple File Sharing and return to the Windows 2000-style NTFS Security dialog box. If that's your choice, it's especially important to learn how to apply NTFS permissions properly.