Windows XP Access Control: Understanding File and Folder Permissions, Slides of Computer Security

An introduction to access control models in windows xp and explains how to set, view, change, or remove file and folder permissions. It covers topics such as discretionary access control, mandatory access control, role-based access control, and special permissions. The document also discusses best practices for effective access control.

Typology: Slides

2012/2013

Uploaded on 04/22/2013

satheesh
satheesh 🇮🇳

4.5

(11)

85 documents

1 / 20

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Introduction to Information
Security
Windows XP Access Control
Docsity.com
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14

Partial preview of the text

Download Windows XP Access Control: Understanding File and Folder Permissions and more Slides Computer Security in PDF only on Docsity!

Introduction to Information

Security

Windows XP Access Control

Access Control Models

CSCE 201 - Farkas 2

All accesses

Discretionary AC

Mandatory AC (^) Role-Based AC

Permissions

• Apply to objects

• Selecting where to apply permissions

– Permission Entry for File or Folder N ame

– Apply onto list

– Check box: Apply these permissions to objects

and/or containers within this container only

(Default: empty check box)

When the Apply these permissions to objects and/or containers within this container only check box is cleared

Apply onto Applies permissions to current folder

Applies permissions to subfolders in current folder

Applies permissions to files in current folder

Applies permissions to all subsequent subfolders

Applies permissions to files in all subsequent subfolders

This folder only x

The folder, subfolders and files

x x x x x

This folder and subfolders

x x x

This folder and files

x x x

Subfolders and files only

x x x x

Subfolders only x x

Files only x x When the Apply these permissions to objects and/or containers within this container only check box is cleared Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true

To set, view, change, or remove special

permissions for files and folder

  1. Open Windows Explorer, and then locate the file or folder for

which you want to set special permissions

  1. Right-click the file or folder, click Properties , and then click

the Security tab

  1. Click Advanced , and then do one of the following:

Advanced Setting

To Do this

Set special permissions for an additional group

or user

Click Add. In Name , type the name of the user

or group, and then click OK.

View or change special permissions for an

existing group or user

Click the name of the group or user and then

click Edit.

Remove an existing group or user and its special

permissions

Click the name of the group or user and then

click Remove. If the Remove button is

unavailable, clear the Inherit from parent the

permission entries that apply to child objects.

Include these with entries explicitly defined

here check box, click Remove , and skip the

next two steps.

Permission Assignment

• Assign permissions to groups rather than to users –

administration

• Set permission to be inheritable to child objects.

• Assign Full control , if appropriate, rather than individual

permissions

• Deny should be used for these special cases

– Exclude a subset of a group which has Allowed

permissions

– Exclude one special permission when you have already

granted full control to a user or group

User Rights

• Administrators can assign specific rights to

group accounts or to individual user accounts

• Apply to user accounts

• Define capabilities at the local level

• Can apply to individual user accounts or a

group account

User Rights

• Types of user rights:

– Privileges: specifies allowable actions on the system,

e.g., the right to back up files and directories

– Logon rights: specifies the ways in which a user can log

onto a system, e.g., such as the right to log on to a

system remotely

• In general, user rights assigned to one group do

not conflict with the rights assigned to another

group

• Exception: Logon rights

Logon Rights

  • Control access to a system
  • Logon Rights and default settings for Windows XP Professional are

available at http://www.microsoft.com/resources/documentation/windows/xp/al l/proddocs/en-us/acl_topnode.mspx?mfr=true

  • Examples:
    • Log on locally, Default setting : Administrators, Power Users, Users, Guest, and Backup Operators
    • Deny access to this computer from network, Default setting : No one
    • Access this computer from a network, Default setting : Administrators, Everyone, Users, Power Users, and Backup Operators

Privileges, which can override

permissions set on an object

  • Take Ownership of Files or Other Object – grants WriteOwner access to an

object

  • Manage Auditing and Security Log -- provides several abilities including

access to the security log, overriding access restrictions to the security log

  • Back Up Files and Directories – grants read and write access to an object
  • Restore Files and Directories – grants read and write access to an object
  • Debug Programs -- grants read or open access to an object
  • Bypass Traverse Checking -- provides the reverse access on directories

Assigning User Rights

  • Assigned through the Local Policies node of Group Policy
  1. Log on using an administrator account
  2. Open the Active Directory Users and Computers tool
  3. Right-click the container holding the domain controller and click

Properties

  1. Click the Group Policy tab, and then click Edit to edit the Default

Domain Policy

  1. In the Group Policy window, expand Computer Configuration,

navigate to Windows Settings, to Security Settings, and then to Local Policies

User Rights

• Assign rights as high in the container tree as possible –

administration

• Apply inheritance to propagate rights through the tree

• Administrators should

– use an account with restrictive permissions to perform

routine, non-administrative tasks

– use an account with broader permissions only when

performing specific administrative tasks

Next Class

• Back up procedures