Download Windows XP Access Control: Understanding File and Folder Permissions and more Slides Computer Security in PDF only on Docsity!
Introduction to Information
Security
Windows XP Access Control
Access Control Models
CSCE 201 - Farkas 2
All accesses
Discretionary AC
Mandatory AC (^) Role-Based AC
Permissions
• Apply to objects
• Selecting where to apply permissions
– Permission Entry for File or Folder N ame
– Apply onto list
– Check box: Apply these permissions to objects
and/or containers within this container only
(Default: empty check box)
When the Apply these permissions to objects and/or containers within this container only check box is cleared
Apply onto Applies permissions to current folder
Applies permissions to subfolders in current folder
Applies permissions to files in current folder
Applies permissions to all subsequent subfolders
Applies permissions to files in all subsequent subfolders
This folder only x
The folder, subfolders and files
x x x x x
This folder and subfolders
x x x
This folder and files
x x x
Subfolders and files only
x x x x
Subfolders only x x
Files only x x When the Apply these permissions to objects and/or containers within this container only check box is cleared Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true
To set, view, change, or remove special
permissions for files and folder
- Open Windows Explorer, and then locate the file or folder for
which you want to set special permissions
- Right-click the file or folder, click Properties , and then click
the Security tab
- Click Advanced , and then do one of the following:
Advanced Setting
To Do this
Set special permissions for an additional group
or user
Click Add. In Name , type the name of the user
or group, and then click OK.
View or change special permissions for an
existing group or user
Click the name of the group or user and then
click Edit.
Remove an existing group or user and its special
permissions
Click the name of the group or user and then
click Remove. If the Remove button is
unavailable, clear the Inherit from parent the
permission entries that apply to child objects.
Include these with entries explicitly defined
here check box, click Remove , and skip the
next two steps.
Permission Assignment
• Assign permissions to groups rather than to users –
administration
• Set permission to be inheritable to child objects.
• Assign Full control , if appropriate, rather than individual
permissions
• Deny should be used for these special cases
– Exclude a subset of a group which has Allowed
permissions
– Exclude one special permission when you have already
granted full control to a user or group
User Rights
• Administrators can assign specific rights to
group accounts or to individual user accounts
• Apply to user accounts
• Define capabilities at the local level
• Can apply to individual user accounts or a
group account
User Rights
• Types of user rights:
– Privileges: specifies allowable actions on the system,
e.g., the right to back up files and directories
– Logon rights: specifies the ways in which a user can log
onto a system, e.g., such as the right to log on to a
system remotely
• In general, user rights assigned to one group do
not conflict with the rights assigned to another
group
• Exception: Logon rights
Logon Rights
- Control access to a system
- Logon Rights and default settings for Windows XP Professional are
available at http://www.microsoft.com/resources/documentation/windows/xp/al l/proddocs/en-us/acl_topnode.mspx?mfr=true
- Examples:
- Log on locally, Default setting : Administrators, Power Users, Users, Guest, and Backup Operators
- Deny access to this computer from network, Default setting : No one
- Access this computer from a network, Default setting : Administrators, Everyone, Users, Power Users, and Backup Operators
Privileges, which can override
permissions set on an object
- Take Ownership of Files or Other Object – grants WriteOwner access to an
object
- Manage Auditing and Security Log -- provides several abilities including
access to the security log, overriding access restrictions to the security log
- Back Up Files and Directories – grants read and write access to an object
- Restore Files and Directories – grants read and write access to an object
- Debug Programs -- grants read or open access to an object
- Bypass Traverse Checking -- provides the reverse access on directories
Assigning User Rights
- Assigned through the Local Policies node of Group Policy
- Log on using an administrator account
- Open the Active Directory Users and Computers tool
- Right-click the container holding the domain controller and click
Properties
- Click the Group Policy tab, and then click Edit to edit the Default
Domain Policy
- In the Group Policy window, expand Computer Configuration,
navigate to Windows Settings, to Security Settings, and then to Local Policies
User Rights
• Assign rights as high in the container tree as possible –
administration
• Apply inheritance to propagate rights through the tree
• Administrators should
– use an account with restrictive permissions to perform
routine, non-administrative tasks
– use an account with broader permissions only when
performing specific administrative tasks
Next Class
• Back up procedures