LAB8 - NTFS Permissions and Sharing Notes.pdf

Full Transcript

NETW-0005 NETWORKING 1

LAB 8 – NTFS Permissions and Sharing

- NTFS (New Technology File System)
- NTFS Permissions
- NFTS Permission Rules & Tools
- ICACLS
- NTFS Sharing

NTFS {NEW TECHNOLOGY FILE SYSTEM)

Previous Operating Systems before Windows 2000 (ME, 98, 95) did not have any security on the
file system and allowed any user with access to logon to the Operating System full administrative
control over everything including the Operating System and any files. Windows 2000 was the first
Operating System to introduce NTFS on a client Operating System.

1. When a user logs onto an NTFS formatted computer an Access Token is created
containing:

- User SID
- Group SID
- Permissions

2. All processes check the token and compare to the requested resource ACL (Contains ACE)

- ACL
o Access Control List

- ACE
o Access Control Entry

- An ACL is just a list of people allowed. Each
person allowed is an ACE
 NETW-0005 NETWORKING 1

3. The system looks for a match between the token and an ACE in the ACL

ALLOW = Access Granted

DENY = Access Denied

NO MATCH FOUND = Access Denied

FAT (File Allocation Table) File System NTFS (New Technology File System)
Windows 95, 98, ME and below OS Windows 2000 and up
Commonly used for USB devices Usage Used on all Windows Server and Clients

NTFS PERMISSIONS

NTFS permissions have a simple set of rules. If you follow the rules, you can figure out the
permissions any user has to any object. This also allows us to apply different permissions for
different users efficiently.

What permissions do

- NTFS permissions specify what users, groups and computers can access files, folders
and objects (printers)

- NTFS permissions dictate what level of access (read, write, modify, etc.) users, group
and computers can do with the files, folders and objects

- Files \ Folders use the same permissions settings/template

- Basic permissions are comprised of advanced permissions

- We use BASIC permissions 99% of the time
 NETW-0005 NETWORKING 1

BASIC PERMISSIONS ADVANCED PERMISSIONS
FULL CONTROL
MODIFY 13 Permissions for FILES
READ & EXECUTE 14 Permissions for FOLDERS
LIST FOLDER CONTENTS (Folder Only)
READ Full Control, Traverse folder / Execute file, list
WRITE folder / Read data, Read attributes, Read
SPECIAL PERMISSIONS extended attributes, Create files / write data,
Create folders / append data, Write attributes,
Write extended attributes, Delete subfolders
and files, Delete, Read permissions, change
permissions, Take ownership

- Groups are used to make permissions easier (set permissions to the group and just add
/ remove members)

NTFS PERMISSION RULES & TOOLS

NTFS permissions have a simple set of rules. If you follow the rules, you can figure out the
permissions any user has to any object. This also allows us to apply different permissions for
different users efficiently.
 NETW-0005 NETWORKING 1

1. GET / SET PERMISSIONS

Where do default permissions come from when I create a new file, folder or object?

o EXPLICIT – Permissions set directly at the object

o INHERITED – Permissions always propagate down from a parent folder to a
child folder unless we stop inheritance. This is the (DEFAULT) and permission
will be greyed out so we can’t change inherited permissions.

2. PERMISSIONS ARE CUMULATIVE

All permissions are added to make up your effective permissions to an object

o USER has READ to a Example.txt

o STUDENTS GROUP (USER, DOG, CAT) has WRITE to Example.txt

o USER = READ and WRITE to Example.txt

3. INHERITANCE CAN BE DISABLED

o You can DISABLE INHERITANCE to stop the flow of inherited permissions so you
can set new explicit permissions.

o The previous child folder that has DISABLED INHERITANCE will become a
parent folder and start a new chain of inheritance flowing down to the child
folders.

o Options when DISABLING INHERITANCE are CONVERT or REMOVE
 NETW-0005 NETWORKING 1

a. CONVERT = Previous inherited permissions (greyed out) will turn black
and become explicit permissions that you can edit.

This will also keep existing permissions intact so the Windows System
will maintain full control of the object.

b. REMOVE = All existing permissions are removed (including System) and
new explicit permissions can be set.

4. DENY overrides ALLOW

o DENY permission will cancel ALL existing permissions to that object for that
user.

o DENY should not be used if possible. Better practice is to modify group
membership and permissions to allow those who need access.

5. OWNERSHIP

o Every object (File, Folder, Printer, etc.) has an owner.

o Can be used for auditing and administration.
 NETW-0005 NETWORKING 1

o Owner can change permissions to an object even if they don’t have any
permissions to it.

o Administrator accounts can take ownership of an orphaned object.(nobody
has any rights to the object)
6. COPY / MOVE (with NTFS Permissions)

o COPY = Copied object will become a NEW object in its new location and inherit
permissions from its new parent.

o MOVE = Moved object will keep its existing permissions because a new object is
not being created. The file pointer will change to point at the objects new
location.

What happens between NTFS and FAT volumes/partitions?

a. New objects will inherit permissions from parent

b. Move on same NTFS volume will keep permissions (because pointer to
object changes and no new object is created)

c. Copy on same NTFS volume will inherit permissions (because a new
object is created)

d. Move/Copy to different NTFS volume will inherit from parent (because a
new object is created on the new NTFS volume)

e. Move/Copy from NTFS volume to FAT partition = Lose all permissions

f. Move/Copy from FAT partition to NTFS volume = Inherit permissions
from parent

7. EFFECTIVE PERMISSIONS

o We can check a specific users cumulative permissions to an object

o SECURITY → ADVANCED → EFFECTIVE ACCESS → Select User
 NETW-0005 NETWORKING 1

ICACLS (Integrity
Control Access
Control List)

- CMD Line tool for checking and setting permissions

- Allows us to save permissions settings for an object before making changes so if
something goes wrong we can restore. (/save)

- Can be used in a script to automate permission modification

- Examples: ICACLS /? For help

ICACLS EFFECT
icacls testfolder /grant Tom:F /t /c Gives tom full control to testfolder
icacls testfolder /reset /t /c Resets folder permissions for testfolder
icacls testfolder /inheritance:d /t /c Disables inheritance on testfolder

NTFS SHARING
 NETW-0005 NETWORKING 1

There are two options for sharing objects. In the real world,
Microsoft world and in the NAT program, there is only one
correct way to configure shares.

SHARE PERMISSIONS

- 3 NTFS Share permissions

o Read

o Change Allow or Deny

o Full Control

- NTFS share permissions and NTFS object
permissions work together

- The most restrictive permissions apply

SHARE NTFS RESULT

Full Control Read Read

Read Full Control Read

This creates a situation where a user would have different permissions depending on if they are
accessing the object locally or remotely

To avoid this, we always set share permissions as:

EVERYONE = FULL CONTROL

o This means that the user will have the same permissions locally and remotely
as the NTFS permissions will always be the most restrictive

- Access share using UNC path (Universal Naming Convention)
 NETW-0005 NETWORKING 1

o Format = \\ComputerName\ShareName
o Ex. \\Deathstar\plans
o Ex. \\192.168.215.10\plans

- Share name can be different than the folder name

HIDDEN SHARES

- Won’t show up in File Explorer, must explicitly enter the share UNC

- Create hidden share by adding $ to the end of a share name

o \\ComputerName\SecretShare$

- C:\ is a hidden share by default

o \\ComputerName\C$

- Default share accessible on Domain network, but not on home network. Must use
Registry Editor to enable on our network.

o Open REGEDIT.EXE

o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Polici
es\System

o Create New DWORD = LocalAccountTokenFilterPolicy with a value of 1