Wednesday, November 03, 2010
Windows Shared Permissions vs NTFS Security
http://www.copyrunstart.net/understanding-windows-shared-permissions-vs-ntfs-security/
General Information:
■Windows 9x/ME workstations cannot access NTFS partitions
■Shared permissions only apply to shares connected to over the network
■NTFS Security applies to users both locally and across the network
■When there’s a difference between the sharing permission and the NTFS security permission, the most restrictive setting wins
■There are two types of NTFS permissions, file and folder
■Deny will always take precendence over allow permissions.
First, let's cover the definitions of security levels and permissions. We'll start with Shared permissions, there are only 3
1.Read: View files and subdirectories. Execute applications. No changes can be made.
2.Change: Includes read permissions and the ability to add, delete or change files or subdirectories
3.Full Control: Abilities to perform any and all functions on all files and folders within the share.
Now, let's cover what the 5 NTFS file permissions are and what they allow, you should notice that each level of security builds upon the one before it.
1.Read: This allows the user or group to read the file and view its attributes**, ownership, and permissions set.
2.Write: This allows the user or group to overwrite the file, change its attributes, view its ownership, and view the permissions set.
3.Read & Execute: This allows the user or group to run and execute the application. In addition, the user can perform all duties allowed by the Read permission.
4.Modify: This allows the user or group to modify and delete a file including perform all of the actions permitted by the Read, Write, and Read and Execute NTFS file permissions.
5.Full Control: This allows the user or group to change the permission set on a file, take ownership of the file, and perform actions permitted by all of the other NTFS file permissions.
Next, are the the 6 NTFS folder permissions
1.Read: This allows the user or group to view the files, folders, and subfolders of the parent folder. It also allows the viewing of folder ownership, permissions, and attributes of that folder.
2.Write: This allows the user or group to create new files and folders within the parent folder as well as view folder ownership and permissions and change the folder attributes.
3.List Folder Contents: This allows the user or group to view the files and subfolders contained within the folder.
4.Read & Execute: This allows the user or group to navigate through all files and subfolders including perform all actions allowed by the Read and List Folder Contents permissions.
5.Modify: This allows the user to delete the folder and perform all activities included in the Write and Read & Execute NTFS folder permissions.
6.Full Control: This allows the user or group to change permissions on the folder, take ownership of it, and perform all activities included in all other permissions.
Earlier in the General Information list the last bullet mentioned deny takes precedence over allow. This is in reference to NTFS special permission, which are used when your file and folder permissions just aren't specific enough. Here's all 13of them...
1. Traverse Folder/Execute File: This allows or denies a user to browse through a folder's subfolders and files where he would otherwise not have access. In addition, it allows or denies the user the ability to run programs within that folder.
2.List Folder/Read Data: This allows or denies the user to view subfolders and fill names in the parent folder. In addition, it allows or denies the user to view the data within the files in the parent folder or subfolders of that parent.
3.Read Attributes: This allows or denies a user to view the standard NTFS attributes of a file or folder.
4.Read Extended Attributes: This allows or denies the user to view the extended attributes of a file or folder, which can vary due to the fact that they are defined by the programs themselves.
5.Create Files/Write Data: This allows or denies the user the right to create new files in the parent folder. In addition, it allows or denies the user to modify or overwrite existing data in a file.
6.Create Folders/Append Data: This allows or denies the user to create new folders in the parent folder. In addition, it allows or denies the user the right to add data to the end of files. This does not include making changes to any existing data within a file.
7.Write Attributes: This allows or denies the ability to change the attributes of a files or folder, such as Read-Only and Hidden.
8.Write Extended Attributes: This allows or denies a user the ability to change the extended attributes of a file or folder. These attributes are defined by programs and may vary.
9.Delete Subfolders and Files: This allows or denies the deleting of files and subfolder within the parent folder. It also true that if this permission is assigned files and subfolders can be deleted even if the Delete special access permission has not been granted.
10.Delete: This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete.
Read Permissions This allows or denies the user the ability to read the standard NTFS permissions of a file or folder.
11.Change Permissions: This allows or denies the user the ability to change the standard NTFS permissions of a files or folder.
12.Take Ownership: This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place.
13.Synchronize: This allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies to only multithreaded, multiprocessing programs.
So now that you have an idea of what defines these, what are the best practices, the best practice should be to keep access and administration to a minimum. Secure your windows shares with the minimum access needed. Utilize NTFS to further minimize access to your folders and files. Use groups for folders if appropriate as opposed to single user settings. Best of luck!
**Atributes are part of the file and include Read-Only, Hidden, Archive, and System
1.Read Only: A file that is marked Read Only cannot be altered. It can be read, but it cannot be changed or deleted.2.Hidden: By default, hidden files do not appear in a directory listing. (Normally power users uncheck "hide systems files in Folder Settings).
3.Archive: Every time the user or the software modifies a file, then the archive bit will be marked. This tells you when the file was last modified.
4.System: System files are files flagged for use by the operating system and are not usually displayed in a directory listing. System files should not be modified or deleted.
You also want to be careful of contradictory permissions, a great article no this topic can be found here. (http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1194946,00.html)
In summary, it recommends "assigning everyone full control at the share level and using NTFS permissions to secure the individual files or folders." This is considered a security risk to many, however, it may make it easier for you to keep track of what you're sharing to whom.
Also, if you want to play it safe and use permissions at both the NTFS and Share level, Server Check is a tool that is part of the Server 2003 Resource kit, and it works for Windows 2003, 2000, and XP. It is a command line interface that will let you know what permissions are defined for each shared resource
Sources:
http://www.home-network-help.com/folder-private.html
http://articles.techrepublic.com.com/5100-6346-5032876.html
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
http://kb.iu.edu/data/aift.html
http://www.windowsitlibrary.com/Content/592/1.html
http://www.proprofs.com/certification/comptia/a-plus/study-guide/wbt13/8004.shtml
General Information:
■Windows 9x/ME workstations cannot access NTFS partitions
■Shared permissions only apply to shares connected to over the network
■NTFS Security applies to users both locally and across the network
■When there’s a difference between the sharing permission and the NTFS security permission, the most restrictive setting wins
■There are two types of NTFS permissions, file and folder
■Deny will always take precendence over allow permissions.
First, let's cover the definitions of security levels and permissions. We'll start with Shared permissions, there are only 3
1.Read: View files and subdirectories. Execute applications. No changes can be made.
2.Change: Includes read permissions and the ability to add, delete or change files or subdirectories
3.Full Control: Abilities to perform any and all functions on all files and folders within the share.
Now, let's cover what the 5 NTFS file permissions are and what they allow, you should notice that each level of security builds upon the one before it.
1.Read: This allows the user or group to read the file and view its attributes**, ownership, and permissions set.
2.Write: This allows the user or group to overwrite the file, change its attributes, view its ownership, and view the permissions set.
3.Read & Execute: This allows the user or group to run and execute the application. In addition, the user can perform all duties allowed by the Read permission.
4.Modify: This allows the user or group to modify and delete a file including perform all of the actions permitted by the Read, Write, and Read and Execute NTFS file permissions.
5.Full Control: This allows the user or group to change the permission set on a file, take ownership of the file, and perform actions permitted by all of the other NTFS file permissions.
Next, are the the 6 NTFS folder permissions
1.Read: This allows the user or group to view the files, folders, and subfolders of the parent folder. It also allows the viewing of folder ownership, permissions, and attributes of that folder.
2.Write: This allows the user or group to create new files and folders within the parent folder as well as view folder ownership and permissions and change the folder attributes.
3.List Folder Contents: This allows the user or group to view the files and subfolders contained within the folder.
4.Read & Execute: This allows the user or group to navigate through all files and subfolders including perform all actions allowed by the Read and List Folder Contents permissions.
5.Modify: This allows the user to delete the folder and perform all activities included in the Write and Read & Execute NTFS folder permissions.
6.Full Control: This allows the user or group to change permissions on the folder, take ownership of it, and perform all activities included in all other permissions.
Earlier in the General Information list the last bullet mentioned deny takes precedence over allow. This is in reference to NTFS special permission, which are used when your file and folder permissions just aren't specific enough. Here's all 13of them...
1. Traverse Folder/Execute File: This allows or denies a user to browse through a folder's subfolders and files where he would otherwise not have access. In addition, it allows or denies the user the ability to run programs within that folder.
2.List Folder/Read Data: This allows or denies the user to view subfolders and fill names in the parent folder. In addition, it allows or denies the user to view the data within the files in the parent folder or subfolders of that parent.
3.Read Attributes: This allows or denies a user to view the standard NTFS attributes of a file or folder.
4.Read Extended Attributes: This allows or denies the user to view the extended attributes of a file or folder, which can vary due to the fact that they are defined by the programs themselves.
5.Create Files/Write Data: This allows or denies the user the right to create new files in the parent folder. In addition, it allows or denies the user to modify or overwrite existing data in a file.
6.Create Folders/Append Data: This allows or denies the user to create new folders in the parent folder. In addition, it allows or denies the user the right to add data to the end of files. This does not include making changes to any existing data within a file.
7.Write Attributes: This allows or denies the ability to change the attributes of a files or folder, such as Read-Only and Hidden.
8.Write Extended Attributes: This allows or denies a user the ability to change the extended attributes of a file or folder. These attributes are defined by programs and may vary.
9.Delete Subfolders and Files: This allows or denies the deleting of files and subfolder within the parent folder. It also true that if this permission is assigned files and subfolders can be deleted even if the Delete special access permission has not been granted.
10.Delete: This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete.
Read Permissions This allows or denies the user the ability to read the standard NTFS permissions of a file or folder.
11.Change Permissions: This allows or denies the user the ability to change the standard NTFS permissions of a files or folder.
12.Take Ownership: This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place.
13.Synchronize: This allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies to only multithreaded, multiprocessing programs.
So now that you have an idea of what defines these, what are the best practices, the best practice should be to keep access and administration to a minimum. Secure your windows shares with the minimum access needed. Utilize NTFS to further minimize access to your folders and files. Use groups for folders if appropriate as opposed to single user settings. Best of luck!
**Atributes are part of the file and include Read-Only, Hidden, Archive, and System
1.Read Only: A file that is marked Read Only cannot be altered. It can be read, but it cannot be changed or deleted.2.Hidden: By default, hidden files do not appear in a directory listing. (Normally power users uncheck "hide systems files in Folder Settings).
3.Archive: Every time the user or the software modifies a file, then the archive bit will be marked. This tells you when the file was last modified.
4.System: System files are files flagged for use by the operating system and are not usually displayed in a directory listing. System files should not be modified or deleted.
You also want to be careful of contradictory permissions, a great article no this topic can be found here. (http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1194946,00.html)
In summary, it recommends "assigning everyone full control at the share level and using NTFS permissions to secure the individual files or folders." This is considered a security risk to many, however, it may make it easier for you to keep track of what you're sharing to whom.
Also, if you want to play it safe and use permissions at both the NTFS and Share level, Server Check is a tool that is part of the Server 2003 Resource kit, and it works for Windows 2003, 2000, and XP. It is a command line interface that will let you know what permissions are defined for each shared resource
Sources:
http://www.home-network-help.com/folder-private.html
http://articles.techrepublic.com.com/5100-6346-5032876.html
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
http://kb.iu.edu/data/aift.html
http://www.windowsitlibrary.com/Content/592/1.html
http://www.proprofs.com/certification/comptia/a-plus/study-guide/wbt13/8004.shtml
