CHAPTER 6 NTFS PERMISSIONS & SECURITY SETTING

INTRODUCTION

NTFS provides performance, security, reliability & advanced features that are not found in the FAT file system.

NTFS permissions are used to specify which users & groups can gain access to files & folders.

FILE PERMISSION & FOLDER PERMISSION

Standard permission = a permission that controls a broad range of permissions. Ex: Full Control

Folders have the same standard permissions as files, but folders have one extra standard permission, which is ‘List Folder Contents’.

STANDARD NTFS FILE & FOLDER PERMISSION

PLANNING NTFS PERMISSIONS

Guidelines to follow before assigning permissions:

Group the files into application, data & home folders to simplify administration. Benefit: permissions are assigned only to folders, not to the individual files, & backup is less complex.

Allow users only the level of access that they require.

Create groups according to the access that the group members require for resources.

Assign the Read & Execute permission to the users group & administrator when you assign permissions to work with data / application folders.

For public data folders, assign the Read & Execute permission & the Write permission to the users group, & the Full Control permission to the owner.

Deny permissions only when it is essential to deny specific access to a specific user account / group.

Encourage users to assign permissions to the files & folders that they create & educate them about how to do so.

TAKE OWNERSHIP OF FILES & FOLDERS

Every object (files & folders) on an NTFS volume has an owner who controls how permissions are set on the object & to whom permissions are granted.

When a user creates an object, the user automatically becomes the object’s owner.

The owner of a file, an administrator or anyone with Full Control permission can assign Take Ownership permission to a user account / group.

The following rules apply for taking ownership of a file / folder:

The current owner / a user with Full Control can assign the Full Control standard permission or the Take Ownership special access permission to another user account / group.

An administrator can take ownership of a file or folder. If an administrator takes ownership, the Administrators group can become the owner & any member of this group can change the permissions for the file / folder & assign the Take Ownership permission to another user account / group.

NTFS PERMISSIONS INHERITANCE

By default, permissions that you assign to the parent folder are inherited by the subfolders & files contained in the parent folder.

You can also prevent this inheritance by un-checking the ‘Inherit from parent the permission entries that apply to child objects’ box.
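The planning guidelines and the inheritance setting above can be checked on an existing folder tree. The following PowerShell is an added example, not part of the original slides: it lists objects where inheritance has been blocked, explicit Deny entries, and permissions set directly on individual files. The function names are hypothetical, and the audited path (the current directory) is an assumption.

```powershell
# Added example, not from the original slides. New-Finding and
# Get-NtfsPlanningFindings are hypothetical helper names.
function New-Finding($Item, $Acl, $Finding, $Ace) {
    [pscustomobject]@{
        Path     = $Item.FullName
        Finding  = $Finding
        Identity = if ($Ace) { $Ace.IdentityReference.Value } else { '' }
        Rights   = if ($Ace) { $Ace.FileSystemRights } else { '' }
        Owner    = $Acl.Owner
    }
}

function Get-NtfsPlanningFindings {
    param([Parameter(Mandatory)][string]$Path)

    $rootItem = Get-Item -LiteralPath $Path
    $children = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in @($rootItem) + @($children)) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { continue }   # skip objects whose ACL we are not allowed to read

        # Inheritance from the parent has been switched off below the audited root.
        if ($acl.AreAccessRulesProtected -and $item.FullName -ne $rootItem.FullName) {
            New-Finding $item $acl 'Inheritance blocked' $null
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # keep only entries set on this object

            if ($ace.AccessControlType -eq 'Deny') {
                # Guideline: deny only when it is essential.
                New-Finding $item $acl 'Explicit Deny entry' $ace
            }
            elseif (-not $item.PSIsContainer) {
                # Guideline: assign permissions to folders, not individual files.
                New-Finding $item $acl 'Permission assigned on an individual file' $ace
            }
        }
    }
}

# Assumption: the current location is a folder on an NTFS volume.
Get-NtfsPlanningFindings -Path $PWD.Path | Format-Table -AutoSize
```

Each row is a place where the tree departs from the guidelines; the Owner column shows who controls the permissions on that object.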

EFFECTS ON COPYING FILES & FOLDERS

Permissions change when you copy files / folders from one folder to another or from one volume to another.

Ex: if you copy folders to FAT volumes, the folders will lose their NTFS permissions.

When you copy a file within or between NTFS volumes, note the following:

Windows XP Professional treats it as a new file & it takes on the permissions of the destination folder.

You must have the Write permission for the destination folder to copy files & folders.

You become the creator & owner.

When you move a file or folder within an NTFS volume:

The file / folder retains the original permissions.

You must have the Write permission for the destination folder to move files & folders to it.

You must have the Modify permission for the source file / folder.

You become the creator & owner.

When you move a file / folder between NTFS volumes:

The file / folder inherits the permissions of the destination folder.

You must have the Write permission for the destination folder to move files & folders into it.

You must have the Modify permission for the source file / folder.

You become the creator & owner.
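The copy and move rules for a single NTFS volume can be observed directly. The following PowerShell is an added example, not part of the original slides: it tags two constructed files with an explicit permission entry, copies one and moves the other into a second folder, then reports how many explicit entries each file still carries. All paths are constructed under `$env:TEMP`, which is assumed to be on an NTFS volume; `Get-ExplicitAce` is a hypothetical helper name.

```powershell
# Added example, not from the original slides. Paths are constructed under
# $env:TEMP, which is assumed to sit on an NTFS volume.
$root = Join-Path $env:TEMP ('ntfs-copy-move-' + [guid]::NewGuid().ToString('N'))
$src  = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'src')).FullName
$dst  = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'dst')).FullName

# Returns the entries set directly on an object (not inherited from its parent).
function Get-ExplicitAce([string]$Path) {
    @((Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited })
}

# Tag both source files with an explicit Read entry for the built-in Guests
# group (well-known SID S-1-5-32-546) so the entry can be tracked afterwards.
$guests = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule($guests, 'Read', 'Allow')
foreach ($name in 'to-copy.txt', 'to-move.txt') {
    $file = Join-Path $src $name
    Set-Content -LiteralPath $file -Value 'constructed sample data'
    $acl = Get-Acl -LiteralPath $file
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $file -AclObject $acl
}

# Copy one file and move the other into the destination folder (same volume).
Copy-Item -LiteralPath (Join-Path $src 'to-copy.txt') -Destination $dst
Move-Item -LiteralPath (Join-Path $src 'to-move.txt') -Destination $dst

# Report what each file carries after the operation.
$result = foreach ($name in 'to-copy.txt', 'to-move.txt') {
    $path = Join-Path $dst $name
    [pscustomobject]@{
        File         = $name
        ExplicitAces = (Get-ExplicitAce $path).Count
        Owner        = (Get-Acl -LiteralPath $path).Owner
    }
}
$result | Format-Table -AutoSize

# Clean up the constructed folders.
Remove-Item -LiteralPath $root -Recurse -Force
```

Under the rules above, the copied file is a new file that takes its permissions from the destination folder, so its explicit entry is gone, while the moved file keeps the entry it had in the source folder.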

OVERVIEW OF SECURITY POLICY

Security policy = a definition of what it means to be secure for a system, organization or other entity.

There are 2 types of policies in Windows XP Professional:

Local security policy – applied to specific computers that are members of a workgroup.

Group policy – applied to sites & domains; it affects all computers or users that are members of the container to which the group policy is assigned.

LOCAL SECURITY POLICY

Allows you to implement security-relevant settings on a local computer, such as group membership, permissions & rights, password requirements, desktop settings etc. Some of the settings are:

Account policy – password policies

Local policies – audit policy, user rights & security options

Public key policies – used to configure encrypted data recovery agents & trusted certificate authorities

Software restriction policies – prevent unwanted applications

IP security policies – configure the security of network internet protocol

System services – manage security settings such as print services, internet services, network services etc.

Registry – to manage registry subkeys & entries

File system – manage security settings on the local file system

GROUP POLICY

Administrators' primary tool for controlling how programs, network resources & the operating system behave.

It can be configured at the local level / within the Active Directory structure.

Administrators can manage the group policy components such as enforce password history, administrative templates, security settings, software installation, scripts and folder redirection.

CONFIGURING ACCOUNT POLICY

Account policy = a policy that controls the password requirements & how the system responds to invalid logon attempts.

2 ways to configure: password policy & account lockout policy

CONFIGURING USER RIGHT

Administrators can assign specific rights to group accounts / individual user accounts.

These rights authorize users to perform specific actions such as logging on to the system interactively or backing up files / directories.

It is recommended that user rights be assigned only to groups & not to individual user accounts.

2 types of user rights: privileges & logon rights

CONFIGURING SECURITY OPTIONS

Windows XP Professional’s special security options are grouped into the following categories: accounts, audit, devices, domain controller, domain member, interactive logon, Microsoft network client, network access, network security, recovery console, shutdown, system cryptography & system objects.

These options can be accessed in the Local Security window, inside the Local Policy folder.

SECURITY OPTIONS