Chapter 7
Transcript of Chapter 7
Configuring and Managing NTFS Security
NTFS File System
Described as a collection of files.
Files are classified into two types:
Normal data files – files that contain data
Metadata files – files that contain data about data
The four parts of the NTFS system:
Master File Table
$Secure metafile
Transaction logging
Quota tracking
Layout of an NTFS Disk
Figure: layout of an NTFS disk, shown as a row of regions in this order: $Boot, MFT, Data 1, Data 2, Data 3, MFT Mirror, $Secure, Data 4
Master File Table (MFT)
Contains:
Pointers to the actual storage sites of files on the NTFS formatted disk
Directory indexes
Attributes for the files and folders
A mirror copy is maintained on each NTFS volume to ensure recovery of the file system if the MFT is damaged.
MFT Records
Figure: sample MFT records, one row per file
MFT Record Header | File Name Attribute | Standard Information Attributes | Security Index Reference | Location on Disk
Data 1            | Abc.doc             | Timestamp                       | NTFSSID01                | LCN
Data 2            | 123.doc             | Timestamp                       | NTFSSID01                | LCN
Data 3            | xyz.xls             | Timestamp                       | NTFSSID01                | LCN
Data 4            | 987.txt             | Timestamp                       | NTFSSID01                | LCN
The MFT is placed in an area called the MFT zone.
The zone is an area set aside for expansion of the MFT.
As a disk fills, the MFT zone will be reduced in size.
If the zone becomes too small to hold all of the MFT data, the MFT will become fragmented.
This will cause a significant reduction in performance.
Consolidated Security
Another area the MFT is responsible for is tracking security information
In earlier versions security descriptions were stored separately with each file and folder
Security descriptions – lists of users and groups with access to the files or folders
The $Secure metafile contains a common set of security descriptions that can be referenced by a single listing in the MFT.
As a file or folder is assigned security settings, these settings are compared to the settings for other files and folders.
If the comparisons match, the file or folder is assigned the same entry in the $Secure metadata file.
This reduces the amount of resources needed to maintain separate security descriptions
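The consolidation step described above, as an added example that is not part of the chapter or of NTFS itself: a small model in which each distinct security description is stored once and every file or folder with a matching description points at the same index. The class and function names (SecureStore, index_files) are assumptions for illustration; the comparison is done by hashing a canonical form of the description, and the sample file names and descriptions are constructed. The two SIDs used are the well-known SIDs of the built-in Users and Administrators groups.

```python
import hashlib
import json

# Added example: a model of how the $Secure metafile lets many files share one
# security description. Class and method names are assumptions for illustration,
# not NTFS on-disk structures or a Windows API.


class SecureStore:
    """Keeps one copy of each distinct security description and hands out an index."""

    def __init__(self):
        self._id_by_hash = {}   # canonical hash -> security index
        self._desc_by_id = {}   # security index -> stored description
        self._next_id = 256     # constructed starting value for the index

    @staticmethod
    def canonical_hash(description):
        # A description is modelled as a list of (sid, "allow"|"deny", rights) entries.
        # Sorting the entries and the rights makes two descriptions that differ only
        # in entry order hash to the same value, so they count as a match.
        normalised = sorted(
            (sid, kind, tuple(sorted(rights))) for sid, kind, rights in description
        )
        return hashlib.sha256(json.dumps(normalised).encode()).hexdigest()

    def assign(self, description):
        """Return (security_index, is_new). The 'compare to other files' step from
        the slide becomes a hash lookup; a hit reuses the existing index."""
        key = self.canonical_hash(description)
        if key in self._id_by_hash:
            return self._id_by_hash[key], False
        security_id = self._next_id
        self._next_id += 1
        self._id_by_hash[key] = security_id
        self._desc_by_id[security_id] = [
            (sid, kind, frozenset(rights)) for sid, kind, rights in description
        ]
        return security_id, True

    def description(self, security_id):
        return self._desc_by_id[security_id]

    def stored_descriptions(self):
        return len(self._desc_by_id)


def index_files(store, files):
    """files: {name: description}. Returns {name: security_index}, the value the
    MFT record's security index reference would hold in this model."""
    return {name: store.assign(desc)[0] for name, desc in files.items()}


# Well-known SIDs of the built-in Users and Administrators groups.
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"

# Constructed sample data: file names and descriptions are made up. Three files
# carry the same description (in different entry order); the fourth differs.
SAMPLE_FILES = {
    "Abc.doc": [(ADMINS, "allow", {"read", "write", "modify"}), (USERS, "allow", {"read"})],
    "123.doc": [(USERS, "allow", {"read"}), (ADMINS, "allow", {"modify", "write", "read"})],
    "xyz.xls": [(ADMINS, "allow", {"read", "write", "modify"}), (USERS, "allow", {"read"})],
    "987.txt": [(ADMINS, "allow", {"read", "write", "modify"}), (USERS, "deny", {"read"})],
}

if __name__ == "__main__":
    store = SecureStore()
    for name, idx in index_files(store, SAMPLE_FILES).items():
        print(f"{name}: security index {idx}")
    print("distinct descriptions stored:", store.stored_descriptions())
```

Running the sample stores two descriptions for four files: the three files with identical entries share one index, and the file with the deny entry gets its own.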
Transaction logging tracks changes to files.
It ensures recovery by reversing unfinished transactions.
Quota tracking
Tracks the amount of data that each user has stored.
Prevents further disk writes if a quota limit has been set and exceeded by a user.
NTFS Permissions
The security descriptions described above contain access control lists (ACLs).
The ACLs are lists of user and group security IDs (SIDs) matched up with the permission settings for each SID.
The individual entries are called access control entries (ACEs).
Components of NTFS Permissions
Access Control Lists
Access Control Entries
Users and Groups
Access Control Lists
Access Control Lists (ACLs) are the fundamental construct of all security in Microsoft Windows.
Objects (from files to hard drives to group policy objects) are controlled by Access Control Lists (ACLs).
Two Types of Access Control Lists (ACL)
System Access Control Lists (SACL)
Defined by the operating system (OS)
Controlled administratively by either policies or the system administrator
Control auditing of access to objects
Discretionary Access Control Lists (DACL)
Referred to as ACLs
Lists of users and groups that have been granted access to objects
Access is granted at the discretion of the object's owner, hence the word Discretionary
Each object has a security description containing a Discretionary Access Control List (DACL) that defines which users and groups have access permissions to that object.
NTFS stores the DACLs in the $Secure metafile.
NTFS records the DACL's index attribute in the standard information attribute in the Master File Table.
MFT Records
Figure (repeated from the earlier MFT Records slide): MFT Record Header | File Name Attribute | Standard Information Attributes | Security Index Reference | Location on Disk
Access Control Entries (ACE)
Access Control Lists consist of one or more Access Control Entries (ACEs).
Each Access Control Entry consists of the user or group security identifier (SID) paired with the permissions assigned to that security identifier (SID).
Permissions (three types)
Allow – allows access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delete, etc.)
Deny – denies access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delete, etc.)
System Audit – a component of system access control lists (SACLs); lists the operations to be audited
When more than one Access Control Entry (ACE) exists on an Access Control List (ACL), the effects of all of the ACEs are taken into account to determine what actions are permitted for a specific user.
The Rule Governing Cumulative Effect ACE
The permission assigned to a user who has more than one Access Control Entry for an object is the most lenient of the accumulated permissions, unless one of the permissions is Deny, which overrides all other permissions for the specific operation.
Example
A user might be a member of more than one security group with access to a file.
In one group the user has allow read permission.
In the other group the user has allow read and allow modify.
The user has the allow modify permission.
If another group has allow modify and deny read, the user cannot open the file, and this negates the modify permission.
Users and Groups
The final part of the NTFS security system.
They are identified by security ID (SID) in the Access Control Entry (ACE).
By placing users into security groups and assigning groups access to NTFS objects you can easily control object access.
Three Major Group Types
Built-in security groups
Assigned security groups
Special groups
Built-in Security Groups
These are groups included with the operating system
Examples include: Users, Power Users, Administrators
Administrators have full control access to NTFS folders and files so they can administer permissions.
Assigned Security Groups
Groups created by administrators.
Designed to make it easier to manage access to resources.
Special Groups
Groups whose membership changes based on the circumstances of a user's access to a file.
Examples of Special Groups
Creator Owner group – members are made up of users who are creators or owners of a resource.
Network group – users who access a resource over a network.
Everyone group – any user, identified by a user name, who attempts to access resources on a system.
Managing NTFS Permissions
To manage permissions you must understand the use and consequences of each permission.
You must understand how permissions from multiple group memberships work together.
Best Practices for Assigning Permissions
Assign the most restrictive NTFS permissions that will still allow the users and groups to accomplish their assigned tasks.
Assign all permissions at the folder level.
Group files for which you want to restrict access into separate folders and then assign permissions to that folder, creating restricted access.
Assign permissions to groups wherever possible.
You can manage permissions for a group once and then assign users to that group to give them access to the files and folders.
Avoid changing the permissions on system files and folders.
This can cause unexpected and difficult to diagnose problems.
Do not deny access to the Everyone group.
Administrators are part of this group and would inherit the deny permission.
It is better to remove the Everyone group from the Access Control List (ACL) and add individual groups.
For all executable files:
Assign read, write and execute permissions to the administrators.
Assign read and execute permissions to the user groups.
This will prevent users or viruses from changing the executable files.
Only individuals with administrative privileges will be able to write information to the executable files.
For public folders, assign Full Control to the Creator Owner group and Read and Write to the Authenticated Users group.
This allows only the creator of the folder full access to the files they create.
If you do not want a user or a group to have access to a file or folder, do not assign permissions.
If you do not grant permissions, the user or group will not have access to the object.
You should deny permissions only in the following cases:
To exclude a person who belongs to a group with the allow permission
To exclude one special permission from a standard permission group
How Permission to Access is Determined
When a user initiates a request to access an object, the application the user is using initiates an access request and attaches the user's token.
This token was generated when the user logged on.
The token contains the user's security identifier (SID) and the SIDs of any security groups the user belongs to.
The token is compared to each access control entry (ACE) of the object's Discretionary Access Control List (DACL).
If a security identifier (SID) in the token matches the SID listed in an Access Control Entry (ACE), the permissions in the ACE are evaluated to see if access can be granted.
If all of the access control entries (ACEs) are evaluated and at least one grants access, the object is opened.
The only exception is if there is a deny access permission.
If no access control entries (ACEs) are found referencing any of the user's security identifiers (SIDs), or one is found with DENY for the operation, access is denied.
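The access check described above, together with the cumulative-effect rule and its worked example from the earlier slide, as an added example in Python that is not part of the chapter and is not the Windows access-check code: a token carries the user's SID and group SIDs, every ACE whose SID appears in the token is evaluated, allows accumulate, and a deny for an operation overrides any allow for it. The names (Ace, Token, check_access), the placeholder SIDs and the sample DACL are assumptions made for illustration. The chapter's point that a denied read negates modify (you cannot modify a file you cannot open) is modelled as a prerequisite table, which is a simplification.

```python
from dataclasses import dataclass

# Added example: the access check as the chapter states it. Names, SIDs and the
# sample DACL are assumptions for illustration, not the Windows kernel algorithm.


@dataclass(frozen=True)
class Ace:
    sid: str            # user or group security identifier this entry applies to
    kind: str           # "allow" or "deny"
    rights: frozenset   # operations covered, e.g. {"read", "modify"}


@dataclass(frozen=True)
class Token:
    """Built at logon: the user's own SID plus the SID of every group the user is in."""
    user_sid: str
    group_sids: frozenset

    def all_sids(self):
        return {self.user_sid} | set(self.group_sids)


# Simplification of the chapter's example: modifying a file requires opening it,
# so a modify request also needs read.
PREREQUISITES = {"modify": {"read"}}


def effective_rights(dacl, token):
    """Cumulative rule: union of every matching allow ACE, minus anything any
    matching deny ACE covers. Returns (allowed, denied, matched_any_ace)."""
    sids = token.all_sids()
    allowed, denied, matched = set(), set(), False
    for ace in dacl:
        if ace.sid not in sids:
            continue            # ACE does not reference this user or their groups
        matched = True
        if ace.kind == "allow":
            allowed |= ace.rights
        elif ace.kind == "deny":
            denied |= ace.rights
    return allowed - denied, denied, matched


def check_access(dacl, token, requested):
    """Return (granted, reason) for a set of requested operations."""
    needed = set(requested)
    for op in requested:
        needed |= PREREQUISITES.get(op, set())
    allowed, denied, matched = effective_rights(dacl, token)
    if not matched:
        return False, "no ACE references any SID in the token"
    blocked = needed & denied
    if blocked:                 # deny wins regardless of how many allows matched
        return False, "deny ACE covers: " + ", ".join(sorted(blocked))
    missing = needed - allowed
    if missing:                 # nothing granted the operation: no access
        return False, "no ACE grants: " + ", ".join(sorted(missing))
    return True, "granted"


# Constructed sample matching the chapter's example: three groups on one file.
GROUP_READ = "S-1-5-21-0-0-0-2001"          # placeholder SID: allow read
GROUP_READ_MODIFY = "S-1-5-21-0-0-0-2002"   # placeholder SID: allow read + modify
GROUP_DENY_READ = "S-1-5-21-0-0-0-2003"     # placeholder SID: allow modify, deny read
USER = "S-1-5-21-0-0-0-1001"                # placeholder SID for the user

FILE_DACL = [
    Ace(GROUP_READ, "allow", frozenset({"read"})),
    Ace(GROUP_READ_MODIFY, "allow", frozenset({"read", "modify"})),
    Ace(GROUP_DENY_READ, "allow", frozenset({"modify"})),
    Ace(GROUP_DENY_READ, "deny", frozenset({"read"})),
]


def main():
    two_groups = Token(USER, frozenset({GROUP_READ, GROUP_READ_MODIFY}))
    three_groups = Token(USER, frozenset({GROUP_READ, GROUP_READ_MODIFY, GROUP_DENY_READ}))
    print("two groups, modify:  ", check_access(FILE_DACL, two_groups, {"modify"}))
    print("three groups, read:  ", check_access(FILE_DACL, three_groups, {"read"}))
    print("three groups, modify:", check_access(FILE_DACL, three_groups, {"modify"}))


if __name__ == "__main__":
    main()
```

With the first two groups the user gets read and modify, the most lenient accumulation. Adding the third group leaves modify as the only effective right, but the deny on read blocks both opening the file and, through the prerequisite, modifying it. A token that matches no ACE at all is also denied, which is the "do not assign permissions" case from the best-practice slide.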
Effective Permissions
Effective permissions for a resource are the sum of the NTFS permissions you assign to the individual user's account and to any group the user is part of.
Troubleshooting NTFS Permissions
Almost all problems with file or folder access can be traced to improper effective permissions.
Either membership in a group is causing the problem, or permissions have been assigned incorrectly to one or more of the groups the user is in.
It is easy to lose track of the deny permissions you have assigned, which is why the deny permission is used only in rare cases.