MA194 Using WindowsNT 1
Topics for the day…
• WindowsNT Security
• WindowsNT File System (NTFS)
• Viewing/Setting Document and Folder Permissions
• Access Control Lists & Entries
General Security
In general, WindowsNT was designed with an eye towards security, both from a network aspect as well as from an individual or user account point of view.
When you first log into a WindowsNT system (workstation or server), there are a series of checks that are performed by the system.
Internal vs. External Security
Security can be broken into two areas, internal and external. By external, we refer to the set of security issues that deal with networked environments. User authentication, machine and domain relationships and trusts, and user profile storage come into play here. To better understand these, we would need to look at the NT approach to networking first. Today, we’ll instead look at the internal security issues.
Internal security issues
• User identity verification
– The operating system must have some way of uniquely identifying you from another user
– The operating system also needs a way to ensure that it IS you and not someone else
• Filesystem permissions
– Controlling access to various documents, programs and functions of the system you use
Steps taken to try to login
• CTRL-ALT-DEL brings up login window
• User account and password are entered
• User’s input is passed to the Security Account Manager (SAM)
• SAM looks up entry in the Security Accounts Database (SAD)
• System returns an access token for the user or an error message indicating failure.
Steps taken after login
The system creates a process for the user, associates the access token with it, and starts up the initial programs for the user.
The access token contains the information the system will use to grant or deny access to various files, programs and functions. Thus, getting the access token right is a must.
Access Token information
• User’s ID (SID) - Assigns a user’s ID for this token.
• Group ID (GID) - Lists the groups to which the user belongs.
• Privileges - System functions the user is allowed to do (print queues, backups, etc)
• Primary group - Default entry of GIDs
• Default ACL
Object Permissions
An object (a file, program, folder, printer, etc.) has a list of permissions associated with it that determines who has the ability to access, use or modify the object.
Each entry in the list is called an Access Control Entry (ACE). All of the entries are collectively known as an Access Control List (ACL).
Assigning Permissions
Assigning permissions to a file, for example, means generating an ACL and listing who has permission to do what to the file.
The who part of an ACL may be a user or a group (of users), whichever you prefer.
The what part of the ACL is a little trickier.
Users vs. Groups
For easier administration, a list of users can be put into a group and permissions assigned to the group instead of each individual user. As a result, each user (account) belongs to at least one group.
Often, a user will be assigned to several groups, based on the administrator’s preference, the common tasks and resources for some users, etc.
File Access Permissions
• Read - Access or view the file contents
• Write - Modify the contents of the file
• Execute - Execute (that is, run) the program
• Delete - Delete the file (different than write)
• Change Permissions - Change these
• Take Ownership - Change the owner to you
File Access Types
Certain sets of permissions are commonly used and, as a result, are listed as Access Types in a pull down menu. They are:
• No Access - Nothing is granted (El Zilcho)
• Read - Actually allows Read and Execute
• Change - Read, Write, Execute and Delete
• Full - Everything listed in the previous slide
Folder Access Types
• No Access - Nothing is granted (El Zilcho)
• List - Actually allows Read and Execute
• Read - Same as List but may include the files within the directory as well.
• Add - Write and Execute
• Add & Read - Read, Write, Execute. It may also include the files within the folder.
• Change - Read, Write, Execute and Delete
• Full - Everything listed in the previous slide
Setting a file’s permissions
• Bring up the file’s Permissions Screen
– Highlight the file (left mouse click)
– Bring up the Properties screen (right click)
– Choose Security (left click on tab)
– Choose Permissions
• Choose either a group or an individual user
• Select the Access Type or choose Special to set the permissions individually.
Notes about file permissions
• If the Security tab doesn’t show up in the Properties section, the filesystem may not be an NTFS (that is, it doesn’t support the security features of NTFS)
• If clicking on the Security tab results in an error message (“Access Denied” or “Nice Try, Shnookums”), that means the ACL denies you access to the file.
Steps taken to open an object
WindowsNT has bundled security throughout the levels of the OS. The Security Reference Monitor (SRM), besides sounding important, is in charge of verifying/granting access to files, directories, etc. The first time you access a file, the system checks with the SRM first. The SRM checks the access token against the ACL for the object and either grants or denies access to the object.
Fun HTTP sites
• Http://www.crayon.net
• http://www.ms.uky.edu/~chaney- Choose ‘Danews’ from the top
• The IRS Home page (it’s that time again)
• http://www.washingtonpost.com
Resolving access conflicts
What if a user is granted access but the group they belong to is denied access? Or if the user belongs to ten groups, nine of which have access and one of which doesn’t?
Denied.
NT checks the ‘Deny’ list first and stops looking as soon as it finds a hit.
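To make the rules from the “Steps taken to open an object” slide and this one concrete, here is a small Python model of the SRM check. It is an added example, not part of the original slides and not Microsoft’s code: it expands the File Access Types from the earlier slide into the individual permissions they grant, models “No Access” as a deny entry, and, as the slides state, consults the deny entries first and stops on the first hit before looking at anything that grants access. The SID strings (S-alice, S-Staff, and so on) and the ACL in `demo()` are constructed placeholders, not real Windows SIDs.

```python
"""Toy model of the WindowsNT access check described in the slides.

An access token (user SID plus group SIDs) is checked against an object's
ACL, a list of Access Control Entries.  Each ACE names a user or group,
an Access Type from the slides ("No Access", "Read", "Change", "Full" or
"Special") and, for "Special", an explicit set of permissions.
"""
from dataclasses import dataclass

# Individual file permissions from the "File Access Permissions" slide.
PERMISSIONS = frozenset({
    "Read", "Write", "Execute", "Delete", "Change Permissions", "Take Ownership",
})

# File Access Types from the slides, expanded into the permissions they grant.
FILE_ACCESS_TYPES = {
    "Read": frozenset({"Read", "Execute"}),
    "Change": frozenset({"Read", "Write", "Execute", "Delete"}),
    "Full": PERMISSIONS,
}


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        """All SIDs an ACE may match for this user: the user plus every group."""
        return {self.user_sid} | set(self.group_sids)


@dataclass(frozen=True)
class ACE:
    trustee: str                       # user or group SID this entry applies to
    access_type: str                   # "No Access", "Read", "Change", "Full", "Special"
    special: frozenset = frozenset()   # only used when access_type == "Special"

    def is_deny(self):
        return self.access_type == "No Access"

    def permissions(self):
        """Permissions this entry grants (empty for a deny entry)."""
        if self.is_deny():
            return frozenset()
        if self.access_type == "Special":
            unknown = set(self.special) - PERMISSIONS
            if unknown:
                raise ValueError(f"unknown permissions: {sorted(unknown)}")
            return frozenset(self.special)
        return FILE_ACCESS_TYPES[self.access_type]


def check_access(token, acl, requested):
    """Return (granted, reason) for one requested permission.

    Deny entries are examined first: the first one naming the user or any of
    the user's groups wins, no matter what other entries grant.  Only then
    are the granting entries consulted; if none grants the permission, the
    request is denied.
    """
    if requested not in PERMISSIONS:
        raise ValueError(f"unknown permission: {requested}")
    sids = token.sids()
    for ace in acl:
        if ace.is_deny() and ace.trustee in sids:
            return False, f"denied: 'No Access' entry for {ace.trustee}"
    for ace in acl:
        if ace.trustee in sids and requested in ace.permissions():
            return True, f"granted: {ace.access_type} entry for {ace.trustee}"
    return False, "denied: no entry grants the permission"


def demo():
    """The slide's scenario: a user granted directly, but denied via one group."""
    # Constructed placeholder SIDs, not real Windows SIDs.
    alice = AccessToken("S-alice", frozenset({"S-Staff", "S-Contractors"}))
    bob = AccessToken("S-bob", frozenset({"S-Staff"}))
    acl = [
        ACE("S-alice", "Full"),             # alice is granted everything directly...
        ACE("S-Staff", "Change"),
        ACE("S-Contractors", "No Access"),  # ...but one of her groups is denied
    ]
    return {
        "alice_read": check_access(alice, acl, "Read")[0],
        "bob_read": check_access(bob, acl, "Read")[0],
        "bob_take_ownership": check_access(bob, acl, "Take Ownership")[0],
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Running it shows alice denied Read despite her own Full entry, because the Contractors deny entry is found first; bob gets Read through the Staff Change entry but not Take Ownership, which only Full includes. The order of the ACEs in the list does not matter to the outcome, which is the point of checking the deny list before anything else.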