MA194 Using WindowsNT 1 Topics for the day… • WindowsNT Security • WindowsNT File System (NTFS) • Viewing/Setting Document and Folder Permissions • Access Control Lists & Entries


MA194 Using WindowsNT 1

Topics for the day…

• WindowsNT Security

• WindowsNT File System (NTFS)

• Viewing/Setting Document and Folder Permissions

• Access Control Lists & Entries


General Security

In general, WindowsNT was designed with an eye towards security, both from a network aspect as well as an individual or user account point of view.

When you first log into a WindowsNT system (workstation or server), there are a series of checks that are performed by the system.


Internal vs. External Security

Security can be broken into two areas, internal and external. By external, we refer to the set of security issues that deal with networked environments. User authentication, machine and domain relationships and trusts, and user profile storage come into play here. To better understand these, we would need to look at the NT approach to networking first. Today, we’ll instead look at the internal security issues.


Internal security issues

• User identity verification

– The operating system must have some way of uniquely identifying you from another user

– The operating system also needs a way to ensure that it IS you and not someone else

• Filesystem permissions

– Controlling access to various documents, programs and functions of the system you use


Steps taken to try to login

• CTRL-ALT-DEL brings up login window

• User account and password are entered

• User’s input is passed to the Security Account Manager (SAM)

• SAM looks up entry in the Security Accounts Database (SAD)

• System returns an access token for the user or an error message indicating failure.


Steps taken after login

The system creates a process for the user and associates the access token to it and starts up the initial programs for the user.

The access token contains the information the system will use to grant or deny access to various files, programs and functions. Thus, getting the access token right is a must.


Access Token information

• User’s ID (SID) - Assigns a user’s ID for this token.

• Group ID (GID) - Lists the groups to which the user belongs.

• Privileges - System functions the user is allowed to do (print queues, backups, etc)

• Primary group - Default entry of GIDs

• Default ACL


Object Permissions

An object (a file, program, folder, printer, etc.) has a list of permissions associated with it that determines who has the ability to access, use or modify the object.

Each entry in the list is called an Access Control Entry (ACE). All of the entries are collectively known as an Access Control List (ACL).


Assigning Permissions

Assigning permissions to a file, for example, means generating an ACL and listing who has permission to do what to the file.

The who part of an ACL may be a user or a group (of users), whichever you prefer.

The what part of the ACL is a little trickier.


Users vs. Groups

For easier administration, a list of users can be put into a group and permissions assigned to the group instead of each individual user. As a result, each user (account) belongs to at least one group.

Often, a user will be assigned to several groups, based on the administrator’s preference, the common tasks and resources for some users, etc.


File Access Permissions

• Read - Access or view the file contents

• Write - Modify the contents of the file

• Execute - Execute (that is, run) the program

• Delete - Delete the file (different than write)

• Change Permissions - Change these

• Take Ownership - Change the owner to you


File Access Types

Certain sets of permissions are commonly used and, as a result, are listed as Access Types in a pull down menu. They are:

• No Access - Nothing is granted (El Zilcho)

• Read - Actually allows Read and Execute

• Change - Read, Write, Execute and Delete

• Full - Everything listed in the previous slide


Folder Access Types

• No Access - Nothing is granted (El Zilcho)

• List - Actually allows Read and Execute

• Read - Same as list but may include the files within the directory as well.

• Add - Write and Execute

• Add & Read - Read, Write, Execute. It may also include the files within the folder.

• Change - Read, Write, Execute and Delete

• Full - Everything listed in the previous slide


Setting a file’s permissions

• Bring up the file’s Permissions Screen

– Highlight the file (left mouse click)

– Bring up the Properties screen (right click)

– Choose Security (left click on tab)

– Choose Permissions

• Choose either a group or an individual user

• Select the Access Type or choose Special to set the permissions individually.


Notes about file permissions

• If the Security tab doesn’t show up in the Properties section, the filesystem may not be an NTFS (that is, it doesn’t support the security features of NTFS)

• If clicking on the Security tab results in an error message (“Access Denied” or “Nice Try, Shnookums”), that means the ACL denies you access to the file.


Steps taken to open an object

WindowsNT has bundled security throughout the levels of the OS. The Security Reference Monitor (SRM), besides sounding important, is in charge of verifying/granting access to files, directories, etc. The first time you access a file, the system checks with the SRM first. The SRM checks the access token against the ACL for the object and either grants or denies access to the object.


Fun HTTP sites

• Http://www.crayon.net

• http://www.ms.uky.edu/~chaney - Choose ‘Danews’ from the top

• The IRS Home page (it’s that time again)

• http://www.washingtonpost.com


Resolving access conflicts

What if a user is granted access but the group they belong to is denied access? Or if the user belongs to ten groups, nine of which have access and one of which doesn’t?

Denied.

NT checks the ‘Deny’ list first and stops looking as soon as it finds a hit.
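
The access check from the "Steps taken to open an object" slide and the deny-first rule above, as an added Python model (not part of the original slides, and not NT's own code). The names `Token`, `ACE` and `access_check` and the sample users and groups are hypothetical; the model also assumes that grants from a user's own entry and from group entries accumulate, which the slides do not state.

```python
from dataclasses import dataclass

# Individual permissions from the "File Access Permissions" slide.
R, W, X, D = "Read", "Write", "Execute", "Delete"
P, O = "Change Permissions", "Take Ownership"

# File access types from the slides, expanded to the permissions they carry.
ACCESS_TYPES = {
    "No Access": frozenset(),
    "Read": frozenset({R, X}),
    "Change": frozenset({R, W, X, D}),
    "Full": frozenset({R, W, X, D, P, O}),
}

@dataclass(frozen=True)
class Token:                 # hypothetical stand-in for the access token
    user: str                # the user's ID (a readable name instead of a SID)
    groups: frozenset        # groups to which the user belongs

@dataclass(frozen=True)
class ACE:                   # one Access Control Entry: who gets what
    who: str                 # a user or a group name
    access_type: str         # a key of ACCESS_TYPES

def access_check(token, acl, wanted):
    """Return True if every permission in `wanted` is granted to the token."""
    identities = {token.user} | token.groups
    matching = [ace for ace in acl if ace.who in identities]
    # Deny pass first: a single matching "No Access" entry ends the check.
    if any(ace.access_type == "No Access" for ace in matching):
        return False
    # Grant pass (assumption): rights accumulate over all matching entries.
    granted = set()
    for ace in matching:
        granted |= ACCESS_TYPES[ace.access_type]
    return set(wanted) <= granted

# Constructed sample data, not taken from the slides.
alice = Token("alice", frozenset({"Students", "MA194"}))
acl = [ACE("alice", "Full"), ACE("Students", "Read"), ACE("Interns", "No Access")]
# Same ACL plus one group-level denial that applies to alice.
denied_acl = acl + [ACE("MA194", "No Access")]

if __name__ == "__main__":
    print(access_check(alice, acl, {R, W}))        # user entry grants Full
    print(access_check(alice, denied_acl, {R}))    # one denied group wins
```

With `denied_acl`, alice's own Full entry does not help her: the No Access entry on one of her groups decides the outcome, which is the case the last slide describes.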