NTFS secrets - rights, permissions and their inheritance. SMB and NTFS permissions

Why does an organization need a server in most cases? Active Directory, RDS, a print server and a host of small and large services. The most prominent role is probably the file server. Unlike the other roles, people work with it consciously: they remember which folder holds what, where the document scans are, where their reports go, where the faxes land, which shared folder everyone can reach and which one only a single department can reach.

It is this access to network and local folders on the server that I want to talk about.

Access to shared resources on the server is, as everyone knows perfectly well, carried out over SMB 3.0. Network access to folders can be limited with SMB permissions and with NTFS permissions. SMB permissions only apply when a shared folder is accessed over the network and have no effect on access to the folder locally. NTFS permissions apply both over the network and locally, giving much more flexibility in building access rights. SMB and NTFS permissions do not work separately but complement each other, and the most restrictive permission wins.

To share a folder, Server 2012 added the New-SmbShare cmdlet to the SMB Share cmdlets group. Using this cmdlet as an example we will look at all the features available when creating a shared folder, apart from cluster configurations (that is a separate big topic).

Creating a new shared folder looks very simple:
net share HomeFolder=S:\IvanIvanov /grant:admin,full /grant:FolderOwner,change /grant:Manager,read /cache:programs /remark:"Ivanov"
or
New-SmbShare -Name HomeFolder -Path S:\IvanIvanov -CachingMode Programs -FullAccess Admin -ChangeAccess FolderOwner -ReadAccess Manager -NoAccess Everyone -FolderEnumerationMode AccessBased -Description "Ivanov"

Let's go through the parameters:

-Name: the name of the shared folder on the network; it may differ from the name of the folder on the local computer. It is limited to 80 characters, and the names Pipe and MailSlot cannot be used.

-Path: the path to the local folder to be shared. The path must be absolute, from the root of the drive.

-CachingMode: the offline files setting for the shared folder.

What is an offline file?

An offline file is a copy of a file located on the server. The copy is stored on the local computer and lets the user work with the file without connecting to the server. On the next connection the changes are synchronized, in both directions: if you changed your offline copy, the file on the server is updated at the next connection; if someone changed the file on the server, your local copy is updated. If both copies changed at once, we get a synchronization conflict and you will have to choose which version to keep. I would not use this for shared folders, but if you create a share for each user and give the other users read-only access, with no right to write, we get the following benefits:

  • Work does not depend on the network: a switch can burn out, the server can reboot, a cable can break or an access point can go down, and the user keeps working with his copy without noticing that you have some kind of outage; when the connection is restored, the changes go to the server.
  • The user can work anywhere: at the dacha, on the bus, on the plane, in places where a VPN connection is for some reason not available.
  • Even if the user works over VPN but the connection is very slow or keeps dropping, it is easier to work with the offline copy and synchronize the changes than to try to do anything directly on the server.
  • The user can choose what to synchronize and when, if you give him that option.

The parameter takes the following values:
  • None: files are not available offline; access requires a connection to the server.
  • Manual: users choose which files will be available offline.
  • Programs: everything in the folder is available offline (documents and programs, i.e. files with the .exe and .dll extensions).
  • Documents: documents are available offline, programs are not.
  • BranchCache: caching happens on BranchCache servers instead of the user's local computer; users choose the offline files themselves.
-NoAccess, -ReadAccess, -ChangeAccess, -FullAccess: share permissions (Share Permissions).

These permissions have one big advantage: they are very simple.

-NoAccess Secretary, Steward: the secretary and the steward have no business in the shared accounting folder at all.
-ReadAccess Auditor: an auditor checking the accountants' work can see file and subfolder names in the shared folder, open files for reading and run programs.
-ChangeAccess Accountant: accountants can create files and subfolders in their shared folder, change existing files, and delete files and subfolders.
-FullAccess Admin: FullAccess is ReadAccess + ChangeAccess plus the ability to change permissions.

When a shared folder is created, the most restrictive rule is applied automatically: the Everyone group is given Read.

These permissions apply only to users who access the shared folder over the network. With a local logon, for example on a terminal server, both the secretary and the steward, and anyone else who wishes, will see everything in the accounting folder. This is corrected with NTFS permissions. Share permissions apply to all files and folders on the shared resource; finer-grained access rights are likewise set with NTFS permissions.

-ConcurrentUserLimit: use this parameter to limit the maximum number of connections to the shared folder. In principle it can also be used to restrict access to a folder, complementing NTFS permissions, but you must be sure of the required number of connections.

-Description: a description of the shared resource, visible in the network neighbourhood. A description is a very good thing that many neglect.

-EncryptData: encryption.

Before SMB 3.0, the only way to protect traffic between the file server and the client was a VPN, and how to implement it depended entirely on the administrator's preferences: SSL, PPTP, IPsec tunnels or something else. In Server 2012 encryption works out of the box, on an ordinary LAN or across untrusted networks, without any special infrastructure. It can be enabled both for the whole server and for individual shared folders. The encryption algorithm in SMB 3.0 is AES-CCM, and the integrity (hashing) algorithm has changed from HMAC-SHA256 to AES-CMAC. The good news is that SMB 3.0 supports hardware AES (AES-NI); the bad news is that Russia does not support AES-NI.

What does enabling encryption threaten? Only clients that support SMB 3.0, that is, Windows 8, will be able to work with encrypted shared folders. The reason is once again the most restrictive rule. It is assumed that the administrator knows what he is doing and, if necessary, will give access to clients with another version of SMB. But since SMB 3.0 uses new encryption algorithms and the traffic of a client with another SMB version will not be encrypted, a VPN is needed for them. To let all clients onto a file server with encryption enabled, use the command Set-SmbServerConfiguration -RejectUnencryptedAccess $false.
In the default configuration (unencrypted traffic to encrypted shared folders is rejected), an attempt to access the folder from a client with an SMB version below 3.0 produces an "access denied" error on the client. On the server, event 1003 is written to the Microsoft-Windows-SMBServer/Operational log, where the IP address of the client attempting access can be found.

SMB encryption and EFS are different, unrelated things, so SMB encryption can also be used on FAT and ReFS volumes.
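As an added example (not code from the original article): enabling SMB encryption on one share and on the whole server, checking what is actually in effect, listing connected sessions that negotiated a dialect below 3.0, and pulling event 1003 from the SMBServer/Operational log to find clients that were rejected for unencrypted access. The share name and path are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on
# Windows Server 2012 or later. Share name and path are assumptions.
$ShareName = 'Accounting'
$SharePath = 'D:\Shares\Accounting'

# Encrypt a single share. Sessions already open are unaffected until they reconnect.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# Alternatively encrypt every share served by this host:
# Set-SmbServerConfiguration -EncryptData $true -Force

# Keep the secure default: refuse clients that cannot encrypt (SMB below 3.0) rather
# than silently falling back to clear text. $false is the knob the article mentions
# for letting older clients in; it removes the protection, so pair it with a VPN.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Verify what is in effect.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

# Which connected clients negotiated a dialect below 3.0? They will lose access to
# encrypted shares, so plan a client upgrade or a VPN for them before enabling it.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# Detection: rejected unencrypted access attempts in the last 24 hours (event 1003).
# The message text carries the client address the article refers to.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Operational'
    Id        = 1003
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Detail = $_.Message
        }
    } | Format-List
```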

-FolderEnumerationMode: this is Access-based Enumeration. With Access-based Enumeration enabled, users who have no access to a shared folder simply will not see it on the file server, and there will be fewer questions of the form "why don't I have access to this or that folder". The user sees the folders available to him and does not try to poke into other people's affairs. Off by default.

  • AccessBased: enable
  • Unrestricted: disable
-Temporary: creates a temporary shared folder whose access stops after the server reboots. By default, persistent shared folders are created.

NTFS permissions

With NTFS permissions we can delimit rights within a folder in more detail. We can forbid a specific group from changing a specific file while leaving it able to edit everything else in the folder; in the same folder one group of users may have the right to change one file and be unable to see other files edited by another group, and vice versa. In short, NTFS permissions let us build a very flexible access system; the main thing is not to get lost in it later. In addition, NTFS permissions work both when accessing a network folder, where they complement the share permissions, and with local access to files and folders.

There are six basic permissions, each of which is a combination of the 14 advanced permissions.

Basic permissions
Full Control (FullControl) - full access to a folder or file, including the ability to change access rights and audit rules on folders and files.

Modify - the right to read, change and view the contents of the folder, delete folders/files and run executable files. Includes Read and Execute (ReadAndExecute), Write and Delete.

Read and Execute (ReadAndExecute) - the right to open folders and read files, without writing. Running executable files is also possible.

List Folder Contents (ListDirectory) - the right to view the contents of a folder.

Read - the right to open folders and read files, without writing. Includes List Folder / Read Data (ReadData), Read Attributes (ReadAttributes), Read Extended Attributes (ReadExtendedAttributes) and Read Permissions (ReadPermissions).

Write - the right to create folders and files and to modify files. Includes Create Files / Write Data (WriteData), Create Folders / Append Data (AppendData), Write Attributes (WriteAttributes) and Write Extended Attributes (WriteExtendedAttributes).

Advanced permissions
I set only one of the 14 permissions on a folder at a time and watched what happened. In the real world the basic permissions are enough in most cases, but I was interested in how folders and files behave with the most granular rights possible.

Traverse Folder / Execute File (Traverse) - the right to run and read files regardless of the access rights on the folder. There will be no access to the folder itself (what lies in it remains a mystery), but files in the folder can be opened by a direct link (full, relative or UNC path). You can set Traverse Folder on the folder and, on the file, any other permissions the user needs for his work. Creating and deleting files in the folder will not work for the user.

Read Attributes (ReadAttributes) - the right to view the attributes (FileAttributes) of a folder or file.
The contents of the folder or of files cannot be viewed, and no attribute can be changed.

Read Extended Attributes (ReadExtendedAttributes) - the right to view the extended attributes of a folder or file.

The only thing I could find about extended attributes is that they are used to provide backward compatibility with OS/2 applications (Windows Internals, Part 2: Covering Windows Server 2008 R2 and Windows 7). I know nothing more about them.

Create Files / Write Data (WriteData) - gives the user the ability to create files in a folder to which he otherwise has no access. Files can be copied into the folder and new files created in it. The user cannot view the contents of the folder, create new folders or change existing files. He will not be able to change any file, even one he owns; he can only create.

Create Folders / Append Data (AppendData) - gives the user the ability to create subfolders in the folder and to add data to the end of a file without changing its existing content.

Check

Creating subfolders is straightforward:
ni C:\TestPerms\TestAppend -ItemType Directory
works as expected and creates the TestAppend subfolder. Let's try to add a line to the end of a file, to keep some kind of log:
echo NewEvent >> C:\TestPerms\user.log
Access is denied.
Hmm... it does not work in CMD. What about this:
ac C:\TestPerms\user.log NewEvent
ac : Access to the path "C:\TestPerms\user.log" is denied.
And in a pipeline?
"NewEvent" | Out-File C:\TestPerms\user.log -Append
Out-File : Access to the path "C:\TestPerms\user.log" is denied.
That does not work either.

Let's start a session of black magic: use the File class and its AppendText method to get a log object.
$log = [IO.File]::AppendText("C:\TestPerms\user.log")
Exception calling "AppendText" with "1" argument(s): "Access to the path 'C:\TestPerms\user.log' is denied."
I think AppendAllText is not worth trying either:
[IO.File]::AppendAllText("C:\TestPerms\user.log", "NewEvent")
Exception calling "AppendAllText" with "2" argument(s): "Access to the path 'C:\TestPerms\user.log' is denied."
The matter is basically clear: the right to append data to the file is not enough for the methods above; they need write access to the file. But with that we would give the ability to change the file, not just add records to it, that is, we would open up the potential to destroy the entire contents of the file.

We need to reconsider the approach: instead of getting a log object, let's create a new one in which we specify all the parameters we care about. We need something where the access rights can be stated explicitly. That is FileStream, and specifically the FileStream constructor (String, FileMode, FileSystemRights, FileShare, Int32, FileOptions). The following parameters are needed:

  • the path to the file: obvious
  • how to open the file: open it and seek to the end (Append)
  • file access rights: AppendData
  • access for other FileStream objects: not needed (None)
  • buffer size: 8 bytes
  • additional options: none
It turns out something like this:
$log = New-Object IO.FileStream("C:\TestPerms\user.log", [IO.FileMode]::Append, [Security.AccessControl.FileSystemRights]::AppendData, [IO.FileShare]::None, 8, [IO.FileOptions]::None)
It works! We have created a log object; let's try to write something to it. The FileStream.Write method takes its input as bytes, so we convert the event we want to record into bytes: the Encoding class, its GetEncoding method (we do not want mojibake in the output) and GetBytes (the conversion itself).
$event = "A new event happened."
$eventBytes = [Text.Encoding]::GetEncoding("windows-1251").GetBytes($event)
FileStream.Write parameters:
what to write; the offset to start from; the number of bytes to write
We write, and then close the stream so the handle is released:
$log.Write($eventBytes, 0, $eventBytes.Count)
$log.Close()
Check.
gc C:\TestPerms\user.log
gc : Access to the path "C:\TestPerms\user.log" is denied.
Everything is fine: the user has no right to view what was written. We switch to the administrator.
gc C:\TestPerms\user.log
A new event happened.
Everything works.

The folder containing the file must, besides Create Folders / Append Data, also allow List Folder / Read Data. For the file itself, Create Folders / Append Data alone is enough, with inheritance disabled. It is impossible to fully protect the files a user must write to from that user (and the user may be an attacker), but on the other hand, apart from the list of files in the folder, the user will see nothing and can do nothing.

The conclusion is simple: safe logging cannot be implemented in batch files; PowerShell is saved by its ability to work with .NET objects.
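The append-only write worked out above, as an added example that is not code from the original article: a function that opens the log with only the AppendData right, and a check that the same account is refused when it tries to truncate the file. It assumes the NTFS setup just described (folder: List Folder / Read Data plus Create Folders / Append Data; file: Create Folders / Append Data only, inheritance disabled), the hypothetical path C:\TestPerms\user.log, and Windows PowerShell, whose .NET Framework provides this FileStream constructor overload.

```powershell
# Added example, not from the original article. Run as the restricted account.
$LogPath = 'C:\TestPerms\user.log'   # hypothetical path from the walkthrough above

function Write-AppendOnlyLog {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Message
    )
    # FileStream(path, FileMode, FileSystemRights, FileShare, bufferSize, FileOptions).
    # Requesting the AppendData right alone is what the ACE permits; FileAccess.Write,
    # which Out-File, Add-Content and File.AppendText ask for, also needs Write Data.
    $ctorArgs = @(
        $Path,
        [IO.FileMode]::Append,
        [Security.AccessControl.FileSystemRights]::AppendData,
        [IO.FileShare]::Read,            # an administrator may read while we write
        4096,
        [IO.FileOptions]::WriteThrough   # reach the disk before Write returns
    )
    $stream = New-Object -TypeName IO.FileStream -ArgumentList $ctorArgs
    try {
        $line  = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
        $bytes = [Text.Encoding]::UTF8.GetBytes($line + [Environment]::NewLine)
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Flush()
    }
    finally {
        $stream.Dispose()   # release the handle even if Write throws
    }
}

function Test-LogIsAppendOnly {
    # Attempt what a compromised account would attempt: open the log for truncation.
    # Returns $true when the ACE refuses it, $false when the log could be wiped.
    param([Parameter(Mandatory)] [string] $Path)
    $ctorArgs = @(
        $Path,
        [IO.FileMode]::Truncate,
        [Security.AccessControl.FileSystemRights]::WriteData,
        [IO.FileShare]::None,
        4096,
        [IO.FileOptions]::None
    )
    try {
        $s = New-Object -TypeName IO.FileStream -ArgumentList $ctorArgs
        $s.Dispose()
        return $false
    }
    catch {
        # New-Object wraps the constructor's exception; unwrap to the real cause.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.UnauthorizedAccessException]) { return $true }
        throw
    }
}

Write-AppendOnlyLog -Path $LogPath -Message 'A new event happened.'
if (Test-LogIsAppendOnly -Path $LogPath) {
    'Log is append-only for this account.'
} else {
    'WARNING: this account can truncate the log; check the ACE on the file.'
}
```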


Write Attributes (WriteAttributes) - lets the user change file or folder attributes. It seems simple. But now answer this question: "Photos of my cats take up almost all the space in my profile and there is no room left for business correspondence. I would like to compress the folder with the cats, but it asks for administrator rights. You said I have the right to change folder attributes. Isn't compression an attribute? Why can't I change it?"

Yes, a user with the Write Attributes right can change almost all the visible attributes of files and folders, except the compression and encryption attributes. Technically, the user is given the right to call the SetFileAttributes function. File compression, however, is performed by the DeviceIoControl function, which has to be passed the FSCTL_SET_COMPRESSION parameter, and file compression is far from its only job. With this function we can control all devices and their resources in the system, and giving the user the right to call it would probably amount to making him an administrator.

The story with encryption is similar: the EncryptFile function, which is responsible for encryption, requires that the user have List Folder / Read Data, Create Files / Write Data, Read Attributes, Write Attributes and Synchronize on the object. Without them nothing will happen.

Write Extended Attributes (WriteExtendedAttributes). Well, these are the ones used for backward compatibility with OS/2 applications, right. And yet recently trojans (ZeroAccess.C) have started writing themselves into the extended attributes of the file C:\Windows\System32\services.exe. Maybe they should be turned off at the top level? I cannot answer that question: in theory, perhaps it is worth it; in practice, in production, I have not tried.

Delete Subfolders and Files (DeleteSubdirectoriesAndFiles). An interesting permission that applies only to folders. Its essence is to let the user delete subfolders and files in the parent folder without granting the Delete permission.

Suppose there is a product catalog into which users enter data. There is a parent folder Catalog, inside it subfolders by letter from A to Z, and inside those some product names. The names change every day: something is added, something changes, something becomes obsolete and the outdated information has to be deleted. But it would be very bad if someone, by accident or with malicious intent, wiped out the whole letter K, which is quite possible if users have the Delete right. If you take the Delete right away, the administrator can safely change jobs, because he will spend all day handling requests to delete a product name.

This is where Delete Subfolders and Files comes in. On every letter of the alphabet, inheritance is disabled and the users are granted Delete Subfolders and Files. As a result, in the Catalog folder users cannot delete any letter, but inside the letters they can delete anything.

Delete. Everything is simple here: Delete deletes. It does not work without the Read right.

Read Permissions (ReadPermissions) gives the user the right to view the permissions on a folder or file. Without it the user does not see the permissions on the Security tab.

Change Permissions (ChangePermissions) - lets the user change permissions; in essence it makes the user the administrator of the folder. It can be used, for example, to delegate technical-support powers. Without Read Permissions it makes no sense. Changing permissions does not imply changing the owner of the folder.

Take Ownership (TakeOwnership) - first, who is the owner. The owner is the user who created the file or folder.

The owner's peculiarity is that he has full access to the folder he created and can hand out permissions on it, but more importantly, nobody can deprive the owner of the right to change permissions on his folder or file. If Vasya created a folder and gave Petya full access to it, and Petya then went and removed access to the folder for everyone, and Vasya in particular, Vasya can restore the status quo without much difficulty, since he is the owner of the folder. Petya will not be able to change the folder's owner even if he has the Take Ownership permission. Moreover, even Vasya cannot change the owner, despite having created the folder. The right to change the owner belongs only to the Administrators group or domain administrators.

But if Petya created a file inside Vasya's folder and did not give Vasya access to it, Vasya can only wonder and guess what secret is inside that file. Vasya will not be able to change the access rights on the file, because its owner is Petya. Nor will Vasya be able to change the owner of the file: changing the owner of subcontainers and objects is also a privilege of the Administrators group, to which Vasya does not belong. Vasya's only option is to look at Petya's file sitting inside his folder.

Manage

In CMD, permissions are managed with the well-known icacls. In PowerShell, NTFS permission management looks like this:

Get the object on which we will set permissions:
$acl = Get-Acl C:\TestPerms
Build a rule using the System.Security.AccessControl.FileSystemAccessRule class. We can set the following parameters:

  • group / user name: for whom the ACE is made
  • permission: the ACE (takes the values listed in this post)
  • applies to: in the GUI this is the drop-down list in the advanced security settings. In fact only 3 values are accepted: None (this folder only), ContainerInherit (applies to all subfolders), ObjectInherit (applies to all files). The values can be combined.
  • apply these permissions only to objects and/or containers within this container (a checkbox in the GUI): also 3 values: None (checkbox cleared), InheritOnly (the ACE applies only to the selected object type), NoPropagateInherit (apply the permissions only inside this container).
  • rule: Allow or Deny
The default rule will look like this:
$permission = "contoso.com\admin", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
Make a new ACE with the above permissions:
$ace = New-Object Security.AccessControl.FileSystemAccessRule $permission
And apply the freshly created ACE to the object:
$acl.SetAccessRule($ace)
$acl | Set-Acl C:\TestPerms
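The steps above wrapped in a helper (an added example, not the article's own code; Set-NtfsAce and Get-NtfsAce are hypothetical function names), then applied to two scenarios from the text: the append-only log from the Check section, and the Catalog folder where users may delete product names inside each letter but never a letter itself. Account names and paths are assumptions; run it elevated.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
function Set-NtfsAce {
    # Replace this identity's explicit ACEs on $Path with one new ACE.
    # Inheritance/Propagation map to the "Applies to" settings described above.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # 'DOMAIN\user' or 'DOMAIN\group'
        [Parameter(Mandatory)] [Security.AccessControl.FileSystemRights] $Rights,
        [Security.AccessControl.InheritanceFlags] $Inheritance = 'None',  # ContainerInherit, ObjectInherit
        [Security.AccessControl.PropagationFlags] $Propagation = 'None',  # InheritOnly, NoPropagateInherit
        [Security.AccessControl.AccessControlType] $Type = 'Allow',
        [switch] $DisableInheritance   # stop inheriting from the parent folder
    )
    if ($DisableInheritance) {
        # SetAccessRuleProtection($true, $true): stop inheriting but keep copies of the
        # inherited ACEs as explicit ones, so Administrators and SYSTEM keep access.
        # Written first, because PurgeAccessRules ignores ACEs still marked inherited.
        $acl = Get-Acl -Path $Path
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
    }
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([Security.Principal.NTAccount]$Identity)   # explicit ACEs only
    $ace = New-Object -TypeName Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $Type
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-NtfsAce {
    # Show what an identity actually holds on a path (explicit and inherited).
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags, PropagationFlags
}

# --- Scenario 1: append-only log (hypothetical account and path) ---------------
$LogUser = 'CONTOSO\ivanov'
$LogDir  = 'C:\TestPerms'
$LogFile = Join-Path $LogDir 'user.log'
New-Item -Path $LogDir  -ItemType Directory -Force | Out-Null
New-Item -Path $LogFile -ItemType File      -Force | Out-Null

# Folder: list the file names and append; this folder only, nothing flows to the file.
Set-NtfsAce -Path $LogDir -Identity $LogUser -Rights 'ReadData, AppendData'
# File: append only, with inheritance cut so no Read Data can arrive from above.
# If a group the user belongs to (e.g. BUILTIN\Users) still holds Read on the file
# after the conversion, purge that identity the same way or the user can read the log.
Set-NtfsAce -Path $LogFile -Identity $LogUser -Rights 'AppendData' -DisableInheritance

# --- Scenario 2: Catalog\A..Z, delete names inside a letter, never a letter -----
$Editors = 'CONTOSO\CatalogEditors'
$Catalog = 'D:\Catalog'
New-Item -Path $Catalog -ItemType Directory -Force | Out-Null
# Root: editors may only browse. No Delete Subfolders and Files here and no Delete
# on the letters below, so no letter can be removed.
Set-NtfsAce -Path $Catalog -Identity $Editors -Rights 'ReadAndExecute'
foreach ($code in 65..90) {                       # 'A'..'Z'
    $letterDir = Join-Path $Catalog ([char]$code)
    New-Item -Path $letterDir -ItemType Directory -Force | Out-Null
    # Delete Subfolders and Files on the letter lets editors remove anything below it,
    # even though the ACE those items inherit carries no Delete right of its own.
    Set-NtfsAce -Path $letterDir -Identity $Editors -DisableInheritance `
        -Rights 'ReadAndExecute, Write, DeleteSubdirectoriesAndFiles' `
        -Inheritance 'ContainerInherit, ObjectInherit'
}

# Check the result the way the GUI's Advanced view would show it.
Get-NtfsAce -Path $LogFile -Identity $LogUser | Format-Table -AutoSize
Get-NtfsAce -Path (Join-Path $Catalog 'K') -Identity $Editors | Format-Table -AutoSize
```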

Apply in practice

Armed with knowledge of SMB and NTFS permissions and combining them, you can build access rules of absolutely any complexity. A few examples:

Folder for everyone (Public)
  • SMB permissions: Users - Read/Write
  • NTFS permissions: Users - Modify

Black box. Users drop confidential reports, suggestions and complaints into it; management reads them.
  • SMB permissions: Users - Read/Write; Management - Read/Write
  • NTFS permissions: Users - Write, applied to this folder only. A file placed in this folder is assumed to be a one-way ticket: without the right to view the folder's contents there is no convenient way to edit a file saved there (nor, by the way, is there a convenient way for users to write to such a folder), and viewing would violate confidentiality. Management - Modify.

Applications
  • SMB permissions: Users - Read
  • NTFS permissions: Users - Read, Read and Execute, List Folder Contents.
Naturally, some applications may need additional rights to work. But in general, for example for a store of diagnostic system utilities (the same Sysinternals Suite), this is quite enough.

User profiles
  • SMB permissions: each user - Read/Write on his own folder
  • NTFS permissions: each user - Modify on his own folder

Permissions in Windows are a contradictory thing. On the one hand, the basic permissions are quite simple and cover 90% of cases. On the other, once finer tuning is required (different groups of users, one folder, security requirements for shared folders), dealing with advanced permissions, inheritance and owners becomes quite difficult.

I hope I have not confused anyone even more.

In the previous lecture we talked about network security and about such a thing as permissions, but it is worth returning to them now, since permissions are only available on hard disks formatted with NTFS. In this section we talk about the NTFS capabilities for protecting your files from prying eyes. Unlike FAT, access to shared resources is not simply switched on and off. NTFS provides a level of granularity that lets through only those you want to grant access to and filters out everyone else.

Individual user permissions

Before discussing user and group permissions, as well as the files themselves, it is important to consider the basics of permissions. First we show what inheritance is, and then consider a Windows XP Professional tool that should help you but can become a stumbling block if you do not understand its functions.

Inheritance

A network may have a couple of users or thousands. Setting custom permissions on NTFS volumes and folders can be relatively simple in an organization of six people. As already noted in Lecture 9, as the organization grows, dividing users into specific groups makes permission management much easier.

First, you create a set of permissions for a specific group, for example engineers. Then, when a new engineer joins the organization, he is simply added to that group and inherits the group's permissions.

Note. Inheritance also applies to other objects on an NTFS volume. For example, if you set permissions on a specific folder and then create a subfolder in it, inheritance frees you from creating a new set of permissions for that subfolder, since it inherits the permissions of the parent folder.

If you decide that the engineers group needs a certain permission granted or revoked, it is easy to do. After the change (which we discuss later in this lecture) the new permission applies to every member of the group.

On the other hand, a particular engineer may need a permission the rest do not. You can go into the engineers group, make the necessary change for that user, and he will receive a new permission that he does not get through group membership. In this case the permission will not propagate to other members of the group.

A new feature in Windows XP Professional is Simple File Sharing. It is enabled on a fresh installation of Windows XP Professional or when a volume or folder is shared. To get at the more detailed access-control tools, Simple File Sharing must be disabled.

You may ask why Simple File Sharing is needed at all if it has to be disabled. Only to make sharing files and folders easier. With Simple File Sharing there are no multiple configurations for user access to files, printers and so on; it provides an easy way to share files. However, if you want to control who gets access to files, Simple File Sharing must be disabled. To do so, follow these steps.

  1. Select Start \ My Computer, then click Tools and select Folder Options.
  2. In the Folder Options dialog box, click the View tab.
  3. Scroll through the list in the Advanced settings window and clear the Use simple file sharing check box.
  4. Click OK.

Note. By itself, disabling Simple File Sharing will not let you set permissions on files. You must also place all your files and folders on an NTFS volume or partition.

Permissions for folders and volumes

Permissions control what a user or group can do with an object on the network or on the local computer. They are supported only when Simple File Sharing is disabled and on NTFS-formatted hard disks. Table 10.2 lists the permissions assigned to folders, and Table 10.3 those for files.

Table 10.2. Folder permissions
Permission - Allows or denies this action
Change Permissions - Changing the folder's permissions.
Create Files - Creating new files in this folder.
Create Folders - Creating subfolders in this folder.
Delete - Deleting the folder.
Delete Subfolders and Files - Deleting files and subfolders, even without the Delete permission on them.
List Folder - Viewing the contents of the folder.
Read Attributes - Viewing the folder's attributes.
Read Permissions - Viewing the folder's permissions.
Take Ownership - Taking ownership of the folder from another user.
Traverse Folder - Opening the folder to reach subfolders and parent folders.
Write Attributes - Changing the folder's properties.

Table 10.3. File permissions
Permission - Allows or denies this action
Append Data - Adding information to the end of the file without changing the existing information.
Change Permissions - Changing the file's permissions.
Delete - Deleting the file.
Execute File - Running the program contained in the file.
Read Attributes - Viewing the file's attributes.
Read Data - Viewing the contents of the file.
Read Permissions - Viewing the file's permissions.
Take Ownership - Taking ownership of the file from another owner.
Write Attributes - Changing the file's attributes.
Write Data - Changing the file's contents.
Creating and Managing Permissions

When creating permissions for individual files, folders and NTFS volumes, you have far more security options than the FAT file system offers. The Properties window of the selected folder or volume includes a Security tab; clicking it shows a number of access-control options.

To adjust the permissions of a folder or volume, follow these steps.

  1. Locate the volume or folder for which you are going to set permissions.
  2. Right-click it and select Properties.
  3. Select the Security tab.

Note. If the NTFS volume is shared, you must set permissions through the Security tab and not with the Permissions button on the Sharing tab.

In the Properties window that appears you will see two panes. The top pane contains a list of users and groups (Fig. 10.7). The bottom one lists the permissions for the selected user that can be set and adjusted. Again, this tab is available only for NTFS volumes.

Fig. 10.7. The Security tab of the Properties dialog box

By clicking a specific user or group you can set permissions for them in the bottom pane. The following permissions are available.

  • Full Control. Allows the user or group to read, create, modify and delete files.
  • Modify. Allows users to delete files and folders, make changes to permissions or take ownership of a file or folder from another user.
  • Read & Execute. Allows users to read and run files without making changes to the contents of the shared volume or folder.
  • List Folder Contents. Allows users to view the contents of folders.
  • Read. Allows users to view the contents of the volume or folder. They can also open files but cannot save changes.
  • Write. Allows users to write to folders or volumes but not to open files or view the list of files.
  • Special Permissions. By clicking the Advanced button you can apply special permissions.
Restricting the number of users

Depending on the size and structure of the organization, you may not want to allow everyone simultaneous access to a single resource. To set a limit on the number of users who can access a folder at the same time, open the Permissions dialog box and select the Sharing tab (Fig. 10.8).

In the User limit section, choose one of the following options.

  • Maximum allowed: allow access to the maximum number of network users.
  • Allow this number of users: allow access only to the specified number of users.

More details about permissions can be found in ch. nine.

A detailed and fairly complex permission system controls user access to folders and files. The access control mechanism for Windows objects is one of the most granular among well-known operating systems. Files and folders have at least 14 NTFS permissions that can be allowed, denied and audited. These permissions can be assigned to files or folders and to users or groups. In addition, the inheritance of permissions by files or folders and by users or groups can be configured. It is easy to get lost in this maze. This article discusses how permissions for folders and files work and the most effective ways to apply them.

Basics of access to objects

The user never comes into direct contact with any Windows object. All access to objects goes through programs (for example, Windows Explorer or Microsoft Office) or processes. A program that accesses resources on behalf of the user performs a procedure called impersonation. A program that accesses a remote resource performs a procedure called delegation.

After the user logs on, the user's security identifier (SID) and the SIDs of the user's groups are processed by the LSASS.EXE process, which generates a secure access token. Other information is placed in the access token as well, including the rights (privileges) assigned to the user, the logon session ID (unique for each session) and a permissions mask describing the type of access requested. The rights assigned to the user can be listed from the command line.

When a program accesses a protected resource on behalf of the user, the Security Reference Monitor requests the user's access token. The monitor then analyzes the token to determine the user's effective permissions and allows or denies the operation the user requested. Effective permissions are described in more detail below.

Share permissions

Every protected Windows object, including files, folders, shared resources, printers and registry keys, supports security permissions. Any Windows folder can be shared to allow remote access. Share permissions can be assigned to any Folder and Printer object in Windows, but they apply only when the object is accessed through the network share. Folder Share permissions are Full Control, Change and Read.

Security principals granted Full Control on an object can perform almost any operation on it. They can delete, rename, copy, move and change the object. A user with Full Control can change the Share permissions of the object and take ownership of it (even when not already the owner and without the Take Ownership permission). Thus any user with Full Control can revoke the permissions of other users, including the administrator (although the administrator can always take back ownership and permissions). The ability to change permissions is a mandatory requirement of any operating system with discretionary access control (DAC), such as Windows.

In most cases, the basic access permission ordinary users need is Change. With Change, a user can add, delete, modify and rename any resource in the corresponding folder. The Read permission allows viewing, copying, renaming and printing an object. A user with Read can copy the object to another location where that user has Full Control.
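The share side of this, as an added example rather than the article's own code: it creates a share with a User Limit (the "Allow this number of users" option above) and the three share permission levels, then lists and adjusts them. It assumes a Windows Server with the SmbShare module, an elevated session, and that the path and the principals Manager, FolderOwner and Admin (placeholders taken from the article's own command line) exist.

```powershell
# Added example, not from the article. Placeholders: the path and the three
# account names must exist on the server, otherwise New-SmbShare fails.
$path = 'S:\IvanIvanov'
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

# User Limit: "Allow this number of users" = -ConcurrentUserLimit N.
# "Maximum allowed" = omit the parameter (0 means no limit).
$share = New-SmbShare -Name 'HomeFolder' -Path $path `
    -ConcurrentUserLimit 10 `
    -FolderEnumerationMode AccessBased `
    -ReadAccess   'Manager' `
    -ChangeAccess 'FolderOwner' `
    -FullAccess   'Admin' `
    -Description  'Ivanov'

$share | Select-Object Name, Path, ConcurrentUserLimit, FolderEnumerationMode

# Share permissions have only three levels: Read, Change and Full.
Get-SmbShareAccess -Name 'HomeFolder' |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# Adjust later without recreating the share: raise Manager to Change,
# and go back to "Maximum allowed" for the user limit.
Grant-SmbShareAccess -Name 'HomeFolder' -AccountName 'Manager' -AccessRight Change -Force
Set-SmbShare -Name 'HomeFolder' -ConcurrentUserLimit 0 -Force
```

Remember that these entries are only the share half of the picture: whoever gets Full here can rewrite the share permissions themselves, and the NTFS permissions on the folder still apply on top of them.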

NTFS permissions

If Windows uses the NTFS file system (rather than FAT), then all files, folders, registry keys and many other objects have NTFS permissions. NTFS permissions apply to both local and remote access to the object. To view and change the NTFS permissions of a file or folder, right-click the object, select Properties and go to the Security tab.

Table 1 shows the 7 summary NTFS permissions. The summary permissions are combinations of the 14 more detailed permissions shown in Table 2. To view the detailed permissions, open the Advanced Security Settings dialog box for the object by clicking the Advanced button on the Security tab, then click Edit on the Permissions tab. Getting acquainted with the detailed permissions of an object (especially one requiring increased security) is a useful habit, although it takes more effort. Summary permissions do not always accurately reflect the detailed ones. For example, I have seen the summary permission Read displayed when in reality the user had Read & Execute.

Like the Full Control Share permission, the Full Control NTFS permission gives its holders great power. Users who are not administrators often have Full Control in their home directories and on other files and folders. As already noted, the holder of rights at this level can change the permissions of the file and make themselves the owner. Instead of giving users Full Control, you can give them only Modify. If the user is the owner of the file, then, if necessary, you can manually forbid them from changing permissions.

Technically, NTFS permissions are known as discretionary access control lists (DACLs). Audit settings are known as system ACLs (SACLs). Most protected NTFS objects have both kinds.

Influence of Windows trust

By default, all domains in a Windows 2000 or later forest have two-way trust relationships with every other domain in the forest. If a domain trusts another domain, then all users in the trusted domain have the same permissions in the trusting domain as the Everyone group and the Authenticated Users group of the trusting domain. Many permissions in any domain are granted to these groups by default, so the trust implicitly gives broad rights that would not otherwise be granted. Remember that unless trusts are selective, any permission granted to the Everyone and Authenticated Users groups is also granted to every other user in the forest.

Check permissions from the command line

Administrators often use command-line tools such as subinacl.exe, xcacls.exe and cacls.exe to check NTFS permissions. SubInACL is included in the Windows Server 2003 Resource Kit Tools. With SubInACL you can view and change NTFS permissions for files, folders, objects, registry entries and services. Its most important capability is to copy the permissions of a user, group or object and apply them to another user, group or object in the same or another domain. For example, when a user is moved from one domain to another, Windows creates a new user account; all the SIDs and permissions associated with the original user are lost. Copying the permissions to the new account with SubInACL makes them identical. Xcacls works similarly to SubInACL and is part of the Windows 2000 Server Resource Kit.

CACLS is described in the Microsoft article "Undocumented CACLS: Group Permissions Capabilities". It is an older tool that has shipped with Windows since Windows NT. CACLS is not as useful as SubInACL or Xcacls, but it is always available on a Windows system. With CACLS you can view and change file permissions for users and groups, but you cannot create detailed NTFS permissions. CACLS is limited to the No Access, Read, Change and Full Control permissions, which correspond to NTFS permissions but not to Share permissions. Note that the Read permission in CACLS corresponds to the Read & Execute NTFS permission.

Inheritance

By default, all files, folders and registry keys inherit permissions from their parent container. Inheritance can be enabled or disabled for individual files, folders or registry keys and for individual users or groups. As Screen 1 shows, the Apply To column on the Permissions tab of the Advanced Security Settings dialog box indicates whether a particular permission is limited to the current container or extends to subfolders and files. The administrator can assign a permission (for individual users) that is inherited or not. In this example, the Everyone group has Read & Execute on the current folder, and this permission is not inherited.

If a file or folder inherits most of its permissions but also has a set of explicitly assigned permissions, the explicit ones always take priority over the inherited ones. For example, you can give a user Full Control-Deny on the root directory of a volume and have all files and folders on the disk inherit it. You can then assign any file or folder on the disk an access permission that overrides the inherited Full Control-Deny.
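The inherited-Deny-versus-explicit-Allow case just described, as an added example that is not part of the article: it builds a small folder tree under the temp directory, puts an inheritable Full Control-Deny on the root, adds an explicit Read & Execute Allow on a subfolder, and shows how the two entries look in Get-Acl. It is assumed to run as a local administrator, and the Deny is placed on the built-in Guests group (the restricted-guest pattern the article recommends later) so that the script cannot lock out the account running it; the folder names are constructed.

```powershell
# Added example, not from the article. Requires PowerShell 5 or later for ::new().
$principal = 'BUILTIN\Guests'
$root = Join-Path $env:TEMP 'InheritDemo'      # constructed demo tree
$sub  = Join-Path $root 'GuestReadable'
New-Item -ItemType Directory -Path $sub -Force | Out-Null

function Show-Ace([string]$Path) {
    # IsInherited separates the two kinds of entry; InheritanceFlags and
    # PropagationFlags are the "Apply to" column of Advanced Security Settings.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $principal } |
        Select-Object @{ n = 'Path'; e = { $Path } }, AccessControlType, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags
}

# 1. Full Control-Deny on the root, applied to "this folder, subfolders and files".
$acl  = Get-Acl -Path $root
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $root -AclObject $acl

# 2. Explicit Allow on the subfolder. The evaluation order is explicit Deny,
#    explicit Allow, inherited Deny, inherited Allow, so this entry wins over
#    the Deny inherited from the root.
$acl   = Get-Acl -Path $sub
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allow)
Set-Acl -Path $sub -AclObject $acl

Show-Ace $root   # one Deny entry, IsInherited = False
Show-Ace $sub    # explicit Allow plus the inherited Deny

# 3. Caveat: disabling inheritance with "convert inherited entries to explicit"
#    turns the inherited Deny into an explicit one, which then outranks the Allow.
$acl = Get-Acl -Path $sub
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sub -AclObject $acl
Show-Ace $sub    # both entries now IsInherited = False, and the Deny prevails again
```

Step 3 is the part worth remembering when cleaning up ACLs: the "explicit beats inherited" rule means that converting inherited entries to explicit ones can silently change who wins.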

Effective permissions

The Windows Security Reference Monitor determines the user's effective permissions (the permissions they actually have in practice) from several factors. As noted above, the monitor first collects information about the user's individual account and all the groups the user belongs to, and sums all the permissions assigned to all of the user's and groups' SIDs. If Deny and Allow permissions exist at the same level, Deny generally takes priority. If Full Control-Deny prevails, the user normally has no access to the object.

By default, when both NTFS and Share permissions apply (the user connects to the resource over the network), the monitor must collect both the Share and the NTFS permissions. The effective permissions are then the set of permissions granted by both the Share permissions and the NTFS permissions.

For example, a user may end up with the Share permissions Read and Change and the NTFS permissions Read and Modify. The effective permissions are the most restrictive set. In this case the permissions are almost identical: the effective permissions are Read and Change/Modify. Many administrators mistakenly believe that the effective permissions would be Read only, because of poor, oversimplified examples or outdated documentation.

In Windows XP and later, the Advanced Security Settings dialog box has an Effective Permissions tab (see Screen 2). Unfortunately, that tab reflects only NTFS permissions. It does not account for Share permissions, for restrictions that depend on group memberships it cannot evaluate, or for other factors such as the Encrypting File System (EFS). If EFS is enabled for a file or folder, a user with the appropriate NTFS and Share permissions can still lose access to the object if they do not have EFS access to the folder or file.
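The effective-permission calculation the last three paragraphs describe, written out as an added example (not the article's code and not the algorithm of the Effective Permissions tab): Allow entries for the user and all of the user's groups are summed, Deny entries are subtracted, and for network access the result is intersected with the share level. It assumes the caller constructs the identity list (the user plus groups, including the implicit Everyone and Authenticated Users memberships mentioned above); the mapping of Read/Change/Full to NTFS masks is the documented meaning of those share levels, and the demo folder and its entries are constructed.

```powershell
# Added example, not from the article. Requires PowerShell 5 or later for ::new().
$FSR = [System.Security.AccessControl.FileSystemRights]

# Share permission levels expressed as NTFS right masks.
$ShareRights = @{
    Read   = [int]$FSR::ReadAndExecute   # list, read, execute
    Change = [int]$FSR::Modify           # Read plus create, write, delete
    Full   = [int]$FSR::FullControl      # everything, incl. permissions and owner
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Identities,   # user plus all groups
        [string]$ShareAccess = ''                      # '', 'Read', 'Change' or 'Full'
    )
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Only entries whose trustee is the user or one of the user's groups count.
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                    { $deny  = $deny  -bor $mask }
    }
    # A right that is both allowed and denied is denied.
    $ntfs = $allow -band (-bnot $deny)

    # Over the network the more restrictive of Share and NTFS applies.
    $effective  = if ($ShareAccess) { $ntfs -band $ShareRights[$ShareAccess] } else { $ntfs }
    $shareLabel = if ($ShareAccess) { $ShareAccess } else { 'local' }

    [pscustomobject]@{
        Path      = $Path
        NtfsAllow = [System.Security.AccessControl.FileSystemRights]$allow
        NtfsDeny  = [System.Security.AccessControl.FileSystemRights]$deny
        Share     = $shareLabel
        Effective = [System.Security.AccessControl.FileSystemRights]$effective
    }
}

# Constructed demo: a temp folder where the current user is allowed Modify but
# denied Delete; through a Read-level share only Read & Execute survives.
$demo = Join-Path $env:TEMP 'EffectiveDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me  = "$env:USERDOMAIN\$env:USERNAME"
$acl = Get-Acl -Path $demo
$acl.SetAccessRuleProtection($true, $false)     # drop inherited entries for a clean demo
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($me, 'Modify', 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($me, 'Delete', 'Deny'))
Set-Acl -Path $demo -AclObject $acl

$membership = @($me, 'Everyone', 'NT AUTHORITY\Authenticated Users')   # constructed group list
Get-EffectiveAccess -Path $demo -Identities $membership                   # local: Write, ReadAndExecute
Get-EffectiveAccess -Path $demo -Identities $membership -ShareAccess Read # network: ReadAndExecute
```

The function deliberately takes the group list as input: as the text notes, the Effective Permissions tab cannot evaluate memberships it does not know about, and neither can this script. Feeding it the output of a real group enumeration is what makes the result meaningful.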

  • Grant Full Control to regular users carefully. It is better to assign Modify instead. In most cases this gives users all the permissions they need without allowing them to change permissions or take ownership.
  • Work carefully with the Everyone group; it is better to use the Authenticated Users (or Users) group, or a special restricted group. Importantly, the Authenticated Users group excludes the Guest account and unauthenticated users.
  • Network administrators are often asked to create guest accounts for outside users (for example, consultants, contractors, freelance programmers), but regular user rights are usually excessive for a guest. Create and use a group whose rights are heavily trimmed (for example, Full Control-Deny on the root directories), then explicitly allow access to the files and folders the guest account needs. Explicitly assigned permissions are preferable, since they give guest users the permissions they need for their work and no more.
  • Take care when imposing denials on the Everyone and Users groups, since administrators are members of these groups too.
  • For trust relationships with other domains, it is useful to use one-way and selective trusts to limit the rights of users from the trusted domain.
  • Audit NTFS and Share permissions periodically to make sure they are as restrictive as possible.
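A periodic audit along the lines of these recommendations, as an added example that is not part of the article: one function walks a folder tree and reports Allow entries that give write access to the broad groups, Full Control to anyone other than the administrative principals, and folders where inheritance has been switched off; a second function downgrades a principal's explicit Full Control to Modify. It assumes an administrative session on the file server; the root path and the account name in the usage lines are placeholders.

```powershell
# Added example, not from the article. Requires PowerShell 5 or later for ::new().
$FSR = [System.Security.AccessControl.FileSystemRights]
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$AdminLike   = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER)$'

function Find-RiskyAcl {
    param([Parameter(Mandatory)][string]$Root)
    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        # One finding per folder: inheritance from the parent is disabled, so the
        # explicit entries here need to be reviewed on their own.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $folder.FullName; Identity = '-'; Rights = '-'
                               Inherited = $false; Finding = 'inheritance disabled' }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id   = $ace.IdentityReference.Value
            $mask = [int]$ace.FileSystemRights
            $hasWrite = ($mask -band [int]$FSR::Write) -ne 0
            $isFull   = ($mask -band [int]$FSR::FullControl) -eq [int]$FSR::FullControl
            $findings = @()
            if ($hasWrite -and $BroadGroups -contains $id) { $findings += 'broad group can write' }
            if ($isFull -and $id -notmatch $AdminLike)     { $findings += 'Full Control for non-admin' }
            if ($findings) {
                [pscustomobject]@{ Path = $folder.FullName; Identity = $id; Rights = $ace.FileSystemRights
                                   Inherited = $ace.IsInherited; Finding = ($findings -join '; ') }
            }
        }
    }
}

function Set-ModifyInsteadOfFullControl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl = Get-Acl -Path $Path
    # Only explicit entries can be edited here; inherited ones must be changed on the parent.
    $full = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band [int]$FSR::FullControl) -eq [int]$FSR::FullControl })
    foreach ($ace in $full) {
        $acl.RemoveAccessRuleSpecific($ace)
        # Keep the original "Apply to" scope, only the rights change.
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, 'Modify', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow'))
    }
    if ($full.Count) { Set-Acl -Path $Path -AclObject $acl }
    return $full.Count   # number of entries downgraded
}

Find-RiskyAcl -Root 'D:\Shares' | Format-Table -AutoSize                       # placeholder root
Set-ModifyInsteadOfFullControl -Path 'D:\Shares\Projects' -Identity 'CONTOSO\jdoe'  # placeholders
```

CREATOR OWNER is whitelisted because its inheritable Full Control entry is a standard default; if the audit is meant to enforce the "Modify, not Full Control" rule for home directories as well, drop it from the pattern.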

Using these recommendations and the reference tables summarizing all the permissions, you can safely navigate the file system labyrinth. The administrator will be able to assign permissions for files, folders, users and groups with confidence.

Table 1. NTFS summary permissions

  • Read. Allows viewing, copying, printing and renaming files, folders and objects. Does not run executable programs, except script files. Allows reading the permissions, attributes and extended attributes (for example, Archive, EFS bit) of objects. Allows listing the files and subfolders of a folder.
  • Write. The Read permissions, plus creating and overwriting files and folders.
  • List (folders only). Allows viewing the names of files and subfolders inside the folder.
  • Read & Execute. The Read permissions, plus running program files.
  • Modify. Grants all permissions except the ability to take ownership and assign permissions. Allows reading, deleting, changing and overwriting files and folders.
  • Full Control. Grants full control of folders and files, including the ability to assign permissions.
  • Special Permissions. Allows composing a combination of the 14 more detailed permissions that does not match any of the other 6 summary permissions. This group includes the Synchronize permission.

Table 2. Detailed NTFS permissions

  • Traverse Folder / Execute File. Traverse Folder allows moving through folders to reach other files and folders, even if the security principal has no permissions on the folder being traversed. Applies only to folders. Traverse Folder takes effect only if the security principal does not hold the Bypass Traverse Checking user right (granted to the Everyone group by default). Execute File allows running program files. Assigning Traverse Folder on a folder does not automatically set Execute File on all files in the folder.
  • List Folder / Read Data. Allows viewing the names of files and subfolders in the folder. List Folder affects the contents of the folder; it does not affect whether the folder itself is listed in its parent. Read Data allows viewing, copying and printing files.
  • Read Attributes. The security principal can see the object's attributes (for example, Read-Only, System, Hidden).
  • Read Extended Attributes. The security principal can see the object's extended attributes (for example, EFS, Compression).
  • Create Files / Write Data. Create Files allows creating files inside the folder (applies only to folders). Write Data allows changing a file and overwriting its existing content (applies only to files).
  • Create Folders / Append Data. Create Folders allows creating folders inside the folder (applies only to folders). Append Data allows adding data to the end of a file but not changing, deleting or overwriting existing data (applies only to files).
  • Write Attributes. Determines whether the security principal can write or change the standard attributes (for example, Read-Only, System, Hidden) of files and folders. Does not affect the contents of files and folders, only their attributes.
  • Write Extended Attributes. Determines whether the security principal can write or change the extended attributes (for example, EFS, Compression) of files and folders. Does not affect the contents of files and folders, only their attributes.
  • Delete Subfolders and Files. Allows deleting subfolders and files even if the Delete permission is not granted on the subfolder or file.
  • Delete. Allows deleting a folder or file. Even without the Delete permission on a file or folder, it can be deleted if Delete Subfolders and Files is granted on the parent folder.
  • Read Permissions. Allows reading the permissions of a file or folder.
  • Change Permissions. Allows changing the permissions (for example, Full Control, Read, Write) of a file or folder. Does not allow changing the file itself.
  • Take Ownership. Determines who can become the owner of a file or folder. Owners can always have Full Control, and their permissions on the file or folder cannot be permanently revoked unless ownership is taken away.
  • Synchronize. Rarely used by administrators. It serves synchronization in multi-threaded, multi-process programs and governs how several threads accessing one resource interact.

NTFS permissions are used to protect resources from:

    local users working at the computer where the resource is located;

    remote users connected to the shared folder over the network.

NTFS permissions provide a high degree of selectivity: each file in a folder can have its own permissions. For example, one user may be allowed to read and change the contents of a file, another only to read it, and everyone else denied access altogether.

If a volume is formatted with NTFS, the Everyone group is automatically granted Full Control on that volume. Folders and files created on the volume inherit this permission by default.

Individual permissions

Windows NT has six types of individual NTFS permissions, each of which specifies a type of access to a file or folder.

The table describes the operations a user may perform on a folder or file when one of the individual NTFS permissions is applied to the object.

The user who creates a file or folder on an NTFS volume becomes its owner. If this user is a member of the Administrators group, the whole Administrators group becomes the actual owner. The owner always has the right to assign and change the access permissions of their file or folder.

Standard permissions

In most cases you will use the standard NTFS permissions. They are combinations of individual permissions. Assigning several individual permissions to a file or folder at once greatly simplifies administration.

After the name of a standard permission, the abbreviations of its component individual permissions are given in brackets. For example, the standard Read permission for a file is equivalent to two individual permissions, Read (R) and Execute (X), so the brackets contain the letters RX.

Standard permissions for folders

The table lists the standard permissions for folders and the corresponding individual NTFS permissions.

The No Access permission forbids any access to a file or folder, even if the user is a member of a group that has been granted access. A dash in the "Individual permissions for files" column means that the standard permission is not applicable to files.

Standard permissions for files

The table lists the standard permissions for files and the corresponding individual NTFS permissions.

The Full Control and Change permissions differ in that Change does not allow changing the permissions and owner of the object.

1. Applying NTFS permissions

NTFS permissions are assigned to user accounts and groups in the same way as access rights to shared resources. A user can receive a permission either directly or as a member of one or more groups that hold it.

Using NTFS permissions for folders is similar to using access rights to shared resources.

    As with access rights to shared resources, the actual NTFS permissions of a user are the combination of the user's own permissions and those of the groups the user belongs to. The only exception is the No Access permission: it cancels all other permissions.

    Unlike access rights to shared resources, NTFS permissions protect local resources. In particular, the files and folders contained in a folder may have different permissions than the folder itself.

NTFS permissions on a file take precedence over the permissions of the folder that contains it. For example, if a user has Read on a folder and Write on a file in it, the user can write data to the file but cannot create a new file in the folder.

This article continues an earlier article. As stated there, after selecting users and/or groups you must specify their access parameters. This is done with the NTFS file system permissions discussed in the following table.

File access permissions

  • Read. Reading the file is allowed, as well as viewing its parameters, such as the owner name, permissions and additional properties.
  • Write. Overwriting the file is allowed, as well as changing its parameters and viewing the owner name and permissions.
  • Read & Execute. Permission to read and the right to launch an executable application.
  • Modify. Changing and deleting the file is allowed, as well as everything granted by the Read & Execute and Write permissions.
  • Full Control. Full access to the file is allowed. This means that all the actions provided by all the permissions listed above are allowed. It is also allowed to take ownership of the file and change its permissions.

Folder access permissions

  • Read. Viewing nested folders and files is allowed, as well as their properties, such as the owner name, permissions and attributes such as read-only, hidden, archive and system.
  • Write. Creating and placing new files and subfolders inside the folder is allowed, as well as changing the folder parameters and viewing its properties, in particular the owner name and access permissions.
  • List Folder Contents. Viewing the names of the files and subfolders contained in the folder is allowed.
  • Read & Execute. Access to files in subfolders is allowed even without access to the folder itself. In addition, the same actions as for Read and List Folder Contents are allowed.
  • Modify. All actions provided by Read and Read & Execute, plus deleting the folder, are allowed.
  • Full Control. Full access to the folder is allowed. In other words, all the actions provided by all the permissions listed above are allowed. Additionally, taking ownership of the folder and changing its permissions are allowed.
  • Special Permissions. A set of additional permissions different from the standard ones.

The creator of a file is always considered its owner and has Full Control, even if the owner's account is not listed on the file's Security tab. In addition to the permissions above, two further permission types can be selected for the file.

  • Take Ownership. This permission allows the user to become the owner of the file. It is assigned to the Administrators group.
  • Change Permissions. The user can change the list of users and groups that have access to the file, as well as the types of access permissions granted.