98-367 Chapter Four

Chapter 4: Securing Access with Permissions

Topics Covered:

  • Comparing NTFS permissions
  • Exploring share permissions
  • Identifying Active Directory permissions
  • Assigning Registry Permissions

Permissions are the primary method of restricting access to resources in a Microsoft Domain.

Permissions can be assigned via:

  • NTFS drives/shares
  • Active Directory Objects
  • Registry

Many permission concepts are shared across these resources. Each permission can be set to Allow or Deny, and permissions
are inherited from parent to child. In NTFS a child is a file or subfolder; in Active Directory the children are objects and child OUs,
and in the registry they are subkeys.

Basic NTFS Permissions
  • Read: can read the contents of a file or list a folder, and view its attributes and permissions
  • Read & Execute: everything in Read, plus the user can start (execute) a program file and traverse folders
  • List folder contents: applies to folders only; grants permission to list items in the folder and its child folders
    (same rights as Read & Execute, but it is inherited only by folders, not by files)
  • Write: permission to create files in a folder, write to or overwrite a file, and change attributes. Cannot delete files with
    this permission alone
  • Modify: all Read & Execute and Write permissions, plus the ability to delete files and folders
  • Full control: all permissions, including the advanced permissions Change Permissions and Take Ownership
Advanced NTFS Permissions
  • Full Control: includes all 13 advanced permissions below. Among the basic permissions only Full Control grants Change
    Permissions and Take Ownership; otherwise they have to be granted individually in the advanced view
  • Traverse Folder/Execute File: for folders, pass through a folder to reach a child even without permission on the parent
    (this only matters when the "Bypass traverse checking" user right, granted to Everyone by default, has been removed). For files: run the file
  • List Folder/Read Data: for folders, read the file and folder names within the folder. For files: open and read the contents
  • Read Attributes: view basic attributes such as Read-Only and Hidden
  • Read Extended Attributes: view extended attributes set by some applications
  • Create Files/Write Data: for folders, create files in the folder but not delete them. For files: change the contents of the file
    (including overwriting existing data) but not delete the file itself
  • Create Folders/Append Data: for folders, create subfolders within the folder. For files: add data to the end of the file but not
    change or delete existing data
  • Write Attributes: change basic attributes of a file or folder
  • Write Extended Attributes: change extended attributes of a file or folder
  • Delete Subfolders and Files: delete subfolders and files within a folder, even without Delete permission on those children
  • Delete: delete the file or folder (a non-empty folder also needs Delete on its contents, or Delete Subfolders and Files on the folder)
  • Read Permissions: read the permissions (ACL) assigned to the file or folder
  • Change Permissions: modify the permissions (ACL) assigned to the file or folder
  • Take Ownership: become the owner; the owner can always change permissions and so grant access to anyone else
Combining Permissions

It is easier to assign permissions to groups and then add and remove users from those groups. Users can belong to many groups and
get the cumulative permissions of all the groups they are in. If a permission is set to Deny for one group and Allow for another,
Deny takes precedence, so the user is denied it.
Example: one group has Allow Read and the other has Deny Read; the user is denied Read.
The one exception: Deny wins only against an Allow at the same level. Windows evaluates explicit entries before inherited ones, so an
explicit Allow set directly on a file or folder overrides a Deny it inherits from the parent folder.

Enabling/Disabling Permission Inheritance

Dimmed (greyed out) permissions are inherited and cannot be modified until inheritance is disabled. Permissions assigned at the drive
(volume) root are inherited by all folders and files on the drive unless inheritance is broken lower down.

When disabling inheritance there are three options (newer Windows versions word them as "Convert inherited permissions into explicit
permissions" and "Remove all inherited permissions"):

  • Copy: copies all inherited permissions onto the object as explicit permissions, which can then be modified
  • Remove: all inherited permissions are removed (only inherited permissions are removed; directly assigned ones remain). Check that
    at least one Allow entry is left, otherwise an administrator has to take ownership to get back in
  • Cancel: cancels the request and makes no changes
Moving and Copying Files

If a file is moved (not copied) within the same partition (same drive letter), its explicitly assigned permissions remain.
In every other case the file inherits permissions from the new location and the original permissions are lost. This is the rule the
exam tests; on a given Windows version verify the result with icacls, since Explorer may also re-apply inheritance from the new parent.

Move from C:\Data to C:\Art -> keeps permissions
Copy from C:\Data to C:\Art -> original permissions lost, inherits from C:\Art
Move from C:\Data to D:\Sales -> original permissions lost, inherits from D:\Sales
Copy from C:\Data to D:\Audit -> original permissions lost, inherits from D:\Audit

NTFS vs FAT

FAT and FAT32 have no file permissions at all; only NTFS supports them. FAT32 also stores file sizes in a 32-bit field, so a single
file cannot be larger than 4 GB.

Share Permissions

A folder (not an individual file) is shared with others on the network. It can be reached through a mapped drive or a UNC
(Universal Naming Convention) path. UNC format: \\servername\sharename

Shares have only three permissions, and they apply only when the share is accessed over the network, not when the same files are
accessed locally on the server.

  • Read: read files and folders in the share, list folder contents and run programs
  • Change: can read, write, modify and delete files and folders (equivalent to NTFS Modify)
  • Full control: do anything, including changing permissions

The simple sharing wizard in some versions of Windows presents these as permission levels (such as Read, Read/Write and Owner)
rather than as the three permissions above.

Combining NTFS and Share Permissions

When accessing a share over the network both the share and the NTFS permissions are applied. Three steps to determine the combined permissions:

  • Determine the cumulative NTFS permissions
  • Determine the cumulative share permissions
  • Identify which of the two results is more restrictive

The more restrictive permissions are the ones that apply. Share permissions apply only over the network, so when the files are
accessed locally only the NTFS permissions are used. A common design is to grant the share Change or Full Control to Authenticated
Users and do all fine-grained control with NTFS permissions, so there is only one place to audit.
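The following Python model is added to these notes; it is not part of the original chapter and is not Windows code (it does not call the Windows security API). It works through the rules of the Combining Permissions, Enabling/Disabling Permission Inheritance and Combining NTFS and Share Permissions sections on constructed data: the group names, ACLs and review-question scenarios are made up for illustration. It expresses the basic permissions as the sets of advanced permissions they bundle, evaluates a DACL in the order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow, which goes beyond the chapter's simpler "Deny wins" statement), intersects the NTFS and share results, and shows the Copy/Remove choice when inheritance is turned off.

```python
"""Model of how Windows combines NTFS and share permissions.

Added example for these study notes. Not Windows code: group names,
paths and ACEs are constructed for illustration.
"""
from dataclasses import dataclass

# Basic NTFS permissions as the sets of advanced permissions they bundle.
READ = frozenset({"list_folder/read_data", "read_attributes",
                  "read_extended_attributes", "read_permissions"})
READ_EXECUTE = READ | {"traverse_folder/execute_file"}
WRITE = frozenset({"create_files/write_data", "create_folders/append_data",
                   "write_attributes", "write_extended_attributes"})
MODIFY = READ_EXECUTE | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"delete_subfolders_and_files",
                         "change_permissions", "take_ownership"}
BASIC = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
         ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)]

# Share permissions in the same vocabulary so the two ACLs can be
# intersected. Share "Change" is equivalent to NTFS Modify.
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


@dataclass(frozen=True)
class Ace:
    trustee: str                # user or group the entry applies to
    allow: bool                 # True = Allow, False = Deny
    rights: frozenset           # advanced permissions covered by the entry
    inherited: bool = False     # inherited from a parent (dimmed in the GUI)


def canonical_order(acl):
    """Windows evaluates explicit ACEs before inherited ones and, within
    each of those groups, Deny entries before Allow entries."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, principals):
    """Rights a user holds given the names (user + groups) they carry.
    The first ACE that mentions a right decides it; Allow ACEs accumulate,
    so group permissions are cumulative and a Deny at the same level wins."""
    granted, decided = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        undecided = ace.rights - decided
        decided |= undecided
        if ace.allow:
            granted |= undecided
    return frozenset(granted)


def basic_name(rights):
    """Map a rights set back to the basic permission it equals, if any."""
    for name, bundle in BASIC:
        if rights == bundle:
            return name
    return "None" if not rights else "Special"


def effective_access(ntfs_acl, share_acl, principals, via_network=True):
    """Combined result: over the network the more restrictive of the NTFS
    and share results applies (set intersection); locally only NTFS does."""
    ntfs = effective_rights(ntfs_acl, principals)
    if not via_network:
        return ntfs
    return ntfs & effective_rights(share_acl, principals)


def disable_inheritance(acl, copy=True):
    """The Copy/Remove choice when turning inheritance off: Copy converts
    inherited ACEs into explicit ones, Remove drops them and keeps only
    the directly assigned entries."""
    if copy:
        return [Ace(a.trustee, a.allow, a.rights, inherited=False) for a in acl]
    return [a for a in acl if not a.inherited]


# Constructed scenario from review question 2: Maria is in Finance and Budget.
FUNDING = [Ace("Finance", True, MODIFY), Ace("Budget", True, READ)]
MARIA = {"Maria", "Finance", "Budget", "Domain Users"}

# Constructed scenario for combining NTFS and share permissions: Finance
# has Full Control on disk, but the share only grants Read.
PROJECTS_NTFS = [Ace("IT", True, FULL_CONTROL), Ace("Finance", True, FULL_CONTROL)]
PROJECTS_SHARE = [Ace("Finance", True, SHARE["Read"])]

if __name__ == "__main__":
    finance = {"Finance"}
    print("Maria on Funding:", basic_name(effective_rights(FUNDING, MARIA)))
    print("Finance via share:", basic_name(effective_access(PROJECTS_NTFS, PROJECTS_SHARE, finance)))
    print("Finance locally:", basic_name(effective_access(PROJECTS_NTFS, PROJECTS_SHARE, finance, via_network=False)))
```

Running the module prints Maria's effective permission on Funding (Modify, the cumulative result) and Finance's access to the share over the network (Read & Execute, the rights behind share Read) versus locally (Full Control). An inherited Deny Write combined with an explicit Allow Modify evaluates to Modify, because the explicit entry is ordered first; the same Deny set explicitly on the object strips the Write rights instead.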

Active Directory Permissions

Active Directory has objects to represent resources: users, computers, groups, printers and so on. These objects are organized
using OUs (organizational units) and simple containers. You could have an OU for the Sales department and one for IT, and place the
computer and user objects in the appropriate OU. Permissions are then applied to the OU to control what users and groups can do
with the objects in it; this is how administration is delegated.

Comparing NTFS and Active Directory Permissions

Both have:

  • Cumulative permissions: a member of many groups has the total permissions of all those groups
  • Deny takes precedence over Allow at the same level
  • Permissions are inherited: permissions assigned to an OU or container are inherited by all objects in it, including child OUs
  • Inheritance can be disabled: similar process to disabling NTFS inheritance
Active Directory Permissions
  • Full Control: do anything with the object
  • Read: view the object and its properties
  • Write: modify the properties (attributes) of the object, for example renaming the account. Resetting a user's password is a
    separate extended right (Reset Password) and is usually delegated with the Delegation of Control wizard rather than by granting Write
  • Create all child objects: create objects such as new users, computers, groups and child OUs in the container
  • Delete all child objects: delete any objects in the container
  • Generate resultant set of policy (logging): determine which Group Policy settings apply to a specific user logged on to a specific computer
  • Generate resultant set of policy (planning): pose what-if questions and determine the resulting Group Policy settings

Active Directory has far more advanced permissions than the 13 of NTFS: a separate Read and Write permission for every attribute,
plus extended rights such as Reset Password.

Assigning Registry Permissions

The registry is the database of configuration settings used by Windows.

Hives/Keys:

  • HKEY_CURRENT_USER (HKCU): profile of the user logged on to the local system (environment variables, desktop settings etc.).
    It is a view of that user's subkey under HKEY_USERS
  • HKEY_USERS (HKU): profile data for all loaded user profiles on the system, one subkey per user SID
  • HKEY_LOCAL_MACHINE (HKLM): information about the local machine such as hardware, installed software, services and security settings
  • HKEY_CURRENT_CONFIG (HKCC): hardware profile information used when the system starts
  • HKEY_CLASSES_ROOT (HKCR): file associations and COM class registrations (a merged view of HKLM\Software\Classes and
    HKCU\Software\Classes)

Permissions are set per key (they cover the values under that key) by right-clicking the key in regedit.exe and choosing Permissions.
The same Allow/Deny, cumulative and inheritance rules as NTFS apply. Weak permissions on keys such as service or autorun entries let a
standard user change what runs with higher privileges, so check them when hardening a system.

Chapter Review Questions:

  1. True or false: If a user is granted the basic Read Permission for a folder, the user can read both basic and extended attributes
  2. Maria is a member of the Finance group and the Budget group. The Finance group is granted modify permissions for an NTFS
    folder called Funding. The Budget group is granted the Read permission for the same folder. What is Maria’s permission to the Funding Folder?
    a. Impossible to determine
    b. Read
    c. Modify
    d. Full control
  3. True or false: the difference between Modify and Write permissions is that users with Write permission can delete files, but users
    with Modify permission can't delete files.
  4. A user is assigned Allow Full Control to a file as a member of a group. The same user is assigned Deny Full Control as a member of
    another group. What permission does the user have?
    a. None. Deny takes precedence
    b. Allow Full Control
    c. Denied Full Control, but allowed read
    d. Denied Full Control, unless the user is an administrator, in which case allow full control
  5. If a user is granted Full control permissions for a folder, the user also has Full Control permissions to files in the folder because of __?
  6. Permissions assigned to the C:\Projects folder are Full Control for the IT group. Permissions assigned to the C:\Budget folder are Full Control
    for the Finance group. You copy the costs.xlsx document from C:\Projects to C:\Budget. What is the permission for this document?
    a. Unable to determine
    b. IT group full control
    c. Finance group full control
    d. Both groups full control
  7. Permissions assigned to the C:\Projects folder are Full Control for the IT group. Permissions assigned to the D:\Budget folder
    are full control for the Finance Group. You move the costs.xlsx document from C:\Projects to D:\Budget. What is the permission for this document?
    a. Unable to determine
    b. IT group full control
    c. Finance group full control
    d. Both groups full control
  8. The NTFS permissions assigned to the C:\Projects folder are Full Control for the IT group. The folder is shared and the Share permissions
    are Read for the Finance Group. What permissions do members of the finance group have when accessing the share?
    a. Unable to determine
    b. Read
    c. Full control
    d. Unrestricted Read
  9. True or false: You can assign permissions for a group giving them the ability to reset passwords for user accounts within a specific OU.
  10. True or false: Permission inheritance is enabled by default for all keys in the Registry

Answers:

  1. True. The basic Read permission includes List Folder/Read Data, Read Permissions, Read Attributes and Read Extended Attributes
  2. c. Permissions are cumulative, so the effective permission is Modify
  3. False. It is the other way round: Modify includes the ability to delete, Write does not
  4. a. Deny takes precedence over an Allow granted through another group
  5. inheritance
  6. c. A copy always inherits the permissions of the destination folder
  7. c. A move to a different volume inherits the permissions of the destination folder
  8. b. The more restrictive of the share (Read) and NTFS permissions applies over the network. Note that the question only states the
    NTFS permissions for the IT group; Finance members also need at least Read NTFS permission, otherwise they get no access at all
  9. True. This is delegated on the OU, for example with the Delegation of Control wizard (the Reset Password extended right)
  10. False

Relevant sections of Certification Exam

Understand Permissions: Comparing NTFS Permissions, Exploring Share Permissions, Identifying Active Directory Permissions, Assigning Registry Permissions