Computer networks are something we come across frequently in our day-to-day lives. Servers are usually locked behind closed doors or in lockers, and they store valuable company resources such as important folders and data in documents or spreadsheet applications. Because these servers are typically locked away, they are accessible only to those staff who have permission over the network. So a particular layer of security for protecting these valuable resources is physical security, which is provided by not permitting staff direct access to the hardware environment in which the resource is physically placed.
For other employees to use the resources stored on the servers, the server must be configured to permit staff to access the resources over the network. In Windows, this is achieved with shared folders. When a folder becomes a shared folder it becomes accessible throughout the network, so that all network users can see the name of the shared folder. To protect the resources that are made accessible through shared folders, “permissions” are configured for those resources. This task is done by the administrators. Usually two types of permissions are configured on shared folders: NTFS (New Technology File System) and share. Share permissions and NTFS permissions are independent in the sense that neither has any particular effect on the other. In the end, the access permissions on a shared folder are determined by taking both the share permission and the NTFS permission settings into account, and the more restrictive permissions apply. First we shall discuss share permissions, the issues that come up when share permissions are used, and recommended methods for successfully configuring permissions for shared folders.
Microsoft has traditionally given all new shared folders very open share permissions. The default share permission for Windows is that the 'Everyone' group has Full Control access. This might seem insecure, but when the NTFS permissions and share permissions are combined, the more secure of the two controls access to a particular resource.
In the early days, altering share permissions from Everyone having Full Control gave rise to more issues than it was worth. For instance, when a firm does not typically use share permissions, it can take a very long time to fix permissions on resources where they are used. Also, when share permissions on a folder are configured incorrectly, the share permissions are not the first thing to be checked. In 90% of cases, it can take hours before the share permissions are actually investigated. While troubleshooting continues, users may be added to the “admin” groups, given higher user rights, and added directly to the ACL of the resource. When the share permissions are finally discovered and fixed, it may be difficult to remember all of the related changes that were made while trying to fix the users' access to the resource. In the end, this leaves the resource and the surrounding network in an insecure state, just because share permissions were configured erroneously.
Due to these problems, Microsoft decided to change the rules for default share permissions. The new default permission in the Windows Server 2008 operating system for all new shared folders is Everyone having Read-only access. This appears to be a fully fledged security setting, until one analyses how many resources on the network can actually have “read-only” access for everyone. The number will be limited, because users have to modify and change the contents of most resources in order to be productive.
The table below denotes a general picture of the permissions that an administrator can provide to the Users group for each type of shared folders. Yet another way is to set share permissions to ‘Full Control’ for the “Everyone” group and to rely fully on NTFS permissions to restrict access.
In most cases share permissions will need to be more than Read access. This requires the network administrator to configure detailed share permissions, which can cause the issues discussed before with regard to troubleshooting resource access when the old share permissions were modified. With the default share permissions changed, there is a tendency for administrators not to configure NTFS permissions anymore, as they rely on the share permissions to protect the resource. This is a gross error and leaves the network and resources in a very vulnerable state. Share permissions apply when a resource is accessed over the network, but not when it is used locally, with Terminal Services, etc. Another point to notice is that share permissions are not backed up with the resource, so all backed-up files are exposed without protection, and no permissions are set.
NTFS File Permissions:
NTFS file permissions are mainly utilized for access control of a user, group, or application to folders and other data files. They are usually called NTFS permissions as a drive must be formatted with NTFS in order to utilize these permissions.
The main permissions for files are listed below:
Full Control: Read, write, modify, execute, change attributes and permissions, and take ownership of the file.
Modify: Read, write, modify, execute, and change the file's attributes.
Read & Execute: Display the file's data, attributes, owner, and permissions, and run the file (if it is a program or has a program associated with it for which the user has the necessary permissions).
Read: Display the file's data, attributes, owner, and permissions.
Write: Write to the file, append to the file, and read or change its attributes.
NTFS Folder Permissions:
NTFS folder permissions determine the access that is granted to a folder and to the files and subfolders residing in that folder. These permissions can be given to a particular user or group. The different permissions for folders are listed below.
Full Control: Read, write, modify, and execute the contents (usually files) residing inside the folder, change attributes and permissions, and take ownership of the folder or the files residing inside.
Modify: Read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
Read & Execute: Display the folder's contents and display the data, attributes, owner, and permissions for files residing in the folder, and run files within the folder (if they are programs or have a program associated with them for which the user has the necessary permissions).
List Folder Contents: Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they are programs or have a program associated with them for which the user has the necessary permissions).
Read: Display the file's contents, attributes, owner, and permissions.
Write: Write to the file, append to the file, and read or change its attributes.
Although the Read & Execute and List Folder Contents folder permissions seem to do the same thing, they are independent permissions and are inherited independently. For instance, files can inherit the Read & Execute permission but cannot inherit the List Folder Contents permission. Folders can inherit both. File permissions override folder permissions. For instance, let's say that Riya has read access to a file called test.txt, which is placed in a folder to which she has no access permissions. In this case the file will be invisible to Riya, and since she cannot list the folder contents, she would have to access the file using the UNC path or the logical file path. Another point to note is that file permissions can override the permissions of the parent folder. The instant a new file is created, it inherits its permissions from the target folder.
Shares are set through the MMC, My Computer or through Explorer and permissions can be set on a share in the "Share Permissions" tab. Share level permissions only apply when a file or folder is being accessed via the network and do not apply to a user logged into the machine locally. The following are the different share-level permissions:
Read: User is able to see files and subfolders. Applications can be executed but no changes can be made to the files.
Change: Read permission plus the ability to add, delete or edit files or subdirectories
Full Control: Has power to perform any and all functions on all files and folders within the share.
A Deny permission can also be set on shares. The Deny permission overrides every other permission. In the case of FAT or FAT32 folder sharing, only the share-level permissions apply, because these file systems cannot support file and directory (NTFS) permissions. When folders residing on NTFS volumes are shared, the effective permission of the user will be the most restrictive of the NTFS and share permissions. This means that if Riya is trying to access a file called 'code' located on 'busyworks' and she has share permissions of Read and file permissions of Full Control, in effect her permission would be Read. Conversely, if her share permissions are Full Control and her file permissions are Read, she will still only have Read access to the 'busyworks' folder.
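An added example (not from the original article) that applies the "most restrictive wins" rule to real shares: for one principal it intersects the share ACL with the NTFS ACL of the shared folder and reports network versus local access. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later, so not Server 2008 itself), an approximate mapping of Read/Change/Full to NTFS rights, and a principal matched by name only; the function name Get-ShareNtfsOverlap is hypothetical.

```powershell
# Added example. Needs the SmbShare module and an elevated session.
# Assumption: share levels are mapped to approximate NTFS rights so both ACLs can be intersected.
$shareLevel = @{
    Read   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Change = [int][System.Security.AccessControl.FileSystemRights]::Modify
    Full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
}

function Get-ShareNtfsOverlap {
    # Principal is matched by name only; group membership is not expanded.
    param([string]$Principal = 'Everyone')

    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }) {
        # Share ACL: OR together the Allow entries, then let Deny override.
        $sAllow = 0; $sDeny = 0
        foreach ($ace in Get-SmbShareAccess -Name $share.Name |
                         Where-Object { $_.AccountName -eq $Principal }) {
            $bits = [int]$shareLevel["$($ace.AccessRight)"]   # 'Custom' maps to 0 here
            if ("$($ace.AccessControlType)" -eq 'Allow') { $sAllow = $sAllow -bor $bits }
            else                                         { $sDeny  = $sDeny  -bor $bits }
        }

        # NTFS ACL on the shared folder itself; inherit-only entries do not apply to it.
        # Generic-rights entries are not expanded in this simplified model.
        $nAllow = 0; $nDeny = 0
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access |
                         Where-Object { $_.IdentityReference.Value -eq $Principal -and
                                        "$($_.PropagationFlags)" -notmatch 'InheritOnly' }) {
            if ($ace.AccessControlType -eq 'Allow') { $nAllow = $nAllow -bor [int]$ace.FileSystemRights }
            else                                    { $nDeny  = $nDeny  -bor [int]$ace.FileSystemRights }
        }

        $shareRights = $sAllow -band (-bnot $sDeny)
        $ntfsRights  = $nAllow -band (-bnot $nDeny)

        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            # Over the network both ACLs must allow the access.
            Network = [System.Security.AccessControl.FileSystemRights]($shareRights -band $ntfsRights)
            # A locally logged-on user is limited by NTFS only.
            Local   = [System.Security.AccessControl.FileSystemRights]$ntfsRights
        }
    }
}

Get-ShareNtfsOverlap -Principal 'Everyone' | Format-Table -AutoSize
```

A row where Local is wider than Network marks a folder that is being protected by its share permissions alone.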
Points to Consider:
Always assign access to groups rather than to users. Since it is not efficient to manage user accounts independently, assigning permissions on a per-user basis should be done in exceptional situations only. If at all possible, do not change the default permission entries on file system objects, especially on system folders and root folders. Changing default permissions can bring in unusual access problems or affect security.
Do not attempt to deny the “Everyone” group access to any objects, because Everyone also includes administrators. An even better solution is to remove the “Everyone” group, as long as users, groups, or other systems are provided access to that object. Full Control is usually assigned to the Administrators group and local system.
Inherited Deny permissions usually do not prohibit access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, and that includes inherited Deny permissions. Special cases that use Deny permissions include:
1) To exclude a subset of a group that has Allow permissions.
2) To exclude a special permission when Full Control is already assigned to a user or group.
Extreme care should be taken while configuring NTFS permissions for a Web site. If there is any error in setting permissions, even valid users will not be able to access the required files and directories. For instance, even though a user has the appropriate rights to see and execute a particular executable file, the user might not have permission to access a particular dynamic-link library (DLL) that is essential to run that program. To guarantee users secure and uninterrupted file access, always put related files in the same folder, and then assign the correct NTFS permissions to that folder.
Implementing NTFS Permissions
Case Study: There is a folder named "study". A System Administrator wants the users Ann and Bill to access this folder and gives both users 'read' NTFS permission on the “study” folder. The System Administrator, however, has Full Control NTFS permission.
Sharing of files in Windows Server 2008 is configured from the Network and Sharing Center, reached by selecting Start -> Network and choosing the Network and Sharing Center option in the toolbar. Once opened, the Network and Sharing Center lists the current file sharing configuration.
To implement the NTFS permission, perform the following steps:
- Create the folder with the name "study" on an NTFS volume or partition.
- Right-click the "study" folder and then click Properties.
- A small pop-up window titled “Properties” appears.
- In the Security tab, click the “Advanced” button.
- In the next dialog box, uncheck the “Inherit from parent” field.
- Click the “Copy” or “Remove” button.
- After that, click the “Apply” button to save.
- Now add the System Administrator, user Ann and user Bill to the access control list (ACL) by using the “Add” button.
- After the above steps, click the “Advanced” button. It will display the above users.
- Then add the required users to the access control list and click “ok”.
- Inside Access Control Entries (ACE), set the permission for the selected user, then click the “Apply” button to save the setting and the “ok” button to complete the process.
Output of case study: Log in with the user name Ann or Bill and try to modify the contents of the "study" folder. Neither user can modify or change the contents, because of the NTFS permission settings.
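The same case study done from PowerShell instead of the Properties dialog, as an added example that is not part of the original article. The path C:\study, the local accounts Ann and Bill, and the use of BUILTIN\Administrators for the System Administrator are assumptions; it takes the “Remove” choice when inheritance is switched off and must run elevated.

```powershell
# Added example. Assumptions: C:\study is on an NTFS volume, local users Ann and Bill exist.
$path = 'C:\study'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl -Path $path

# Uncheck "Inherit from parent": $true protects the ACL from inheritance,
# $false discards the inherited entries (the dialog's "Remove"; use $true for "Copy").
$acl.SetAccessRuleProtection($true, $false)

# Entries apply to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },   # assumed admin principal
    @{ Id = 'Ann';                    Rights = 'Read' },
    @{ Id = 'Bill';                   Rights = 'Read' }
)

foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $path -AclObject $acl

# Verify: three explicit entries, none inherited, and no write-type right for Ann or Bill.
$result = (Get-Acl -Path $path).Access
$result | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

$write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$tooWide = $result | Where-Object {
    $_.IdentityReference.Value -match '\\(Ann|Bill)$' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write)
}
if ($tooWide) { Write-Warning 'Ann or Bill holds more than Read on the folder.' }
```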
In short, shared folders give network users access to resources. In the case of a FAT partition, the shared folder permissions are all that is available to secure the folders the user has shared and the folders and files they contain. In the case of an NTFS partition, the administrator can assign NTFS permissions to individual users and groups to give more organized access to the files and subdirectories in each of the shared folders. When shared folder permissions and NTFS permissions are combined, the more restrictive permission is always the one that applies. Share permissions will NOT apply to a local user who accesses the resource locally with Windows Explorer, but the NTFS permissions do apply.
Troubleshooting problems that involve both NTFS and share permissions can appear overwhelming. Always avoid nested shares in your file structures, since they can create contradictory behavior for the same network resources when these are reached through different shares. This is asking for trouble, particularly when the share permissions differ. A nested share is a shared folder that exists inside another shared folder. There are, of course, the built-in hidden shares (like C$, D$, etc.), which make all shares nested under them, and they are a default. However, if users use two independent non-hidden shares that are nested, there can be contradictory share permissions.
Group membership is one of the most common ways to over-privilege or under-privilege access to resources. Particularly in domain configurations, the complexity is increased by numerous memberships and/or nested groups. Use the Effective Permissions tool to see what the resulting set of access is, as determined by group membership, when using Active Directory. However, this is not a straightforward display of NTFS permissions. The user can then inspect each group membership for an entity as part of troubleshooting NTFS permissions.