Task 5.5: Implementing a Deny Group

It may be important to lock a collection of users out of certain sensitive content. This is done with the same chain used to grant rights and permissions: User Accounts (A) are added to a Global Group (G), the Global Group is added to a Domain Local Group (DL), and Permissions (P) are assigned to the Domain Local Group, hence AGDLP. In this case, the permission you assign to the Domain Local Group (DLG) is the NTFS Deny Full Control permission.

A Deny permission overrules any collection of Allow permissions: the file system evaluates Deny entries before Allow entries at the same level, so a user who is allowed access through any number of other groups is still refused if any group in their token is denied. The one exception worth knowing is that an explicit Allow set directly on an object outranks a Deny the object merely inherits from its parent folder.

Scenario

You are responsible for the security of your information systems. You have a new folder with sensitive content that should not be viewed by the Widget Production Department personnel. You must implement security so that you are certain no member of the Widget Production Department will ever get access to this content.

Scope of Task

Duration

This task should take 20 minutes.

Setup

You have a new folder on the domain controller that contains sensitive content. You will set the NTFS permissions on the content so that the Widget Production workers will never gain access, even accidentally.

Caveat

Because a Deny permission overrules any collection of Allow permissions, it must be managed carefully as users change jobs through promotions and transfers and their access requirements change. Membership in a group that carries a Deny permission overrules every Allow permission the user receives through other groups, so a user moved into a new role stays locked out until they are removed from the Deny group.

If a user continues to receive Access Denied errors after being granted access, check whether the account belongs, directly or through nested groups, to any Deny group that may have been built.

Procedure

Using ADUC, you will build the Deny All GG and the Deny All DLG. You will then add the production workers into the Deny All GG, place the Deny All GG into the Deny All DLG, and then grant the NTFS Deny Full Control permissions to the Deny All DLG on a folder containing sensitive content.

Equipment Used

For this task, you must have:

  • Windows Server 2003 domain controller system
  • Domain Administrator access
  • Completion of Task 5.1: Creating User Accounts

Details

Building the Deny All AGDLP

1. Log on to the Windows Server 2003 domain controller system as the Domain Administrator.

2. Select Start ⇒ Programs ⇒ Administrative Tools ⇒ Active Directory Users And Computers (ADUC).

3. In the left pane, expand the domain and select the Widget Production OU.

4. Right-click on the Widget Production OU and select New ⇒ Group.

5. Name the new group Deny All GG, and select Global under Group Scope and Security under Group Type. Click OK.

6. Right-click on the Widget Production OU and select New ⇒ Group.

7. Name the new group Deny All DLG, and select Domain Local under Group Scope and Security under Group Type. Click OK.

8. Now you will add the users from the Widget Production OU into the Global Group. Double-click on the Global Group named Deny All GG. On the Members tab, click Add.

9. Click Advanced.

10. Click Find Now to display all users and groups in the domain.

11. Select Prod1 through Prod5. To select all five users at once, click on Prod1, then press and hold the Shift key and click on Prod5. Then click OK.

It doesn’t matter that these accounts are disabled from the earlier exercise. They can still be managed regarding group membership.

12. Click OK a second time to add these users into the Deny All GG.

13. In the Deny All GG Properties dialog box, select the Member Of tab.

14. Add the Deny All GG into the Domain Local Group called Deny All DLG by first clicking Add.

15. Click Advanced.

16. Click Find Now to display all users and groups in the domain.

17. Select the Deny All DLG. Then click OK.

18. Click OK a second time to add the Deny All GG into the Deny All DLG.

19. Click OK to close the Deny All GG Properties dialog box.

You have just assembled the AGDL part of the AGDLP chain (Users into Deny All GG; Deny All GG into Deny All DLG). Only the P, the permission on the content, remains.
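The same AGDL chain built from the command line, as an added example that is not part of the original task. It assumes the ActiveDirectory PowerShell module (part of RSAT on Windows 7 / Server 2008 R2 or later, so it is run from a management host rather than the Server 2003 console used in the steps), a Domain Admin session, an OU named Widget Production in the current domain, and the users Prod1 through Prod5 from Task 5.1. The SamAccountNames DenyAllGG and DenyAllDLG are assumptions chosen here. The last function addresses the caveat above: it lists every Deny group a given user belongs to, directly or through nesting, which is the first thing to check when a transferred user still gets Access Denied.

```powershell
# Added example (not from the book): build the Deny All AGDL chain with the
# ActiveDirectory module. Assumes RSAT AD module, Domain Admin rights, an OU
# named "Widget Production" and users Prod1..Prod5 in the current domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Widget Production,$domainDn"
$ggName   = 'Deny All GG'          # display name, as in steps 4-5
$dlgName  = 'Deny All DLG'         # display name, as in steps 6-7
$members  = 1..5 | ForEach-Object { "Prod$_" }

# G: Global security group (the SamAccountName DenyAllGG is an assumption).
if (-not (Get-ADGroup -Filter "Name -eq '$ggName'")) {
    New-ADGroup -Name $ggName -SamAccountName 'DenyAllGG' -GroupScope Global `
                -GroupCategory Security -Path $ouDn
}
# DL: Domain Local security group (SamAccountName DenyAllDLG is an assumption).
if (-not (Get-ADGroup -Filter "Name -eq '$dlgName'")) {
    New-ADGroup -Name $dlgName -SamAccountName 'DenyAllDLG' -GroupScope DomainLocal `
                -GroupCategory Security -Path $ouDn
}

# A into G. Disabled accounts can still be added (see the note after step 11).
Add-ADGroupMember -Identity 'DenyAllGG' -Members $members
# G into DL (steps 13-18).
Add-ADGroupMember -Identity 'DenyAllDLG' -Members 'DenyAllGG'

# Verification: resolved through the nested GG, the DLG must contain exactly
# Prod1..Prod5 and nothing else. Compare-Object returns nothing when equal.
$resolved = @(Get-ADGroupMember -Identity 'DenyAllDLG' -Recursive |
              Select-Object -ExpandProperty SamAccountName | Sort-Object)
$expected = @($members | Sort-Object)
if (Compare-Object $resolved $expected) {
    Write-Warning "Deny All DLG resolves to unexpected members: $($resolved -join ', ')"
} else {
    "Deny All DLG resolves to: $($resolved -join ', ')"
}

# Troubleshooting helper for the caveat: every group whose name starts with
# "Deny" that the user is a member of, directly or through nested groups.
function Get-DenyGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADGroup -Filter 'Name -like "Deny*"' | Where-Object {
        (Get-ADGroupMember -Identity $_ -Recursive).SamAccountName -contains $SamAccountName
    } | Select-Object Name, GroupScope, DistinguishedName
}

Get-DenyGroupMembership -SamAccountName 'Prod3'
```

Get-ADGroupMember -Recursive returns only the leaf accounts, which is exactly what the file system will see in a member's token, so a mismatch here means the chain is wired wrong before any permission has been set. The helper relies on the Deny groups being named consistently; if your naming convention differs, adjust the filter.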

Granting the NTFS Deny Permission

Next you will grant NTFS Deny Full Control permissions to the Deny All DLG. This will disallow any access to the content by the members of the Deny All DLG.

1. Launch Explorer by right-clicking the Start button and selecting Explore.

2. In the left pane, select the root of a drive that holds the folder STUFF.

If the STUFF folder does not exist, create a new folder named STUFF and copy a few files into it.

3. In the right pane, right-click on the folder STUFF and select Properties. Select the Security tab.

The Security tab is used to set NTFS permissions: permissions enforced by the file system itself on the volume, whether the files are reached locally or over the network. Share permissions, by contrast, apply only to access through a network share.

4. Click Add.

5. Click Advanced.

6. Click Find Now to display all users and groups in the domain.

7. Select the Deny All DLG. Then click OK.

8. Click OK a second time to add the Deny All DLG into the access control list for the STUFF folder.

9. With the Deny All DLG selected in the upper pane, check the Deny Full Control permission in the lower pane. This collection of Deny All permissions denies any access to the Deny All DLG at the NTFS level for this folder.

10. Click Apply. You will receive a security warning regarding the power of the Deny permission. Review the warning and click Yes to continue.

11. Click OK to close the STUFF Properties dialog box.

From this point forward, no matter what Allow permissions are granted through any other AGDLP chain, any member of the Deny All AGDLP chain is denied access to the content in the STUFF folder. Two limits are worth keeping in mind: an explicit Allow placed directly on a file or subfolder inside STUFF outranks the Deny that object inherits from STUFF, so audit the tree for explicit entries; and a Deny entry does not stop an administrator from taking ownership of the folder and rewriting its permissions.
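The permission step scripted and verified, as an added example that is not part of the original task. It assumes the folder is D:\STUFF, that the domain's NetBIOS name is WIDGET, and that the Deny All DLG from the previous procedure exists; run it as Domain Administrator on the server holding the folder. Beyond applying the Deny Full Control entry with the same inheritance the Security tab uses, it shows the resulting DACL and walks the tree for explicit Allow entries, the one kind of entry that can outrank the inherited Deny.

```powershell
# Added example (not from the book): apply and verify the NTFS Deny Full
# Control ACE for Deny All DLG. Assumes D:\STUFF exists and WIDGET is the
# domain NetBIOS name.
$folder   = 'D:\STUFF'
$identity = 'WIDGET\Deny All DLG'

function Add-DenyFullControl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    # ContainerInherit + ObjectInherit: the Deny flows to subfolders and files,
    # the same as "This folder, subfolders and files" in the Security tab.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Show the DACL. Windows orders explicit Deny ACEs ahead of Allow ACEs, so the
# Deny All DLG entry should appear first.
function Show-Dacl {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# Audit for explicit (non-inherited) Allow entries beneath the protected
# folder. Such an entry on a child outranks the Deny inherited from the parent
# and would let a denied user reach that child.
function Find-ExplicitAllow {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -LiteralPath $item.FullName).Access |
            Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

Add-DenyFullControl -Path $folder -Identity $identity
Show-Dacl -Path $folder

$leaks = @(Find-ExplicitAllow -Path $folder)
if ($leaks.Count -gt 0) {
    Write-Warning "Explicit Allow entries found beneath $folder (they outrank the inherited Deny):"
    $leaks | Format-Table -AutoSize
} else {
    "No explicit Allow entries beneath $folder"
}
```

Set-Acl writes the whole security descriptor back, so take a copy of the output of Get-Acl before running this against a folder whose existing permissions you care about. Re-running Find-ExplicitAllow periodically is the practical check for the caveat above: the Deny on STUFF is only as strong as the absence of explicit Allow entries inside it.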

Criteria for Completion

You have completed this task when you have built the AGDLP and have assigned Deny Full Control permissions to the Deny All Domain Local Group on a folder with sensitive content.
