Microsoft Windows Workstations and Servers

Microsoft Windows-based systems have highly granular file-based access controls. On a local level, an administrator works with users, groups, and objects. The administrator may group users together to grant rights. The administrator may control objects with both basic and advanced rights. TABLE 8-2 lists the basic access rights available in Windows and what they affect.

TABLE 8-2 Basic Access Rights in Windows

NAME | DESCRIPTION | FILE OR FOLDER
Full Control | Change permissions, take ownership, and delete subfolders and files. Perform actions permitted by all other NT File System (NTFS) file or folder permissions. | Both
Modify | Delete a file or folder. Perform actions permitted by the Write permission and the Read & Execute permission. | Both
Read & Execute | Navigate folders to reach other files and folders, even if the user does not have permission for those folders. Perform actions permitted by the Read permission and the List Folder Contents permission. Run the application. | Both
List Folder Contents | View the names of files and subfolders in the folder. | Folder
Read | See files and subfolders in the folder. View folder ownership, permissions, and attributes, such as Read-only, Hidden, Archive, and System. Read the file. View file attributes, ownership, and permissions. | Both
Write | Create new files and subfolders within the folder. Change folder attributes. View folder ownership and permissions. Overwrite the file, change file attributes, and view file ownership and permissions. | Both

The Windows operating system can get far more granular with the utilization of advanced rights. The basic rights are just preset groupings of the more granular levels. These groupings cover most roles that an organization would want to give a user or group. The advanced rights for files are listed in TABLE 8-3.

TABLE 8-3 Windows Advanced File Permissions

NAME | DESCRIPTION
Full Control | The sum of all other rights
Traverse Folder/Execute File | The ability to navigate the file system and execute files
List Folder/Read Data | The ability to list the contents of a folder
Read Attributes | The ability to view ownership and access control attributes on a file or folder
Read Extended Attributes | The ability to view all file or folder attributes
Create Files/Write Data | The ability to create new files and write to existing files
Create Folders/Append Data | The ability to create new folders
Write Attributes | The ability to change file and folder ownership and access control attributes
Write Extended Attributes | The ability to change extended attributes such as the ones in this list
Delete | The ability to delete files and folders
Read Permissions | The ability to view access control permissions on a file or folder
Change Permissions | The ability to change access control permissions on a file or folder
Take Ownership | The ability to change the ownership attribute on a file or folder

This gives you a partial picture of the level of granularity. Groups of objects or users—called organizational units (OUs)—provide advanced rights that allow thousands of different options. General administrators use basic rights for ease of management.

An organizational unit is a logical structure that allows you to organize users, computers, and other objects into separate units for administrative purposes. The main difference between an organizational unit and a group is that groups apply only to users while an OU can include any type of object.

Rights in Windows can be either explicit or inherited from parent folders. A user’s rights on any given object are based on all of the inherited and explicit rights granted or denied to every OU of which the user is a member. It is important to note that Deny rights always take precedence over Allow rights. For example, suppose Julie is a member of both the Accounting and IT OUs. She needs to access the accounts payable spreadsheet. Although the Accounting OU has been granted Read permission to this document, the IT OU is explicitly denied Read rights. Regardless of the rights granted to Julie, the explicit denial will block her access.

Granting Windows Folder Permissions

On a Windows system, you may change the permissions settings for a folder by accessing the folder properties. Open File Explorer and right-click on the folder that you wish to modify, choosing Properties from the pop-up menu. When the Properties dialog box opens, select the Security tab. An example from a Windows Server 2019 system is shown in FIGURE 8-2.

A screenshot of folder security properties in Windows Server 2019.

FIGURE 8-2 Folder security properties in Windows Server 2019.

Used with permission from Microsoft.

You may then edit the permissions assigned to users by clicking the Edit button. Windows will then present a Permissions dialog box, such as the one shown in FIGURE 8-3. You may add or remove users or groups from the listing by clicking the Add or Remove button. To modify the permissions assigned to a specific user or group, highlight the user or group in the top pane and then modify the checkboxes in the bottom pane to reflect the desired settings. Note that the checkboxes correspond to the settings that appear in Table 8-2.

A screenshot of editing folder permissions in Windows Server 2019.

FIGURE 8-3 Editing folder permissions in Windows Server 2019.

Used with permission from Microsoft.

If you wish to modify the permission settings found in Table 8-3, you may do so by clicking the Advanced button. This will open the dialog box shown in FIGURE 8-4, where you may edit advanced permission settings.

A screenshot of Windows server 2019 advanced folder permissions.

FIGURE 8-4 Windows Server 2019 advanced folder permissions.

Used with permission from Microsoft.
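The same basic rights from Table 8-2, and the Deny-over-Allow behaviour described for Julie, can be applied and inspected from PowerShell instead of the Security tab. This is an added example, not code from the text; it assumes local groups named Accounting and IT exist, uses a constructed folder path, and must run in an elevated session.

```powershell
# Added example (not from the text): grant basic rights with PowerShell and show that an
# explicit Deny ACE wins over an explicit Allow ACE on the same folder.
# Assumptions: local groups 'Accounting' and 'IT' exist; elevated PowerShell 5.1 or later.
$folder = 'C:\Temp\AcctPayable'     # constructed path for the accounts payable folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -Path $folder

# Basic rights map onto FileSystemRights values: "Read & Execute" is ReadAndExecute, "Read" is Read.
# ContainerInherit,ObjectInherit makes the ACE flow to subfolders and files, as the GUI does by default.
$allowRead = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'Accounting', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$denyRead = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'IT', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')

$acl.AddAccessRule($allowRead)
$acl.AddAccessRule($denyRead)
Set-Acl -Path $folder -AclObject $acl

# Read the DACL back. Windows places explicit Deny ACEs before explicit Allow ACEs, so a user in
# both groups (Julie in the text) is refused Read here. Caveat: the canonical order is explicit
# Deny, explicit Allow, inherited Deny, inherited Allow, so an explicit Allow on a subfolder
# would override a Deny inherited from this folder; check effective access, not just the ACE list.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```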

Domain Administrator Rights

A domain administrator in Windows is a member of the special Domain Administrators group in Active Directory. Members of this group have full control over all computers in the domain, including any file or folder that they haven’t explicitly been denied access to. Members of this group have the ability to assign and modify the ACL of users, files, and folders on all systems in the domain. This group also has the ability to add or remove computers and OUs from the Windows domain. This group is added to the Local Administrators group on any computer joined to the domain.

This is not the top-level authority in Active Directory. Above the Domain Administrators group is the Enterprise Administrators group. This group has administrative rights to the entire Active Directory forest in an organization. It is the only group with the ability to add or remove domains from the Active Directory forest and is included in all Domain Administrator groups when a new domain joins the forest.

Super Administrator Rights

The Super Administrator is a built-in “secret” account in all versions of Windows, including Windows 10. This account is the local administrator on a standalone installation of Windows and is disabled by default. This account has full rights on the local system and can take ownership of all objects. It is generally not needed in a standalone installation, but users with a lot of legacy applications may find a need to activate this account.

To activate the Super Administrator account, a user must first launch a command window with administrative rights using the runas command. In the command window, enter the following command:

Net user Administrator /active:yes

To deactivate the account, run the following command:

Net user Administrator /active:no

The Super Administrator account has no password by default. If it is activated, the first thing you should do is give the account a password.
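To check a standalone machine for exactly the risk described above (the built-in account left active without a password), the following added example, which is not from the text, locates the account by its fixed relative ID of 500 rather than by the name Administrator, since the account may have been renamed. It assumes the Microsoft.PowerShell.LocalAccounts module available on Windows 10 and Windows Server 2016 and later.

```powershell
# Added example (not from the text): audit the built-in Administrator account on the local system.
# The account is identified by its well-known RID (500) because it can be renamed.
function Get-BuiltinAdminStatus {
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }

    [pscustomobject]@{
        Name             = $admin.Name
        Enabled          = $admin.Enabled
        PasswordRequired = $admin.PasswordRequired
        PasswordLastSet  = $admin.PasswordLastSet    # $null if a password was never set
        LastLogon        = $admin.LastLogon
        # Flag the state the text warns about: active, but no password set or none required
        Risky            = $admin.Enabled -and ((-not $admin.PasswordRequired) -or (-not $admin.PasswordLastSet))
    }
}

Get-BuiltinAdminStatus | Format-List
```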

Pass-the-Hash Attacks

Some operating systems, including versions of Windows, cache password hashes locally in order to facilitate authentication. This leads to the potential for a pass-the-hash attack, where an attacker gains access to those hashed passwords and uses them to move laterally across the network.

For example, when a user logs onto a Windows system, the system retains the NTLM password hash for that user’s account in memory. If an attacker is able to log onto that same system with local administrator privileges, the attacker can then harvest those NTLM passwords. If the cache includes password hashes for any administrative accounts, the attacker can use that hash to connect to other networked systems that the attacker might not already be able to access. Using the hash harvested from one system to log onto another is known as “passing” the hash.

NOTE

While the techniques required to conduct a pass-the-hash attack require knowledge of Windows’ internal functions, there are tools available that automate these techniques, making them simple for an attacker to use. For example, the Mimikatz tool automates pass-the-hash attacks, allowing them to occur with just a few keystrokes.
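Because a passed hash is used in an NTLM network logon from the compromised host to the next system, one defensive check is to review Security event 4624 for NTLM network logons by privileged accounts that originate from workstations not sanctioned for administration. The following is an added example, not from the text; the event records, account list and host list are constructed, and in production the records would come from Get-WinEvent against the Security log.

```powershell
# Added example (not from the text): flag NTLM network logons by admin accounts from unexpected hosts,
# a common indicator of lateral movement with a harvested hash. All inputs below are constructed.
$adminAccounts = @('svc_backup', 'dadmin')   # constructed list of privileged accounts
$adminHosts    = @('JUMP01')                 # constructed list of sanctioned admin workstations

# Constructed subset of event 4624 fields (Account Name, Logon Type, Authentication Package,
# Workstation Name, and the system that logged the event).
$events = @(
    [pscustomobject]@{ Account='dadmin';     LogonType=3; AuthPackage='NTLM';     Workstation='JUMP01';    Target='FS01' }
    [pscustomobject]@{ Account='dadmin';     LogonType=3; AuthPackage='NTLM';     Workstation='WKS-ACCT7'; Target='FS01' }
    [pscustomobject]@{ Account='julie';      LogonType=3; AuthPackage='NTLM';     Workstation='WKS-ACCT7'; Target='FS01' }
    [pscustomobject]@{ Account='svc_backup'; LogonType=3; AuthPackage='Kerberos'; Workstation='BKP01';     Target='FS01' }
)

function Find-SuspiciousNtlmLogon {
    param([object[]]$Events, [string[]]$AdminAccounts, [string[]]$AdminHosts)
    $Events | Where-Object {
        $_.LogonType -eq 3 -and                  # network logon (file shares, remote admin tools)
        $_.AuthPackage -eq 'NTLM' -and           # the harvested NTLM hash is replayed over NTLM
        $AdminAccounts -contains $_.Account -and # privileged account
        $AdminHosts -notcontains $_.Workstation  # from a host not expected to do admin work
    }
}

Find-SuspiciousNtlmLogon -Events $events -AdminAccounts $adminAccounts -AdminHosts $adminHosts |
    Format-Table Account, Workstation, Target -AutoSize
```

Hosts that legitimately use NTLM (non-domain machines, legacy applications) will produce hits, so the sanctioned-host list needs to be maintained from the environment's own baseline.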
