File security permissions

The access control system in Windows is based entirely on Access Control Lists (ACLs), and in this respect it differs considerably from Linux. Windows defines a list of permissions (actions) that can be performed on any object in the operating system, and the OS uses the ACL assigned to an object to decide whether to grant the user access. This applies to every resource in the operating system, not just to file-system objects.

These are the standard set of file-system permissions available in Windows (simplified list):

  • Full control: A user with this permission can do anything
  • Modify: Ability to modify file system objects
  • Read and Execute: Gives a user ability to traverse through folder(s), list its content, read files, and execute them
  • Read: A user can open and read contents of any file
  • Write: A user can store the modified files
  • List folder content: A user can list content of a specific folder

Every file object can have a DACL (Discretionary Access Control List) that contains different Access Control Entries (ACEs). Each of those entries can specify a set of permissions or prohibitions for a particular user or group. Keep in mind that the system implicitly denies any kind of access not specified for a particular user.

For example, suppose we have a user John and give him read-only permission on the file test.txt. If he tries to delete that file, the system will inform him that he does not have adequate permissions to perform that operation. In the next section you will see a real-life example of file permissions applicable to Moodle and other software on your server.

Adequate location for Moodle installation

By default, the web root folder for IIS 7 is located on the base system partition (usually C:) in the inetpub\wwwroot directory. This is not the place where we should install Moodle. Moodle should be installed in a completely separate directory, preferably on a non-system partition dedicated only to data storage. In our example, we have a partition Z: which we will use for all non-OS applications. First let us download Moodle. Open the elevated command prompt and execute this:

mkdir Z:\temp
bitsadmin /transfer getmoodle /priority HIGH http://download.moodle.org/download.php/direct/stable19/moodle-weekly-19.zip Z:\temp\moodle-weekly-19.zip

Now create the directory structure and apply appropriate security settings:

mkdir Z:\moodledata
icacls Z:\moodledata /Q /T /inheritance:r
icacls Z:\moodledata /Q /T /grant Administrators:(OI)(CI)(F)
icacls Z:\moodledata /Q /T /grant moodle:(OI)(CI)(F)
mkdir Z:\website
icacls Z:\website /Q /T /inheritance:r
icacls Z:\website /Q /T /grant Administrators:(OI)(CI)(F)
icacls Z:\website /Q /T /grant moodle:(OI)(CI)(RX)

With the above commands we created the moodledata directory, removed the permissions it inherited from its parent (/inheritance:r), and assigned full permissions (F) to both the Administrators group and the moodle user, which we specially created for running the Moodle website. We also created the parent directory where the Moodle files will be placed. The Administrators group received full permissions over that directory, while the moodle user got only read and execute permissions (RX). In both cases the (OI)(CI) flags configure the directories to automatically apply the same permissions to any newly added file or directory within them.
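To confirm that the commands above produced the intended DACLs, the following PowerShell audit can be run from the same elevated session. It is an added example, not code from the book; the paths and the moodle account are the ones used on this page, and Test-DirectoryAcl is a hypothetical helper name.

```powershell
# Added example: audit the DACLs that the icacls commands above should produce.
# Z:\moodledata, Z:\website and the "moodle" account come from the page;
# Test-DirectoryAcl is a hypothetical helper written for this check.
$R = [System.Security.AccessControl.FileSystemRights]
$full  = [int]$R::FullControl
$rx    = [int]$R::ReadAndExecute
# Rights that must never appear on a read-and-execute-only ACE
$write = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
               $R::ChangePermissions -bor $R::TakeOwnership)
$oiCi  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$spec = @{
    'Z:\moodledata' = @{ Administrators = @{ Need = $full; Forbid = 0 }
                         moodle         = @{ Need = $full; Forbid = 0 } }
    'Z:\website'    = @{ Administrators = @{ Need = $full; Forbid = 0 }
                         moodle         = @{ Need = $rx;   Forbid = $write } }
}

function Test-DirectoryAcl {
    param([string]$Path, [hashtable]$Expected)
    $acl = Get-Acl -LiteralPath $Path
    $problems = @()
    $seen = @()
    # /inheritance:r should have left the DACL protected from the parent's ACEs
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance from parent is still enabled' }
    foreach ($ace in $acl.Access) {
        # Strip the BUILTIN\ or COMPUTERNAME\ prefix from the account name
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ace.AccessControlType -ne 'Allow' -or -not $Expected.ContainsKey($name)) {
            $problems += "unexpected $($ace.AccessControlType) ACE for $($ace.IdentityReference)"
            continue
        }
        $seen += $name
        $rights = [int]$ace.FileSystemRights
        $rule = $Expected[$name]
        if (($rights -band $rule.Need) -ne $rule.Need) { $problems += "$name lacks the expected rights" }
        if (($rights -band $rule.Forbid) -ne 0) { $problems += "$name holds write-class rights: $($ace.FileSystemRights)" }
        if ($ace.InheritanceFlags -ne $oiCi) { $problems += "$name ACE does not carry (OI)(CI)" }
    }
    foreach ($name in $Expected.Keys) {
        if ($seen -notcontains $name) { $problems += "no allow ACE found for $name" }
    }
    return $problems
}

foreach ($path in $spec.Keys) {
    $result = @(Test-DirectoryAcl -Path $path -Expected $spec[$path])
    if ($result.Count -eq 0) { "$path : OK" } else { $result | ForEach-Object { "$path : $_" } }
}
```

Any line other than "OK" points to an ACE that grants more, or less, than the layout described above intends, such as a leftover inherited entry for the Users group.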

Extract the downloaded file to Z:\website using the Compression support in Windows Explorer. To do this, open Windows Explorer and navigate to Z:\temp. Right-click on the moodle-weekly.zip file and choose the Extract All option.
