Windows Objects and Access Controls
One of the primary security features of Windows is the ability to control access to resources. In a Windows environment, every resource where access can be controlled is defined as a securable object. There are many types of securable objects in Windows, including both named and unnamed objects. The most common securable objects include:
NTFS files and folders
Pipes, named or unnamed
Processes and threads
Registry keys
Windows services
Printers, both local and remote
Network shares
Job objects
Windows DACLs
A securable object requires a DACL for Windows to control access to the object. Any object with no DACL defined is accessible by any subject—any process, any user. An object’s DACL is a collection of individual ACEs and can be modified in the object’s Properties dialog box.
The Security page of the object Properties dialog box (FIGURE 3-7) allows you to view and modify the security permissions for the selected object. On the Security page, the Group or User Names area lists the users and groups for which ACEs are defined. The Permissions for Users area shows the current permissions for the selected user or group.
FIGURE 3-7
Object Properties dialog box, Security page.
Courtesy of Microsoft Corporation.
The Edit button under the Group or User Names area modifies basic permissions for the highlighted user or group. New users, group permissions, or the removal of existing user or group permissions can be modified here. Basic permissions are predefined common groups of individual permissions that make maintaining DACLs easier. Every permission has two check boxes next to it. Actions can be allowed or modified by using one of the two check boxes. TABLE 3-2 lists the basic permissions that can be modified for each user or group.
TABLE 3-2 Basic Windows Object Permissions |
|
|---|---|
| PERMISSION | DESCRIPTION |
| Full Control | Provides no restrictions on access to object |
| Modify | Allows all modifications to files and folders; cannot delete files or folders, change permissions, or take ownership |
| Read and Execute | Traverses folders; executes files; lists folders; reads data, basic and extended attributes, and permissions |
| Read | Lists folders; reads data, basic and extended attributes, and permissions |
| Write | Creates files and folders; writes data and basic and extended attributes; reads permissions |
| Special Permissions | Indicates the ACE for this user or group is defined on the Advanced page |
© Jones & Bartlett Learning. |
|
DACL Advanced Permissions
The Advanced page provides access to individual object permissions, as opposed to predefined groups of permissions in the general Security page (FIGURE 3-8). The Advanced page lists every individual permission for the selected user or group.
FIGURE 3-8
DACL Advanced Security Settings.
Courtesy of Microsoft Corporation.
There are several changes you can make in the Advanced Security Settings dialog box. ACEs for specific users or groups can be added or deleted. The ACE inheritance setting can also be modified. Most objects inherit some ACEs from other objects. For example, it is common for file objects to inherit at least some ACEs from the parent folder.
To disable ACE inheritance, select the “Disable” button. If this button is disabled, first select the Change link next to the Owner. When disabling the inheritance feature, Windows asks what to do with existing inherited ACEs. There are two choices:
Add—Select this option to add all previously inherited ACEs as new explicit ACEs. This option retains the same functionality but any subsequent changes to the parent’s ACEs will not change the current object’s permissions.
Remove—Select this option to simply remove all previously inherited ACEs from this object’s DACL.
TABLE 3-3 lists the special permissions available in the Advanced page.
TABLE 3-3 Special Windows Object Permissions |
|
|---|---|
| PERMISSION | DESCRIPTION |
| Traverse Folder/Execute File | Navigates to a folder for folder objects and can execute files for file objects |
| List Folder/Read Data | Lists the contents of folders for folder objects or reads data for nonfolder objects |
| Read Attributes | Reads basic object attributes |
| Read Extended Attributes | Reads extended object attributes |
| Create Files/Write Data | Creates files in a folder for folder objects or writes data for nonfolder objects |
| Create Folders/Append Data | Creates new folders for folder objects or appends data to existing nonfolder objects |
| Write Attributes | Writes basic object attributes |
| Write Extended Attributes | Writes extended object attributes |
| Delete | Deletes nonfolder objects |
| Read Permissions | Reads object permissions |
| Change Permissions | Changes object permissions |
| Take Ownership | Becomes the new owner of this object |
© Jones & Bartlett Learning. |
|