S 4.149 File and share authorisations in Windows
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
Windows operating systems with an NT core use the NTFS file system. The current versions are NTFS 3.0 for Windows 2000 and NTFS 3.1 for Windows XP and higher; the access control mechanisms of the two versions are practically identical, though. The following table provides an overview of the possible file access rights. The file access rights in Windows 2000 and higher permit a significantly more fine-grained configuration than is possible in Windows NT 4.0 with NTFS 2.
Access rights for folders | Access rights for files |
---|---|
Browse Folders | Run File |
List Folder | Read Data |
Read Attributes | Read Attributes |
Read Extended Attributes | Read Extended Attributes |
Create Files | Write Data |
Create Folders | Append Data |
Write Attributes | Write Attributes |
Write Extended Attributes | Write Extended Attributes |
Delete Subfolders and Files | |
Delete | Delete |
Read Authorisations | Read Authorisations |
Change Authorisations | Change Authorisations |
Take Property Rights (in Windows 7 or higher, this setting is called "Take Ownership".) | Take Property Rights (in Windows 7 or higher, this setting is called "Take Ownership".) |
Table: Overview of the access rights for folders and files
The access rights can be applied to files or folders. When access rights are inherited, the rights of a folder are passed on to its files and/or subfolders, which gives an easy way to change the access authorisations of an entire branch of the file tree by changing the authorisations at a single location. Inheritance to the objects in a directory can be controlled specifically using the following seven settings, which specify the objects to which the access rights are passed on:
- This folder only
- This folder, subfolders, and files
- This folder, subfolders
- This folder, files
- Subfolders and files only
- Subfolders only
- Files only
Using the "Only assume authorisations for objects and/or containers in this container" option, it is furthermore possible to stop inherited access rights from propagating recursively through the subtree and to limit inheritance to the objects directly in the current directory.
There are two additional options available to control how rights are passed to objects when the inheritance mechanism is used:
- The acceptance of inherited rights can be permitted or blocked for an object using the "Adopt inheritable parent authorisations" option.
- The acceptance of inherited rights by all objects in the subtree can be forced using the "Reset authorisations in all child objects and enable processing of inheritable authorisations" option.
If these two settings conflict, the acceptance of inherited rights is forced.
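The inheritance scopes and options described above are stored in each access control entry (ACE) as inheritance and propagation flags. The following PowerShell function is an added example, not part of the original safeguard: it lists the ACEs of a folder, translates each entry's flags back into the seven scopes named above, shows whether inheritance from the parent has been blocked, and flags principals that should not appear in the ACL at all (see the recommendations on Everyone and Power Users later in this safeguard). The folder path is a placeholder.

```powershell
# Added example, not part of the original safeguard. Maps NTFS ACE flags to the
# seven inheritance scopes and reports disallowed principals. Path is a placeholder.
function Get-AceInheritanceScope {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $ci = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    # NoPropagateInherit is the "objects and/or containers in this container only" option
    $np = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
    $scope = switch ("$ci $oi $io") {
        'False False False' { 'This folder only' }
        'True True False'   { 'This folder, subfolders, and files' }
        'True False False'  { 'This folder, subfolders' }
        'False True False'  { 'This folder, files' }
        'True True True'    { 'Subfolders and files only' }
        'True False True'   { 'Subfolders only' }
        'False True True'   { 'Files only' }
        default             { 'Unusual flag combination' }
    }
    if ($np) { $scope += ' (not propagated beyond this container)' }
    return $scope
}

function Test-FolderAuthorisations {
    param(
        [string]$Path,
        # Principals that should hold no rights: Power Users removed from all ACLs, Everyone avoided
        [string[]]$Disallowed = @('Everyone', 'BUILTIN\Power Users')
    )
    $acl = Get-Acl -LiteralPath $Path
    # AreAccessRulesProtected is the inverse of "Adopt inheritable parent authorisations"
    Write-Host "$Path - inheritance from parent blocked: $($acl.AreAccessRulesProtected)"
    foreach ($ace in $acl.Access) {
        $principal = $ace.IdentityReference.Value
        $finding = if ($Disallowed -contains $principal) { 'remove: disallowed principal' } else { '' }
        [pscustomobject]@{
            Principal = $principal
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = Get-AceInheritanceScope -Ace $ace
            Finding   = $finding
        }
    }
}
# Placeholder path; replace with the folder under review
Test-FolderAuthorisations -Path 'C:\PLACEHOLDER\Projects' | Format-Table -AutoSize
```

Run the function against each folder named in the authorisation concept and compare the reported scopes and principals with the documented target state.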
In Windows XP, Vista, and Windows 7, the "Access control settings for folder or file name" dialog was renamed "Enhanced security configuration for folder or file name", and the "Auditing" and "Effective Authorisations" tabs were added.
In Windows XP and Windows 7, the "Auditing" tab configures how access to objects such as files, folders, and programs is monitored; failed access attempts to a folder, for example, can be audited. These auditing settings can be inherited by all folders and files contained in the folder.
The "Effective Authorisations" tab available in Windows XP, Vista, and Windows 7 supports the examination of the rights of a user. It shows which authorisations are actually in effect for a user or a user group on any given file or folder. The effective authorisations may differ from the entries shown because of inherited rights or because of the user's membership in several groups.
This abundance of different file authorisations and their interaction with the various inheritance mechanisms renders the administration of access rights complicated for the user. It is therefore recommended to use only the standard access rights in standard cases:
Folders | Files | Corresponds to |
---|---|---|
Full Control | Full Control | All Authorisations |
Change | Change | Read, Run plus Delete |
Read, Run | Read, Run | Read plus Run file |
List Folder Contents | - | |
Read | Read | Read Data, Read Attributes, Read Extended Attributes, Read Authorisations |
Write | Write | Write Data, Append Data, Write Attributes, Write Extended Attributes |
Table: Standard access rights
Within the framework of planning the use of Windows, it is necessary to create an authorisation and access concept for files and folders that defines the access rights in detail. When creating this concept, the organisational and business requirements must be taken into account. In general, it is recommended to grant rights to the Windows system files restrictively.
The following access rights can be used as an initial configuration for Windows 2000, though they must be adapted to the local conditions in any case. The suggested settings assume that the pre-configured group Power Users is not used, because administrative tasks will be carried out by administrators with corresponding authorisations as laid down in the administration concept. For this reason, the Power Users group should be removed from all access control lists. In addition, it is recommended to separate administrative roles in the administration concept so that administrative authorisations are assigned to the corresponding dedicated accounts. In the following, though, it is assumed that the members of the Administrators group possess all administrative powers. The access rights only apply to the specified directories or files and are not meant to be inherited.
Directory | Rights |
---|---|
Master directory of the system partition | Administrators: Full Control; SYSTEM: Full Control; Users: Read |
\WINNT | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: Full Control; Users: Read, Run |
WINNT\REPAIR | Administrators: Full Control |
WINNT\SYSTEM32\CONFIG | Administrators: Full Control; SYSTEM: Full Control; Users: Read |
WINNT\SYSTEM32\SPOOL | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: Full Control; Users: Read |
Table: Default rights for directories in Windows 2000
Directory / File | Rights |
---|---|
boot.ini, ntldr | Administrators: Full Control; SYSTEM: Full Control |
autoexec.bat, config.sys | Administrators: Full Control; SYSTEM: Full Control; Users: Read |
TEMP | Administrators: Full Control; SYSTEM: Full Control; Users: Change |
Program Files | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run |
Documents and Settings | Administrators: Full Control; SYSTEM: Full Control; Users: Read |
Table: Default rights for files in Windows 2000
Directory | Rights |
---|---|
Master directory of the system partition | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read |
\WINDOWS | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: specific authorisations; Users: Read, Run; List Folder Contents; Read |
WINDOWS\REPAIR | Administrators: Full Control |
WINDOWS\SYSTEM32\CONFIG | Administrators: Full Control; SYSTEM: Full Control; Users: List Folder Contents |
WINDOWS\SYSTEM32\SPOOL | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: specific authorisations; Users: Read, Run; List Folder Contents; Read |
Table: Default rights for directories in Windows XP
Directory / File | Rights |
---|---|
boot.ini, ntldr | Administrators: Full Control; SYSTEM: Full Control |
autoexec.bat, config.sys | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run |
\WINDOWS\Temp | Administrators: Full Control; SYSTEM: Full Control; Users: special authorisations |
Program Files | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read |
Documents and Settings | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read |
Table: Default rights for files in Windows XP
The following table documents the default rights for directories in Windows Vista and Windows 7:
Directory | Rights |
---|---|
Master directory of the system partition | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read |
\WINDOWS | Administrators: specific authorisations (Search Folders / Run File, List Folders / Read File, Read Attributes, Read Extended Attributes, Create Files / Write Files, Create Folder / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Authorisations); Administrators have Full Control over the subfolders; SYSTEM: as Administrators; Users: Read, Run; List Folder Contents; Read; TrustedInstaller: List Folder Contents |
WINDOWS\SYSTEM32\CONFIG | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read; CREATOR OWNER: Full Control; TrustedInstaller: List Folder Contents |
WINDOWS\SYSTEM32\SPOOL | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents; Read; CREATOR OWNER: Full Control; TrustedInstaller: List Folder Contents |
Table: Default rights for directories in Windows Vista and Windows 7
The TrustedInstaller mentioned in the table above is described in S 4.341 Integrity protection in Windows Vista and higher, in the section Windows Resource Protection and TrustedInstaller.
The following table documents the default rights for files in Windows Vista and Windows 7:
Directory / File | Rights |
---|---|
bootmgr, BCD | SYSTEM: Read, Run; Administrators: Read, Run; TrustedInstaller: Full Control |
autoexec.bat, config.sys | Administrators: Full Control; SYSTEM: Full Control; Users: Read; TrustedInstaller: Full Control |
TEMP | Administrators: Full Control; SYSTEM: Full Control; Users: special authorisations |
Program Files | Administrators: specific authorisations (Search Folders / Run File, List Folders / Read File, Read Attributes, Read Extended Attributes, Create File / Write File, Create Folder / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Authorisations); Administrators have Full Control over the subfolders; SYSTEM: specific authorisations as Administrators; TrustedInstaller: Full Control; Users: Read, Run; List Folder Contents; Read |
Users | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Run; List Folder Contents |
Table: Default rights for files in Windows Vista and Windows 7
When updating a Windows NT computer to a newer version of Windows, the default authorisations of the newer Windows version are not installed and the existing Windows NT settings are used instead. Therefore, it is always necessary to check such systems as to whether the authorisations conform to the authorisation concept created.
Share for network access
In Windows 2000 and higher versions, directories and the files they contain can be made available over the network using a share. Access to a share is controlled in two stages. The first stage consists of the access authorisations on the network share itself; they define who is allowed to access the share at all.
If the users are responsible for assigning authorisations, for example to their own files or to project files, they must be trained accordingly. Otherwise, insecure file access authorisations could result in a compromised stand-alone system or, in the worst case, to the entire network being compromised.
As a matter of principle, no authorisations should be granted to the pre-configured group Everyone (especially not Full Control or Write/Change rights). If all users are to be granted access, it is instead recommended to use the likewise pre-configured group Authenticated Users. The second stage consists of the access rights described above, which are specified at the file system level and govern access to the individual files and directories. Only the following rights:
- Full Control,
- Change, and
- Read
can be granted at share level. More precise control at this level is not necessary, however, since the file system rights apply in addition.
The following rules should be followed when defining file, directory, and share authorisations:
- Shares on workstation computers should be avoided.
- Shares on domain controllers should also be avoided because sensitive data is stored on domain controllers.
- Reasons must be provided and documented for all unavoidable shares on workstation computers and domain controllers and should only be carried out after weighing the risks involved.
- Access authorisations for all shares and the data accessible on these shares should be granted as restrictively as possible.
- Consideration should be given to removing the pre-configured group Everyone from access control lists and using the group Authenticated Users instead.
- The access concept must be documented.
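The rules above can be checked on a running system. The following PowerShell function is an added example, not part of the original safeguard: it lists the non-administrative SMB shares of the local computer together with their share-level entries and reports shares on workstations or domain controllers, grants to Everyone, and Full Control or Change rights where Read would do. It assumes the SmbShare cmdlets, i.e. Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original safeguard. Reports share-level findings
# against the rules of S 4.149. Assumes Get-SmbShare / Get-SmbShareAccess exist.
function Test-ShareAuthorisations {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $role = switch ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType) {
        1       { 'workstation' }
        2       { 'domain controller' }
        default { 'member server' }
    }
    # Special shares (C$, ADMIN$, IPC$) are created by the system and are not user-defined shares
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $findings = @()
        if ($role -ne 'member server') {
            $findings += "share on a $role, which should be avoided; document the justification and risk assessment"
        }
        foreach ($entry in (Get-SmbShareAccess -Name $share.Name)) {
            if ($entry.AccessControlType -ne 'Allow') { continue }
            if ($entry.AccountName -eq 'Everyone') {
                $findings += "grants $($entry.AccessRight) to Everyone; use Authenticated Users instead"
            } elseif ($entry.AccessRight -ne 'Read') {
                $findings += "grants $($entry.AccessRight) to $($entry.AccountName); justify anything beyond Read"
            }
        }
        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'no findings' }
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Findings = $summary
        }
    }
}
Test-ShareAuthorisations | Format-Table -AutoSize -Wrap
```

The file system rights of each share's path still have to be checked separately, since they form the second stage of the access control.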
Review questions:
- Was an authorisation and access concept for Windows created that meets the organisation's requirements?
- Have the authorisations of all directories and files on all computers with an updated Windows operating system been checked?
- Are the file and directory authorisations specified for shared directories suitable for network access? Was access to shares granted as restrictively as possible?