420 likes | 428 Views
Chapter 7. Configuring and Managing NTFS Security. NTFS File System. Described as a collection of files Files are classified into two types Normal data files – files that contain data Metadata files – files that contain data about data The four part of the NTFS system Master File Table
E N D
Chapter 7 Configuring and Managing NTFS Security
NTFS File System • Described as a collection of files • Files are classified into two types • Normal data files – files that contain data • Metadata files – files that contain data about data • The four part of the NTFS system • Master File Table • $Secure metafile • Transaction logging • Quota Tracking
Layout of an NTFS Disk MFT $Boot Data 1 Data 2 Data 3 MFT Mirror $Secure Data 4
Master File Table (MFT) • Contains • Pointers to the actual storage sites of files on the NTFS formatted disk • Directory indexes • Attributes for the files and folders • A mirror copy is maintained on each NTFS volume to insure recovery of the file system if the MFT is damaged.
MFT Records MFT Records Data 1 Abc.doc Timestamp NTFSSID01 LCN Data 2 123.doc Timestamp NTFSSID01 LCN Data 3 xyz.xls Timestamp NTFSSID01 LCN Data 4 987.txt Timestamp NTFSSID01 LCN Location on Disk Security Index Reference Standard Information Attributes File Name Attribute MFT Record Header
MFT is placed in an are called the MFT zone • The zone is an area set aside for expansion of the MFT • As a disk fills, the MFT zone will be reduced in size • If the zone becomes two small to hold all of the MFT data it will become fragmented • This will cause a significant reduction in performance
Consolidated Security • Another area the MFT is responsible for is tracking security information • In earlier versions security descriptions were stored separately with each file and folder • Security descriptions – lists of users and group with access to the files or folders • $Secure metafile contains a common set of security descriptions that can be referenced by a single listing in the MFT
As a file or folder is assigned security settings these setting are compared to the settings for other files and folders • If the comparisons match the file or folder is assigned the same entry in the $Secure metadata file. • This reduces the amount of resources needed to maintain separate security descriptions
Transition logging • tracks changes to files • Ensures recovery by reversing unfinished transactions • Quota tracking • Tracks the amount of data that each user has stored • Prevent further disk writes if a quota limit has been set and exceeded by a user.
NTFS Permissions • Security descriptions described above contain access control lists (ALC’s) • The ALC’s are lists of users and group security ID’s (SID) matched up with the permission setting for each SID. • The individual entries are called access control entries (ACE).
Components of NTFS Permissions • Access Control Lists • Access control Entries • Users and Groups
Access Control Lists • Access Control Lists (ACL) are the fundamental construct of all security in Microsoft Windows • Objects (from files to hard drive to group police objects) are controlled by Access Control Lists (ACL).
Two Types of Access Control Lists (ACL) • System Access Control Lists (SACL) • Defined by the operating system (OS) • Controlled administratively by either • Policies • System administrator • Control auditing of access to objects
Discretionary Access Control Lists (DACL) • Referred to as ACL’s • Lists of users and groups that have been granded access to objects • Access is granted at the discretion of the objects owner hence the word Discretionary
Each object has a security description containing a Discretionary Access Control Lists (DACL) that defines what users and groups have access permissions to that object. • NTFS stores the DACL’s in the $Security metafile • NTFS records the DACL’s index attribute in the standard information attribute in the Master File Table
MFT Records NFT Records Data 1 Abc.doc Timestamp NTFSSID01 LCN Data 2 123.doc Timestamp NTFSSID01 LCN Data 3 xyz.xls Timestamp NTFSSID01 LCN Data 4 987.txt Timestamp NTFSSID01 LCN Location on Disk Security Index Reference Standard Information Attributes File Name Attribute MFT Record Header
Access Control Entries (ACE) • Access Control Lists consist of one or more Access Control Entries (ACE) • These Access Control Entries consist of • The user or group security identifier (SID) • Paired with permissions assigned to that security identifier (SID)
Permissions (three types) • Allow – allows access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delet, etc) • Deny – denies access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delet, etc) • System Audit – a component of system control lists (SACL) lists the operations to be audited
When more then one Action Control Entry (ACE) exists on an Action Control List (ACL) the effectives of all of the ACE’s are taken into account to determine what actions are permitted for a specific user.
The Rule Governing Cumulative Effect ACE • Permission assigned to a user who has more then one Action Control Entry for an object is the most lenient of the accumulated permissions unless one of the permissions is Deny which overrides all other permissions for the specific operation.
Example • A user might be a member of more then one security group with access to a file. • In one group the use has allow read permission • In the other group the user has allow read and allow modify • The user has the allow modify permission • If another group has allow modify and ,deny read the user can not open the file and this negates the modify permission
Users and Groups • The final part of the NTFS security system • They are identified by security ID (SID) in the Access Control Entry (ACE) • By placing users into security groups and assigning groups access to NTFS objects you can easily control object access
Three Major Group Types • Built-in security groups • Assigned security groups • Special groups
Built-in Security Groups • These are groups included with the operating system • Examples include; • Users Group • Power Users • Administrative • Administrators have full control access to NTFS folders and files so they can administer permissions
Assigned Security Groups • Groups created by administrators • Designed to make it easier to manage access to resources
Special Groups • Groups who’s membership changes based on the circumstances of a user’s access to a file
Examples of Special Groups • Creator Owner group – members are made up pf users who are creators or owners of a resource. • Network group – users who access a resource over a network • Everyone group – user identified by a user name who attempts to access resources on a system
Managing NTFS Permissions • To manage permissions you must understand the use and consequences of each permission • You must understand how permissions from multiple group memberships work together
Best Practices for Assigning Permissions • Assign the most restrictive NTFS permissions that will allow the users and groups to accomplish there assigned tasks • Assign all permissions at the folder level • Group files for which you want to restrict access into separate folders and then assign permissions to that folder creating restricted access
Assign permissions to groups where ever possible • You can manage permissions for a group once and then assign users to that group to have access to the files and folders. • Avoid changing the permissions on system files and folders • This can cause unexpected and difficult to diagnose problems
Do not deny access to the everyone group • Administrators are part of this group and would inherit the deny permission • It is better to remove the Everyone group from the Action Control List (ACL) and add individual groups
For all executable file • Assign read, write and execute permissions to the administrators • Assign read and execute permissions to the user groups • This will prevent users or viruses from changing the executable files • Only individuals with administrate privileges will be able to write information to the executable files.
For public folders assign • Full control to the Creator Owner • Read and write to the Authenticated Users group • This allows only the creator of the folder full access to files they create.
If you do not what a user or a group to have access to a file or folder do not assign permissions. • If you do not grant permissions the user or group will not have access to the object • You should deny permissions under the following cases
To exclude a person who belong to a group with the allow permission • To exclude one special permission form a standard permission group.
How Permission to Access is Determined • When a user initiates a request to access an object, the application the user is using imitates an access request and attaches the users token • This token was generated when the user logged on • The token contains the users security identifier (SID) and any security groups the user belongs to.
The token is compared to access control entry (ACE) of the objects Discreet Access Control List (DACL). • If the security identifier (SID) of the token matches the SID listed in the Access Control List (ACE) the permissions in the ACE are evaluated to see if access can be granted.
If all of the access control entries (ACE’s) are evaluated and at least one grants access the object is opened • The only exception is if a there is a deny access permission.
If no access control entries (ACE’s) are found referencing any of he users security identifier (SID) or one is found with DENY the operation access is denied.
Effective Permissions • Effective permissions for a resource are the sum of NTFS permissions you assign to the individual users account and any group the user is part of.
Troubleshooting NTFS Permissions • Almost all problems with file or folder access can be traced to improper effective permissions. • Either membership in a group can be causing a problem or from incorrectly assigning permissions to one or more groups the user is in.
It is easy to lose track of deny permissions you have assigned, that is why the deny permission is only used in rare cases.