1 / 42

Chapter 7

Chapter 7. Configuring and Managing NTFS Security. NTFS File System. Described as a collection of files Files are classified into two types Normal data files – files that contain data Metadata files – files that contain data about data The four part of the NTFS system Master File Table

terrencem
Download Presentation

Chapter 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7 Configuring and Managing NTFS Security

  2. NTFS File System • Described as a collection of files • Files are classified into two types • Normal data files – files that contain data • Metadata files – files that contain data about data • The four part of the NTFS system • Master File Table • $Secure metafile • Transaction logging • Quota Tracking

  3. Layout of an NTFS Disk MFT $Boot Data 1 Data 2 Data 3 MFT Mirror $Secure Data 4

  4. Master File Table (MFT) • Contains • Pointers to the actual storage sites of files on the NTFS formatted disk • Directory indexes • Attributes for the files and folders • A mirror copy is maintained on each NTFS volume to insure recovery of the file system if the MFT is damaged.

  5. MFT Records MFT Records Data 1 Abc.doc Timestamp NTFSSID01 LCN Data 2 123.doc Timestamp NTFSSID01 LCN Data 3 xyz.xls Timestamp NTFSSID01 LCN Data 4 987.txt Timestamp NTFSSID01 LCN Location on Disk Security Index Reference Standard Information Attributes File Name Attribute MFT Record Header

  6. MFT is placed in an are called the MFT zone • The zone is an area set aside for expansion of the MFT • As a disk fills, the MFT zone will be reduced in size • If the zone becomes two small to hold all of the MFT data it will become fragmented • This will cause a significant reduction in performance

  7. Consolidated Security • Another area the MFT is responsible for is tracking security information • In earlier versions security descriptions were stored separately with each file and folder • Security descriptions – lists of users and group with access to the files or folders • $Secure metafile contains a common set of security descriptions that can be referenced by a single listing in the MFT

  8. As a file or folder is assigned security settings these setting are compared to the settings for other files and folders • If the comparisons match the file or folder is assigned the same entry in the $Secure metadata file. • This reduces the amount of resources needed to maintain separate security descriptions

  9. Transition logging • tracks changes to files • Ensures recovery by reversing unfinished transactions • Quota tracking • Tracks the amount of data that each user has stored • Prevent further disk writes if a quota limit has been set and exceeded by a user.

  10. NTFS Permissions • Security descriptions described above contain access control lists (ALC’s) • The ALC’s are lists of users and group security ID’s (SID) matched up with the permission setting for each SID. • The individual entries are called access control entries (ACE).

  11. Components of NTFS Permissions • Access Control Lists • Access control Entries • Users and Groups

  12. Access Control Lists • Access Control Lists (ACL) are the fundamental construct of all security in Microsoft Windows • Objects (from files to hard drive to group police objects) are controlled by Access Control Lists (ACL).

  13. Two Types of Access Control Lists (ACL) • System Access Control Lists (SACL) • Defined by the operating system (OS) • Controlled administratively by either • Policies • System administrator • Control auditing of access to objects

  14. Discretionary Access Control Lists (DACL) • Referred to as ACL’s • Lists of users and groups that have been granded access to objects • Access is granted at the discretion of the objects owner hence the word Discretionary

  15. Each object has a security description containing a Discretionary Access Control Lists (DACL) that defines what users and groups have access permissions to that object. • NTFS stores the DACL’s in the $Security metafile • NTFS records the DACL’s index attribute in the standard information attribute in the Master File Table

  16. MFT Records NFT Records Data 1 Abc.doc Timestamp NTFSSID01 LCN Data 2 123.doc Timestamp NTFSSID01 LCN Data 3 xyz.xls Timestamp NTFSSID01 LCN Data 4 987.txt Timestamp NTFSSID01 LCN Location on Disk Security Index Reference Standard Information Attributes File Name Attribute MFT Record Header

  17. Access Control Entries (ACE) • Access Control Lists consist of one or more Access Control Entries (ACE) • These Access Control Entries consist of • The user or group security identifier (SID) • Paired with permissions assigned to that security identifier (SID)

  18. Permissions (three types) • Allow – allows access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delet, etc) • Deny – denies access to the listed user or group security identifier (SID) for the listed operation (read, write, modify, delet, etc) • System Audit – a component of system control lists (SACL) lists the operations to be audited

  19. When more then one Action Control Entry (ACE) exists on an Action Control List (ACL) the effectives of all of the ACE’s are taken into account to determine what actions are permitted for a specific user.

  20. The Rule Governing Cumulative Effect ACE • Permission assigned to a user who has more then one Action Control Entry for an object is the most lenient of the accumulated permissions unless one of the permissions is Deny which overrides all other permissions for the specific operation.

  21. Example • A user might be a member of more then one security group with access to a file. • In one group the use has allow read permission • In the other group the user has allow read and allow modify • The user has the allow modify permission • If another group has allow modify and ,deny read the user can not open the file and this negates the modify permission

  22. Users and Groups • The final part of the NTFS security system • They are identified by security ID (SID) in the Access Control Entry (ACE) • By placing users into security groups and assigning groups access to NTFS objects you can easily control object access

  23. Three Major Group Types • Built-in security groups • Assigned security groups • Special groups

  24. Built-in Security Groups • These are groups included with the operating system • Examples include; • Users Group • Power Users • Administrative • Administrators have full control access to NTFS folders and files so they can administer permissions

  25. Assigned Security Groups • Groups created by administrators • Designed to make it easier to manage access to resources

  26. Special Groups • Groups who’s membership changes based on the circumstances of a user’s access to a file

  27. Examples of Special Groups • Creator Owner group – members are made up pf users who are creators or owners of a resource. • Network group – users who access a resource over a network • Everyone group – user identified by a user name who attempts to access resources on a system

  28. Managing NTFS Permissions • To manage permissions you must understand the use and consequences of each permission • You must understand how permissions from multiple group memberships work together

  29. Best Practices for Assigning Permissions • Assign the most restrictive NTFS permissions that will allow the users and groups to accomplish there assigned tasks • Assign all permissions at the folder level • Group files for which you want to restrict access into separate folders and then assign permissions to that folder creating restricted access

  30. Assign permissions to groups where ever possible • You can manage permissions for a group once and then assign users to that group to have access to the files and folders. • Avoid changing the permissions on system files and folders • This can cause unexpected and difficult to diagnose problems

  31. Do not deny access to the everyone group • Administrators are part of this group and would inherit the deny permission • It is better to remove the Everyone group from the Action Control List (ACL) and add individual groups

  32. For all executable file • Assign read, write and execute permissions to the administrators • Assign read and execute permissions to the user groups • This will prevent users or viruses from changing the executable files • Only individuals with administrate privileges will be able to write information to the executable files.

  33. For public folders assign • Full control to the Creator Owner • Read and write to the Authenticated Users group • This allows only the creator of the folder full access to files they create.

  34. If you do not what a user or a group to have access to a file or folder do not assign permissions. • If you do not grant permissions the user or group will not have access to the object • You should deny permissions under the following cases

  35. To exclude a person who belong to a group with the allow permission • To exclude one special permission form a standard permission group.

  36. How Permission to Access is Determined • When a user initiates a request to access an object, the application the user is using imitates an access request and attaches the users token • This token was generated when the user logged on • The token contains the users security identifier (SID) and any security groups the user belongs to.

  37. The token is compared to access control entry (ACE) of the objects Discreet Access Control List (DACL). • If the security identifier (SID) of the token matches the SID listed in the Access Control List (ACE) the permissions in the ACE are evaluated to see if access can be granted.

  38. If all of the access control entries (ACE’s) are evaluated and at least one grants access the object is opened • The only exception is if a there is a deny access permission.

  39. If no access control entries (ACE’s) are found referencing any of he users security identifier (SID) or one is found with DENY the operation access is denied.

  40. Effective Permissions • Effective permissions for a resource are the sum of NTFS permissions you assign to the individual users account and any group the user is part of.

  41. Troubleshooting NTFS Permissions • Almost all problems with file or folder access can be traced to improper effective permissions. • Either membership in a group can be causing a problem or from incorrectly assigning permissions to one or more groups the user is in.

  42. It is easy to lose track of deny permissions you have assigned, that is why the deny permission is only used in rare cases.

More Related