
Windows Security: Part 7

I could go on talking about Windows security forever, but I won’t, as we need to move on to other important issues. But in this last posting in this series I’d like to discuss and evaluate Windows object permissions. In Unix and Linux systems there are only three permissions: read, write and execute. Critics have long complained that having only three permissions does not provide the granularity needed for precise access control when the need for security is high.

Windows file and folder permissions go a long way in addressing this concern. Although the exact permissions available depend on the particular version of Windows, these systems have two types of permissions, Molecular and Atomic. Molecular permissions, which are more high-level in nature, generally include ones such as the following:

– Full Control
– Modify
– Read-Execute
– Read
– Write
– Special Permissions (e.g., Take Ownership)

In contrast, Atomic (or Advanced) permissions are very granular in nature. They generally include the following types of access rights:

– Full Control
– Traverse Folder / Execute File
– List Folder / Read Data
– Read Attributes
– Read Extended Attributes
– Create Files / Write Data
– Create Folders / Append Data
– Write Attributes
– Delete
– Read Permissions
– Change Permissions
– Take Ownership
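
To make the relationship between the two lists concrete, the following added example (not from the original post) expands a file or folder access mask into its atomic permissions, names the molecular permission it matches, and flags entries that let a broad group change permissions or take ownership. The bit values are the standard Windows file access-mask constants; Write Extended Attributes, Delete Subfolders and Files, and Synchronize belong to that mask but are not in the list above, and the function names and `SAMPLE_ACL` are constructed for illustration.

```python
# Added example: atomic permission names keyed by their access-mask bit
# (standard Windows file/folder access-mask values).
ATOMIC = {
    0x000001: "List Folder / Read Data", 0x000002: "Create Files / Write Data",
    0x000004: "Create Folders / Append Data", 0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes", 0x000020: "Traverse Folder / Execute File",
    0x000040: "Delete Subfolders and Files", 0x000080: "Read Attributes",
    0x000100: "Write Attributes", 0x010000: "Delete",
    0x020000: "Read Permissions", 0x040000: "Change Permissions",
    0x080000: "Take Ownership", 0x100000: "Synchronize",
}
# Molecular permissions are fixed combinations of atomic bits (Synchronize excluded).
MOLECULAR = {"Full Control": 0x0F01FF, "Modify": 0x0301BF, "Read-Execute": 0x0200A9,
             "Read": 0x020089, "Write": 0x000116}
SYNCHRONIZE, GENERIC_ALL = 0x100000, 0x10000000
ACL_CONTROL = 0x040000 | 0x080000  # Change Permissions | Take Ownership

def normalize(mask):
    """Map GENERIC_ALL (seen in inherit-only ACEs) onto the Full Control bits."""
    return mask | 0x1F01FF if mask & GENERIC_ALL else mask

def atomic_rights(mask):
    """Expand an access mask into the atomic permission names it grants."""
    return [name for bit, name in sorted(ATOMIC.items()) if normalize(mask) & bit]

def molecular_name(mask):
    """Name the molecular permission a mask equals, ignoring Synchronize."""
    core = normalize(mask) & ~SYNCHRONIZE & 0x1F01FF
    for name, value in MOLECULAR.items():
        if core == value:
            return name
    return "Special Permissions"

def risky_aces(aces, broad=("Everyone",)):
    """Return allow ACEs that let a broad trustee rewrite the ACL or take ownership."""
    return [(t, molecular_name(m)) for t, m in aces
            if t in broad and normalize(m) & ACL_CONTROL]

# Constructed sample: (trustee, access mask) pairs for allow ACEs on one folder.
SAMPLE_ACL = [("Administrators", 0x1F01FF), ("Users", 0x1200A9),
              ("Everyone", 0x1F01FF), ("Everyone", 0x120089)]

if __name__ == "__main__":
    for trustee, mask in SAMPLE_ACL:
        print(f"{trustee:15} {molecular_name(mask):20} {atomic_rights(mask)}")
    print("flagged:", risky_aces(SAMPLE_ACL))
```

Subtracting the Modify bits from Full Control leaves exactly Delete Subfolders and Files, Change Permissions and Take Ownership, which is why an unintended Full Control grant is so much worse than an unintended Modify grant.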

I suspect that most Windows administrators and users do not think about permissions for files and folders very much. After all, the default permissions for critical files and folders are almost without exception good from a security standpoint. For example, the default installation directory (which is generally C:\WINDOWS) in Windows XP systems by default allows Full Control to Administrators, but only Read, Read / Execute and List Contents permissions to Users. And the fact that permissions are by default inherited from higher level objects (e.g., folders) to lower-level objects (e.g., subfolders and files within folders) helps keep unsafe permissions from being assigned to newly created objects.

Permissions do not apply exclusively to files and folders. Active Directory containers and their attributes also have permissions that control how much access each group and person is allowed. Groups such as Enterprise Administrators and Domain Administrators are usually by default assigned Full Control access (or nearly as much access), whereas Users are usually by default assigned only something such as Read access. Once again, the default Active Directory object and attribute permissions are good from a security perspective. The only trouble with them that I have ever seen is when a new application that creates its own Active Directory objects and attributes has been installed. Sometimes faulty permissions such as Full Control to Everyone are assigned. Administrators thus need to find and change permissions that are created in this manner.

The only real limitation in Windows permissions is that they are in a certain sense overwhelming. Consider the widely accepted information security principle of keeping information classification schemes and labels simple. Failure to observe this principle causes confusion and complications that result in people failing to comply with standards related to labeling and handling sensitive information. The same basic principle applies to permissions. When there are too many of them and when there are tens of thousands of objects (files, directories, Active Directory containers and attributes, and shares) to which they apply, people will and do simply ignore them.

There is an alternative—Simple File Sharing (which is by default enabled on Windows XP Professional systems). This way of setting permissions offers a much simpler way of controlling share access to individual files, folders and even an entire hard drive, but critics complain that it is too simplistic and that it leads to errors that can leave files and file systems wide open to anyone.

I must credit Microsoft for at least offering meaningful choices when it comes to access control. For those who need high levels of security, there are Atomic and Molecular permissions. For those who don’t, there is Simple File Sharing. Really–what more could we ask?
