Question & Answer
Windows XP Accounts NTFS
- How can I impose restrictions myself? At the moment I can only choose between two kinds of account. I'm running Windows XP Pro.
[ This message was edited by: RoySuk on 2002-04-06 23:56 ]
Controlling Access with NTFS Permissions
If you’re frustrated by the limitations of Simple File Sharing, you do have an alternative—that is, if you’re running Windows XP Professional and if the drive that contains the files you want to protect is formatted with the NTFS file system. (On a machine running Windows XP Home Edition, the only way to adjust permissions on individual files or folders is by restarting in Safe Mode or using the Cacls utility from a command prompt, an option we describe in "Setting Permissions from a Command Prompt.")
By disabling Simple File Sharing and using the full range of NTFS access controls, you can accomplish any or all of the following goals:
Control access to any file or folder on any NTFS-formatted drive. This is a dramatic improvement over Simple File Sharing, which allows you to protect files in your user profile only.
Allow different types of access for different users or groups of users. For instance, you might allow your teenagers read-only access to your collection of digital music files, so they can play them but not erase them to make room for their own downloaded tunes. You and your spouse, on the other hand, get full rights to add or delete any files. This is a significant change from the all-or-nothing access controls available via Simple File Sharing.
Fine-tune permissions on specific files or folders. In a folder that contains the templates you use to create new documents or Web pages, you might want to restrict users to read-only access, while blocking their ability to overwrite or delete files. Anyone can open a new file based on an existing template, but you can be certain that the revised file won’t inadvertently replace one of your carefully crafted templates.
Setting NTFS permissions without understanding the full consequences can lead to unexpected and unwelcome results, including a complete loss of access to files and folders. Working with the built-in permission sets—Full Control, Modify, and so on—is the safest strategy. If you plan to tinker with special permissions, set up a folder and fill it with test files so that you can experiment safely. When you’re certain you’ve worked out the correct mix of permissions, apply them to the folder containing your real working files and delete the test folder.
The best way to begin working with permissions is to start by using the Make This Folder Private option on any folders you want to protect in your user profile. This sets a baseline of default permissions that guarantee you’ll have exclusive access to those files. After completing that process, you’re ready to turn off the Simple File Sharing interface and reveal the more complex Security tab, with its full array of NTFS permissions. To do so, from any Windows Explorer window, click Tools and then click Folder Options. On the View tab, clear the Use Simple File Sharing (Recommended) check box.
As a general practice, you should be consistent in your use of either the Simple File Sharing interface or the full NTFS permissions. Switching back and forth indiscriminately can wreak havoc with network shares, for instance, as we point out in Chapter 31, "Managing Shared Folders and Printers." If you normally use Simple File Sharing, but occasionally need to work with the full set of permissions, you can bypass the dialog boxes with this simple script, which toggles between the two modes. Open Notepad or any plain text editor and enter the following text:
' Toggles between Simple Sharing and full NTFS permissions
' ForceGuest = 1 means Simple File Sharing is on, 0 exposes the full Security tab.
' Writing to HKLM requires an administrator account.
Dim strOldForceGuestValue, WshShell
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
strOldForceGuestValue = _
    WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest")
' RegRead returns a REG_DWORD as a number; compare as text so 1 matches "1"
If CStr(strOldForceGuestValue) = "1" Then
    WshShell.RegWrite _
        "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest", 0, "REG_DWORD"
    WScript.Echo "Full permissions are now available"
Else
    WshShell.RegWrite _
        "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest", 1, "REG_DWORD"
    WScript.Echo "Simple sharing is now on"
End If
Alternatively, you can copy the ToggleSharingOptions.vbs file from the companion CD included with this book.
Save the file in the Windows folder or in the All Users\Desktop folder as ToggleSharingOptions.vbs. Create a shortcut to the script and add it to the All Programs menu; for even faster access, assign a keyboard shortcut to the script.
Applying Advanced Security Settings
To view and edit NTFS permissions for a file or folder, right-click its icon, choose Properties, and then click the Security tab. This dialog box lists all the groups and users with permissions set for the selected object. As the example in Figure 13-5 shows, you can assign different permissions to each user—in this case, Katy can read and play (Execute) files in the Music Downloads folder but is forbidden to change existing files (Modify) or create new ones (Write).
In Windows XP, the owner of a file or folder (typically the person who creates the file) has the right to allow or deny access to that resource. In addition, members of the Administrators group and other authorized users can grant or deny permissions. You can add individual users to the list of users and allow or deny specific types of file and folder actions. You can also assign permissions to built-in groups (Administrators, for instance) or create your own groups and assign permissions that way. As we’ll explain later in this section, some permissions don’t need to be explicitly defined but instead are inherited based on permissions from a parent folder. All permissions are stored in the file system as part of the access control list (ACL).
Figure 13-5. View and edit permissions for the selected user in the list at the bottom of this dialog box; each user or group can have a different set of permissions.
For more details about creating and managing user accounts and groups, see "Working with User Accounts."
If the user or group whose permissions you want to edit is already listed at the top of the Security dialog box, you can select check boxes in the Allow column to add permissions, or clear boxes to remove permissions. Select check boxes in the Deny column only if you want to explicitly forbid certain users from exercising a specific permission. Deny access control entries take precedence over any other permission settings that apply to an account, such as those granted through membership in a group. If you want to completely lock out a specific user or group from access to a selected file or folder, select the Deny check box on the Full Control line.
tip - Be careful with the Deny box
On the average home or small business computer, resist the temptation to select any of the check boxes in the Deny column on the Security tab. This option is typically used on large, complex networks where many groups of users are defined (individual departments, for example) and administrators want to exercise tight control over sensitive files in specific locations. Unraveling the interactions between Allow and Deny permissions can be a daunting task. On a machine with a handful of users, it’s almost always simpler to define permissions by selecting and clearing check boxes in the Allow column.
In most cases, you can safely assign permissions by selecting a user or group name and then selecting one or more of the predefined groups of permissions listed in the bottom of the Security dialog box. Table 13-1 describes the basic function of each of these entries.
Table 13-1. How Permissions Control File and Folder Access
Permission How It Controls Access to Files and Folders
Full Control Gives the designated user or group full control over the selected file or folder, as the name implies. Selecting this box selects all check boxes below it as well. These users can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.
Modify Allows users to read, change, create, and delete files, but not to change permissions or take ownership of files. Selecting this check box selects all the options listed below it and is equivalent to choosing the Write and Read & Execute permissions.
Read & Execute Allows the user to view files and execute programs. Selecting this check box selects the List Folder Contents and Read boxes as well.
List Folder Contents (folders only) Provides the same individual permissions as Read & Execute and is available only on the Security tab for a folder. The only difference between the two permissions is in the way they are inherited.[1]
Read Allows users to list the contents of a folder, view file attributes, read permissions, and synchronize files. This is the most basic permission of all.
Write Allows users to create files, write data, read attributes and permissions, and synchronize files.
Special Permissions If this permission is selected, the assigned permissions don’t match any of the built-in templates shown here. Click the Advanced button to see details.
[1] When the Read & Execute permission is applied to a folder, this permission is inherited by all files and subfolders within the folder. The List Folder Contents permission, on the other hand, though functionally identical, is inherited by subfolders but not by files within the folder or subfolders. For details about inherited permissions, see "Applying Permissions to Subfolders Through Inheritance."
To set permissions for a group or user that isn’t listed in the Group Or User Names box, follow these steps:
Open the properties dialog box for the file or folder and click the Security tab.
Click the Add button.
Type the name in the Select User Or Group dialog box shown here; when entering multiple names, separate them with semicolons. (Note that you must type the user name, which may be different from the full name that appears on the Welcome screen.)
Click the Check Names button to confirm that you entered the names correctly.
Click OK to return to the Security dialog box and set permissions for the newly added user(s).
On a standalone computer or on a computer that is part of a workgroup and is not joined to a Windows domain, the list of available names is drawn only from the account database on the local computer—that is, the computer at which you’re logged on. If your machine is a domain member, you can click the Locations button and choose whether you want to specify permissions based on users of the local computer or those in the domain’s directory. If you’re entering names of users on a Windows domain, enter a portion of the name and then click the Check Names button. Unfortunately, you can’t use the same shortcut to select users and groups defined in the local computer’s account database; instead, you have to enter the user’s name in full, and if you’re off by even a single letter you’ll get an error message. (Windows will, however, fill in the computer or domain name for you automatically.) To see a list of available local users and groups, click the Advanced button, and then click Find Now. The resulting list includes all user accounts, groups, and special accounts on the local computer.
When adding or removing permissions, follow these basic principles:
Start from the top and work down. By default, permissions you set on a folder apply to all files and subfolders within that folder. (For more details, see "Applying Permissions to Subfolders Through Inheritance.") Managing file access is much easier when you have a consistent set of permissions for all files in a location, with exceptions only where needed.
Organize shared data files into common locations. If shared data is scattered over multiple drives and folders, it’s too easy to inadvertently let permissions get out of sync. Try to consolidate shared data files into a single group of folders. When data is all in one place, you’ll find it easier to manage permissions and make proper backups.
Use groups whenever possible. This is especially important in a small business setting. Take advantage of the built-in Administrators, Power Users, and Users groups for basic permissions. If you need to define custom permissions so that several users can access files stored in multiple folders, use group-based permissions to simplify the process. Create a new local group and add the users who need access to the files in question. (For details, see "Using the Local Users and Groups Snap-in.") Open the properties dialog box for the first folder, click the Security tab, add the newly created group, and grant the appropriate permissions to that group. Repeat this process for each additional folder. Later, when one member of the group leaves and another one joins, you can change the group membership and automatically update the permissions for all folders without having to go through each folder’s properties dialog box again.
For more information about how to create and manage local groups, see "Working with User Accounts."
Steer clear of Special permissions. Unless you’re a wizard at understanding the interplay of NTFS permissions, resist the temptation to tweak special permissions for individual files or folders. The built-in security settings (Full Control, Modify, Read & Execute) cover most needs adequately.
Grant only the level of access that users require. If a specific user needs to read files stored in a certain location, but does not need to create new files or edit existing ones, grant that user only the Read permission. This precaution is especially important to prevent novices and untrained users from wiping out important data files accidentally.
You can’t change file or folder permissions.
If you’re unable to set custom permissions, look for the symptom in this list and try the following problem-solving techniques:
The Security tab is not visible. Do you see only a Sharing tab? If so, choose Tools, Folder Options and clear the Use Simple File Sharing (Recommended) check box. If, after making this change, you still see only a Sharing tab, check the properties for the drive; the most likely explanation is that the drive is formatted using the FAT32 file system. The Security tab is visible only on NTFS drives.
You’ve made changes, but the check marks disappear. This may not be a problem at all. If you set permissions and apply them to anything other than the default location—This Folder, Subfolder, And Files—Windows adds a check mark in the Special Permissions box (when viewing permissions for a folder, you have to scroll to the bottom of the Permissions list to see this box). You can view the applied permissions by clicking the Advanced button, selecting the user or group, and clicking the Edit button.
Permission settings are unavailable. Check your user account rights. You must be logged on as a member of the Administrators group or be the owner of an object to set its permissions. These settings will also be unavailable if the selected object is inheriting its permissions from a parent folder. To set custom permissions on such an object, you have to remove the inheritance, as described later in this chapter, in "Applying Permissions to Subfolders Through Inheritance."
Working with Built-in Users and Groups
In addition to the standard local groups (Administrators and Users, for instance), Windows XP includes a number of special identities. These users and groups, which are built into the system and can’t be deleted, are used to apply special permissions to system resources (including files and folders); in many cases, these identities are placeholders that apply to user accounts based on the way a given account uses the system.
Special identities are often referred to as well-known security identifiers (SIDs).
The most common special identity you’re likely to encounter in everyday use is the Everyone group, which includes all users who log onto the system. On a drive that’s been newly converted to NTFS, the Everyone group is assigned the Full Control permission—as you would expect, this has the effect of allowing anyone who logs on to the computer to do anything with files and folders on that drive, unless further restrictions are placed on subfolders and files.
Understanding these built-in accounts and groups is crucial to using advanced NTFS permissions effectively. Table 13-2 lists the most common special identities.
Table 13-2. Special Identities Available in Windows XP
Special Identity Description
Everyone Includes every user who accesses the computer, including Guests. This group does not include Anonymous logons.
Creator Owner Identifies the user who created the selected file or folder or who has taken ownership of it since it was created.
Authenticated Users Includes any user who logs on with a user name and password. Unlike the Everyone identity, this group does not include users who log on as Guest, even if the Guest account has been assigned a password.
Interactive Includes any user that logs on locally or through a Remote Desktop connection.
Anonymous Logon Identifies network logons for which credentials are not provided, such as connections to a Web server. Anonymous and Interactive logons are mutually exclusive.
Dialup Includes any user who accesses the computer over a dial-up connection.
Network Includes any user that logs on over the network. Does not include Interactive logons that use Remote Desktop over a network.
Some of these special identities are esoteric, and the average user will never need to apply them. But others can be extremely powerful additions to your security toolkit. For instance, you can use the following combinations of permissions to tighten security on your computer:
For shared data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the Creator Owner special identity. In this configuration, every user who creates a file or folder becomes that object’s owner and has the ability to read, modify, and delete it. Other users can read and modify documents created by other users but can’t accidentally delete them.
If you have a second drive in your system and you want to prevent all access to files on that drive by anyone using the Guest account, change the default permissions on the root of the drive. Add the Authenticated Users group and give it Full Control, and then remove the default Everyone group.
One of the most common mistakes made by users who are inexperienced with NTFS permissions is to remove the Everyone group from the root of a drive—or worse, to select the Deny box next to Full Control for this group. If you try to take either of these drastic measures in Windows XP Professional, the system displays a dialog box warning you that you’re about to deny all access to all files on the drive by all users—which is almost certainly not the intended result! Remember, more restrictive permissions always override more lenient permissions. As a rule of thumb, the best strategy for the permissions on the top-level folder for any drive is to make sure that all users who will access files on that drive have the proper level of access. After you’ve organized data on that drive, tighten up permissions on each subfolder so that it’s accessible by the correct users and groups.
Windows XP includes three special identities that are reserved for software and system processes and are never used by human users. The Batch identity provides permissions for any batch process (such as a job launched via Task Scheduler) that needs to access a resource on the computer. The Service identity is used by system services and is controlled by the operating system. The System identity allows the operating system itself to access protected resources. As a general rule, permissions for these three groups are set by the operating system and should never be adjusted by users.
Tampering with the default permissions on the drive that contains Windows system files is a bad idea. As part of the setup process, Windows XP applies specific permissions to the root of the system drive; to the Windows, System32, and Documents And Settings folders; and to specific subfolders within each of these locations. Changing the default permissions will not improve security and will almost certainly cause some users or programs to have problems. If you’ve made a mess of permissions in a system folder and you need to know how to put things right again, search the Knowledge Base for a Windows XP–specific update to article Q244600, "Default NTFS Permissions in Windows 2000."
Applying Permissions to Subfolders Through Inheritance
Files and subfolders can inherit permissions from a parent folder. By default, any new permissions you assign to a folder are passed on to subfolders as well. Thus, when you create a new subfolder in your My Documents folder, it inherits the permissions you’ve set for your profile. If you made your user profile private, the new subfolder and any files you create or store within it will be private as well.
You can prevent permissions from being inherited by changing the inheritance options for a folder. You can specify that subfolders or files (or both) no longer inherit permissions that have been assigned to the parent folder containing them. Instead, only permissions you explicitly apply to files and subfolders will apply.
To see the inheritance options for a selected folder, right-click the folder icon, choose Properties, and then click the Security tab. Click the Advanced button to display the Advanced Security Settings dialog box. The Inherited From column in the Permission Entries list shows the parent folder from which a given set of permissions is inherited. In the example shown in Figure 13-6, the Everyone group inherits Full Control permissions from the access control list on the root folder of drive E, whereas the other permissions, designated as <not inherited>, have been applied directly on this folder.
In this example, the inherited permissions are getting in the way of the tight security we want to apply to this folder. To remove the inherited permissions, clear the option labeled Inherit From Parent The Permission Entries That Apply To Child Objects. When you clear this check box, you see the following dialog box, which warns you to specify how you want to reset the permissions on the selected folder.
Choose one of the following three options:
Copy. This option copies the permissions from the parent folder to the current file or folder and then breaks the inheritance link to the parent folder. After choosing this option, you can adjust the permissions to suit your security needs.
Remove. This option completely removes the inherited permissions and keeps only the permissions you’ve explicitly assigned to the file or folder.
Cancel. This option closes the warning dialog box and leaves the inheritance options intact.
Figure 13-6. The list of permissions shown here helps you identify which are inherited from parent folders.
When you remove inherited permissions from a folder, it becomes a new top-level folder. By default, any permissions you assign to this folder ripple down the hierarchy of subfolders and to files within those subfolders as well.
For an excellent illustration of how these settings all work together, look at the permissions on your user profile after you choose the Simple File Sharing option to make the folder private. Using Simple File Sharing, click the Make This Folder Private option, and then turn off Simple File Sharing. When you click the Advanced button on the Security tab of the "private" folder, you’ll see that the Inherit From Parent The Permission Entries That Apply To Child Objects check box has been cleared and that the permissions on the folder now include only the System account and your user account, both with Full Control permissions. The net effect is to block out every user except you.
In some cases, you may want to apply two or more sets of permissions to the same folder for the same group, with each set of permissions having different inheritance settings. For instance, say that you and several coworkers on a shared computer are working on a top-secret project. You’ve set up a shared folder called Project X Files for use by everyone who has an account on your computer. In the main folder, you’ve stored a handful of document templates that you want members of the team to use when creating new documents; you’ve also set up subfolders to hold files that are currently being worked on.
In this scenario, you might want the Everyone group to have Read & Execute access to files within a top-level folder, and Full Control over subfolders. Using this arrangement of permissions, you can allow users to open templates stored in the top-level folder, while protecting those templates from accidental changes or deletions. By using a different set of permissions on subfolders, you can allow users to create new files and modify previously saved documents. To apply permissions with this level of fine-grain control, follow these steps:
Open the properties dialog box for the top-level folder you want to adjust (Project X Files in this example), and click the Security tab.
Click the Add button.
In the Select Users Or Groups dialog box, enter Administrators and click OK.
Choose Administrators from the Group Or User Names List at the top of the properties dialog box, and then select the Allow box to the right of the Full Control entry in the Permissions list.
Click the Add button again.
This time, enter Everyone in the Select Users Or Groups dialog box and click OK.
Select Everyone and then select the Allow box to the right of the Read & Execute entry.
Click the Advanced button to open the Advanced Security Settings dialog box.
If necessary, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box (and then select Copy when the Security message appears).
Select the entry for Everyone and click the Edit button to open the Permission Entry dialog box (shown here). Open the Apply Onto list, choose This Folder And Files, and click OK.
From the Advanced Security Settings dialog box, click the Add button.
In the Select User Or Group box, enter Everyone and click OK.
In the Permission Entry dialog box, check the Full Control box, choose Subfolders Only from the Apply Onto list, and then click OK.
The resulting set of permissions should look like the one shown in Figure 13-7. With these settings, you and other members of the Administrators group can add and change files in the main folder; you can also add subfolders. All other users can view and open files in the main folder but can’t create new files, change existing files, or delete files or subfolders. They can, however, save files in the subfolders you create.
Figure 13-7. By applying different sets of permissions to files and subfolders, you can fine-tune permissions for a group of folders all at once.
What’s the advantage of using inherited permissions in this fashion? Each time you create a subfolder, Windows automatically applies the proper permissions to it, using the inheritance settings you defined. Without these settings, you would be forced to define permissions from scratch for each new subfolder. That’s a lot of needless work, with the potential for errors and inconsistencies. More importantly, if you decide to change the permissions later—by changing the Full Control permission for subfolders from the Everyone group to a more limited group of users, for instance—you can make a single change and have the changes apply to all the child folders automatically.
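To make the Copy/Remove choice and the Apply Onto settings of the Project X Files walkthrough concrete, here is an added Python model; it is not the book's code. It uses the real ACE inheritance flags that sit behind the Apply Onto list (OI = object inherit, CI = container inherit, IO = inherit only, NP = no propagate), and it also handles the Creator Owner substitution that the shared-data-folder suggestion earlier on the page relies on. The subfolder and file names (Drafts, memo.doc) and the users (Ed, Katy) are invented for the demonstration.

```python
"""NTFS inheritance model: Apply Onto choices, Copy vs Remove, and the
Project X Files layout. Added example, not the book's code; names invented."""
from dataclasses import dataclass, replace
from enum import Flag


class Inherit(Flag):
    """The ACE inheritance flags behind the Apply Onto list."""
    NONE = 0
    OI = 1   # object inherit: files below receive the entry
    CI = 2   # container inherit: subfolders below receive the entry
    IO = 4   # inherit only: not in force on the object it sits on
    NP = 8   # no propagate: one level down, then stop


APPLY_ONTO = {
    "This folder only": Inherit.NONE,
    "This folder, subfolders and files": Inherit.OI | Inherit.CI,
    "This folder and subfolders": Inherit.CI,
    "This folder and files": Inherit.OI,
    "Subfolders and files only": Inherit.OI | Inherit.CI | Inherit.IO,
    "Subfolders only": Inherit.CI | Inherit.IO,
    "Files only": Inherit.OI | Inherit.IO,
}


@dataclass(frozen=True)
class Ace:
    principal: str
    permission: str            # basic permission name from the Security tab
    flags: Inherit = Inherit.NONE
    inherited: bool = False


def inherit_to_child(parent_acl, child_is_folder, creator):
    """Entries a newly created child receives from its parent folder.
    `creator` replaces CREATOR OWNER on the copy that is in force."""
    child = []
    for ace in parent_acl:
        f = ace.flags
        if child_is_folder:
            if Inherit.CI in f:
                # in force on the subfolder; keeps propagating unless NP
                nf = Inherit.NONE if Inherit.NP in f else f & ~Inherit.IO
            elif Inherit.OI in f and Inherit.NP not in f:
                # a files-only entry rides through the subfolder as inherit-only
                nf = f | Inherit.IO
            else:
                continue
        elif Inherit.OI in f:
            nf = Inherit.NONE      # a file has no children to pass it on to
        else:
            continue
        if ace.principal == "CREATOR OWNER" and Inherit.IO not in nf:
            # the in-force copy names the actual creator with no inheritance
            # flags, so later children do not inherit the first creator's rights
            child.append(Ace(creator, ace.permission, Inherit.NONE, True))
            if nf == Inherit.NONE:
                continue
            nf |= Inherit.IO       # placeholder stays for this folder's children
        child.append(replace(ace, flags=nf, inherited=True))
    return child


def break_inheritance(acl, choice):
    """The warning shown when you clear Inherit From Parent: Copy turns the
    inherited entries into explicit ones, Remove drops them."""
    if choice == "Copy":
        return [replace(a, inherited=False) for a in acl]
    if choice == "Remove":
        return [a for a in acl if not a.inherited]
    raise ValueError("choice must be 'Copy' or 'Remove'")


def in_force(acl):
    """(principal, permission) pairs that apply to the object itself."""
    return sorted({(a.principal, a.permission) for a in acl if Inherit.IO not in a.flags})


# Project X Files as set up in the numbered steps in the text
PROJECT_X = [
    Ace("Administrators", "Full Control", APPLY_ONTO["This folder, subfolders and files"]),
    Ace("Everyone", "Read & Execute", APPLY_ONTO["This folder and files"]),
    Ace("Everyone", "Full Control", APPLY_ONTO["Subfolders only"]),
]

# Shared data folder from the special-identities section: Users get Read &
# Execute plus Write, and the creator of each file gets Full Control over it
SHARED_DATA = [
    Ace("Users", "Read & Execute", APPLY_ONTO["This folder, subfolders and files"]),
    Ace("Users", "Write", APPLY_ONTO["This folder, subfolders and files"]),
    Ace("CREATOR OWNER", "Full Control", APPLY_ONTO["Subfolders and files only"]),
]


def project_x_layout():
    """A template in the top folder, a subfolder, and a file in that subfolder."""
    template = inherit_to_child(PROJECT_X, False, "Ed")
    drafts = inherit_to_child(PROJECT_X, True, "Ed")
    memo = inherit_to_child(drafts, False, "Katy")
    return {"template.dot": in_force(template), "Drafts": in_force(drafts),
            r"Drafts\memo.doc": in_force(memo)}


def shared_data_file(creator):
    return in_force(inherit_to_child(SHARED_DATA, False, creator))


if __name__ == "__main__":
    for name, entries in project_x_layout().items():
        print(name, entries)
    print("Katy's file in the shared folder:", shared_data_file("Katy"))
    print("Drafts after Remove:", break_inheritance(inherit_to_child(PROJECT_X, True, "Ed"), "Remove"))
```

Running it shows the point of the walkthrough: a file in the top folder ends up with Administrators Full Control and Everyone Read & Execute only; the Drafts subfolder gets Everyone Full Control in force (its Read & Execute entry rides along as inherit-only); and a file saved inside Drafts again gets only Read & Execute for Everyone, because the Subfolders Only entry has no object-inherit flag. Choosing Remove on Drafts leaves it with no entries at all, which is exactly the lock-out the text warns about.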
Testing the Effect of Permissions
Because file and folder permissions can come from a variety of settings, it’s sometimes difficult to figure out exactly what each user can and can’t do with a given file or folder. As a general rule, you can figure out effective permissions by combining all the NTFS permissions assigned to an individual user account and to all of the groups to which that user belongs. Thus, if a user has Read & Execute permission for a folder set through her user account and is also a member of a group that has been assigned Write permissions for that folder, she has both Read and Write permissions for the folder.
On a scale of complexity, calculating effective permissions is more difficult than programming a VCR and only slightly less taxing than quantum physics. Fortunately, Windows XP Professional includes a new tool that does the calculations for you.
To see what the effect of all NTFS permissions will be on a given user or group, follow these steps:
Right-click the file or folder in question and then choose Properties.
On the Security tab, click the Advanced button and then click the Effective Permissions tab.
Click the Select button to open the Select User or Group dialog box.
Enter the name of the user or group for which you want to check effective permissions and then click OK.
Anyone who’s ever struggled trying to figure out Windows 2000 permissions will really appreciate the Effective Permissions dialog box in Windows XP. It’s a wonderful addition, and if you’re going to use NTFS permissions you should learn its ins and outs. Unfortunately, it also includes one potentially confusing interface element: The Group Or User Name box looks like a place to enter text directly, but it doesn’t work that way in practice. You have to display the Select User or Group dialog box to enter a name. Presumably, this will be fixed in a service release.
The resulting dialog box shows the effective permissions that apply to the user or group you selected. These permissions are presented using the complete list of available permissions from the Advanced Security Settings dialog box, which are far more detailed than those shown on the Security tab. This level of detail can be difficult to decipher, but it’s crucial in identifying subtle changes that can compromise security. In the example in Figure 13-8, for instance, the user named Ed has permissions that are equivalent to Read & Execute; in addition, he can change permissions on the selected object.
The Effective Permissions calculation looks up all local and domain groups to which a user or group belongs and takes those permissions into account in its summary. A check mark identifies permissions that have been assigned. The resulting display is a snapshot of permissions based on other settings. You can’t change any permissions from this dialog box.
The effective permissions calculation does not include the Anonymous Logon or Authenticated Users group, nor does it include settings granted because a user is the Creator Owner of an object. In addition, the calculation does not consider whether you’re logging on interactively or over a network. If you’ve customized any of these permissions, you’ll need to account for the differences.
Figure 13-8. Use this dialog box to see how permissions through user accounts and groups combine for a given user. Check marks indicate which permissions are assigned.
Using Special Permissions
Don’t be misled by the long list of so-called special permissions that you see when you click the Advanced button, select a user or group name, and then click the Edit button. Whenever you use NTFS permissions, whether it’s through the Simple File Sharing model or the more full-featured Security dialog box, your actions result in changes to this list. Using the built-in permission options—Full Control, Modify, and so on—actually sets predetermined groups of permissions here. Figure 13-9, for instance, shows the results when you select the Allow box next to the Read & Execute entry—Windows actually sets five individual permissions in response to the single click.
When dealing with unusual access control situations, the best solution is usually to start by applying the predefined basic permission that comes closest to the desired result. Then add or remove special permissions as needed. Table 13-3 lists the full set of special permissions that are applied when you set each of the predefined permission options.
Table 13-3. Special Permissions Applied by Basic Permissions

Basic Permission                          Special Permissions
Read                                      List Folder / Read Data
                                          Read Extended Attributes
Read & Execute or List Folder Contents    All Read permissions listed above
                                          Traverse Folder / Execute File
Write                                     Create Files / Write Data
                                          Create Folders / Append Data
                                          Write Extended Attributes
Modify                                    All Read & Execute permissions listed above
                                          All Write permissions listed above
Full Control                              All permissions listed above
                                          Delete Subfolders And Files
Figure 13-9. In general, you don’t need to adjust these so-called special permissions. Using the check boxes on the Security dialog box makes the adjustments for you.
Setting Permissions from a Command Prompt
Cacls.exe, a command-line utility available in both Windows XP Professional and Home Edition, provides another way to view and edit permissions. With Cacls (short for Control ACLs), you can view existing permissions by typing cacls filename at a command prompt, replacing filename with the name of the file or folder you’re interested in (wildcards are acceptable as well). The resulting list of permissions is terse, to say the least. Next to each user account name, Cacls displays a single letter for any of three standard permission settings: F for Full Control, C for Change, R for Read. Any other combination of settings from the Security tab or the Advanced Security Settings dialog box generates output only a programmer could love.
Cacls is useful for quickly finding the permissions for an object—particularly if you’re already working in a Command Prompt window. As an administrator, especially when working with Windows XP Home Edition, it’s an indispensable part of your toolkit.
tip - Get a more powerful permission tool
If you like Cacls, you’ll love Xcacls. As the name suggests, it’s an extended version of the basic utility included with Windows 2000 and Windows XP. This utility is included in the Support Tools collection found on the Windows XP CD in \Support\Tools\Support.cab.
You can also set permissions with Cacls. In fact, in Windows XP Home Edition, using this utility is the only way to adjust individual permissions without restarting in Safe Mode. Use the switches listed in Table 13-4 to modify the effects of Cacls.
Table 13-4. Command-line Switches for Cacls.exe
Switch What It Does
/T Changes permissions of specified files in the current directory and all subdirectories
/E Edits access control list instead of replacing it
/C Continues on "access denied" errors
/G user:perm Grants specified user access rights; if used without /E, completely replaces existing permissions
/R user Revokes specified user’s access rights (must be used with /E)
/P user:perm Replaces specified user’s access rights
/D user Denies access to specified user
In conjunction with the /G and /P switches, use one of the following four letters where indicated by the perm placeholder:
F (for full control) is equivalent to selecting the Allow box next to Full Control on the Security tab.
C (for change) is equivalent to selecting the Allow box for Modify.
R (for read) is equivalent to selecting the Allow box for Read & Execute.
W (for write) is equivalent to selecting the Allow box for Write.
Note that wildcards can be used to specify more than one file in a command and that you can specify more than one user in a command. For instance, if you’ve created a subfolder called Archives in the Shared Documents folder and you want Carl to have Full Control and Craig to have Read permissions in that folder, open a command prompt window, navigate to the Shared Documents folder, and type the following command:
cacls archives /g carl:f craig:r
If you then decide that you want to revoke Craig’s access rights and give Read permissions to the Administrators group, type this command:
cacls archives /e /r craig /g administrators:r
Just because you can set permissions with Cacls doesn’t mean you should. It’s easy to make a mistake that causes you to lose existing permissions on a file. If you’re using Windows XP Professional, there’s no reason to use Cacls to set permissions. If you’re using Windows XP Home Edition, try the Cacls command on a test folder first and make sure that your settings have the desired effect before you use this command on your actual working files.
Taking Ownership of Files and Folders
When you create a file or folder on an NTFS drive, Windows XP designates your user account as the owner of that object. That status gives you the right to allow or deny permission for other users and groups to access the file or folder. As owner, you can lock out every other user, including all members of the Administrators group.
So what happens if you turn over responsibility for a document (or an entire folder full of documents) to another user? As the owner, you can allow the other user to take ownership of the object. In addition, any member of the Administrators group can take ownership of any file or folder, although he or she cannot transfer ownership to other users.
Turning over the ownership of a file or folder makes sense when you want someone else to be responsible for setting permissions for that object. To ensure a smooth transition of power, use either of the following techniques.
If you’re a member of the Administrators group, follow these steps:
Right-click the file or folder icon and choose Properties.
On the Security tab, click the Advanced button to open the Advanced Security Settings dialog box for the file or folder.
Click the Owner tab. As the example in Figure 13-10 shows, this dialog box shows the current owner and allows you to transfer ownership to the Administrators group or to your account.
Select either name from the Change Owner To list and click OK.
Figure 13-10. Only members of the Administrators group have the right to take ownership of files and folders.
If you’re not an administrator, you must first be granted the right to take ownership of a file or folder explicitly. To do this, ask the current owner or any member of the Administrators group to add your account to the access control list for the file or folder and give you the Take Ownership permission. This permission can be found at the bottom of the list of special permissions available by clicking Edit from the Advanced Security Settings dialog box.
Ultimately, the ability for an administrator to take ownership of files and folders means that you can’t count on absolute privacy for any files stored on an NTFS drive. No matter how securely you lock them up, an administrator can break through the lock by taking ownership of the files. This is a brute force solution, however, and it’s not something that can be easily hidden. If you’re concerned about security and you want to monitor changes in ownership of file-system objects, configure your system so that Take Ownership events in a particular location are audited. You’ll find step-by-step instructions in "Seeing Who Has Tried to Access Your Files and Folders."
Do you need to know anything else?
[ This post was edited by: Binary on 2002-04-08 15:02 ]
- Small addition:
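The Cacls behaviour described in the post above (the F/C/R/W letter mapping, the difference between editing an ACL with /E and silently replacing it without, and the cumulative view the Effective Permissions dialog gives) modeled in Python as an added example. This is not code from the book or the page and it does not call the real cacls.exe; it replays the two commands from the text against an in-memory ACL. The special-permission sets use the standard NTFS mapping, which includes entries (Read Attributes, Read Permissions, Write Attributes, Delete, Change Permissions, Take Ownership) that the table as pasted above omits. The Archives folder ACL and the names Carl, Craig and Ed are constructed.

```python
"""Model of NTFS permission editing in the style of Cacls.exe (constructed example, not real ACLs)."""
from dataclasses import dataclass

# Special permissions granted by each basic permission (standard NTFS mapping).
READ = frozenset({"List Folder / Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
READ_EXECUTE = READ | {"Traverse Folder / Execute File"}
WRITE = frozenset({"Create Files / Write Data", "Create Folders / Append Data",
                   "Write Attributes", "Write Extended Attributes"})
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders And Files", "Change Permissions", "Take Ownership"}

# The four letters Cacls accepts after "user:" in /G and /P.
CACLS_LETTER = {"F": FULL_CONTROL, "C": MODIFY, "R": READ_EXECUTE, "W": WRITE}


@dataclass(frozen=True)
class Ace:
    trustee: str        # account or group name, lower-cased
    allow: bool         # True for an Allow entry, False for a Deny entry
    rights: frozenset   # special permissions covered by this entry


def cacls(acl, *args):
    """Return the ACL that results from running `cacls <object> args...` against `acl`.

    Handles /E, /T, /C, /G user:perm, /R user, /P user:perm and /D user.  Exactly as the
    text warns, /G and /P without /E start from an empty list and so discard every
    existing entry; /R is refused without /E, as the real tool does.
    """
    args = [a.lower() for a in args]
    edit = "/e" in args
    new = list(acl) if edit else []
    i = 0
    while i < len(args):
        switch = args[i]
        i += 1
        if switch in ("/e", "/t", "/c"):
            continue                     # flags without operands (no subtree recursion here)
        operands = []
        while i < len(args) and not args[i].startswith("/"):
            operands.append(args[i])
            i += 1
        for operand in operands:
            if switch == "/r":
                if not edit:
                    raise ValueError("/R must be used with /E")
                new = [a for a in new if a.trustee != operand]
            elif switch == "/d":
                new.insert(0, Ace(operand, False, FULL_CONTROL))   # Deny entries go first
            elif switch in ("/g", "/p"):
                user, letter = operand.split(":")
                if letter.upper() not in CACLS_LETTER:
                    raise ValueError(f"unknown permission letter {letter!r}")
                if switch == "/p":
                    new = [a for a in new if a.trustee != user]
                new.append(Ace(user, True, CACLS_LETTER[letter.upper()]))
            else:
                raise ValueError(f"unsupported switch {switch}")
    return new


def effective(acl, user, groups=()):
    """Effective permissions for `user`: the union of everything allowed to the account and
    to each group it belongs to (the cumulative rule in the text), minus anything a Deny
    entry for any of them withholds, since Windows evaluates Deny entries ahead of Allow."""
    members = {user.lower()} | {g.lower() for g in groups}
    granted, denied = set(), set()
    for ace in acl:
        if ace.trustee in members:
            (granted if ace.allow else denied).update(ace.rights)
    return frozenset(granted - denied)


def demo():
    """Replay the two commands from the text on a constructed Archives folder ACL."""
    acl = cacls([], "/g", "carl:f", "craig:r")            # cacls archives /g carl:f craig:r
    acl = cacls(acl, "/e", "/r", "craig", "/g", "administrators:r")
    # Forgetting /E on a later command replaces the list and silently drops Carl's entry.
    wiped = cacls(acl, "/g", "administrators:r")
    return acl, wiped


if __name__ == "__main__":
    kept, wiped = demo()
    print("carl with /E   :", sorted(effective(kept, "carl")))
    print("carl without /E:", sorted(effective(wiped, "carl")))
```

Running the script shows Carl keeping Full Control after the /E edit and having no permissions at all after the same grant is issued without /E, which is the mistake the text warns about when it says it is easy to lose existing permissions with Cacls.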
Introducing Windows XP Security
The Windows XP approach to security is discretionary. That is, each securable system resource-each file or printer, for example-has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file's owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn't create.)
To exercise full discretionary control over individual files, you must store those files on an NTFS volume. Windows XP supports the FAT and FAT32 file systems used by MS-DOS and Windows 95, Windows 98, and Windows Me for the sake of compatibility. However, the FAT and FAT32 systems were not designed with security in mind. To enjoy the full benefits of Windows XP security, you must use NTFS. For more information, see "NTFS or FAT32: Which Disk Format Should You Choose?".
To determine which users have access to a resource, Windows assigns a security ID (SID) to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you log on, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. (Security groups are described later in this chapter.) Any program you start gets a copy of your security access token.
Whenever you attempt to walk through a controlled "door" in Windows (for example, when you connect to a shared printer), or any time a program attempts to do that on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you see an unavailable menu or dialog box control or, in some cases, you get to hear a beep and read a refusal message.
In determining whom to pass and whom to block, Windows consults the resource's access control list (ACL). This is simply a list of SIDs and the access privileges associated with each one. Every resource subject to access control has an ACL.
Permissions and Rights
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner-for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.
The owner of a resource (or an administrator) assigns permissions to the resource via its properties dialog box. For example, if you are the printer owner or have administrative privileges, you can restrict someone from using a particular printer by visiting the properties dialog box for that printer. Administrators set rights via the Local Security Policy console in the Administrative Tools folder. If you have an administrative account, you can use Local Security Policy to grant someone the right to load a device driver.
In Depth: Security Identifiers
Windows XP security relies on the use of a security identifier (SID) to identify a user. When you create a user account, Windows assigns a unique SID to that account. The SID remains uniquely associated with that user account until the account is deleted, whereupon the SID is never used again-for that user or any other user. Even if you re-create an account with identical information, a new SID is created.
A SID is a variable-length value that contains a revision level, a 48-bit Identifier Authority value, and a number of 32-bit subauthority values. The SID takes the form S-1-x-y1-y2-.. S-1 identifies it as a revision 1 SID; x is the value for the IdentifierAuthority; and y1, y2, and so on are values for subauthorities.
You'll sometimes see the SID in a security dialog box (for example, on the Security tab of a file's properties dialog box while Simple File Sharing is not enabled) before Windows has had time to look up the user account name. If a SID on a Security tab doesn't change to a name, it's because it's a SID for an account that has been deleted; you can safely delete it from the permissions list because it'll never be used again. You'll also see SIDs in the hidden Recycler folder (each SID you see in this folder represents the Recycle Bin for a particular user), in the registry (the HKEY_USERS hive contains a key, identified by SID, for each user account on the computer), and deep in the %UserProfile%\Application Data\Microsoft folder structure, among other places.
Not all SIDs are unique. A number of commonly used SIDs are constant among all Windows XP installations. For example, S-1-5-18 is the SID for the built-in System account, a hidden member of the Administrators group that is used by the operating system and by services that log on using the System account. Microsoft Windows XP Professional Resource Kit Documentation (Microsoft Press, 2001) contains a complete list of such SIDs, called well-known SIDs.
In this book, as in many of the Windows XP messages and dialog boxes, privileges serves as an informal term encompassing both permissions and rights.
The backbone of Windows XP security is the ability to uniquely identify each user. During setup-or at any time later-a computer administrator creates a user account for each user. The user account is identified by a user name and (optionally) a password, which the user provides when logging on to the system. Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.
In addition to such "normal" user accounts, Windows provides two special accounts that have predefined sets of permissions and rights associated with them: the Administrator account and the Guest account.
Administrator account. Every computer running Windows XP has a special account named Administrator. This account has full rights over the entire computer. It can create other user accounts and is generally responsible for managing the computer. Many system features and rights are off limits to accounts other than Administrator (or another account that belongs to the Administrators group).
Guest account. The Guest account resides at the other end of the privilege spectrum. It is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. (By default, the Guest account is disabled on a clean install of Windows XP; no one can use an account that's disabled.) The Guest account is also used for access to shared network resources on your computer when Simple File Sharing is enabled.
For information about using the Administrator account, see "What Happened to the Administrator Account?". For information about using the Guest account, see "Setting Up a Secure Guest Account."
Local Accounts and Groups vs. Domain Accounts and Groups
Windows stores information about user accounts and security groups in a security database. Where the security database resides depends on whether your computer is part of a workgroup or a domain.
A workgroup setup (or a standalone computer) uses only local user accounts and local groups-the type described in this chapter. The security database on each computer stores the local user accounts and local groups that are specific to that computer. Local user accounts allow users to log on only to the computer where you create the local account. Likewise, a local account allows users to access resources only on that same computer. (This doesn't mean that you can't share your resources with other network users, even if you're not part of a domain. For details, see Chapter 31, "Managing Shared Folders and Printers.") With such a setup, you avoid the initial expense of purchasing and configuring Microsoft Windows .NET Server-but because you must manage user accounts on each individual computer, this process becomes unwieldy with more than five or ten computers.
The alternative is to set up the network as a domain. A Windows domain is a network that has at least one machine running Windows .NET Server, Windows 2000 Server, or Windows NT Server as a domain controller. A domain controller is a computer that maintains the security database, including user accounts and groups, for the domain. With a domain user account, you can log on to any computer in the domain (subject to your privileges set at the domain level and on individual computers), and you can gain access to permitted resources anywhere on the network.
In general, if your computer is part of a Windows domain, you shouldn't need to concern yourself with local user accounts. Instead, all user accounts should be managed at the domain controller. But you might want to add certain domain user accounts or groups to your local groups. By default, the Domain Admins group is a member of the local Administrators group, and Domain Users is a member of the local Users group; members of those domain groups thereby assume the rights and permissions afforded to the local groups to which they belong.
Domain-based accounts and groups are also known as global accounts and global groups.
For more information about working with domains, see Chapter 33, "Working with Windows Domains."
Account type is a simplified way-new in Windows XP-of describing membership in a security group, a collection of user accounts. Groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.
Groups are a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. Although you can grant privileges to each user account individually, doing so is tedious and prone to errors-and usually considered poor practice. You're better off assigning permissions and rights to groups, and then adding user accounts to the group with the appropriate privileges.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all the privileges accorded to all groups of which the user account is a member.
Windows XP classifies each user account as one of four account types:
Computer administrator. Members of the Administrators group are classified as computer administrator accounts. The Administrators group, which by default includes the Administrator account and all accounts you create during Windows XP setup, has more control over the system than any other group. Computer administrators can
Create, change, and delete user accounts and groups
Access all files
Take ownership of files
Grant rights to other user accounts and to themselves
Install or remove hardware devices
Log on in Safe Mode
Limited. Members of the Users group are classified as limited accounts. By default, limited accounts can
Change the password, picture, and associated .NET Passport for their own user account
Use programs that have been installed on the computer
View permissions (if Simple File Sharing is disabled)
Create, change, and delete files in their document folders
View files in shared document folders
Guest. Members of the Guests group are shown as guest accounts. Guest accounts have privileges similar to limited accounts. A user logged on with the Guest account (but not any other account that is a member of the Guests group) cannot create a password for the account.
Unknown. The account type for a user account that is not a member of the Administrators, Users, or Guests group is shown as Unknown. Because accounts you create with User Accounts in Control Panel are automatically assigned to the Administrators group or the Users group, you'll see the Unknown account type only if you upgraded your computer from an earlier version of Windows (for example, new users in Windows 2000 are assigned by default to the Power Users group) or if you use the Local Users And Groups console or the Net Localgroup command to manage group membership.
There's nothing wrong with accounts of this type, and if you need to use other security groups to classify the accounts on your computer you should do so. In User Accounts, all the usual account-management tasks are available for accounts of Unknown type, but if you want to view or change group membership, you'll need to use Local Users And Groups or the Net Localgroup command.
tip - Reserve administrator accounts for special occasions
A limited account is the best and safest type for everyday use. Limited accounts and their limited privileges provide fewer opportunities for malicious hackers to cause problems; a limited account also prevents some self-inflicted damage, such as accidentally deleting shared files. Unfortunately, some programs don't work properly when accessed by a limited account. Try making your own account a limited account (or, if you use Windows XP Professional, a member of the Power Users group) and see whether you can perform all your normal computing activities. When you need to run a program that doesn't work with limited accounts or you need to make administrative changes, use a separate administrator account you set up for the purpose. (Log on using your administrator account or use the Run As command. For details about Run As, see "Running a Program as Another User.") If this becomes too cumbersome, change your everyday account back to an administrator account.
For information about the User Accounts option in Control Panel, see "Working with User Accounts." For information about Local Users And Groups and Net Localgroup management tools, see "Advanced Account Setup Options."
A clean installation of Windows XP Professional creates the following groups-each with predefined rights and permissions-in addition to the Administrators, Users, and Guests groups:
Backup Operators. Members of the Backup Operators group have the right to back up and restore folders and files-even ones that they don't otherwise have permission to access. Backup operators also have access to the Backup Utility program.
HelpServicesGroup. This group is used by Microsoft and computer manufacturers for Remote Assistance, enabling technical support personnel to connect to your computer (only with your permission, of course!).
For information about Remote Assistance, see "Connecting to Another PC with Remote Assistance."
Network Configuration Operators. Members of this group have administrative privileges in areas that relate to setting up and configuring networking components.
Power Users. The Power Users group is intended for those who need many, but not all, of the privileges of the Administrators group. Power Users can't take ownership of files, back up or restore files, load or unload device drivers, or manage the security and auditing logs. Unlike ordinary users, however, Power Users can share folders; create, manage, delete, and share local printers; and create local users and groups.
Remote Desktop Users. Users in this group can connect to the computer via the Remote Desktop feature, if it is enabled.
For information about Remote Desktop, see Chapter 32, "Remote Access Options."
Replicator. Members of the Replicator group can manage the replication of files on the domain, workstation, or server. (File replication, a feature of Windows .NET Server and its predecessors, Windows 2000 Server and Windows NT Server, is beyond the scope of this book.)
Except for HelpServicesGroup, these additional groups are not included on a computer running Windows XP Home Edition.
A computer that is a member of a domain offers two standard account types, and they're slightly different from the ones that appear on a workgroup computer. A standard user is one that is a member of the Power Users group, and a restricted user is one that is a member of the Users group.
Windows limits access to information through the use of user profiles. A user profile contains all the desktop settings for a user's work environment. But it's much more than that. In addition to storing the user's personal registry settings for everything from desktop background to the author initials used in Microsoft Word, the profile contains a number of files that are specific to a user, such as cookies the user receives while using Microsoft Internet Explorer, documents in the My Documents folder and its subfolders, and shortcuts to network places.
By default, each user who logs on to a computer has a local user profile, which is created when the user logs on for the first time. Local user profiles are stored in %SystemDrive%\Documents And Settings. Each user's profile is stored in a subfolder with the user name as the folder name. The full path of one of the profiles on a computer in our office is C:\Documents And Settings\Cheryl, for example. (The entire path for the current user's profile is stored in another commonly used environment variable, %UserProfile%.)
In general, each user account has full access to its own user profile and can create, change, and delete files within the profile as well as make settings that are stored in the profile. Nonadministrative accounts have only limited access to profiles belonging to other users; by default, they can view files but not make any changes to another user's profile.
For more information about the content of user profiles and managing them, see Chapter 34, "Managing User Profiles and Policies."
Simple File Sharing vs. Windows 2000-Style Sharing
A primary feature of Windows XP is the ability to securely allow or deny access to files, printers, and other resources. Maximum flexibility-the ability to specify permissions at a granular level (for example, separate permissions for reading a folder directory, reading a file, changing a file, adding a new file, deleting a file, and so on) for individual users or groups-requires an option-filled user interface that many users find daunting.
Windows XP addresses this potential confusion by introducing Simple File Sharing, a stripped-down interface that makes it easy to set up common security arrangements. Simple File Sharing differs from classic (Windows 2000-style) file sharing in the following ways:
The Sharing tab in a folder's properties dialog box provides fewer, simpler options, as shown in Figure 3-1. This simplified Sharing tab controls share permissions and NTFS file permissions. (Many Windows NT and Windows 2000 users were confused by this subtle, yet important, distinction; placing all the controls on this tab makes it clear what you need to do to share with other local users and network users.)
The properties dialog box for a folder, file, or printer does not have a Security tab. Figure 3-2 shows the Security tab revealed when Simple File Sharing is disabled.
Permissions are set only at the folder level; you can't apply permissions to individual files (except with the arcane Cacls and Xcacls command-line utilities).
Your options for sharing folders and the files they contain are few: you can share with all other local users; you can share with network users; and you can prevent other users from viewing one or more of your private folders.
Network users who connect to your computer are authenticated using your computer's Guest account. This means that network users who access a shared folder on your computer have only those privileges and permissions that are specifically granted to the Guest account.
For information about setting permissions, see Chapter 13, "Securing Files and Folders." For information about sharing with other users on your network, see Chapter 31, "Managing Shared Folders and Printers."
If you use Windows XP Home Edition, you don't have a choice: Simple File Sharing is your only option.
Figure 3-1. Simple File Sharing consolidates the small number of sharing and security options on a single tab.
If you use Windows XP Professional, you can choose to use Simple File Sharing or the classic sharing and security interface. To switch between them, open Folder Options (in Control Panel's Appearance And Themes category), click the View tab, and select or clear the last item in the Advanced Settings box, Use Simple File Sharing (Recommended). Simple File Sharing is enabled by default on computers that are not members of a domain.
Even power users sometimes appreciate the cleaner, simpler approach provided by Simple File Sharing. It's one of those settings that you might like to be able to switch to and from quickly and easily-using Simple File Sharing most of the time and disabling it when you need to set special permissions for a particular object. Making the change through the user interface requires, at a minimum, six clicks. To switch back and forth rapidly, you might want to create a script that changes the ForceGuest value of the HKLM\System\CurrentControlSet\Control\Lsa registry key. Setting ForceGuest to 0 disables Simple File Sharing; setting it to 1 enables the feature. You can find such a script, called ToggleSharingOptions.vbs, on the companion CD. (For a program listing of ToggleSharingOptions.vbs, see "Controlling Access with NTFS Permissions.") After you have a registry-toggling switch, you might want to assign a shortcut key to it or place a shortcut in an easily accessible location. (For general information about scripts, see "Automating Tasks with Windows Script Host.") You'll find a sample script that toggles registry settings in the sidebar titled "Batch Programs vs. Scripts: Which Should You Use?."
Figure 3-2. With classic sharing, the Security tab for a file (as shown here) or a folder lets you specify various permissions for individual users and groups.
Unfortunately the pictures are missing; that is a bit too much trouble. I should also add the following: the above comes (by copy and paste, of course) from the electronic version of Windows XP Inside Out. A book that belongs on the bookshelf of every curious Windows XP (especially Professional) user.
[ This post was edited by: Binary on 2002-04-08 18:48 ]
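An added example (not from the book or the page) that decodes and re-encodes the SID layout described in the "In Depth: Security Identifiers" passage above and names accounts the way the Security tab does once the lookup has completed. The binary layout is the standard one: a revision byte, a subauthority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian subauthorities. The well-known SID table goes beyond the single entry the text cites (S-1-5-18) to the built-in groups the post discusses, and the RID rules (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users, 1000 and up for created accounts) are standard Windows values; the machine SID S-1-5-21-1234567890-1234567890-1234567890 used in the checks is constructed.

```python
import struct

# Well-known SIDs that are identical on every Windows installation (standard values; a subset
# of the Resource Kit list the text mentions).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-552": "BUILTIN\\Replicator",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-32-556": "BUILTIN\\Network Configuration Operators",
}

# Relative IDs (the final subauthority of a machine or domain SID S-1-5-21-a-b-c-RID)
# with a fixed meaning; accounts an administrator creates get RIDs from 1000 upward.
FIXED_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}
MAX_SUBAUTHORITIES = 15


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID into its S-1-x-y1-y2... string form.

    Layout: revision (1 byte), subauthority count (1 byte), 48-bit big-endian identifier
    authority, then `count` little-endian 32-bit subauthorities.  Length is checked against
    the count so a truncated descriptor is rejected instead of silently mis-parsed.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUBAUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("subauthority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subauthorities = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subauthorities)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of parse_sid: encode an S-1-... string into the binary layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID string: {sid!r}")
    authority = int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subauthorities) > MAX_SUBAUTHORITIES:
        raise ValueError("identifier authority or subauthority count out of range")
    if any(not 0 <= s < 1 << 32 for s in subauthorities):
        raise ValueError("subauthority out of 32-bit range")
    return (bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subauthorities)}I", *subauthorities))


def describe(sid: str) -> str:
    """Name a SID the way the Security tab does after lookup: well-known constants first,
    then fixed RIDs inside a machine/domain SID, otherwise classify by RID range."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        rid = int(parts[-1])
        if rid in FIXED_RIDS:
            return FIXED_RIDS[rid]
        return "user-created account" if rid >= 1000 else "other built-in account"
    return "unresolved SID"   # on a live system, often an account that has been deleted


if __name__ == "__main__":
    # Constructed sample: S-1-5-18 as it appears inside a raw security descriptor.
    raw = bytes.fromhex("010100000000000512000000")
    sid = parse_sid(raw)
    print(sid, "->", describe(sid))
```

The length check in parse_sid matters when you read SIDs out of raw security descriptors or registry blobs: a count byte that promises more subauthorities than the buffer holds is rejected rather than read past the end.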
- Hi Binary,
Interesting subject, but if only I
had any understanding of computers….
Please!!… Can anyone explain this in plain terms…… and in Dutch??
- Dear Martijn
If you really don't know anything about computers, that's not a problem, because I suffer from that now and then too. But you do need to know roughly how they work before you start messing with rights and permissions. There are books available on that subject, surely in Dutch as well. I'm really not going to translate everything above, so if you really want to know more about this, then maybe Handboek Windows XP (ISBN 90.395-1910.2) is something for you?
This is an archived page. Replying is no longer possible.