Have you ever tried to figure out all of the permissions in Windows? There’s share permissions, NTFS permissions, access control lists, and more. Here’s how they all work together.
The Security Identifier
The Windows Operating systems use SIDs to represent all security principals. SIDs are just variable length strings of alphanumeric characters that represent machines, users and groups. SIDs are added to ACLs(Access Control Lists) every time you grant a user or group permission to a file or folder. Behind the scene SIDs are stored the same way all other data object are, in binary. However when you see a SID in Windows it will be displayed using a more readable syntax. It is not often that you will see any form of SID in Windows, the most common scenario is when you grant someone permission to a resource, then their user account is deleted, it will then show up as a SID in the ACL. So lets take a look at the typical format in which you will see SIDs in Windows.
The notation that you will see takes a certain syntax, below are the different parts of a SID in this notation.
- An ‘S’ prefix
- Structure revision number
- A 48-bit identifier authority value
- A variable number of 32-bit sub-authority or relative identifier (RID) values
Using my SID in the image below we will break up the different sections to get a better understanding.
The SID Structure:
‘S’ – The first component of a SID is always an ‘S’. This is prefixed to all SIDs and is there to inform Windows that what follows is a SID.
‘1’ – The second component of a SID is the revision number of the SID specification, if the SID specification was to change it would provide backwards compatibility. As of Windows 7 and Server 2008 R2 the SID specification is still in the first revision.
‘5’ – The third section of a SID is called the Identifier Authority. This defines in what scope the SID was generated. Possible values for this sections of the SID can be:
- 0 – Null Authority
- 1 – World Authority
- 2 – Local Authority
- 3 – Creator Authority
- 4 – Non-unique Authority
- 5 – NT Authority
’21’ – The forth component is sub-authority 1, the value ’21’ is used in the forth field to specify that the sub-authorities that follow identify the Local Machine or the Domain.
‘1206375286-251249764-2214032401’ – These are called sub-authority 2,3 and 4 respectively. In our example this is used to identify the local machine, but could also be the the identifier for a Domain.
‘1000’ – Sub-authority 5 is the last component in our SID and is called the RID (Relative Identifier), the RID is relative to each security principal, please note that any user defined objects, the ones that are not shipped by Microsoft will have a RID of 1000 or greater.
A security principal is anything that has a SID attached to it, these can be users, computers and even groups. Security principals can be local or be in the domain context. You manage local security principals through the Local Users and Groups snap-in, under computer management. To get there right click on the computer shortcut in the start menu and choose manage.
To add a new user security principal you can go to the users folder and right click and choose new user.
If you double click on a user you can add them to a Security Group on the Member Of tab.
To create a new security group, navigate to the Groups folder on the right hand side. Right click on the white space and select new group.
Share Permissions and NTFS Permission
In Windows there are two types of file and folder permissions, firstly there are the Share Permissions and secondly there are NTFS Permissions also called Security Permissions. Take note that when you share a folder by default the “Everyone” group is given the read permission. Security on folders is usually done with a combination of Share and NTFS Permission if this is the case it is essential to remember that the most restrictive always applies, for example if the share permission is set to Everyone = Read(which is the default), but the NTFS Permission allow users to make a change to the file, the Share Permission will take preference and the users will not be allowed to make changes. When you set the permissions the LSASS(Local Security Authority) controls access to the resource. When you logon you are given an access token with your SID on it, when you go to access the resource the LSASS compares the SID that you added to the ACL (Access Control List) and if the SID is on the ACL it determines whether to allow or deny access. No matter what permissions you use there are differences so lets take a look to get a better understanding on when we should use what.
- Only apply to users who access the resource over the network. They don’t apply if you log on locally, for example through terminal services.
- It applies to all files and folders in the shared resource. If you want to provide a more granular sort of restriction scheme you should use NTFS Permission in addition to shared permissions
- If you have any FAT or FAT32 formatted volumes, this will be the only form of restriction available to you, as NTFS Permissions are not available on those file systems.
- The only restriction on NTFS Permissions is that they can only be set on a volume that is formatted to the NTFS file system
- Remember that NTFS are cumulative that means that a users effective permissions are the result of combining the user’s assigned permissions and the permissions of any groups the user belongs to.
The New Share Permissions
Windows 7 bought along a new “easy” share technique. The options changed from Read, Change and Full Control to. Read and Read/Write. The idea was part of the whole Home group mentality and makes it easy share a folder for non computer literate people. This is done via the context menu and shares with your home group easily.
If you wanted to share with someone who is not in the home group you could always choose the “Specific people…” option. Which would bring up a more “elaborate” dialog. Where you could specify a specific user or group.
There is only two permission as previously mentioned, together they offer an all or nothing protection scheme for your folders and files.
- Read permission is the “look, don’t touch” option. Recipients can open, but not modify or delete a file.
- Read/Write is the “do anything” option. Recipients can open, modify, or delete a file.
The Old School Way
The old share dialog had more options and gave us the option to share the folder under a different alias, it allowed us to limit the number of simultaneous connections as well as configure caching. None of this functionality is lost in Windows 7 but rather is hidden under an option called “Advanced Sharing”. If you right click on a folder and go to its properties you can find these “Advanced Sharing” settings under the sharing tab.
If you click on the “Advanced Sharing” button, which requires local administrator credentials, you can configure all the settings that you were familiar with in previous versions of Windows.
If you click on the permissions button you’ll be presented with the 3 settings that we are all familiar with.
- Read permission allows you to view and open files and subdirectories as well as execute applications. However it doesn’t allow any changes to be made.
- Modify permission allows you to do anything that Read permission allows, it also add the ability to add files and subdirectories, delete subfolders and change data in the files.
- Full Control is the “do anything” of the classic permissions, as it allows for you to do any and all of the previous permissions. In addition it gives you the advanced changing NTFS Permission, this only applies on NTFS Folders
NTFS Permission allow for very granular control over your files and folders. With that said the amount of granularity can be daunting to a newcomer. You can also set NTFS permission on a per file basis as well as a per folder basis. To set NTFS Permission on a file you should right click and go to the files properties where you’ll need to go to the security tab.
To edit the NTFS Permissions for a User or Group click on the edit button.
As you may see there are quite a lot of NTFS Permissions so lets break them down. First we will have a look at the NTFS Permissions that you can set on a file.
- Full Control allows you to read, write, modify, execute, change attributes, permissions, and take ownership of the file.
- Modify allows you to read, write, modify, execute, and change the file’s attributes.
- Read & Execute will allow you to display the file’s data, attributes, owner, and permissions, and run the file if its a program.
- Read will allow you to open the file, view its attributes, owner, and permissions.
- Write will allow you to write data to the file, append to the file, and read or change its attributes.
NTFS Permissions for folders have slightly different options so lets take a look at them.
- Full Control allows you to read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within.
- Modify allows you to read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
- Read & Execute will allow you to display the folder’s contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder.
- List Folder Contents will allow you to display the folder’s contents and display the data, attributes, owner, and permissions for files within the folder.
- Read will allow you to display the file’s data, attributes, owner, and permissions.
- Write will allow you to write data to the file, append to the file, and read or change its attributes.
Microsoft’s documentation also states that “List Folder Contents” will let you execute files within the folder, but it you will still need to enable “Read & Execute” in order to do so. It’s a very confusingly documented permission.
In summary, user names and groups are representations of an alphanumeric string called a SID(Security Identifier), Share and NTFS Permissions are tied to these SIDs. Share Permissions are checked by the LSSAS only when being accessed over the network, while NTFS Permissions are only valid on the local machines. I hope that you all have a sound understanding of how file and folder security in Windows 7 is implemented. If you have any questions feel free to sound off in the comments.