File system access controls allow administrators to limit data access to only those users with authorized access. All modern file systems provide administrators with a way to restrict access to files and directories based upon the identity of a user or group. In this video, you will learn how to use file system permissions and access control lists to restrict access to data on Windows and Linux systems.
- [Teacher] File system access controls allow administrators to limit data access to only those users with authorized access. All modern file systems provide administrators with a way to restrict access to files and directories based upon the identities of users and groups. These access control systems allow the simple enforcement of an organization's security policies. The NTFS file system, used on Windows servers and workstations, provides a graphical interface that allows file owners to easily add and remove users and groups from file access, and modify the access that users and groups have to existing files.
NTFS has five basic sets of permissions that may be assigned to users and groups. Full control is just that. A user with full control of a file or folder may perform any action on that file or folder. They can read, execute, delete, modify, take ownership, or change file permissions. They're in full control. Read permission allows a user to read the contents of a file, or list the contents of a folder. Read & Execute gives the same permissions as Read, but also allows users to traverse directories and execute application files.
Write permission allows a user to create files and folders, and write data to those files and folders. Modify is a combination of Read & Execute and Write, with the additional ability to delete files. Let's take a look at how we might implement file system access controls on a Windows system. Here I am inside the Documents folder on a Windows server. This simple folder has three items in it: a document containing sensitive employee information, a product catalog that contains no sensitive information, and a folder full of files belonging to the accounting department.
Let's go ahead and set some file permissions on this NTFS folder. First, we want to make sure that everyone in the organization has access to read the product catalog, and that only Carol Adams, the catalog supervisor, may edit it. So I'm going to right-click on Product Catalog, and then choose Properties. I'll open the Security tab in the Properties window, and I can see here the permissions that are already set. I need to do two things. I need to give Carol Adams the ability to edit this file, and I need to give everyone the ability to read it.
Let's go ahead and give Carol the editing permission first. I'm gonna click Edit here to edit the permissions. And now I'm going to click Add, because I want to add a new entry to this access control list. In this box where it says Enter the Object Names to Select, I need to enter the user ID of the person I'm giving access to. That would be Carol Adams, and I happen to know her user ID is cadams. I'll click the Check Names button just to make sure I got that correct, and Carol Adams' user ID is now underlined, so that means it checked properly.
I'm gonna go ahead and click OK, and then I can look at the permissions that Carol will have. The default here is that she has Read and Read & Execute permissions, but I also want her to have the ability to write and modify this file, so I'll click those options and then click Apply. Now Carol's entry is added to the access control list. The next thing I want to do is give everyone the ability to read this file, so I'll again click the Add button, and then in Object Names, I'm just going to type EVERYONE and click the Check Names button, and you can see that got underlined, so we're good to go there, and the only permission I want everyone to have is Read, so I'm going to make sure that's the only check box that's selected in the Allow column.
And I'll click OK to save this access control list. I'll close the Properties tab, and we've gone ahead and set the Product Catalog properties correctly. Now let's restrict access to the Employee file so that only members of the human resources group have access to read and modify this file. I'll go ahead and do the same thing here, Properties on Employee Information, Security, and we have this set now so only the system and administrators can read it, that's okay. Let's go ahead and add that permission for the human resources group.
We'll click the Add button, and we'll type Human Resources here. I happen to know that's the name of a local group on the server. The Check button says that's okay. Now I need to set the permissions properly, and I want users in this group to be able to read and modify. So let's go ahead and alter these permissions. Notice that when I click Modify, Write was automatically selected. That's because the Write permissions are a subset of the Modify permissions. I'll just click OK here and close that out after we've done that properly.
Then the last thing I want to do is give those same Read and Modify permissions on this Accounting Files folder to members of the accounting group. So for a folder, I just follow that same process. I click Properties, Security, I'm going to edit this access control list, I wanna add a new entry, and this time, it's going to be for the Accounting group, so I type that in, click Check Names, and OK, and then Modify is the permission I want them to be able to have.
So I click Modify, verify these permissions are okay, click OK, and I've gone ahead and set the access control settings on this NTFS file system for the business needs of this organization. Linux file systems use a somewhat more complicated set of permissions. Each file or folder belongs to both an individual user and a group. There are two commands used to change the ownership of files and folders. The chown command, short for change owner, changes the user owner of a file or folder.
The chgrp, for change group command, changes the group owner. And we use the chmod command, C H M O D, short for change mode, to alter the permissions granted to users or groups on files. Linux uses three different permissions for each file: the Read permission, abbreviated with an r; Write permission, abbreviated with a w; and Execute permisssion, abbreviated with an x; and then uses letter abbreviations for each type of owner: the User Owner, abbreviated with a u; the Group Owner, abbreviated with a g; and all other users, abbreviated with an o.
One quick exam tip for you: be careful not to confuse the User Owner permission, which uses the letter u, and the Others permission, with uses the letter o. It's easy to get confused and forget that o means others and not owner. When we want to change Linux file permissions using the chmod command, we use all of these abbreviations. We first use the chmod command, and then add the letter of the ownership type we wish to change permissions for, then the plus sign if we're adding permissions or the minus sign if we're removing them, followed by the permission letters that we wish to change, and finally the name of the file or directory that we want to modify.
For example, if we wanted to add Read permission for all users to a file named PublicFile, we'd use this command. chmod, o for any user, plus to add permissions, r for Read, and then the file name. Let's try this on a real Linux system. Let me first list the contents of this directory using the ls -l command, and you can see that there are two files in this directory: PublicFile and PrivateFile. Both of them have a user owner of mchapple, my account name, and a group owner of users.
First, let's use the chown command to change the ownership of one of these files. Let's say I want to give the PublicFile ownership to my friend Carol Adams. I go ahead and enter sudo, because I need to run this command using root privileges, the chown command, Carol's user ID cadams, it's the same on a Linux system as it was on the Windows system, and then the name of the file, PublicFile. I'm asked to enter the password to be able to use sudo, and then it executes.
If I go ahead and type ls -l again, you can see that the PublicFile's owner has now changed to Carol Adams. Next, let's change the group owner of my PrivateFile to a group called friends. I'm again going to use sudo here, I'm going to use the change group command, the group name is friends, and the file name is PrivateFile. If I do ls -l, you can see that the group name for the PrivateFile has now changed to friends.
One quick note here. You notice when I entered the sudo command a second time, it did not ask me for the password like it did the first time. That's because it's cached and knows that I currently have the ability to use administrative privileges. Finally, let's work with permissions a little bit. If you look at the output of the ls -l command, you can see that permissions here are already set. They're shown as three groups of three letters. This is the first group, the second group, and the third group. They appear in the order r, w, x.
The first group here is the permissions for the user owner, the second group is the permissions for the group owner, and the third group are the permissions for everyone else. Where there's a dash instead of a letter indicates that that permission is not currently set. On these files, you can see that the user and group owners have Read and Write permissions on the file, while other users have no permissions. Let's go ahead and give all users permission to read the PublicFile. I'm going to use the chmod command, C H M O D, I'm going to say others, and I want to add the Read permission to PublicFile.
And I received an error message here because I forgot to use the sudo command. It says chmod: changing permission of 'PublicFile': Operation not permitted. That's because I had changed the ownership of this file from my own user ID to Carol Adams, and I'm not logged in as Carol. If I go ahead and repeat this command, using sudo in front of it this time, it executes successfully, and I can verify using ls -l that other users now have Read permission to PublicFile.
And those are basic file permission settings on Windows and Linux systems.
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Understanding data security policies and roles
- Limiting data collection
- Developing security baselines
- Leveraging industry standards
- Restricting access to data with Windows and Linux file permissions
- Encrypting data
- Securing cloud storage