Join Lisa Bock for an in-depth discussion in this video Understanding permission behavior, part of IT Security Foundations: Operating System Security.
- We've looked at different types of permissions on folders and files; however, special permissions can affect the way permission behavior responds when someone tries to access a resource. Now, I'm in the Windows 7 operating system, and there is the folder Secret. I'm going to right-click and go to Properties, and here's where we can see some of those folder and file permissions and some special permissions that we can modify. I'll select Security, and here I'll say Advanced, but before we do, here are your permissions listed for Sherlock Holmes.
Also the system, Security Basics, which is the name of this system, and Administrators. Now, when we look at the permissions themselves, you see that the two icons represent a group. A single icon, or head, represents a single user. Now, you can see that Sherlock Holmes has some special permissions listed. Let's select Advanced. Now I'm going to take a look at Sherlock Holmes here, and I'm going to ask to Change Permissions.
Once I open this up, we can see some of the Advanced Settings, and then I'm going to select Edit. Now I'm going to pull this up in the center here so we can take a look at this, and this is your entry for Sherlock Holmes. I'm going to Clear All of these so that we have a fresh set of permissions, and then we'll just take a look at what they mean. Now, if I were to select Full Control, as you notice, that selects all of those permissions; all the special permissions are now selected.
I'll clear them and we'll start over. Now, one of the things that you can see is called Traverse Folder/Execute File. Of course, that's something that happens, and Execute File means I can run a program and open a file, but what about Traverse Folder? Now, if I were to allow this, what does this mean? Traversing through a restricted folder sometimes comes into play when I need to access a folder but don't have permission to access a folder along the way. Traversal allows me to go through that restricted folder to access the folder I eventually want to get to.
We might also want Sherlock Holmes to be able to List Folder and Read Data. List Folder means viewing the file names and sub-folder names within that folder. It only affects the contents of that folder and doesn't affect whether the folder you're setting the permission on will be listed. Read Data allows you to view the data in the files. That means just view; we're not going to be able to change or modify it, just take a look at it. What about Read Attributes? Well, on a folder or file there are Attributes.
Let's see if we can get to those. I'm going to Cancel this and go back out to General. There we see the Properties, and there are your Attributes. Now we can see that viewing the Attributes, either Read-Only or Hidden, is all we'll be allowed to do. But if I select Read Extended Attributes, now I can click Advanced and see the Advanced Attributes of the folder or file. Understand that Extended Attributes may be specific to individual programs and may vary.
I'm going to Cancel that, and we'll go back in to our folder and file permissions for Sherlock Holmes. Now, we've given him some permissions already. Let's take a look at Create Files and Append Data. Create Files is simply creating files within a folder; if I want to write data, I will then be able to overwrite existing content and make changes to a file.
Create Folders and Append Data: now I can create sub-folders within the folder, and with Append Data I can make changes to the end of a file without changing, deleting or overwriting any existing data. Write Attributes and Write Extended Attributes go back again to those attributes we saw on the folder or file. Now, when we're allowed to write them, we can change the attributes of a folder or file, such as Read-Only or Hidden. The Write Attributes permission does not imply creating or deleting folders or files.
It only includes the permission to make changes to the attributes of an existing folder or file. Delete Subfolders and Files: those will be allowed even if the Delete permission has not been granted on a sub-folder or file. Delete allows deleting a file or a folder. If this is set on the parent, remember inheritance: if set on the parent, it will be allowed even if the Delete permission has not been granted on a subfolder or file. Read Permissions means I can read the permissions on a folder or file.
Change Permissions means I can change the permissions, as we are doing, on a folder or file. And Take Ownership: taking ownership of a folder or file, if I wanted to take ownership of it. However, a file or folder Owner can always change permissions, regardless of any existing permissions that protect the file or folder. There's also one more called Synchronize. Synchronize allows any program to synchronize with another program or thread.
And here on the Microsoft.com website, this webpage tells us the access limitations for each set of special New Technology File System (NTFS) permissions. So permission behavior can be complicated. Just take a look at some of those variables and see how granular a control you can put on a folder or file.
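As an added example, not part of the video or the Microsoft page it references, the PowerShell below maps the special-permission checkboxes from the Advanced Security dialog to the FileSystemRights flags behind them, checks that Full Control is simply the union of all of them, and then grants Sherlock Holmes only the read-side rights the video starts with. The folder path C:\Secret and the local account name "Sherlock Holmes" are assumptions.

```powershell
# Added example (not from the video): the special-permission checkboxes as FileSystemRights flags,
# then a least-privilege entry applied with Get-Acl/Set-Acl.
# Assumes C:\Secret and a local account "Sherlock Holmes" exist; run from an elevated prompt.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Checkbox names in the order the dialog lists them, with the flag each one sets.
# Paired names share one bit; which meaning applies depends on whether the object is a folder or a file.
$SpecialPermissions = [ordered]@{
    'Traverse Folder / Execute File' = $FSR::Traverse            # same bit as ExecuteFile
    'List Folder / Read Data'        = $FSR::ListDirectory       # same bit as ReadData
    'Read Attributes'                = $FSR::ReadAttributes
    'Read Extended Attributes'       = $FSR::ReadExtendedAttributes
    'Create Files / Write Data'      = $FSR::CreateFiles         # same bit as WriteData
    'Create Folders / Append Data'   = $FSR::CreateDirectories   # same bit as AppendData
    'Write Attributes'               = $FSR::WriteAttributes
    'Write Extended Attributes'      = $FSR::WriteExtendedAttributes
    'Delete Subfolders and Files'    = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                         = $FSR::Delete
    'Read Permissions'               = $FSR::ReadPermissions
    'Change Permissions'             = $FSR::ChangePermissions
    'Take Ownership'                 = $FSR::TakeOwnership
    'Synchronize'                    = $FSR::Synchronize
}

# Ticking "Full Control" ticks every box: FullControl is the OR of the fourteen bits above.
$union = 0
foreach ($r in $SpecialPermissions.Values) { $union = $union -bor [int]$r }
"Full Control equals the union of the special permissions: $($union -eq [int]$FSR::FullControl)"

# Show which boxes a given access mask ticks, as the dialog does for the Read & execute template.
function Show-SpecialPermissions([System.Security.AccessControl.FileSystemRights]$Rights) {
    foreach ($entry in $SpecialPermissions.GetEnumerator()) {
        $mark = if (([int]$Rights -band [int]$entry.Value) -eq [int]$entry.Value) { '[x]' } else { '[ ]' }
        "$mark $($entry.Key)"
    }
}
Show-SpecialPermissions $FSR::ReadAndExecute

# Grant only what the video starts with (traverse, list/read, both read-attribute rights) on the
# folder, its subfolders and files. SetAccessRule replaces any existing Allow entry for that identity.
$folder = 'C:\Secret'
$rights = $FSR::Traverse -bor $FSR::ListDirectory -bor $FSR::ReadAttributes -bor $FSR::ReadExtendedAttributes
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Sherlock Holmes', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -like '*Sherlock*' } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags
```

Reading the resulting entry back with Get-Acl is the check to keep: FileSystemRights should show exactly the four rights granted, with no Delete, Change Permissions or Take Ownership creeping in through an inherited entry.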
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.