Learn Windows XP in 15 Minutes a Week: User Rights and User Privileges, Part 2

Monday Jun 16th 2003 by Jason Zandri

This latest installment in Jason Zandri's 'Learn Windows XP in 15 Minutes a Week' series delves further into the User Rights/User Privileges in Windows XP Professional by examining all of the permission options available to administrators and users.

Welcome to this installment of Learn Windows XP Professional in 15 Minutes a Week, the 24th in our series. This article looks at User Rights and User Privileges in Windows XP Professional, and in particular at the NTFS permissions that control access to files and folders.

Rights (also called user rights or privileges) are best described as actions a user or group is permitted to perform on a specific system, or within the domain, such as logging on locally or backing up files. They are assigned to the user or group itself, not to a particular file or folder. Windows XP Professional allows Rights to be assigned both to individual users and to groups of users.

[NOTES FROM THE FIELD] - For the 70-270 exam it is fairly important that the test taker understand the different permissions mentioned below and have good knowledge and a general understanding of each.

Permissions can apply to users and groups in the domain, any trusted domains, and all of the local user accounts and local groups on a given system. They are best described as access granted or denied to a user or group for an object or the object's properties and the level at which this access is set.

For files and folders, access levels are set through the security settings of the NTFS file system (the Security tab of the object's properties). FAT and FAT32 volumes have no per-object permissions, so a file must reside on an NTFS partition before any of the settings below apply.

This means that access to a folder on an NTFS partition called DATA for users in a group called DATAUSERS may be set to "ALLOW - READ" and another group may have a setting of "DENY - WRITE."

Both are examples of permissions, granted and denied.

ALLOW entries are cumulative: a user who is a member of multiple groups receives the union of every permission granted to her account and to each of her groups, so she is given the maximum level of access the combined settings provide. A DENY entry, however, takes precedence over an ALLOW of the same right, even when the ALLOW comes from another group. The one exception is inheritance: Windows evaluates entries set directly on the object before entries inherited from a parent, in the order explicit DENY, explicit ALLOW, inherited DENY, inherited ALLOW, so an explicit ALLOW on a folder beats a DENY that folder inherits from its parent.

For example, a user named JUSER who is a member of the Domain Users group may have READ permission on the folder DATA on an NTFS partition. He may also have READ and WRITE permission because he is a member of the ALTCFG group, and MODIFY may be assigned directly to his user account.

The effective permission is the cumulative total of all of these, which in this case is MODIFY.

If JUSER were also a member of a group SYS that has DENY - READ & EXECUTE on DATA, the DENY entry takes precedence over the ALLOW entries, and all that remains of MODIFY are the WRITE entries plus the Delete entry. Note from the tables below that denying Read & Execute also denies the Read Permissions and Synchronize entries, which the Write permission shares. Most Windows file operations request Synchronize when they open a handle, so in practice this DENY blocks far more than it appears to.
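The evaluation order described above can be checked without touching a real folder. The following PowerShell script is an added example, not code from the original article: it models how Windows walks a folder's DACL for one user and applies the model to the hypothetical JUSER, Domain Users, ALTCFG and SYS scenario. The rights masks come from the real System.Security.AccessControl.FileSystemRights enumeration; the Synchronize bit that real entries carry is deliberately left out of the model so that the comparison with the standard permissions stays readable.

```powershell
# Added example, not code from the original article. Models the order in which
# Windows evaluates a folder's DACL and applies it to the article's hypothetical
# JUSER / Domain Users / ALTCFG / SYS scenario. Nothing here touches a real folder,
# and the Synchronize bit that real ACEs carry is left out of the model.
$FSR    = [System.Security.AccessControl.FileSystemRights]
$NoSync = -bnot [int]$FSR::Synchronize

function New-Ace {
    param(
        [Parameter(Mandatory)] [string] $Trustee,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Deny')] [string] $Type,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [switch] $Inherited
    )
    [pscustomobject]@{ Trustee = $Trustee; Type = $Type; Rights = $Rights; Inherited = [bool]$Inherited }
}

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [string[]] $Groups,   # groups the user belongs to
        [Parameter(Mandatory)] [object[]] $Dacl      # entries built with New-Ace
    )
    $principals = @($User) + $Groups
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $rank    = @{ Deny = 0; Allow = 1 }
    $ordered = $Dacl | Sort-Object { [int]$_.Inherited * 2 + $rank[$_.Type] }
    [int]$granted = 0
    [int]$denied  = 0
    foreach ($ace in $ordered) {
        if ($principals -notcontains $ace.Trustee) { continue }
        $bits = [int]$ace.Rights -band $NoSync
        if ($ace.Type -eq 'Deny') {
            # Bits an earlier (higher-ranked) ACE already granted are not taken back.
            $denied = $denied -bor ($bits -band (-bnot $granted))
        } else {
            # Allows accumulate across all of the user's groups, minus bits already denied.
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}

function Get-StandardPermissions {
    # Names every standard permission whose full set of special permissions is present.
    param([Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Effective)
    $standard = [ordered]@{
        'Full Control'   = $FSR::FullControl
        'Modify'         = $FSR::Modify
        'Read & Execute' = $FSR::ReadAndExecute
        'Read'           = $FSR::Read
        'Write'          = $FSR::Write
    }
    foreach ($name in $standard.Keys) {
        $mask = [int]$standard[$name] -band $NoSync
        if (([int]$Effective -band $mask) -eq $mask) { $name }
    }
}

# The article's scenario: three ALLOW entries, all set directly on DATA.
$dacl = @(
    (New-Ace -Trustee 'Domain Users' -Type Allow -Rights Read),
    (New-Ace -Trustee 'ALTCFG'       -Type Allow -Rights 'Read, Write'),
    (New-Ace -Trustee 'JUSER'        -Type Allow -Rights Modify)
)
$groups = 'Domain Users', 'ALTCFG', 'SYS'

$e1 = Get-EffectiveRights -User JUSER -Groups $groups -Dacl $dacl
"Cumulative allows    : $e1 -> $((Get-StandardPermissions $e1) -join ', ')"

# SYS gets an explicit DENY of Read & Execute: it is evaluated before every ALLOW.
$explicitDeny = New-Ace -Trustee SYS -Type Deny -Rights ReadAndExecute
$e2 = Get-EffectiveRights -User JUSER -Groups $groups -Dacl ($dacl + $explicitDeny)
"Explicit DENY on SYS : $e2 -> $((Get-StandardPermissions $e2) -join ', ')"

# The same DENY inherited from the parent folder ranks below the explicit ALLOWs.
$inheritedDeny = New-Ace -Trustee SYS -Type Deny -Rights ReadAndExecute -Inherited
$e3 = Get-EffectiveRights -User JUSER -Groups $groups -Dacl ($dacl + $inheritedDeny)
"Inherited DENY on SYS: $e3 -> $((Get-StandardPermissions $e3) -join ', ')"
```

The first call shows the ALLOW entries combining into MODIFY; the second shows the explicit DENY stripping the Read & Execute bits and leaving only the Write bits and Delete; the third shows the inheritance caveat, where the same DENY inherited from the parent loses to the explicit ALLOW on the folder itself. The sort key is the whole trick: real DACLs are kept in this canonical order by the security editor and by .NET's FileSystemSecurity, and the evaluation simply stops taking bits once an earlier entry has decided them.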

File and folder permissions are stored in the Access Control List (ACL) of the object, more precisely in its discretionary ACL (DACL). Each entry in the list is an Access Control Entry (ACE): it names one user or group, states ALLOW or DENY, and carries the set of rights that applies. The named permissions in the tables below (Read, Write, Modify, and so on) are the standard bundles of rights an ACE can carry; the special permissions are the individual rights that make up each bundle.

This first table lists the standard NTFS permissions that can be set on folders; the matrix after it shows which special permissions each standard permission grants.

NTFS Folder Permissions

Permission | Description
Read | Read files and subfolders in the folder and view folder ownership, permissions, and attributes
Write | Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
List Folder Contents | List the names of files and subfolders in the folder
Read & Execute | Move through folders to reach other files and folders (even if the user has no permission on the folders passed through) and perform the actions permitted by Read and List Folder Contents
Modify | Delete the folder, as well as perform the actions permitted by Write and Read & Execute
Full Control | Change permissions, take ownership, and delete subfolders and files, as well as perform the actions permitted by all other NTFS folder permissions

Special Permissions Granted by Each Standard Folder Permission

Special permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
Traverse Folder/Execute File | x | x | x | x | - | -
List Folder/Read Data | x | x | x | x | x | -
Read Attributes | x | x | x | x | x | -
Read Extended Attributes | x | x | x | x | x | -
Create Files/Write Data | x | x | - | - | - | x
Create Folders/Append Data | x | x | - | - | - | x
Write Attributes | x | x | - | - | - | x
Write Extended Attributes | x | x | - | - | - | x
Delete Subfolders and Files | x | - | - | - | - | -
Delete | x | x | - | - | - | -
Read Permissions | x | x | x | x | x | x
Change Permissions | x | - | - | - | - | -
Take Ownership | x | - | - | - | - | -
Synchronize | x | x | x | x | x | x

List Folder Contents and Read & Execute grant the same special permissions; they differ only in inheritance. List Folder Contents is inherited by subfolders but not by files, while Read & Execute is inherited by both.

The next two tables list the standard NTFS permissions that can be set directly on files under Windows XP Professional, and then describe each special permission individually.

NTFS File Permissions

Permission | Description
Read | Read the file, and view file attributes, ownership, and permissions
Write | Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute | Run applications, as well as perform the actions allowed by Read
Modify | Modify and delete the file, as well as perform the actions permitted by Write and Read & Execute
Full Control | Change permissions and take ownership, as well as perform the actions permitted by all other NTFS file permissions

NTFS Special Permissions

Permission | Description
Traverse Folder/Execute File | Traverse Folder (folders only) allows or denies moving through a folder to reach other files or folders, even when the user has no permission on the folder itself. Execute File (files only) allows or denies running program files. Setting Traverse Folder on a folder does not automatically set Execute File on the files within it.
List Folder/Read Data | List Folder (folders only) allows or denies viewing the names of files and subfolders in the folder. Read Data (files only) allows or denies viewing the data in a file.
Read Attributes | Allows or denies viewing the attributes of a file or folder, such as Read-only and Hidden. Attributes are defined by NTFS.
Read Extended Attributes | Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Create Files/Write Data | Create Files (folders only) allows or denies creating files within the folder. Write Data (files only) allows or denies making changes to the file and overwriting existing content.
Create Folders/Append Data | Create Folders (folders only) allows or denies creating subfolders within the folder. Append Data (files only) allows or denies adding data to the end of the file but not changing, deleting, or overwriting existing data.
Write Attributes | Allows or denies changing the attributes of a file or folder only; it grants no permission to write data to the file itself. Attributes are defined by NTFS.
Write Extended Attributes | Allows or denies changing the extended attributes of a file or folder only; it grants no permission to write data to the file itself. Extended attributes are defined by programs and may vary by program.
Delete Subfolders and Files | Granted on a folder, allows or denies deleting its subfolders and files even if Delete has not been granted on those subfolders and files.
Delete | Allows or denies deleting the file or folder. A user without Delete on a file can still delete it if Delete Subfolders and Files has been granted on the parent folder.
Read Permissions | Allows or denies reading the access permissions (the ACL) of the file or folder.
Change Permissions | Allows or denies changing the access permissions of the file or folder.
Take Ownership | Allows or denies taking ownership of the file or folder. The owner can always change permissions on the object, regardless of the other permissions set on it.
Synchronize | Allows or denies a thread waiting on the handle of the file or folder. Most Windows file operations request this right when they open a handle, so denying it blocks access even when the data permissions are allowed.

It is through proper permissions on all network resources that administrators enforce the principle of least privilege. This means that users are given no more privilege or rights to network resources than they need to perform their assigned tasks.

To make certain that users are granted only the privileges they need, administrators or resource owners must identify what each user's job is, determine the minimum set of permissions required to perform that job, and restrict the user to that level of access.

Administrators and resource owners tend to loosen access restrictions in an effort to ease administration. Often they relax access too much, for instance by granting a broad group such as Everyone or Users the Modify or Full Control permission on a shared folder, which leads to an insecure environment. Because entries are inherited, one loose entry near the top of a tree reaches every file beneath it, so the folders to audit first are the ones where permissions were set explicitly.
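One way to find such over-broad entries is to walk a folder tree with Get-Acl and report every ALLOW entry that gives a broad group a write-class special permission. The script below is an added example and not code from the original article: it creates a scratch folder with one deliberately loose entry (Everyone: Modify), audits the tree, and then removes the scratch folder. The scratch path under %TEMP%, the list of "broad" well-known SIDs, and the rights mask that counts as write-class are assumptions chosen for this demonstration. It needs Windows PowerShell on an NTFS volume.

```powershell
# Added example, not code from the original article. Creates a scratch folder with
# one deliberately over-broad entry (Everyone: Modify), then audits the tree for
# Allow entries that give broad groups any write-class special permission.
# The scratch path, the list of "broad" SIDs and the rights mask are assumptions
# chosen for this demo, not anything the article prescribes.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Special permissions that let a trustee change data, delete it, or change the ACL itself.
$writeClass = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                    $FSR::ChangePermissions -bor $FSR::TakeOwnership)

function Find-BroadAccess {
    param([Parameter(Mandatory)] [string] $Root)
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Compare by SID so the check does not depend on the display language.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($broadSids -notcontains $sid) { continue }
            # Generic rights on inherit-only entries fall outside this mask and are not flagged.
            if (([int]$ace.FileSystemRights -band $writeClass) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # explicit entries are where the fix is applied
            }
        }
    }
}

# Constructed scratch location for the demo.
$root = Join-Path $env:TEMP 'least-privilege-demo'
$data = Join-Path $root 'DATA'
New-Item -ItemType Directory -Path $data -Force | Out-Null

# The over-broad entry: Everyone (S-1-1-0) gets Modify, inherited by everything below DATA.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $data
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $data -AclObject $acl

# A subfolder created afterwards inherits the entry, so the audit shows both forms.
New-Item -ItemType Directory -Path (Join-Path $data 'reports') -Force | Out-Null

Find-BroadAccess -Root $root | Format-Table -AutoSize

# Clean up the scratch tree.
Remove-Item -LiteralPath $root -Recurse -Force
```

The report lists DATA with Inherited set to False and DATA\reports with Inherited set to True; the explicit entry on DATA is the one to remove or narrow, since the inherited copies disappear with it. Comparing by SID rather than by account name keeps the check correct on non-English installations, where "Everyone" is displayed under a localized name.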

That wraps up this installment of "Learn Windows XP Professional in 15 Minutes a Week." As always, if you have any questions, comments, or even constructive criticism, feel free to drop me a note. I want to write solid technical articles that appeal to a wide range of readers and skill levels, and it is only through your feedback that I can be sure I am doing that.

Until next time, best of luck in your studies and remember:

"Love is blind, but marriage is a real eye-opener."
