This installment of our Internet Information Services 6.0 on Windows Server 2003 series provides an introductory overview of the NTFS file system and explains its importance to IIS 6.0.
Welcome to the fifth installment of Internet Information Services 6.0 on Windows Server 2003. This series of articles discusses IIS 6.0 on Windows Server 2003 and is designed to be both a refresher for the IT professional familiar with designing and administrating IIS 4.0 and IIS 5.0, and for newcomers looking to get their feet wet.
This installment provides an introductory overview of the NTFS file system.
NOTES FROM THE FIELD -- For those wondering why we opted to do an entire chapter related to the NTFS file system in a series of articles about IIS 6.0, the reason is a fairly simple one: A big part of the reputation that Internet Information Server 4 on Windows NT4 and Internet Information Services 5 on Windows 2000 have earned comes from an inherent lack of security. While Microsoft is to blame for a bulk of it, IIS administrators have earned a place in the blame trail as well.
IIS 5 on Windows 2000 is installed automatically on a default installation of the operating system, but a knowledgeable administrator should perform a custom installation of Windows 2000 Server to keep unnecessary features and services from being installed where they are not needed. The original line of thinking with regard to the default availability of IIS 5 on Windows 2000 was to have all of the available functionality of services ready to offer to end users, as needed, on all of the Windows 2000 servers at all times.
While IIS 6.0 on Windows Server 2003 is not available out of the box by default, it can be turned on by the administrator. Although the default configuration of IIS 6.0, once enabled, is quite locked down and will initially offer up only static Web content, an administrator with just enough knowledge to be dangerous can enable additional services and features without knowing all of the drawbacks of his actions.
By providing information on better ways to work and best practices to further lock down the IIS 6.0 application and the server operating system, administrators can add to Microsoft's Secure Computing Initiative rather than reducing its effectiveness.
To aid in the effort, this article aims to offer a better understanding of the NTFS file system.
How the IIS 6.0 server is configured affects the level and type of access to the system. If the server is a domain member, permissions can apply to users and groups in the domain and any trusted domains, as well as all of the local user accounts and local groups on the system itself. If the IIS 6.0 server is set up as a stand-alone server that is a member of a workgroup, it is usually only the local user accounts and local groups on the system itself that will specifically allow or deny access to the server.
NTFS is used to set the appropriate access levels for data and the type of access to that data.
NOTES FROM THE FIELD -- External access to a public IIS server available via the internet is normally handled by two users on the local machine: IUSR_ and IWAM_, unless access to the particular Web server is restricted, in which case only specified users with their own accounts can access the system. The proper use and configuration of these two default access accounts is also important and will be outlined in a future article.
Access to a particular folder on an NTFS partition for users in a group called IISUSERS may be set to "ALLOW - READ" and "DENY - WRITE." This means that IISUSERS are allowed to read all of the information provided to them via that particular folder, but they are not allowed to write to the folder at all.
They might also be denied permission to write to the folder in the first place by simply not having been granted the permission at all.
If access to the folder is set to "ALLOW - READ" only and nothing else, all of the IISUSERS would be able to do nothing more than read the data in the folder; they would have been implicitly denied access to write to the folder through the IISUSERS group. What this also means is that if any of those users belonged to another group that allowed them write access, they would be granted that right. To ensure all of the users in the IISUSERS group are explicitly denied a certain access (write, in the case of this example), you must explicitly deny them write access via the IISUSERS group.
Any DENY setting is going to take precedence over any and all ALLOW settings, even over cumulative group settings. Users that are members of multiple groups have all of their access permissions combined, and they are given the maximum level of access to the resource based on the combined settings. As an example, a user named JOEUSER who is a member of the Domain Users group may have READ rights to a folder on an NTFS partition called DOCS, and may have READ/WRITE access to the same folder because he is also a member of the ACCTS group. In addition, JOEUSER may have the MODIFY right specifically assigned to him directly through his user account.
The effective sum of all of these permissions is the cumulative total, which in this case is MODIFY.
If JOEUSER has all of the above permissions to the DOCS folder and was also a member of the group CTRUSR, which had a permission setting of DENY - READ&EXECUTE, the only permission JOEUSER would have to the DOCS folder would be WRITE, because DENY access control entries take precedence over ALLOW.
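The combination rules described above (permissions accumulate across every group the user belongs to, and any DENY overrides every ALLOW) are easy to get wrong when reading a real ACL by hand. The following is an added example, not code from the original article, that models those rules in Python and runs the article's own JOEUSER/DOCS and IISUSERS scenarios. The permission hierarchy follows the article's NTFS folder permissions table; the ACL entries, the CONTENT_EDITORS group and the webuser account are constructed for illustration. Real NTFS evaluation also involves ACE ordering and inheritance, which this model deliberately omits.

```python
# Added example (not from the article): a small model of how NTFS combines ALLOW and
# DENY access control entries across a user's groups, using the article's own rules:
# permissions from every group the user belongs to are cumulative, and any DENY
# entry overrides every ALLOW entry. Group and user names come from the article's
# examples except CONTENT_EDITORS and webuser, which are constructed here.
from dataclasses import dataclass
from typing import Iterable, Set

# Which other standard folder permissions each standard permission includes,
# following the article's "NTFS Folder Permissions" table. (Delete is folded into
# Modify and Full Control rather than listed as a separate standard permission.)
IMPLIES = {
    "Full Control": {"Modify", "Write", "Read & Execute", "Read", "List Folder Contents"},
    "Modify": {"Write", "Read & Execute", "Read", "List Folder Contents"},
    "Read & Execute": {"Read", "List Folder Contents"},
    "Write": set(),
    "Read": set(),
    "List Folder Contents": set(),
}


def expand(permission: str) -> Set[str]:
    """A standard permission together with everything it includes."""
    return {permission} | IMPLIES[permission]


@dataclass(frozen=True)
class Ace:
    """One access control entry: principal (user or group), ALLOW/DENY, permission."""
    principal: str
    kind: str
    permission: str


def effective_permissions(user: str, groups: Iterable[str], acl: Iterable[Ace]) -> Set[str]:
    """Compute the standard permissions the user effectively holds on the object."""
    principals = {user} | set(groups)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal not in principals:
            continue  # entry applies to someone else
        if ace.kind == "ALLOW":
            allowed |= expand(ace.permission)  # group permissions accumulate
        elif ace.kind == "DENY":
            denied |= expand(ace.permission)
        else:
            raise ValueError(f"unknown ACE type: {ace.kind}")
    # DENY takes precedence over every ALLOW, cumulative or not.
    granted = allowed - denied
    # A compound permission (e.g. Modify) survives only if everything it includes survives.
    return {p for p in granted if IMPLIES[p] <= granted}


# Scenario 1 (article): JOEUSER on the DOCS folder gets READ via Domain Users,
# READ/WRITE via ACCTS, and MODIFY directly on his own account.
DOCS_ACL = [
    Ace("Domain Users", "ALLOW", "Read"),
    Ace("ACCTS", "ALLOW", "Read"),
    Ace("ACCTS", "ALLOW", "Write"),
    Ace("JOEUSER", "ALLOW", "Modify"),
]

# Scenario 2 (article): JOEUSER is also in CTRUSR, which carries DENY Read & Execute.
DOCS_ACL_WITH_DENY = DOCS_ACL + [Ace("CTRUSR", "DENY", "Read & Execute")]

# Scenario 3 (article's IISUSERS example): ALLOW Read alone is only an implicit deny
# of Write, which membership in another group can override; an explicit DENY cannot be.
WEB_ACL_IMPLICIT = [Ace("IISUSERS", "ALLOW", "Read"), Ace("CONTENT_EDITORS", "ALLOW", "Write")]
WEB_ACL_EXPLICIT = WEB_ACL_IMPLICIT + [Ace("IISUSERS", "DENY", "Write")]


def joeuser_cumulative() -> Set[str]:
    return effective_permissions("JOEUSER", ["Domain Users", "ACCTS"], DOCS_ACL)


def joeuser_with_deny() -> Set[str]:
    return effective_permissions("JOEUSER", ["Domain Users", "ACCTS", "CTRUSR"], DOCS_ACL_WITH_DENY)


def iisuser_implicit_deny() -> Set[str]:
    return effective_permissions("webuser", ["IISUSERS", "CONTENT_EDITORS"], WEB_ACL_IMPLICIT)


def iisuser_explicit_deny() -> Set[str]:
    return effective_permissions("webuser", ["IISUSERS", "CONTENT_EDITORS"], WEB_ACL_EXPLICIT)


if __name__ == "__main__":
    print("cumulative:   ", sorted(joeuser_cumulative()))     # includes Modify
    print("with DENY R&X:", sorted(joeuser_with_deny()))      # only Write
    print("implicit deny:", sorted(iisuser_implicit_deny()))  # Read and Write
    print("explicit deny:", sorted(iisuser_explicit_deny()))  # Read only
```

The last filter step is what makes the DENY scenario come out as WRITE alone rather than "Modify minus some parts": Modify is only meaningful when every permission it contains is still held, so once Read & Execute is denied the user is left with the one standard permission that does not depend on it.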
File and folder permissions are set through Access Control Lists (ACL) on the object. The entries listed, such as READ, are called Access Control Entries (ACE).
Below are two tables. The first one lists the permissions that can be set for folders; the second details the Special Permissions that correspond to those settings.
NTFS Folder Permissions
| Permission | What the user can do |
| --- | --- |
| Read | User can read files and subfolders in the folder and view folder ownership, permissions, and attributes. |
| Write | User can create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions. |
| List Folder Contents | User can list the names of files and subfolders in the folder. |
| Read & Execute | User can traverse folders and execute files, even if they don't have permission to read the contents of those specific folders. He or she can also perform actions permitted by the Read permission and the List Folder Contents permission. |
| Modify | User can delete the folder as well as perform actions permitted by the Write permission and the Read & Execute permission. |
| Full Control | User can change permissions, take ownership, and delete subfolders and files, as well as perform actions permitted by all other NTFS folder permissions. |
NTFS Permissions Required for Specific Actions

[Table: maps each Special Permission (rows) to the standard NTFS folder permissions that include it (columns such as Read & Execute and List Folder Contents). Only the row labels Traverse Folder/Execute File, List Folder/Read Data, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Extended Attributes, and Delete Subfolders and Files survived extraction; the column marks did not.]
The following tables list the permissions that can be set directly on files and the breakdown of the ACEs that can be set for files in Windows XP Professional and Windows Server 2003.
NTFS File Permissions

| Permission | What the user can do |
| --- | --- |
| Read | User can read the file and view file attributes, ownership, and permissions. |
| Write | User can overwrite the file, change file attributes, and view file ownership and permissions. |
| Read & Execute | User can run applications, as well as perform the actions permitted by the Read permission. |
| Modify | User can modify and delete the file, as well as perform the actions permitted by the Write permission and the Read & Execute permission. |
| Full Control | User can change permissions and take ownership, as well as perform the actions permitted by all other NTFS file permissions. |
Additional File Permissions
| Special Permission | Effect on files |
| --- | --- |
| Traverse Folder/Execute File | Execute File allows or denies the user the ability to run program files. Traverse Folder applies to folder settings; setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. |
| List Folder/Read Data | With regard to files, Read Data allows or denies the user the ability to view data in files. List Folder applies to folder settings. |
| Read Attributes | Allows or denies the user the ability to view the attributes of a file. This setting is defined via NTFS by default. |
| Read Extended Attributes | Allows or denies the user the ability to view the extended attributes of a file. This setting is defined via programs by default and may vary by program. |
| Create Files/Write Data | Write Data allows or denies the user the ability to make changes to the file and overwrite existing content. (Create Files applies to folder settings.) |
| Create Folders/Append Data | Append Data allows or denies the user the ability to make changes to the end of the file but not to change, delete, or overwrite existing data. (Create Folders applies to folder settings.) |
| Write Attributes | Allows or denies the user the ability to change file attributes only. It does not grant permission to write to the file itself (entering data). This setting is defined via NTFS by default. |
| Write Extended Attributes | Allows or denies the user the ability to change the extended attributes of a file only. It does not grant permission to write to the file itself (entering data). This setting is defined via programs by default and may vary by program. |
| Delete Subfolders and Files | Allows or denies the user the ability to delete files even if the Delete permission has not been granted on the file, in the case of an "allow" setting. (Delete Subfolders applies to folders.) |
| Delete | Allows or denies the user the ability to delete the file. (If you do not have Delete permission on a file, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.) |
| Read Permissions | Allows or denies the user the ability to read the access permissions of the file. |
| Change Permissions | Allows or denies the user the ability to change the access permissions of the file. |
| Take Ownership | Allows or denies the user the ability to take ownership of the file. |
NOTES FROM THE FIELD -- Many of the entries in the tables above cite "the user" as a point of reference. If a program or a process is given the same rights to access the data in a particular way (e.g., Append Data), it too is allowed that level of permission.
It is through proper permissions on all network resources that administrators enforce the principle of least privilege to users, groups, processes, and applications. The principle of least privilege requires that users, groups, processes, and applications be given no more privilege or rights to network resources than is necessary to perform their designated function.
To ensure this level of least privilege is maintained, administrators and resource owners must identify the minimum set of privileges required and restrict that level of access to the network resource and allow nothing more.
Generally, administrators and resource owners loosen access restrictions in an effort to ease administration. However, they tend to relax access too much, which leads to an insecure environment.