LOCAL SECURITY AND PERMISSIONS - Sevecek

Ondrej Sevecek | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@

LOCAL SECURITY AND PERMISSIONS


Outline

Generic Terminology
NTFS Permissions
Registry Permissions
LDAP Permissions
File Sharing
Disk Quotas
Windows Management Instrumentation
Other Permission Settings
Windows Firewall
Service Accounts and Impersonation
Physical Security
BitLocker
Dynamic Access Control


Advanced Windows Security

GENERIC TERMINOLOGY


Security Descriptor

Objects are protected with permissions

files, folders, registry keys, LDAP objects, printers, windows, desktops, ...

ACE - Access Control Entry

one item in the permissions list

Deny, Allow

ACL - Access Control List

permission list

SACL - System Access Control List

auditing ACL

Owner


Object Owner

Members of Administrators group

owner is Administrators group instead of the user

Can always change permissions

even if explicitly denied

Take Ownership

user right that allows taking ownership

CREATOR OWNER identity

used as a placeholder to express the current owner of the file


ACL Processing vs. ACE Order

ACEs are ordered

Note: this contradicts the common statement that Deny ACEs are always stronger

the correct order must be maintained by applications when they modify an ACL

ACEs are evaluated in the order present

like with firewall rules
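
Added example (not part of the original slides): a simplified Python model of how Windows walks a DACL, showing why the stored ACE order decides the result. Access masks, trustee names and the sample ACLs are constructed; owner rights, privileges and multi-level inheritance are left out.

```python
# Added example: simplified model of the Windows DACL walk.
# Masks, trustee names and sample ACLs are constructed for illustration.
READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | DELETE | WRITE_DAC

def access_check(dacl, token_sids, desired):
    """Walk ACEs in stored order; True only if every desired bit gets granted."""
    remaining = desired
    for ace_type, trustee, mask, _inherited in dacl:
        if trustee not in token_sids:
            continue                  # ACE does not apply to this caller
        if ace_type == "deny" and mask & remaining:
            return False              # denied before it was granted
        if ace_type == "allow":
            remaining &= ~mask        # granted bits can no longer be denied
            if remaining == 0:
                return True           # later ACEs are never evaluated
    return False                      # bits never granted are implicitly denied

def is_canonical(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow
    (assumes a single level of inheritance)."""
    ranks = [(2 if inh else 0) + (1 if t == "allow" else 0) for t, _, _, inh in dacl]
    return ranks == sorted(ranks)

TOKEN = {"Kamil", "Employees"}        # caller's user and group identities

CANONICAL = [("deny", "Kamil", WRITE, False),
             ("allow", "Employees", FULL_CONTROL, False)]
# Same ACEs stored in the wrong order: the Deny is never reached
MISORDERED = list(reversed(CANONICAL))
# Canonical, yet the explicit Allow precedes (and beats) the inherited Deny
EXPLICIT_OVER_INHERITED = [("allow", "Kamil", WRITE, False),
                           ("deny", "Employees", WRITE, True)]

if __name__ == "__main__":
    for name, dacl in [("canonical", CANONICAL), ("misordered", MISORDERED),
                       ("explicit over inherited", EXPLICIT_OVER_INHERITED)]:
        print(f"{name:24} canonical={is_canonical(dacl)!s:5} "
              f"write={access_check(dacl, TOKEN, WRITE)}")
```
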


Lab: Investigate Incorrect ACE Order

Log on to GPS-WKS as Kamil

Start REGEDIT

Right-click on SYSTEM/CurrentControlSet/Services/{anyGUID}/Parameters/Tcpip and select Permissions

Note the text:

The permissions on the object are incorrectly ordered, which may cause some entries to be ineffective

Click Cancel to see the incorrect order, click Advanced

note that the Full Control permissions are lower than expected


Auditing

Object Access auditing category

general switch to turn auditing on/off

ACEs in SACL of objects

be careful to audit only the precisely required ACEs

applications generate an extreme number of access attempts


NTFS PERMISSIONS


NTFS Permissions


Common Permissions

Common permission: Real permissions

Read: Read data, Read attributes, Read extended attributes, Read permissions (Read control), List folder

Modify: Read + Write, Delete (not Delete subfolders)

Full Control: Modify, Change permissions (Write DAC), Take ownership


NTFS Permissions


Dynamic Access Control (DAC)


NTFS Inheritance

Newly created folders and files inherit from parent by default

Explicit permissions can be granted in addition

Inheritance can be blocked


NTFS Copying vs. Moving

                  Move                       Copy
Single Volume     keeps (keeps inherited!)   inherits new
Between Volumes   inherits new               inherits new

note: moving of a file/folder keeps inherited permissions although they may not be inherited from the new parent (displayed also in gray)


Lab: Common Documents

Log on to server GPS-DATA

Create F:\FS folder

permissions inheritance: disable (remove all)

Allow, Administrators, Full Control, All objects

Create F:\FS\Doc

permissions inheritance: inheriting from parent

Allow, Employees, Read&Ex+CreateFolders, This folder only

Allow, Employees, Modify, Subfolders and files only

Allow, BIKES\Bikers, Read&Execute, All objects
