NTFS

NTFS. Authentication Is the person who she says she is? If so, access is allowed In Windows, authentication is handled by a password-protected user account

Authentication

• Is the person who she says she is?

• If so, access is allowed

• In Windows, authentication is handled by a password-protected user account.

Authorization

• What an authenticated user can, and cannot, do on a system.

• Authorization for Windows files and folders is controlled by the NTFS file system

• NTFS assigns permissions to users, groups or both

Principle of least privilege

• Give a user only as many permissions as are required for the tasks they do and no more.

• Too much invites trouble

Local User Account

• Each Windows computer keeps an encrypted list of user names and passwords

• You don’t get to use a computer unless you know a valid user name and password (even if it is blank)

• User also belongs to a group

• To create/manage users and groups you need administrator privileges

Passwords

• Ultimate key to protecting your computer

• For a hacker, this is half the battle

• Protect passwords; make them complex; no Post-It notes on the monitor

• Make passwords strong: at least eight characters including letters, numbers and punctuation symbols

• You should change passwords at regular intervals

• Password reset disk had to be a floppy – little value; now can be USB stick in Windows 7; can’t use it if you are on a domain

Groups

• Groups are collection(s) of accounts with similar needs/permissions

• Add a person/account to a group rather than set permissions for the single account

• XP groups: Administrators, Power Users, Users, Everyone and Guest

• Home editions: Administrators, Users and Guest

Managing Users in XP

• User Accounts applet in Control Panel

• Limited Users see only their account in User Accounts; Admins see all accounts

Vista Users

• Three accounts when you set up Vista: guest, administrator and a local account that’s a member of Administrator group

• User Accounts and Family Safety in Home

• User Accounts applet in Business, Ultimate

Add a User - Vista

• Open the User Accounts applet

• Click Manage Another Account and select Create a New Account

• Click Create Account

• At least one account must be Administrator

Parental Controls

• Administrator account can monitor and limit the activities of any standard user

• Can be used for employees also

• Web sites, applications, files downloaded, amount of time logged on, access to types of games and specific applications

Users in 7

• User Accounts Control Panel applet

• Open User Accounts and select Manage Another Account; Create a New Account

• Almost the same as Vista

Local Users and Groups

• Control Panel | Administrative Tools | Computer Management

• Right-click Computer and select Manage | Users and Groups

• Can add Users, Groups or Computers

• Can add group membership from a user’s properties, or add a user from a group’s properties

Authorization Through NTFS

• After creating an account, you need to specify permissions (for files, folders, applications, etc.)

• File or folder Properties window then Security tab

• Permissions can be assigned to both user and groups; best practice: groups

• Whoever creates file/folder has complete control over it (ownership)

• Administrators do not automatically have control over every file and folder

Ownership

• If you created it, you own it and have full control over it

• Can remove Administrator access

Take Ownership Permission

• With this, you can take ownership of any file or folder and then set permissions as you want

• Administrator accounts have Take Ownership for all files and folders

• Leaves a “trail” behind Administrator

Change Permission

• Able to take away or give permission to file or folder

• Different from file permission

Folder Permissions

• Full Control: do anything you want

• Modify: Anything except delete, change permissions and take ownership

• Read and Execute: Allows you to see the contents of folder and any subfolders

• List Folder Contents: See contents of folder and any subfolders

• Read: enables you to view a folder’s contents and open any file in the folder

• Write: Write to files (and delete) and create new files/folders

File Permissions

• Full Control: do anything you want

• Modify: Anything except Take Ownership or Change Permissions

• Read and Execute: Open folders and run application(s)

• Read: Open folders and files; not applications

• Write: Open and write to file

The Rule

• Permissions are cumulative. The highest permission is the rule. Except Deny.

• Full Control on folder means full control on files in folder

Permission Propagation

• Inheritance: Folder gets permissions of parent folder; turned on by default

• Deny trumps anything
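
An added example, not part of the original slides: a PowerShell function that walks a folder tree and reports the ACL entries the rules above single out, namely Deny entries, folders with inheritance switched off, and Full Control granted to Everyone. The function name `Get-AclFinding` and the path `C:\Data` are assumptions for illustration.

```powershell
# Added example (not from the slides). Requires PowerShell 3.0 or later.
# Lists ACL entries under a folder that the permission rules say to review.
function Get-AclFinding {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root    # folder to audit, e.g. a hypothetical C:\Data
    )

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # An unreadable ACL usually means access was removed; report it.
            [pscustomobject]@{ Path = $item.FullName; Owner = ''; Identity = ''
                               Rights = ''; Finding = 'ACL could not be read' }
            continue
        }

        # Inheritance is on by default; a protected ACL has it switched off.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner; Identity = ''
                               Rights = ''; Finding = 'Inheritance disabled' }
        }

        foreach ($ace in $acl.Access) {
            $finding = $null
            if ($ace.AccessControlType -eq 'Deny') {
                # Deny wins over any Allow the user collects from groups.
                $finding = 'Deny entry'
            } elseif ($ace.IdentityReference.Value -eq 'Everyone' -and
                      ($ace.FileSystemRights -band $fullControl) -eq $fullControl) {
                # 'Everyone' is the English name of the group (SID S-1-1-0).
                $finding = 'Everyone has Full Control'
            }
            # Report only entries set on this item, not ones it inherited.
            if ($finding -and -not $ace.IsInherited) {
                [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner
                                   Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Finding = $finding }
            }
        }
    }
}

Get-AclFinding -Root 'C:\Data' | Format-Table -AutoSize -Wrap
```

Entries inherited from above the audited root are not listed; run the function on the parent folder to see where they are set.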

Copy/Move

• Copy within partition. Original retains original; copy inherits new permissions

• Moving within partition. Retains permissions unchanged

• Copying across partitions. Original retains original; copy inherits new permissions

• Move across partitions. Inherits permissions from new location

• Copying to FAT partition. New copy has no permissions

• Moving to FAT partition. No permissions

• (FAT partitions are on flash drives)

Techs and Permissions

• Major pain; have to have Administrative permissions to do most work

• Try to get new admin account for duration of work

• Make sure admin deletes account when you are done

Secure Sharing - XP

• Each user has set of folders: My Documents and folders within (My Pictures, etc.)

• Shared Documents: folder all users can access

• Simple file sharing is enabled

• XP Pro allows full NTFS permissions

• Can make My Documents private to block access; administrator can take ownership

• Any folder in Shared Docs is also shared

Simple File Sharing

• One option: put it in Shared Documents

• Over a network have to give everyone full access

• Pro allows turning off SFS: folder | Tools | Folder Options | View tab. Last option is SFS

Sharing in Vista

• Targeted sharing: select user account, then permission level
– Reader, read-only
– Contributor, read and write, delete user-created objects
– Co-owner, do anything

• Public folders: share with anyone on the network; full access by default

Sharing in 7

• Add homegroup to share libraries; accessible by everyone, need password

• Finding shares: Computer Management | Shared Folders. Works in XP and above

Administrative Shares

• C$

• Allow administrators access local or remote

• Have to have administrator password (not blank) to get access to these shares

Encryption

• This is for the really paranoid

• Home editions don’t do it

• XP uses Encrypting File System to encrypt files

• Vista/7 add encryption system that can encrypt entire hard drive

• Tied to password and system ID so if you lose password, file(s) are gone

BitLocker Drive Encryption

• Again, for the really paranoid or defense contractors

• Select Security in Control Panel Home view

• Must have Trusted Platform Module (TPM) chip on motherboard

User Account Control

• What helped bury Vista

• The vast majority of users had no idea how risky their computing behavior was

• Long list of dangerous actions – page 709

• XP has Power User to handle most of the list; few people used it

• Vista actually has four UAC prompts:
– Red for blocked programs
– Yellow for unverified programs
– Blue/gray for verified programs
– Teal for published by Vista programs

Turn Off UAC

• UAC Control Panel applet; uncheck the box

• MSCONFIG and select Disable UAC on Tools tab

UAC in 7

• Made UAC less aggressive

• Introduced four levels to UAC:
– Always notify is same as Vista
– Don’t notify me when I make changes (default)
– Notify me only when programs try to make changes
– Never notify

• Mike votes for turning UAC back on