Various Tidbits Before We Start - PowerPoint PPT Presentation

Provided by: kenho1

1
Various Tidbits Before We Start
  • Windows Vista
  • Beta 2 around end of 2005, release 4Q 2006?
  • Yes, I have a beta 1 you can try; email me.
  • Windows Server 2003 R2 Real Soon

2
Windows Security Basics: ACLs Explained
  • Ken Hoover, ken.hoover_at_yale.edu
  • Sr. Systems Programmer
  • ITS Academic Media Technology
  • Windows Security Sysadmin Meeting
  • September 28, 2005

3
Agenda
  • Why I'm talking about ACLs
  • How people mess them up
  • Fundamentals and Vocabulary
  • The Security tab
  • Inherited and Explicit permissions in ACLs
  • File sharing and ACLs
  • Configuring an ACL structure to fit complex
    access requirements.

4
Why Talk About ACLs?
  • Key to Windows security is properly configured
    ACLs.
  • The Security tab confuses people.
  • Properly configured ACLs provide high security
    with minimal maintenance overhead.
  • People consistently get them wrong.

5
How people consistently botch ACLs
  • Default entries provide too much access
  • Unnecessary entries clutter ACLs
  • Too many entries create confusion
  • Wrong kinds of entries create management
    nightmares.

6
ACL Fundamentals
  • Everything in Windows is an object.
  • All objects have an ACL.
  • ACLs may contain users and/or groups.
  • Groups may come from the local system or from the
    Active Directory.
  • The ACL ideal: one or two entries at most.

7
ACL Vocabulary
  • Basic rights (for files): Read, Write, Execute,
    Delete, change Permissions, take Ownership.
  • Permissions may be explicitly granted or denied.

8
The Security Tab
[Screenshots: Printer, File]

9
Details of the security tab
  • Users and groups listed in the ACL
  • Add or remove users and/or groups
  • Rights for the selected user or group
  • Button to show the confusing stuff
  • This shows NTFS (disk) permissions for a single
    file.

10
The Confusing Stuff
  • Allow Inheritance: ACL entries that are set
    above the current object may be propagated down
    to it.
  • Reset permissions on every object below to match
    this one.

11
Mixing Inherited and Explicit Permissions

12
Building an ACL
  • Principle of Least privilege
  • Keep ACLs simple for easy maintenance.
  • Groups are free.
  • Don't put users in ACLs.

13
Simplify!
What's wrong with this ACL entry for a file
share? Can we reduce this to a single-entry ACL?

14
Securely Configuring File services
  • Remember: users must go through two ACLs to
    access a file via a share:
  • ACL on the share
  • ACL on the file itself
  • A user's effective permission through a file share
    is determined by masking both sets of ACLs
    together.
  • In general, set the NTFS permissions broadly and
    focus on the file share permissions because they
    are much easier to maintain.
  • Don't grant Full Control access through a file
    share unless you have no choice.

15
Layers 1
What are the effective permissions that the
client has to the data?
[Diagram: Client, Data, NTFS Permissions, Share Permissions; ACL entries shown: Everyone R, Everyone F]

16
Layers 2
What are the effective permissions that the
client has to the data?
[Diagram: Client, Data, NTFS Permissions, Share Permissions; ACL entries shown: Everyone F, Everyone R]

17
Layers 3
What are the effective permissions that the
client has to the data?
[Diagram: Client, Data, NTFS Permissions, Share Permissions; ACL entries shown: User R, Everyone Change]

18
Layers 4
What are the effective permissions that the
client has to the data?
[Diagram: Client (is member of group A), Data, NTFS Permissions, Share Permissions; ACL entries shown: Group A Change, Domain Users Read; Everyone F]

19
Watch out for Default Permissions!
  • Windows 2000 (and earlier): Everyone Full
    Control
  • Windows XP and 2003: Everyone Read
  • Both BAD

20
Web Servers and File System ACLs
  • Web Servers complicate things significantly
    because they run as local users on the system.
  • IIS performs typical web browsing access as user
    IUSR_ and runs code as user
    IWAM_.
  • Typical security move is to put an explicit deny
    write on the web server user/group for web
    content and other important directories.
  • If the web server falls under the control of
    malware it won't be able to write any files into
    your system.

21
Deny write to web server user

22
Configuring Security
  • Step away from the computer.
  • How will users interact with this system?
  • Who needs access to what data?
  • What sort of access do they need?

23
ACLs and Complex Access Requirements
  • Task: A research group is broken into several
    sub-groups, which each work on separate parts of
    the project, and data admins, who are
    responsible for all data from all groups. The
    sub-groups collect data and record it, and the
    data admins aggregate the data from all groups.
    Configure a file server to meet their needs.
  • Requirements:
  • Data admins need read/write access to all
    data.
  • Sub-groups have read access to all data.
  • Sub-groups can write to their sub-group's data
    sets (only).
  • Each sub-group should have its own share that it
    can write to.

24
Step 1: Create Groups
  • Project People: All users in the research
    group.
  • Data Admins: Can read and write everything.
  • Sub-Group 1: People in Sub-group 1
  • Sub-Group 2: People in Sub-group 2
  • (More sub-groups as necessary)

25
Step 2: Configure On-Disk Structure
Root Folder ACL Entries:
  • Administrators: Full Control
  • Data Admins: Modify
  • Project Users: Read
Sub-Folder 1 ACL Entries:
  • Administrators: Full (inherited)
  • Important People: Modify (inherited)
  • Project Users: Read (inherited)
  • SubGroup 1: Modify (explicit)
Sub-Folder 2 ACL Entries:
  • Administrators: Full (inherited)
  • Important People: Modify (inherited)
  • Project Users: Read (inherited)
  • SubGroup 2: Modify (explicit)

26
Step 3: Configure File Sharing
Root Folder (shared as Project), Share ACL:
  • Data Admins: Modify
  • Project Users: Read
Sub-Folder 2 (shared as SubGroup2), Share ACL:
  • SubGroup 2: Modify
Sub-Folder 1 (shared as SubGroup1), Share ACL:
  • SubGroup 1: Modify

27
Does this design meet the requirements?
  • Data Admins group reads and writes everything?
  • Sub-groups have read access to everything?
  • Sub-groups can write to their sub-group's
    directory but not to those of other sub-groups?
  • Each sub-group has its own share that it can
    write to?
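
The masking rule from slide 14 applied to the Step 1-3 design, as an added example that is not part of the original presentation. It assumes simplified right sets, allow entries only, that "Important People" and "Project Users" on the Step 2 slide are the Data Admins and Project People groups, and that data admins are also members of Project People.

```python
# Added example: a model of the Step 2 / Step 3 ACLs, not real Windows API calls.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write"})
FULL = frozenset({"read", "write", "change_permissions"})

# Step 2: on-disk (NTFS) ACLs after inheritance. Assumption: "Important People"
# and "Project Users" on the slides are the Data Admins / Project People groups.
ROOT_ACL = {"Administrators": FULL, "Data Admins": MODIFY, "Project People": READ}
NTFS = {
    "root": ROOT_ACL,
    "sub1": {**ROOT_ACL, "Sub-Group 1": MODIFY},  # inherited + explicit entry
    "sub2": {**ROOT_ACL, "Sub-Group 2": MODIFY},
}

# Step 3: share name -> (share ACL, folders reachable through that share)
SHARES = {
    "Project": ({"Data Admins": MODIFY, "Project People": READ}, ["root", "sub1", "sub2"]),
    "SubGroup1": ({"Sub-Group 1": MODIFY}, ["sub1"]),
    "SubGroup2": ({"Sub-Group 2": MODIFY}, ["sub2"]),
}

def granted(acl, groups):
    """Union of the allow entries that match any of the caller's groups."""
    rights = frozenset()
    for group in groups:
        rights |= acl.get(group, frozenset())
    return rights

def effective(groups, share, folder):
    """Rights through a share: share ACL rights masked with NTFS rights."""
    share_acl, folders = SHARES[share]
    if folder not in folders:
        return frozenset()
    return granted(share_acl, groups) & granted(NTFS[folder], groups)

def best_access(groups, folder):
    """Most access a caller can get to a folder over any of the shares."""
    rights = frozenset()
    for share in SHARES:
        rights |= effective(groups, share, folder)
    return rights

DATA_ADMIN = {"Project People", "Data Admins"}   # constructed sample principals
SG1_MEMBER = {"Project People", "Sub-Group 1"}

if __name__ == "__main__":
    for who, groups in (("data admin", DATA_ADMIN), ("sub-group 1 member", SG1_MEMBER)):
        for folder in NTFS:
            print(who, folder, sorted(best_access(groups, folder)))
```

Through the Project share a sub-group member is capped at Read even on their own folder, because the share ACL masks the NTFS Modify entry; write access comes only through the sub-group's own share.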

28
Wrap-up
  • Configuring ACLs is easy if you pick a method
    and stick with it.
  • Use groups to simplify ACLs.
  • Limit the number of entries in an ACL.

Ken Hoover