Understanding Microsoft Windows 7 File System Security and Permissions

From Free Knowledge Base- The DUCK Project: information for everyone

File system permissions are a critical part of system security, a role that UNIX-style mode bits have filled on Linux from the start. Windows covers the same ground with NTFS access control lists (ACLs), which are finer grained than UNIX mode bits but which most home users never saw enforced before Windows Vista: XP Home hid the Security tab behind Simple File Sharing, and most accounts ran as full administrators.

Windows NT, 2000 and XP used the NTFS file system (some consumer installations used FAT32 instead), and NTFS has always enforced file system level security. Microsoft has revised NTFS several times since; the permission model itself has stayed the same (a discretionary ACL of Allow and Deny entries on every object) while the enforcement around it, notably User Account Control in Vista and 7, has tightened. NTFS has several improvements over the File Allocation Table (FAT) file system. In particular, NTFS can control access to files and folders by assigning permissions that specifically allow or deny access to user or group accounts, something FAT cannot store at all.

Windows XP could be installed on FAT32 or NTFS; Windows 7 must be installed on NTFS. This is because the Windows 7 security model (User Account Control, the protected system folders, integrity levels) depends on file system level permissions that FAT32 cannot record. Windows 7 therefore restricts how and where users can write to the file system.

Basic NTFS Permissions

To view basic file or folder permissions:

  • Right-click the folder or file in Windows Explorer or on the desktop.
  • Click Properties.
  • Click the Security tab.

The Security tab shows the object name at the top and the group or user accounts with permissions set on this file or folder. Clicking on a user or group will show the permissions for that account in the Permissions For list.

Full Control – This option allows the user or group to read, write, modify, execute, and delete the object, and in addition to change its permissions and take ownership of it.

Modify – This allows users or groups to read, write, execute, and delete the object, including creating folders and subfolders. It does not allow the user to change permissions or take ownership.

Read & execute – This option allows the user or group to view files and run programs and scripts. It includes the List folder contents and Read permissions, and it is inherited by both files and subfolders.

List folder contents (folders only) – This option allows a user or group to view and list files and subfolders and to traverse into them. It is inherited by subfolders but not by the files within them; that inheritance difference is the only thing that distinguishes it from Read & execute.

Read – This option allows users or groups to list the contents of a folder, read file contents, view file attributes, read permissions, and synchronize.

Write – This option allows the user or group to create new files and folders, write to existing files, write file attributes, read permissions, and synchronize. Write does not include the right to delete: deleting requires Modify (or Full Control) on the object, or the Delete subfolders and files special permission on the parent folder.

Selecting a user or a group in the Security tab shows the access that account has in the Permissions for list. An administrator may check or uncheck the Allow or Deny box for each permission. Keep in mind that using group accounts for administering file system security is usually the better choice, because group membership is easier to manage than per-object entries for individual accounts. Deny entries take precedence over Allow entries at the same level, so any group or user account with an explicit Deny on a permission loses it even if another group grants it. The one exception is inheritance order: Windows evaluates the entries set directly on the object before the entries inherited from parent folders, so an explicit Allow on a file is honoured ahead of a Deny inherited from its folder.
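An added PowerShell example (not from the original page) that exercises the Allow/Deny rule from the command line instead of the Security tab. It creates a throwaway folder under %TEMP%, gives BUILTIN\Users an explicit Allow Modify and an explicit Deny Write, dumps the resulting ACL in evaluation order, and then tries to create a file; the Deny wins even though the entries inherited from your profile grant you Full Control. The folder name and the rights chosen are the example's own.

```powershell
# Added example, not part of the original page. Run as any user on Windows 7 or later.
# Constructed test folder; any path under your own profile works.
$dir = Join-Path $env:TEMP ('AclDemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null

$users = 'BUILTIN\Users'
$acl   = Get-Acl -Path $dir
# Explicit Allow: Modify for Users, inherited by subfolders (CI) and files (OI).
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
# Explicit Deny: the Write composite (create files, create folders, write attributes/EA).
$deny  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $users, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $dir -AclObject $acl    # .NET writes the ACEs back in canonical order

# The order shown is the order the kernel evaluates: explicit Deny, explicit Allow, then
# the entries inherited from %TEMP% (which give this account Full Control).
(Get-Acl -Path $dir).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Every interactive account is a member of Users, so the explicit Deny is hit first
# and wins, even though an inherited Allow grants Full Control further down the list.
try {
    New-Item -ItemType File -Path (Join-Path $dir 'test.txt') -ErrorAction Stop | Out-Null
    'Write succeeded: this account is not in Users, or the Deny ACE was not applied'
} catch {
    "Write denied as expected: $($_.Exception.GetType().Name)"
}

# Cleanup. The owner always holds WRITE_DAC, so it can remove the Deny it just wrote.
$acl = Get-Acl -Path $dir
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$users)
Set-Acl -Path $dir -AclObject $acl
Remove-Item -Path $dir -Recurse -Force
```

The same Deny would block a member of Administrators running non-elevated, because the Users SID is in that token too; only an account that is not in Users (a service account, for instance) reaches the Allow entry.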

Restricted Access to File System

Users find that downloads and files cannot be saved directly to most of the file system, only within the user profile (C:\Users\<username>) and a few other places such as C:\Users\Public. Access to the file system has been restricted heavily, and not always in a way users can predict. Microsoft denies even members of the Administrators group write access to some folders: protected system files are owned by NT SERVICE\TrustedInstaller and grant Administrators only Read & execute, and an administrator's interactive session runs with a filtered standard-user token until User Account Control elevates it.

Users are supposed to be able to grant themselves permission to write to a restricted folder. From a non-elevated Explorer this works inconsistently at best: editing permissions succeeds only when the account doing it owns the object or already holds the Change permissions right on it, otherwise the changes made through the Edit button are rejected. That is why the steps below start with ownership.

When working with file system security consider the two individual components, which are set separately and checked separately:

  • permission – the ACL on the object, which says who may do what
  • ownership – the account that may rewrite that ACL regardless of what it currently says

Changing file or folder ownership:

  • right-click any file or folder, select Properties, go to the Security tab and click Advanced
  • in the Advanced Security Settings dialog go to the Owner tab and click Edit
  • select the new owner (your account or Administrators); tick Replace owner on subcontainers and objects if the change should propagate to everything inside a folder

Changing file or folder permission (works only once you own the object or already hold the Change permissions right on it):

  • right-click the file or folder and select Properties. Go to Security tab, and click Edit
  • select your username and check the Full Control checkbox

Remember, even with an administrator account you may still be unable to save to a folder or access a file. Giving yourself Full Control can fail for two reasons the dialog never explains: Explorer runs under your filtered, non-elevated token, which does not hold the SeTakeOwnershipPrivilege and treats your Administrators membership as deny-only, and protected system objects are owned by TrustedInstaller, which holds the only Full Control entry. Take ownership from an elevated process first and the permission change then succeeds. Some files and folders remain restricted by design: the system files guarded by Windows Resource Protection are meant to be writable only by TrustedInstaller, and opening them up makes them writable by any malware running under your account and can cause later servicing and update failures. Microsoft restricts your access to your own PC deliberately, so that code running as you cannot alter the operating system.

Running Applications With Administrator Privilege

Windows 7 offers a rough equivalent of 'sudo' from UNIX/Linux through User Account Control. When you log in as an administrator, the programs you run get a filtered token with the same rights as a standard user; when a program is run elevated it gets the full administrator token, still under your own account rather than as SYSTEM. You can elevate a program from your user account by right-clicking it and choosing "Run as administrator" (Windows XP had a "Run as..." option for running a program under a different account, but no split token). A standard user who does the same is prompted for an administrator's credentials.
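The two procedures above (ownership first, then permissions) and the elevation this section describes, as an added PowerShell example that is not part of the original page. The script checks whether it holds the full administrator token, relaunches itself through UAC if it does not, and then takes ownership and grants Full Control in the order the dialogs require, which is also the order in which the Explorer steps succeed. The function names (Test-IsElevated, Take-OwnershipAndGrant) and the throwaway folder under %TEMP% are the example's own; takeown and icacls are the standard Windows command-line tools.

```powershell
# Added example, not part of the original page. Save as a .ps1 file and run on Windows 7+.
function Test-IsElevated {
    # True only when the process token carries the Administrators SID enabled,
    # i.e. after UAC elevation. A logged-in admin's filtered token returns False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Take-OwnershipAndGrant {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Principal = "$env:USERDOMAIN\$env:USERNAME"
    )
    if (-not (Test-IsElevated)) {
        throw 'Not elevated: the filtered token lacks SeTakeOwnershipPrivilege, so this fails just as the Explorer dialog does.'
    }
    # Step 1, ownership: takeown needs SeTakeOwnershipPrivilege, present only in the elevated token.
    takeown /f $Path /r /d y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path" }
    # Step 2, permissions: as owner we now hold WRITE_DAC implicitly, so icacls can add the ACE.
    # (OI)(CI)F = Full Control, inherited by files and subfolders; /t applies it to the tree.
    icacls $Path /grant "${Principal}:(OI)(CI)F" /t | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
    $acl = Get-Acl -Path $Path
    New-Object PSObject -Property @{ Path = $Path; Owner = $acl.Owner; Entries = $acl.Access.Count }
}

$scriptPath = $MyInvocation.MyCommand.Path
if (-not (Test-IsElevated)) {
    # Same thing the "Run as administrator" menu entry does: the RunAs verb asks UAC for the full token.
    if (-not $scriptPath) { throw 'Save this as a .ps1 file so it can relaunch itself elevated.' }
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoExit -ExecutionPolicy Bypass -File `"$scriptPath`""
    return
}

# Demo on a throwaway folder only; never run this against C:\Windows or C:\Program Files.
$demo = Join-Path $env:TEMP 'OwnerDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
icacls $demo /setowner 'BUILTIN\Administrators' | Out-Null   # hand it to another owner first
"Before: owner = $((Get-Acl -Path $demo).Owner)"
Take-OwnershipAndGrant -Path $demo
Remove-Item -Path $demo -Recurse -Force
```

Running the same script from a non-elevated console shows the failure mode the page complains about: takeown reports access denied on anything you do not already own, because the privilege it needs is stripped from the filtered token.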

Folder Virtualization Security

Windows 7 write-protects most of C:\Windows, C:\Program Files and the HKEY_LOCAL_MACHINE registry hive during normal operation. A program running under your filtered token has no more right to write there than a standard user does, and the attempt fails with access denied. Software written for earlier versions of Windows often assumes it can write wherever it likes (an INI file next to its executable, settings under HKLM\Software), so a plain access-denied error would break a great deal of it and cause legacy installers to fail or installed applications to malfunction.

To preserve the operation of legacy installers and applications that expect direct access to those locations, Microsoft added file and registry virtualization to User Account Control. When a legacy application, meaning a 32-bit interactive process that is not elevated and whose manifest does not declare a requestedExecutionLevel, writes to a protected location, Windows silently redirects the write to a per-user copy that cannot harm the system. Files go under %LOCALAPPDATA%\VirtualStore, mirroring the original path (C:\Program Files\App\settings.ini becomes C:\Users\<username>\AppData\Local\VirtualStore\Program Files\App\settings.ini), and writes to HKLM\Software go under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE. Later reads by that application are served from the copy, so it believes the write succeeded, while every other user and every elevated process still sees the untouched original. Virtualization is a compatibility shim, not a security boundary: 64-bit, manifested, elevated or non-interactive processes get no redirection and simply fail if they try to write to those locations.

Virtualized Folders when downloading files

A download saved through Internet Explorer's own Save dialog goes to the path you choose under your user directory, because a broker process running at your normal integrity level writes the file. However, a web site might use an ActiveX control to download instead. With Protected Mode on, Internet Explorer and any ActiveX control loaded into it run at low integrity and cannot write to medium-integrity locations, which includes most of your own user folder; the only writable places are the Low folders (Temporary Internet Files\Low, Cookies\Low, History\Low, %TEMP%\Low, %USERPROFILE%\AppData\LocalLow) and a virtualized cage buried deep within AppData.

Basically, if you try to save a download to:

c:\users\<username>

It might actually end up going to the virtualized folder:

c:\users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\<username>

Microsoft does not expose these paths. Internet Explorer 7 offered users the opportunity to open the virtualized folder. Since Internet Explorer 8 the virtualized folder path is hidden and the user receives no indication that a download did not go where they think it did, that it has silently been redirected to the buried virtualized folder. The only reliable check is to look in that folder, and in the UAC VirtualStore described above, yourself.
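An added PowerShell example, not part of the original page, that answers "where did my file actually go?" for both redirect stores this page describes: the UAC VirtualStore (files and registry) and the Internet Explorer Protected Mode Virtualized folder. It walks each store, maps every entry back to the path the program thought it wrote, and flags entries that shadow a real file. The function name Get-RedirectedWrites and the constructed demo tree under %TEMP% are the example's own; the store layouts (VirtualStore\<path relative to the system drive root> and Virtualized\<drive letter>\<path>) are the ones the page and Microsoft document.

```powershell
# Added example, not part of the original page. Windows 7 or later, any user.
function Get-RedirectedWrites {
    param(
        # UAC file virtualization store: VirtualStore\Program Files\App\x.ini -> C:\Program Files\App\x.ini
        [string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        # IE Protected Mode store: Virtualized\C\Users\me\x.exe -> C:\Users\me\x.exe
        [string]$IeVirtualized = (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Virtualized'),
        [string]$SystemDrive = $env:SystemDrive   # e.g. 'C:'
    )
    $stores = @(
        @{ Root = $VirtualStore;  Kind = 'UAC VirtualStore';  DriveInPath = $false },
        @{ Root = $IeVirtualized; Kind = 'IE Protected Mode'; DriveInPath = $true }
    )
    foreach ($s in $stores) {
        if (-not (Test-Path -LiteralPath $s.Root)) { continue }
        $rootLen = (Resolve-Path -LiteralPath $s.Root).Path.TrimEnd('\').Length + 1
        Get-ChildItem -LiteralPath $s.Root -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $rel = $_.FullName.Substring($rootLen)        # path below the store root
                if ($s.DriveInPath) {
                    # first component is the drive letter: 'C\Users\me\a.txt' -> 'C:\Users\me\a.txt'
                    $real = $rel.Substring(0, 1) + ':' + $rel.Substring(1)
                } else {
                    $real = Join-Path $SystemDrive $rel        # VirtualStore mirrors the system drive root
                }
                $realExists = Test-Path -LiteralPath $real
                # Shadowed: both copies exist and the redirected one is newer, so the legacy
                # application sees its own edits while everyone else sees the stale original.
                $shadowed = $realExists -and
                    ($_.LastWriteTime -gt (Get-Item -LiteralPath $real).LastWriteTime)
                New-Object PSObject -Property @{
                    Store = $s.Kind; Redirected = $_.FullName
                    IntendedPath = $real; RealExists = $realExists; Shadowed = $shadowed
                }
            }
    }
    # UAC also redirects HKLM\Software writes into the user's hive; map those keys back too.
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            New-Object PSObject -Property @{
                Store = 'UAC registry'; Redirected = $_.Name
                IntendedPath = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                RealExists = $null; Shadowed = $null
            }
        }
    }
}

# Constructed demo data (the example's own) so the function shows output even on a clean box.
$demo   = Join-Path $env:TEMP 'RedirectDemo'
$fakeVs = Join-Path $demo 'VirtualStore\Program Files\LegacyApp'
$fakeIe = Join-Path $demo "Virtualized\C\Users\$env:USERNAME"
New-Item -ItemType Directory -Path $fakeVs, $fakeIe -Force | Out-Null
Set-Content -Path (Join-Path $fakeVs 'settings.ini') -Value '[legacy]'   # what UAC would have redirected
Set-Content -Path (Join-Path $fakeIe 'download.bin') -Value 'x'           # an ActiveX "download"
Get-RedirectedWrites -VirtualStore (Join-Path $demo 'VirtualStore') -IeVirtualized (Join-Path $demo 'Virtualized') |
    Format-Table Store, IntendedPath, Redirected, RealExists -AutoSize
Remove-Item -Path $demo -Recurse -Force

# Now the real stores on this machine.
Get-RedirectedWrites | Format-Table Store, IntendedPath, RealExists, Shadowed -AutoSize
```

Rows with RealExists true and Shadowed true are the ones worth investigating: a configuration file or, worse, an executable that a legacy process believes it updated but that never reached the protected path.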