Understanding Microsoft Windows 7 File System Security and Permissions
Microsoft is trying to emulate something that existed in Linux from the start, the UNIX style file system permissions that account for a critical part of system security.
Windows NT, 2000, and XP used the NTFS file system (with some FAT32 exceptions), and NTFS has always contained some degree of file-system-level security. However, Microsoft has revised NTFS many times, attempting to improve file-system-level security and striving to be more like UNIX. NTFS has several improvements over the File Allocation Table (FAT) file system. NTFS can control access to files and folders by assigning permissions that specifically allow or deny access to user or group accounts.
Windows XP could be installed on FAT32 or NTFS; however, Windows 7 must be installed on NTFS. This is because Windows 7 relies on file-system-level security. Windows 7 restricts how and where users can access the file system.
Basic NTFS Permissions
To view basic file or folder permissions:
- Right-click the folder or file in Windows Explorer or on the desktop.
- Click Properties.
- Click the Security tab.
The Security tab shows the object name at the top and the group or user accounts with permissions set on this file or folder. Clicking on a user or group will show the permissions for that account in the Permissions For list.
Full Control – This option allows the user or group to read, write, modify, execute, and delete permissions. A user with full control can take ownership of the file or folder.
Modify – This allows users or groups to read, write, change, execute, and delete permissions. It does not allow the user to take ownership, but it does allow the user to create folders and subfolders.
Read & execute – This option allows the user or group to view and execute files. This setting is applied to subfolders. This permission enables the List folder contents and Read permissions.
List folder contents (folder only) – This option allows a user or group to view and list files and subfolders as well as execute files. Permission is inherited by subfolders but not by files within the folder or subfolders.
Read – This option allows users or groups to view and list the contents of a folder, view file attributes, read permissions, and synchronize files.
Write – This option allows the user or group to create new files and write to existing files, view file attributes, read permissions, synchronize files, and delete files and folders.
Selecting a user or a group in the Permissions console shows the access that object has in the Permissions for list. An administrator may check or uncheck the allow or deny box for each permission. Keep in mind that using group accounts for administering file system security is often the better choice, as individual accounts in groups may be managed more easily. Denied permissions have precedence over any other permission, so any group or user account that has denied access will be denied.
Restricted Access to File System
Users are finding that downloads and files cannot be saved directly to the file system, unless within the user home directory or a few other select places. Access to the file system has been highly restricted, but not necessarily in an intelligent way. To enhance security Microsoft has even denied Administrators access to some folders.
Users are supposed to have the option to grant permission to write to a restricted folder. However, this works inconsistently at best.
When working with file system security consider the two individual components:
- permission
- ownership
Changing file or folder ownership:
- right-click any file or folder, select Properties, and go to the Security tab. Now click the Advanced button
- go to Owner tab and click Edit
- select owner
Changing file or folder permission (does not work consistently):
- right-click the file or folder and select Properties. Go to the Security tab, and click Edit
- select your username and check the Full Control checkbox
Remember, even if you are using an administrator account, you still may not be able to save to a folder or access a file or folder. You can try to give complete permission to yourself, but even this fails due to Microsoft's poor implementation. Some folders and files are locked in such a way that access will remain restricted. Microsoft likes to restrict your access to your own PC.
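The two components discussed above, ownership and permission, can also be read from PowerShell with the built-in Get-Acl cmdlet, which shows every allow and deny entry at once instead of one account at a time in the Security tab. The following is an added example, not part of the original article; the helper name Get-NtfsAccessReport and the sample target path are assumptions. It only reads the settings and changes nothing.

```powershell
# Added example: read-only report of the owner and permission entries for a path.
# Get-NtfsAccessReport is a hypothetical helper name, not a built-in cmdlet.
function Get-NtfsAccessReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Get-Acl returns the security descriptor: the owner plus the access entries.
    $acl = Get-Acl -Path $Path

    # Emit one object per entry so the result can be sorted and filtered.
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Path      = $Path
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights    # e.g. FullControl, Modify, ReadAndExecute
            Inherited = $ace.IsInherited         # True when the entry comes from a parent folder
        }
    }
}

# Sample target chosen for illustration: the current user's profile folder.
$report = Get-NtfsAccessReport -Path $env:USERPROFILE

# Show Deny entries first, since denied permissions take precedence as described above.
$report |
    Sort-Object @{ Expression = { $_.Type -eq 'Deny' }; Descending = $true }, Identity |
    Format-Table Identity, Type, Rights, Inherited -AutoSize

# List only the Deny entries together with the owner; these are worth checking
# first when access is refused even though an Allow entry appears to grant it.
$report |
    Where-Object { $_.Type -eq 'Deny' } |
    Select-Object Path, Owner, Identity, Rights
```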
Running Applications With Administrator Privilege
Microsoft borrowed the concept of 'sudo' from UNIX/Linux by allowing users to run an application as root. When you run a program, it runs under your user account and is restricted the same way your user account is. You can run a program as administrator from your user account by right-clicking the program and choosing "Run as..." (technically, the option existed in XP too).