NICE security How-To
ACL, ACE ... Permissions... How to handle File security?


Security takes an ever bigger place in industry and research institutes alike. We face an increasing need to control who can access a piece of information, and when. Windows provides a built-in mechanism for this: every access to a file or folder is checked against the privileges of the user, to decide whether that user may open the document or folder or not. This article first introduces the technical vocabulary. It then presents the way Windows handles security on files and folders, and the way to manage it. A section then introduces the notion of rights inheritance, before looking at the notion of Owner and its role. Finally, a few typical cases are worked through.

SID, Permission, ACE, ACL: barbarous words

 

A little understanding of the technical vocabulary is needed to follow a discussion of permission problems. All the notions needed are summed up in the drawing below.

SID (Security Identifier): the identity of a security principal, i.e. a user or a group. The Security tab shows it as the user login or the group name; internally it is a unique string of the form S-1-5-..., which stays attached to the file even if the account is later deleted.

Permission: an integer bit mask that represents the access given to the associated SID (read, write, ...).

ACE (Access Control Entry): a couple (SID, permission), together with a type, Allow or Deny. It thus represents the access that is given to, or refused to, one user or group.

ACL (Access Control List): the ordered list of ACEs set on a given file or folder (strictly speaking the discretionary ACL, or DACL; the system ACL holds auditing entries and is not covered here).

This information can be displayed by opening the file or folder properties (right-click, then Properties) and selecting the Security tab.

In the screenshot, Bruno Lenski is the SID of the user, his permissions are listed below it, and the couple of Bruno Lenski and his permissions constitutes an ACE. The ACL is the set of ACEs: here the one for Bruno Lenski and the one for Administrators.

The above view is the condensed way Windows displays the permissions set on a folder: each line of the list summarizes several permission components. To display the full list of permissions, click the Advanced button in the above picture, which opens the screen on the right.

These permissions can be edited by clicking the Edit button.

Questions to answer before granting permissions

Before setting permissions on a folder, a few points have to be considered:

  • Who will have access? A single user or a set of users? (one SID, or a list of SIDs)
  • How often do I expect that list of SIDs to change? (for instance when a newcomer joins the group)
  • Which rights are to be granted to each SID?

To address the first and second points, be aware that permissions are set at the file/folder level. Adding a new permission for a single user in a folder tree is not a trivial task, as it implies modifying every ACL below it. It is strongly recommended to use groups to give access to a folder, and to manage the membership of the group instead: to give access to everyone in IT/IS, use the group called "Users IT-IS". All existing groups can be displayed on the Win Services web page: https://winservices.web.cern.ch/winservices/Services/GroupManager/GroupManager.aspx

This page also allows one to create a new group and associate logins with it.

To address the third point, be aware that it is strongly recommended to grant access to a resource, never to deny it. If someone is granted access, he can access the resource; if someone is simply not listed, he cannot. Denying access is a different mechanism, with side effects (described below): a Deny entry wins over any Allow entry at the same level, including the ones granting your own access. Its use is therefore not recommended (see the examples for more information).

List of possible permissions

There are 13 permission components in Windows, with self-explanatory names. They are listed in the table below, together with the Unix permission (read, write, execute, delete) each one roughly corresponds to:

Permission component             | Read (R) | Write (W) | Execute (X) | Delete (D)
---------------------------------+----------+-----------+-------------+-----------
Traverse Folder / Execute File   |          |           |     Yes     |
List Folder / Read Data          |   Yes    |           |             |
Read Attributes                  |   Yes    |           |     Yes     |
Read Extended Attributes         |   Yes    |           |             |
Create Files / Write Data        |          |    Yes    |             |
Create Folders / Append Data     |          |    Yes    |             |
Write Attributes                 |          |    Yes    |             |
Write Extended Attributes        |          |    Yes    |             |
Delete Subfolders and Files      |          |           |             |
Delete                           |          |           |             |    Yes
Read Permissions                 |   Yes    |    Yes    |     Yes     |
Change Permissions               |          |           |             |
Take Ownership                   |          |           |             |

A few notes about this table:

  • Delete Subfolders and Files can be applied as an individual permission to folders: it allows deleting what is inside the folder even when the Delete permission has not been granted on the child objects themselves.
  • There is actually a 14th permission component, called Synchronize. It is used to control synchronization of access to file or folder handles by multithreaded applications. It is of a different nature from the other permissions, which is why it is left out of the table; the Security tab adds it automatically to every Allow entry.
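As an added example (this is not code from the original help page), here is the same information, SID, permission mask, ACE and ACL, read from PowerShell rather than from the Security tab, with each permission integer decoded into the components of the table above. It assumes Windows PowerShell 3.0 or later; the folder path used at the end is hypothetical.

```powershell
# Added example, not part of the original page. Lists the ACEs of a folder as
# the Advanced security dialog shows them (SID, permission mask, Allow/Deny,
# inherited or not) and decodes each mask into the permission components of
# the table above. Assumes Windows PowerShell 3.0+; the path at the end is hypothetical.

# Bit values of the System.Security.AccessControl.FileSystemRights flags,
# one per component of the table (plus the 14th one, Synchronize).
$PermissionComponents = [ordered]@{
    'Traverse Folder / Execute File' = 0x000020
    'List Folder / Read Data'        = 0x000001
    'Read Attributes'                = 0x000080
    'Read Extended Attributes'       = 0x000008
    'Create Files / Write Data'      = 0x000002
    'Create Folders / Append Data'   = 0x000004
    'Write Attributes'               = 0x000100
    'Write Extended Attributes'      = 0x000010
    'Delete Subfolders and Files'    = 0x000040
    'Delete'                         = 0x010000
    'Read Permissions'               = 0x020000
    'Change Permissions'             = 0x040000
    'Take Ownership'                 = 0x080000
    'Synchronize'                    = 0x100000
}

function ConvertTo-PermissionComponents {
    # Decode a permission mask (the integer of an ACE) into component names.
    # Masks with generic bits set (GENERIC_READ/WRITE/EXECUTE/ALL, seen on some
    # inherited entries) are flagged, since each generic bit stands for several components.
    param([Parameter(Mandatory)][int]$Mask)
    if (($Mask -band 0xF0000000) -ne 0) { 'generic rights (0x{0:X8})' -f $Mask }
    foreach ($entry in $PermissionComponents.GetEnumerator()) {
        if (($Mask -band $entry.Value) -eq $entry.Value) { $entry.Key }
    }
}

function Get-AceReport {
    # One object per ACE. The SID is resolved explicitly so that an entry left
    # behind by a deleted account (shown as a raw S-1-5-... in the GUI) is
    # still reported instead of breaking the listing.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        $mask = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            SID        = $sid
            Type       = $ace.AccessControlType      # Allow or Deny
            Inherited  = $ace.IsInherited
            Mask       = '0x{0:X}' -f $mask
            Components = (ConvertTo-PermissionComponents -Mask $mask) -join ', '
        }
    }
}

# Usage (hypothetical path): one line per ACE, as in the Advanced dialog.
Get-AceReport -Path 'C:\Users\blenski\Documents\Project' | Format-Table -AutoSize
```

The Mask column is the "Permission" integer of the definitions above; the Components column is what the Advanced dialog shows as the permission name, and an entry whose components do not add up to Read, Modify or Full Control is the one the basic Security tab labels "Special permissions".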

Ownership and permission assignment

Every object within an NTFS volume has an owner: a user identified by the object as the one who controls it. By default, the user who creates a file or folder becomes its owner. The significance of ownership is that the owner of a file or folder always has the ability to read and to assign permissions on that object, whatever its ACL says. The owner can therefore decide which permissions apply to the object, controlling the access of others to the file or folder.

The two special permissions associated with ownership and permission assignment are "Change Permissions" (P) and "Take Ownership" (O). If a user is granted "Change Permissions", the user can change the permission settings of the object even without owning it. If a user has "Take Ownership", the user can take over ownership of the resource and, once owner, can of course do anything he or she wants with the permissions.

Note that by default, members of the "Administrators" group can always take ownership of, or change permissions on, any file or folder, thanks to a system privilege rather than to an ACE. This allows administrators to fix permission problems when they occur. While assigning permissions, removing or denying the rights of Administrators is therefore pointless, as they can reassign themselves all the rights. It is also harmful, since the backup service relies on these rights (see Case 5).

Permission inheritance

The notion of inheritance is based on the notion of folder and subfolder. The permissions set on a parent folder can be propagated to all the objects it contains. Through inheritance, an administrator or user can manage a hierarchical tree of permissions that matches the hierarchical tree of directories. Since each child inherits permissions from its parent, in a hierarchy of three or more levels of folders the objects deep within the structure inherit permissions from their parent, "grandparent", "great-grandparent" and so on.

In addition to this powerful dynamic inheritance feature, Windows offers two advanced inheritance controls that give the administrator more power over how inheritance works:

  • Child Protection: the security properties of each object contain a check box labelled "Allow inheritable permissions from parent to propagate to this object" (Windows XP) or "Include inheritable permissions from this object's parent" (Windows Vista and later). Clearing it breaks the normal inheritance link between this child and its parent (and higher-level ancestors as well). From then on the child no longer dynamically inherits permissions from higher up in the directory tree; such a child object is said to be protected from inheritance changes. Windows then asks whether the permissions inherited so far should be copied into the child as explicit entries, or removed (see Case 5).
  • Forced Propagation: an option called "Reset permissions on all child objects and enable propagation of inheritable permissions" is provided. It works the same way as the "Replace Permissions on Subdirectories" and "Replace Permissions on Existing Files" options of the older Windows NT static permission model. When selected, NTFS forces propagation down to all child objects, re-enables inheritance on protected children and removes any permission that was directly assigned to them. This allows administrators to easily "fix" permission problems in large directory structures.

Inheritance is thus a powerful tool, with one cost: performance. Inheritance requires more processing to deal with changes to files and folders, and to determine which permissions take precedence each time access to an object is attempted.
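As an added example (not code from the original page), the two inheritance controls above from PowerShell: an audit that finds where a folder tree stops simply mirroring its root, either because a child was protected from inheritance or because explicit entries were added to it, followed by the equivalent of the Forced Propagation reset. It assumes Windows PowerShell 3.0 or later and Change Permissions on the whole tree; the root path is hypothetical.

```powershell
# Added example, not part of the original page. Audits a folder tree for the
# two inheritance features described above (children protected from
# inheritance, children with directly assigned "explicit" permissions), then
# performs the "Reset permissions on all child objects" operation.
# Assumes Windows PowerShell 3.0+ and Change Permissions on the whole tree;
# the root path at the end is hypothetical.

function Get-InheritanceBreaks {
    # Report each child whose ACL no longer simply mirrors the root: either
    # inheritance is switched off (protected) or explicit ACEs were added.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path      = $_.FullName
                Protected = $acl.AreAccessRulesProtected
                Explicit  = ($explicit | ForEach-Object {
                                "$($_.AccessControlType) $($_.IdentityReference): $($_.FileSystemRights)"
                            }) -join '; '
            }
        }
    }
}

function Reset-ChildPermissions {
    # Equivalent of the Forced Propagation option: for every child, switch
    # inheritance back on and drop every explicit ACE, so that the child
    # carries only what the root propagates. Destructive: run the audit first.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $acl.SetAccessRuleProtection($false, $false)    # inherit again, keep no copies
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $acl.RemoveAccessRuleSpecific($ace)
        }
        Set-Acl -LiteralPath $_.FullName -AclObject $acl
    }
}

# Usage (hypothetical path): see where the tree diverges before resetting it.
$Root = 'C:\Users\blenski\Documents\Project'
Get-InheritanceBreaks -Root $Root | Format-Table -AutoSize
# Reset-ChildPermissions -Root $Root
```

The audit is the step the GUI does not offer: it tells you which children will lose directly assigned entries before you reset them. On a large tree, `icacls <child> /reset /T /C` from an elevated prompt does the same reset per child without reading each ACL into PowerShell.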

Permission resolution

Here is the tough part: how does the system interpret the ACL, and how are permissions granted? This section may seem a bit technical; the examples afterwards will clarify the situation.

Here is the algorithm used to check whether a user has access or not:

  1. "Deny" permissions take precedence over "Allow" permissions (at the same level; see rule 2).
  2. Permissions applied directly to an object take precedence over permissions inherited from a parent object.
  3. Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors: permissions inherited from the object's parent folder take precedence over permissions inherited from its "grandparent" folder, and so on.
  4. Permissions from different user groups at the same level (in terms of being directly set or inherited, and in terms of being "Deny" or "Allow") are cumulative. So if a user is a member of two groups, one with an "Allow" of "Read" and the other with an "Allow" of "Write", the user has both read and write permission, subject to the other rules above.

The system combines these rules into a single ordered process. Since directly applied permissions take precedence over inherited ones, and "Deny" permissions over "Allow" permissions, it first looks at the directly set "Deny" entries, combining them for all the groups the user is a member of. If it finds a Deny covering the requested access, it is done: the access is refused. Otherwise it looks at the directly set "Allow" entries; if they add up to the requested access, the access is allowed. If not, it continues on; the sequence is as follows:
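As an added example (not code from the original page), here is the ordered evaluation implied by rules 1 to 4, modelled as a small PowerShell function so that an ACL can be reasoned about before it is changed. The model deliberately leaves out what the real check adds on top (the implicit rights of the owner and the privileges of Administrators, both described in the Ownership section). The user, group and machine names are hypothetical, chosen to match the examples that follow.

```powershell
# Added example, not part of the original page: a model of the ordered
# evaluation described by rules 1 to 4. It ignores the owner's implicit
# rights and the Administrators privileges. Names below are hypothetical.

function New-ModelAce {
    # Level 0 = set directly on the object, 1 = inherited from the parent,
    # 2 = inherited from the grandparent, and so on.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$Type,
        [Parameter(Mandatory)][int]$Rights,
        [int]$Level = 0
    )
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights; Level = $Level }
}

function Test-ModelAccess {
    param(
        [Parameter(Mandatory)][object[]]$Acl,        # ACEs, in any order
        [Parameter(Mandatory)][string[]]$Principal,  # the user plus every group he belongs to
        [Parameter(Mandatory)][int]$Requested        # permission mask being asked for
    )
    # Rules 2 and 3: nearer level first. Rule 1: within a level, Deny before Allow.
    $ordered = $Acl | Sort-Object -Property Level, @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    $granted = 0
    foreach ($ace in $ordered) {
        if ($Principal -notcontains $ace.Identity) { continue }   # entry is about someone else
        $outstanding = $Requested -band (-bnot $granted)
        if ($ace.Type -eq 'Deny') {
            # A Deny only matters for rights not already granted at a nearer level.
            if (($ace.Rights -band $outstanding) -ne 0) { return "Denied by Deny entry for $($ace.Identity)" }
        } else {
            $granted = $granted -bor ($ace.Rights -band $Requested)   # rule 4: Allows add up
            if ($granted -eq $Requested) { return 'Granted' }
        }
    }
    'Denied: no entry grants the remaining rights'
}

$Read  = 0x20089    # List Folder/Read Data, Read Attributes, Read EA, Read Permissions
$Full  = 0x1F01FF   # Full Control
$Bruno = 'CERN\blenski', 'CERN\Users IT-IS'   # Bruno Lenski is a member of IT-IS

# Case 2 of the examples below: the group has Read, Bruno keeps Full Control.
$case2 = @(
    New-ModelAce 'CERN\blenski'               Allow $Full
    New-ModelAce 'CERNHOME12\Administrators'  Allow $Full
    New-ModelAce 'CERN\Users IT-IS'           Allow $Read
)
Test-ModelAccess -Acl $case2 -Principal $Bruno -Requested $Read

# Case 3: a Deny on the group is evaluated before Bruno's own Allow.
$case3 = $case2 + (New-ModelAce 'CERN\Users IT-IS' Deny $Read)
Test-ModelAccess -Acl $case3 -Principal $Bruno -Requested $Read

# Rule 2: the same Deny, but inherited from the parent folder, is evaluated
# after the directly set Allow for Bruno.
$inherited = $case2 + (New-ModelAce 'CERN\Users IT-IS' Deny $Read -Level 1)
Test-ModelAccess -Acl $inherited -Principal $Bruno -Requested $Read
```

The third call is the one worth remembering: a Deny inherited from a parent does not protect a folder against a direct Allow set on it, which is one more reason to manage access by adding and removing Allow entries for groups rather than by adding Deny entries.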

Examples

Here is a set of examples to explain the system behaviour.

Let's assume I am Bruno Lenski, member of the IT-IS group.

In these examples, inheritance of rights has been removed from the folder, so only the entries set directly on it count.



Case 1:


If I create a folder in "My Documents", it has the following ACL:
  • Bruno Lenski has Full Control
  • Administrators has Full Control

In that case, myself and the administrators of the CERNHOME12 machine have access to the folder and its content.

All other persons from IT-IS have no access.

Case 2:

I want my colleagues from IT-IS to access this folder with read permission. I therefore add the "Users IT-IS" group to the list of SIDs and allow it the Read right.
Note that the Read right shown in the Security tab is composed of four Windows permission components:
  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions

Restricting the right to "List Folder / Read Data" only would show "Special permissions" ticked instead of Read.

When a user X wants to access the folder, the resolution is: if he is a member of Users IT-IS, he is granted the read right.

As Bruno Lenski is a member of IT-IS, he gets the right (and keeps Full Control through his own entry).

Case 3:

Let's assume now that I want to deny access to all persons from IT-IS on that folder. I can set a Deny on the read rights of the IT-IS entry. This leads to the following behaviour. If a user X wants to access the folder, the system successively checks:
  • Is X a member of IT-IS? If yes, the access is denied.
  • If not, is X = Bruno Lenski? If yes, the access is granted.
  • If not, is X in the CERNHOME12\Administrators group?

The problem is that Bruno Lenski is a member of the IT-IS group, so the first rule already denies him access. Even though the second rule would grant it, the Deny is evaluated first and wins: Bruno Lenski is NOT granted access. This is why Windows shows a warning when a Deny entry is added.

Because of this behaviour, we recommend not using Deny entries: to exclude IT-IS, simply remove its entry (as in Case 4).

Case 4:

Starting again from the situation of Case 2.
Let's assume I want people from TE-MSC to have read access instead of IT-IS. I then remove the "Users IT-IS" entry and add a "Users TE-MSC" entry with the Read right.
Thus when a user X wants to read in the folder, the system successively checks:
  • Is X = Bruno Lenski? If yes, he has Full Control.
  • If not, is X a member of Users TE-MSC?
  • If not, is X in the CERNHOME12\Administrators group?

If all tests fail, the access is not granted.
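As an added example (not code from the original page), the ACL changes of Cases 2 to 4 done from PowerShell instead of the Security tab, with the Deny of Case 3 shown next to the recommended alternative of simply dropping the entry. It is meant to be run as the owner of the folder and assumes Windows PowerShell 3.0 or later; the folder path and the "CERN\" domain prefix in front of the group names are hypothetical.

```powershell
# Added example, not part of the original page: the ACL changes of Cases 2
# to 4 from PowerShell. Run as the owner of the folder. Assumes Windows
# PowerShell 3.0+; the folder path and the 'CERN\' prefix are hypothetical.

$Folder = 'C:\Users\blenski\Documents\Project'

# New entries propagate to subfolders and files, so colleagues can open the content too.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

function Remove-GroupAccess {
    # Drop every explicit Allow and Deny entry for $Group (the Case 4 way of
    # withdrawing access). Inherited entries are left untouched.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Group)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($type in 'Allow', 'Deny') {
        # RemoveAccessRuleAll matches on identity and type only; the rights of the probe are irrelevant.
        $ctorArgs = $Group, 'Read', $Inherit, $NoProp, [System.Security.AccessControl.AccessControlType]$type
        $probe = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
        $acl.RemoveAccessRuleAll($probe)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-GroupAccess {
    # Replace whatever $Group has on $Path with a single entry of the given
    # type. 'Deny' reproduces Case 3 and is kept only to show the trap.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Allow'
    )
    Remove-GroupAccess -Path $Path -Group $Group
    $acl = Get-Acl -LiteralPath $Path
    $ctorArgs = $Group, $Rights, $Inherit, $NoProp, [System.Security.AccessControl.AccessControlType]$Type
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-ExplicitAces {
    # The entries set directly on the folder, as the examples list them.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

# Case 2: colleagues from IT-IS get Read.
Set-GroupAccess -Path $Folder -Group 'CERN\Users IT-IS' -Rights Read
Show-ExplicitAces -Path $Folder

# Case 3, the trap: a Deny on the group also locks out Bruno, who is a member of it.
# Set-GroupAccess -Path $Folder -Group 'CERN\Users IT-IS' -Rights Read -Type Deny

# Case 4: TE-MSC instead of IT-IS, by removing one entry and adding another.
Remove-GroupAccess -Path $Folder -Group 'CERN\Users IT-IS'
Set-GroupAccess    -Path $Folder -Group 'CERN\Users TE-MSC' -Rights Read
Show-ExplicitAces -Path $Folder
```

Two caveats: the group name must resolve in the domain, otherwise the removal step fails with an identity-not-mapped error before anything is written; and because the new entries are inheritable, Show-ExplicitAces run on a subfolder will list them as inherited, not explicit, which is the expected effect of Case 2 on the folder content.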

Case 5:

Let's assume now that I create a folder inside that folder. This subfolder inherits the rights of its parent folder, and the Security tab shows the inherited permissions greyed out.
To remove this inheritance, click "Advanced" to open the detailed rights window, then click Edit in that newly opened window and untick the inheritance check box:

The system then asks whether to remove all permissions or to copy the current (inherited) permissions into the folder. Let's assume we remove them. The folder's ACL is then empty: no SID is listed and nobody has any permission on that folder.

Nobody... not quite: the owner (the person who created the folder) keeps the implicit right to read and change the permissions, whatever the ACL says. So I can add permissions for myself on that folder.

The owner can be displayed by clicking "Advanced" in the Security tab and browsing the "Owner" tab.

Note that a machine administrator can always take ownership, and thus give himself rights afterwards.

I can then grant myself Full Control on the folder. The remaining problem is that the Administrators entry (CERNHOME12\Administrators in our case) is gone too and is easy to forget to put back; without it, the folder will have backup problems.

Thus removing all permissions is not a good idea: I should have copied the permissions instead of removing them when prompted, and then removed only the entries I did not want.
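As an added example (not code from the original page), the two answers to the prompt of Case 5, copy or remove the inherited permissions, what each one leaves in the ACL, and the two repair paths described in the Ownership section: the owner's implicit right to change permissions, and an administrator taking ownership. It assumes Windows PowerShell 3.0 or later; the two subfolder paths are hypothetical, and the local Administrators group is addressed by its well-known name BUILTIN\Administrators (the Security tab shows it as CERNHOME12\Administrators).

```powershell
# Added example, not part of the original page: Case 5 from PowerShell,
# "Copy" versus "Remove", then repair as the owner and as an administrator.
# Assumes Windows PowerShell 3.0+; the paths are hypothetical.

$Good = 'C:\Users\blenski\Documents\Project\SubA'   # will get the "Copy" answer
$Bad  = 'C:\Users\blenski\Documents\Project\SubB'   # will get the "Remove" answer

function Disable-Inheritance {
    # $KeepCopies $true  = answer "Copy":   inherited entries become explicit ones.
    # $KeepCopies $false = answer "Remove": the ACL is left empty.
    param([Parameter(Mandatory)][string]$Path, [bool]$KeepCopies = $true)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $KeepCopies)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AclSummary {
    # Owner plus the entries present: the count drops to 0 after "Remove",
    # while Owner is unchanged, which is what makes the repair possible.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path  = $Path
        Owner = $acl.Owner
        Aces  = @($acl.Access).Count
        Names = (@($acl.Access) | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

function Grant-FullControl {
    # Add an inheritable Full Control entry; used for the repair below.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    $ctorArgs = $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# The recommended answer: the parent's entries are kept as explicit ones.
Disable-Inheritance -Path $Good -KeepCopies $true
Get-AclSummary -Path $Good

# The answer Case 5 warns about: the ACL is emptied.
Disable-Inheritance -Path $Bad -KeepCopies $false
Get-AclSummary -Path $Bad

# Repair as the owner: Get-Acl and Set-Acl still work on the empty ACL
# because the owner always holds READ_CONTROL and WRITE_DAC implicitly.
# Administrators go back in as well, otherwise the backup of the folder fails.
Grant-FullControl -Path $Bad -Identity "$env:USERDOMAIN\$env:USERNAME"
Grant-FullControl -Path $Bad -Identity 'BUILTIN\Administrators'

# Repair as an administrator when the owner is not available: take ownership
# first (takeown uses the SeTakeOwnershipPrivilege held by Administrators;
# run it from an elevated session), then grant as above.
# takeown.exe /F $Bad
# Grant-FullControl -Path $Bad -Identity 'BUILTIN\Administrators'
```

Comparing the two Get-AclSummary outputs shows the difference between the answers directly: after "Copy" the subfolder carries the same names as its parent, but as explicit entries that no longer follow changes made on the parent; after "Remove" it carries none, and only the Owner field still points at someone able to fix it.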

A PDF version of this document is available: ACL_helpPage_v1.0.pdf