Best Practice to Manage Permissions


Security plays an ever larger role in every company and research institute. We face an increasing need to control who accesses information and when it is accessible. Windows provides a built-in mechanism for access control that checks a user's privileges to decide whether they should be able to access a document or folder.

This page covers best practices for using the Windows built-in access control smoothly and for avoiding trouble accessing information, whether on a local PC or in DFS folders.



Each file or folder in Windows has, within its properties, a tab called Security:

This tab contains all the information related to the security of the file or folder. As the tab shows, this information is composed of a SID (basically a group or user name) and a set of permissions.

The Edit button allows one to change those permissions, but what are the rules for permissions?

  • Rule 1 - Never remove the administrator entry.

The administrator entry is used by the system to access information on the file. If one removes the administrator's right to access the file, a side effect could be that backups are not carried out, among other things. Moreover, for obvious maintenance reasons, the administrator of the system can always grant himself access, so not allowing the administrator to access the data does not make it more secure.

  • Rule 2 - Do not use Deny permissions.

If one does not want someone to access a folder or file, it is better not to give him the permission than to deny him access. This is due to the way access is resolved: deny entries are taken into consideration first. If, for instance, you are a member of IT-IS and you deny IT-IS access to a folder, then you will be denied access even though the list also contains an entry granting you access. For more information one can read the help pages on "Managing ACL".

  • Rule 3 - Use groups to give access to multiple people

If you want to grant the people in your group access to a given folder, you should give the permission to the "User -" group. One should not add all members one by one, for the following reason: maintenance! If someone leaves or joins the group, you would have to modify the permissions on every file. This operation is costly, whereas adding someone to a group is a straightforward operation and, for built-in groups, is done automatically when someone joins CERN. If you want a set of people to access the data but there is no built-in group for them, one can create a group on the win-services pages: https://winservices.web.cern.ch/winservices/Services/GroupManager/GroupManager.aspx

And in e-groups: http://e-groups.cern.ch

These pages also allow you to create and manage your own groups.

  • Rule 4 - Check user permissions in case of doubt

While granting permissions, one may want to verify whether a given user or group has access to the resource being managed. This can easily be done in Windows Explorer. To do so, open the Security tab of the file or folder, then:

1- Click on the "Advanced" button

2- Open the "Effective Permissions" tab

3- Click on "Select ..." to enter a user or group name in a pop-up screen

4- Click on "OK" in the pop-up screen to display which permissions are granted
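
The following is an added example, not part of the original help page or of any CERN tool: a small Python model of how Windows resolves an ACL, showing why the deny entry of Rule 2 overrides an individual grant and what the check of Rule 4 would report. The user names, the "IT-DB" and "project-members" groups and the three-bit rights mask are constructed for the illustration; the model also goes slightly beyond the page by ordering inherited entries after explicit ones, as Windows does.

```python
from dataclasses import dataclass

READ, WRITE, MODIFY = 0x1, 0x2, 0x4   # simplified rights bits, not real NTFS masks
FULL = READ | WRITE | MODIFY

@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    principal: str           # user or group name standing in for a SID
    mask: int                # rights this entry covers
    inherited: bool = False  # True if the entry comes from a parent folder

def canonical_order(acl):
    """Order entries: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "deny"))

def effective_rights(acl, user, groups):
    """Return the rights mask left for `user` once every matching entry is applied."""
    identities = {user, *groups}
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.principal not in identities:
            continue
        if ace.kind == "deny":
            denied |= ace.mask & ~granted   # blocks rights not already granted
        else:
            granted |= ace.mask & ~denied   # cannot restore a denied right
    return granted

# Constructed sample data: alice belongs to IT-IS, bob does not.
ALICE_GROUPS = ["IT-IS", "project-members"]
BOB_GROUPS = ["IT-DB"]

# Rule 2 ignored: IT-IS is denied, then alice is granted access individually.
ACL_WITH_DENY = [
    Ace("allow", "Administrators", FULL),
    Ace("allow", "alice", FULL),
    Ace("deny", "IT-IS", FULL),
]

# Rules 2 and 3 followed: no deny entry, access granted through one group.
ACL_WITHOUT_DENY = [
    Ace("allow", "Administrators", FULL),
    Ace("allow", "project-members", READ | WRITE),
]

if __name__ == "__main__":
    for name, acl in (("with deny", ACL_WITH_DENY), ("without deny", ACL_WITHOUT_DENY)):
        for user, groups in (("alice", ALICE_GROUPS), ("bob", BOB_GROUPS)):
            print(f"{name:12} {user:5} -> {effective_rights(acl, user, groups):#05b}")
```

In the second ACL bob is kept out simply because no entry names him or his groups, which is the approach Rule 2 recommends over a deny entry.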

Thus, as described, permission handling is a difficult topic, but everyone should be able to deal with it using the 4 rules described above.

For more information on file security, please consult the "Managing ACL" page in the help pages of the win-services website.