Common NTFS Permissions Assigned to Files and Folders in Software

Creation PDF-417 2d barcode in Software Common NTFS Permissions Assigned to Files and Folders

Share-level security is a security mechanism supported in older Windows operating systems, such as Windows 95 and Windows 98 (as shown in Figure 12-6), that involves configuring the security on a resource, not by selecting which users have access to the resource but by assigning a password to the resource Anyone who knows the password will have access to the resource Share-level security is easy to implement and maintain on small peer-to-peer networks; however, users must remember the password for each resource that is shared Access is very hard to control because anyone who knows the password can gain access This is one reason user-level access is much more secure than share-level access and is the most popular method of implementing security

12:

figUre 12-6

Part of securing a Windows system is also securing the Windows Registry The Registry is a central database of all the user and computer settings on the system If this information were accessible to a malicious user, the results could be disastrous and could cause the system to be dysfunctional Because of the risk involved in accessing the Registry, Microsoft does not even list the utilities provided to modify the Registry with the rest of the administrative tools These utilities, REGEDITEXE (for Windows) and REGEDT32EXE (for Windows NT based operating systems such as Windows 2000/XP), are located in the systemroot\system32 directory In the past, regeditexe could not set permissions, while regedt32exe was the registry editor you had to use to set permissions Today s operating systems allow you to use either regeditexe or regedt32exe to set permissions in the registry There are two ways to secure the Registry The first way is to secure the folder that holds the Registry files; the second way involves securing each section of the Registry Let s look at securing the Registry files The Registry files are stored in the systemroot\system32\config folder, so you can secure the Registry by securing this folder which is done for you by default Figure 12-7, which shows the default permissions in Windows Server 2003 for the config folder, reveals that

figUre 12-7

authenticated users (users who have logged on) have only the List Folder Contents permission This means that they can only see that the files are there they can t modify them The second method of securing the Registry is giving users or not giving users specific permissions to a particular area of the Registry You can control these permissions by using regedt32exe in Windows operating systems Once you start regedt32exe, you can right-click a folder (known as a key) and then choose permissions as shown in Figure 12-8 Once you choose the permissions command, you can modify the DACL for that section of the Registry To make sure that users can only read a section of the Registry and not modify it, you can establish that authenticated users have only the Read permission in the permission list but not the Full Control permission The Full Control permission would allow a user to create and delete items from the Registry The Permissions dialog box is shown in Figure 12-9, while Exercise 12-1 demonstrates how to secure the Registry with permissions

12:

figUre 12-8

figUre 12-9

In this exercise you will log on to Windows XP as a user named Bob, who does not have access to modify the Registry You will subsequently log on as a network administrator and configure Registry permissions so that Bob can modify the contents of the Run area of the Registry Keep in mind that you normally would not allow users to modify the Registry and this part of the exercise is simply for demonstration purposes 1 Log on to Windows XP as Bob with a password of password If you do not have a bob account, you must create one 2 Select Start | Run and type regedt32, and press enter 3 In regedt32, navigate to Hkey_Local_Machine\Software\Microsoft \Windows\CurrentVersion\Run 4 Right-click the Run folder, and choose New | String Value (as shown in the following illustration)

12: