NTFS Permissions
In the beginning..
MS-DOS had a file system called FAT (File Allocation Table). It supported a maximum partition size of 2.1GB and was prone to fragmentation. Windows 98 shipped with FAT32, an enhanced 32-bit file system which supported larger disk sizes and offered more efficient storage, although file sizes were natively limited to 4GB (it all seemed so much bigger then..).
However neither of these systems had any form of local security. You could get straight into the operating system without passwords, or you could boot to a floppy and access the full file system of C:\ from the command prompt. Fine for the average user with no security concerns, but these days, frankly there's no computing without security concerns.
However, earlier, in 1996, Windows NT (New Technology, well it's all relative) had already introduced a new, more secure file system to the world. The FAT was replaced with the MFT (Master File Table) and the file system was known as NTFS. For the first time, you had to log on to a Windows stand-alone system with a valid username and password.
More Secure..
Imagine you have a laptop running Windows XP Pro. One day I ask if I can borrow your laptop. You're happy to lend me it, but you don't want me to see your fine erm, ornithological JPEG collection.
The great thing about NTFS and other secure file systems is that you can give me a separate username and password to log onto the laptop with, and you can also stop andym from having access to your My Documents folder. In fact he won't have access by default, and if you don't make him an Administrator on the system, andym can't give himself access to your My Documents folder either.
Another useful thing about NTFS is that someone can't just boot up your system and access C:\ like they could with FAT32. This is because a boot disk using the FAT32 file system reader simply cannot read an NTFS partition natively. So to the potential laptop floppy hacker, it's just as if the C: drive doesn't exist.
..but not totally secure
NTFS has many more great benefits, well beyond the scope of this article. But before you shoot off and become an NTFS junkie, remember that NTFS is not totally secure. Like everything else, there are degrees of security. NTFS is more secure than FAT/FAT32 but is less secure in the hands of somebody who knows how to tap into it using other means. Like me.
Yes indeedy, there are ways of hacking into the NTFS file system and accessing data (e.g. mounting an NTFS partition in Linux), but these are harder to do than just using a DOS boot disk (you use a Linux boot disc instead). It's a bit like car security: using a steering lock might put off the average thief, but there are ways of getting through if you're motivated or knowledgeable enough. A steering lock provides another obstacle that the intruder must overcome. A secure file system is the same.
Wossit like?
NTFS works just like any other file system and on the surface looks like, say, FAT32 on a Windows 98 box. To use NTFS you need an OS which supports it, such as NT, 2000, XP and 2003, and a partition or drive formatted with the NTFS file system (it is possible to install the latter three on FAT32; you could also store your laptop on a park bench). For NTFS security to work, it needs a username/password system, where all users have their own credentials and are members of a hierarchical group structure.
Time for a picture. Right-clicking on a drive brings up a summary of its properties..
See those two tabs at the top, Sharing and Security? That's what I'm talking about. So back to the laptop scenario then. Your name is Ronald Sitch and your laptop is formatted with the NTFS file system. You have piles of files and you log on with your username rsitch, this user being a member of the Administrators group.
You then create a username and password for andym in the same manner; however andym is only a member of the Users group, not Administrators. People in the Users group can perform only limited activities on the system. More on this later..
Now the whole purpose of a user hierarchy is to allocate users permissions (or not) to various resources. The resource we are going to control is one of Ronald's folders on his C: drive. Once a folder is created, right-click on it in Windows Explorer, bringing up the Folder Properties box. If the drive is NTFS-formatted then the box will have a Security tab at the top. This is where permissions are set as to who can do what to this folder, and this tab is sometimes referred to as NTFS Permissions..
A word on Users and Groups
As you click on each user, their relevant NTFS permissions are displayed. So each user or user group can have different permissions to the resource. Generally on a large network, it is inefficient to add single users to a resource. It is preferable (and easier) to create individual users and to create user groups (or use the system's own pre-defined groups). Next add the group to the resource, with the relevant permissions, and finally add the users to the user group.
So for example, I wish all accountants (and only accountants) to access a folder called spreadsheets. Rather than adding every single accountant's username to the spreadsheets folder, it is far easier to create a user group called accountants, to add every accountant username to the accountants user group and then to add the accountants user group to the folder, with the correct permissions. Then if a new accountant arrives, just add the name to the accountants user group and this person will automatically get the same permissions as all the other accountants.
In a nutshell, add users to groups and assign groups to resources..
Inheritance
Unable to change the permissions for a user/group? By default these are greyed out and cannot be altered immediately. This is due to the phenomenon of inheritance. Each folder automatically inherits the permissions of the folder (or drive) directly above it. Likewise if you change permissions on a folder then these settings can be inherited by the folders below, known as child objects.
Inheritance is handy as it relieves the administrator of having to set permissions on each and every folder. But to alter specific permissions, inheritance must be turned off. Click on the Advanced button in the bottom right hand corner of the Properties Security tab (see above). In the ensuing Advanced Security Settings window, uncheck the "Inherit from parent.." box, click the Copy button in the popup box and then click OK to finish..
Back to the users then. Again the system will pop all sorts of users and user groups into the folder permission list by default, but now that we have full control of these permissions, we can set explicit rules..
So from the above sets of permissions for the folder Butterflies, we see that andym has Read Only access and rsitch has Full Control. If Ronald Sitch didn't want andym to have any access at all, he could remove the andym entry from the security permissions list.
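The steps above (create the users, put them in groups, break inheritance with Copy, then set explicit rules on Butterflies) can be done from the command line as well. The PowerShell script below is an added example and is not part of the original article. It assumes Windows 10 / Server 2016 or later (for the New-LocalUser family of cmdlets), an elevated prompt, and that the user rsitch already exists; the folder path C:\Butterflies and the group name Butterfly Readers are assumed names. Following the "add users to groups, assign groups to resources" rule, andym gets his Read access through the group rather than directly.

```powershell
# Added example, not from the original article. Assumes Windows 10/Server 2016
# or later, an elevated prompt, and that the user rsitch already exists.
# C:\Butterflies and the group name 'Butterfly Readers' are assumed names.

$folder = 'C:\Butterflies'
$group  = 'Butterfly Readers'

# 1. Create the user, create the group, add the user to the group.
$pw = Read-Host -AsSecureString -Prompt 'Password for andym'
New-LocalUser -Name 'andym' -Password $pw | Out-Null
New-LocalGroup -Name $group -Description 'Read-only access to Butterflies' | Out-Null
Add-LocalGroupMember -Group $group -Member 'andym'

# 2. Create the folder (at this point it inherits its ACL from C:\).
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 3. Advanced > uncheck "Inherit from parent.." > Copy > OK:
#    protect the DACL, keeping copies of the inherited entries as explicit ones.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)   # (isProtected, preserveInheritance)
Set-Acl -Path $folder -AclObject $acl

# 4. Re-read the now explicit ACL and drop the copied entries that give every
#    local user a way in (they come from the default C:\ ACL; purging an
#    identity that is not present is a no-op). SYSTEM and Administrators stay.
$acl = Get-Acl -Path $folder
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users')

# 5. Explicit rules for this folder, its subfolders and files:
#    rsitch Full Control, the readers group Read & Execute.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$owner  = [System.Security.AccessControl.FileSystemAccessRule]::new("$env:COMPUTERNAME\rsitch", 'FullControl', $inherit, $propagate, 'Allow')
$reader = [System.Security.AccessControl.FileSystemAccessRule]::new("$env:COMPUTERNAME\$group", 'ReadAndExecute', $inherit, $propagate, 'Allow')
$acl.SetAccessRule($owner)
$acl.SetAccessRule($reader)
Set-Acl -Path $folder -AclObject $acl

# 6. Show the result: who can do what, and that nothing is inherited any more.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The protection step is done in two passes (protect, write, re-read) because the in-memory ACL still marks the copied entries as inherited until they have been written back; only after the second Get-Acl can they be purged. Removing andym's access later is then a matter of taking him out of the group, with no ACL edit at all.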
Administrators Rule
One caveat here is that if andym was a member of the Administrators group, then he could add himself to the Butterflies directory with any permissions he wished. The usual process is for the person who installed and configured Windows to be the user Administrator and most other users to be members of the Users group. This way users can't mess with things. Y'know, users always have to mess with things. Well, this will go a long way to stopping them.
NTFS Permissions and Share Permissions
So far we have discussed what NTFS can do for multiple users using the same computer system. In addition, NTFS permissions also dictate what other users on the network can do to resources on the local machine. So in the above example, user andym connecting to the laptop from the network would still only have Read Only permissions to the Butterflies directory, whereas rsitch would still have Full Access.
In the old days of Windows 9x it was relatively simple. There were no NTFS permissions and the only way to control access was through Share Level Security, by right-clicking on a folder and going to the Properties dialogue box. Here the Win98 folder is called secrets. Note the only control options are Read Only or Full Access..
With NTFS-based systems there are two levels of security, Share Level Security and File Level Security (NTFS permissions). It is important to understand the difference.
Share Level Security
So called because it is set at the share level, i.e. on the shared directory itself. SLS only affects what can be done from across the network. It has no influence on what can be done when sitting at the computer itself. Share Level Security is the only real form of security on non-secure systems such as Windows 95/98/ME.
File Level Security
Comes with secure operating systems such as Windows NT/2000/XP/2003, Unix, Linux, etc. On Windows systems, File Level Security is also known as NTFS Permissions. Users have to use valid usernames and passwords, and an electronic access token is created at logon, which grants the user various permissions around the system.
FLS affects what users can do on the local system as well as what users can do from across the network. In terms of controlling what users can do from the network, SLS and FLS both have an influence, and because of this some administrators can get confused about how to set permissions.
Combining Share Level Security with NTFS Permissions
There is a method which most experienced Admins use, which I recommend. When sharing a folder on an NTFS-based system, go with Share Permissions of Everyone, Full Control..
This may sound like madness, but when it comes to SLS and FLS, the most restrictive will apply. We are going to use the NTFS Permissions (Security tab) to override the Share Level Permissions (Sharing tab) and set the Actual Permissions, just as we did above..
In summary, with NTFS shares set the Share Permissions to Everyone, Full Control and forget it. Then set the NTFS (Security) permissions to the actual required levels of security (the Actual Permissions).
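The same recommendation in script form, as an added example that is not part of the original article: share the folder with Everyone, Full Control and let the NTFS ACL decide, then work out what a network user ends up with under the "most restrictive applies" rule. It assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets), an elevated prompt, that the NTFS permissions on the assumed path C:\Butterflies have already been set as in the Butterflies example, and that the share is called Butterflies. The Get-EffectiveNetworkAccess function is a hypothetical helper written here to illustrate the rule; it ranks a share right against a simplified NTFS right and is not a Windows cmdlet.

```powershell
# Added example, not from the original article. Assumes Windows 8/Server 2012
# or later, an elevated prompt, and NTFS permissions already set on the folder.
# C:\Butterflies and the share name 'Butterflies' are assumed names.

$folder = 'C:\Butterflies'
$share  = 'Butterflies'

# Sharing tab: Everyone, Full Control. From here on the NTFS ACL decides.
New-SmbShare -Name $share -Path $folder -FullAccess 'Everyone' | Out-Null

# Compare the two layers side by side: share permissions vs. NTFS permissions.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight -AutoSize
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Hypothetical helper (not a Windows cmdlet): the most restrictive of the
# share right and the NTFS right is what a user gets from across the network.
function Get-EffectiveNetworkAccess {
    param(
        [ValidateSet('Read', 'Change', 'Full')]                 [string] $ShareRight,
        [ValidateSet('None', 'Read', 'Modify', 'FullControl')] [string] $NtfsRight
    )
    # Rank both vocabularies on one scale so they can be compared.
    $rank = @{ 'None' = 0; 'Read' = 1; 'Change' = 2; 'Modify' = 2; 'Full' = 3; 'FullControl' = 3 }
    $level = [Math]::Min($rank[$ShareRight], $rank[$NtfsRight])
    switch ($level) {
        0 { 'No access' }
        1 { 'Read only' }
        2 { 'Modify (read, write, delete)' }
        3 { 'Full Control' }
    }
}

# andym: share says Full, NTFS says Read
Get-EffectiveNetworkAccess -ShareRight 'Full' -NtfsRight 'FullControl' | Out-Null
Get-EffectiveNetworkAccess -ShareRight 'Full' -NtfsRight 'Read'
# rsitch: Full on both layers
Get-EffectiveNetworkAccess -ShareRight 'Full' -NtfsRight 'FullControl'
# What would happen had the share been left at Read instead of Full
Get-EffectiveNetworkAccess -ShareRight 'Read' -NtfsRight 'FullControl'
```

With the share at Full Control, andym comes out as Read only and rsitch as Full Control, exactly the NTFS settings. The last call shows the confusion the article warns about: a share left at Read silently cuts rsitch down to Read only from the network even though his NTFS permission is Full Control, which is why the share is set to Everyone, Full Control and then forgotten.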
A final note about Windows 9x users
In order to connect a Windows 9x user to a Windows NT/2000/XP/2003 NTFS box, the username which the user uses to log onto Windows 9x must be entered into the NTFS Windows' user database with the same password. If a Windows 98 user tries to connect to a Windows XP share without having their 98 username and password also in the XP user database, the 98 user won't be able to connect..
Now all of this may seem like a lot to digest, but set up a Windows box with NTFS and have a go with these settings. With a little bit of practice it will start to make more sense.
Hacking NTFS
No, I don't advocate hacking other people's systems. However I DO advocate hacking your own boxes. As a Systems Administrator you MUST be aware of the techniques others may use to try and compromise your own systems. It's handy too if, like me, you sometimes forget the Administrator password which you set yourself..
So how do you hack into an NTFS-based system? Well, if it's not on a network you need to be able to get physical access to the computer. Laptops are easy targets due to their portability. Simply remove the hard disk and put it in another machine running an NTFS file system. Et voilà! All security is bypassed, as the laptop disk is not the boot disk. Windows XP carries a new version called NTFS 3.1 with added features such as encryption. If our laptop hard disk has encrypted folders, then these can't be viewed from the second system unless the encryption can be broken (very hard).
Prevent people doing this to you by: Preventing physical access to the computer/hard drive.
Another way to view the (unencrypted) contents of an NTFS disk is to put it in a Unix/Linux system and mount the partition, giving you full read access - see Mounting Windows NTFS Partitions under Linux.
Prevent people doing this to you by: Preventing physical access to the computer/hard drive.
Windows passwords are generally pretty secure, but if a username can be compromised then a hacker could use a legitimate user id to log on, all the better if the user id is a member of the Administrators group. One way to achieve this is to use a utility like John the Ripper. On an unsecured system, once logged on (i.e. as a user) John can be run and will attempt to brute-force all the username passwords on the system. Depending on the complexity of the password, I've seen John compromise an administrative user id within a couple of minutes.
Prevent people doing this to you by: Ensuring all usernames are secure and imposing strong (long) passwords.
Even more scary, a system can be hacked without even logging on with a valid username. I have a handy little boot disk which loads a Linux kernel which accesses the Windows SAM security database, pops up a list of all users and allows you to give any of these users a nice shiny new password. A slight disadvantage of this is that you don't learn the real password and once changed, the user's old password won't work any more; an obvious indication of a potential compromise. Still, if your main objective is to steal information then you can lay a system wide open.
Prevent people doing this to you by: Stopping the system booting to A: or completely disabling the floppy drive.
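A few of the "prevent people doing this to you" points can be checked or enforced from a script. The following is an added example, not part of the original article: it lists who is in Administrators (anyone there can re-permission any folder), flags local accounts with no or non-expiring password, imposes a minimum password length and a lockout threshold with net accounts, and reports which folders are EFS-encrypted (the NTFS 3.1 encryption mentioned above). It assumes Windows 10 / Server 2016 or later and an elevated prompt; the minimum length of 14, the lockout threshold of 10 and the path C:\Users\rsitch\Documents are assumed values. Boot order and the floppy drive are BIOS settings and cannot be changed from here.

```powershell
# Added example, not from the original article. Assumes Windows 10/Server 2016
# or later and an elevated prompt. The policy numbers and the path are assumed.

# 1. Administrators can grant themselves anything, so know who they are.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Enabled local accounts that need no password, or whose password never
#    expires, are the easy targets for password guessing.
Get-LocalUser |
    Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordExpires) } |
    Select-Object Name, PasswordRequired, PasswordExpires, PasswordLastSet |
    Format-Table -AutoSize

# 3. Local account policy: minimum password length and a lockout threshold so
#    that guessing at the logon prompt does not go on for ever.
net accounts /minpwlen:14 /lockoutthreshold:10
net accounts   # print the policy now in force

# 4. Which folders under the path are EFS-encrypted? Those are the ones that
#    stay unreadable when the disk is moved to another machine.
$root = 'C:\Users\rsitch\Documents'   # assumed path
Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object FullName
```

The account policy set by net accounts only covers the local user database, which is the one John is run against in the scenario above; on a domain member the domain policy takes precedence for domain accounts.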
In summary, NTFS has many good features including security, encryption, compression and stability and is good as a further line of defence against those who don't know how to hack it (i.e. most people). And if you know how to hack it yourself, you can take measures to prevent these techniques being used, thus rendering your system much more secure.