540 Chapter 11 • Understanding Windows XP Security Figure 11.5); click Copy to copy the permissions that were inherited from the parent object or click Remove to remove the inherited per- missions and keep only explicitly set permissions. 7. The second option is Replace permission entries on all child objects with entries show here that apply to child objects.This option will remove the permissions on the subfolders and their contents and cause them to inherit the permissions you are setting. Select this option and click OK.As shown in Figure 11.6, a Security dialog box asks you if you wish to continue. Click Ye s . Auditing is an additional benefit of NTFS.Auditing is added per user or per group as an access control entry for NTFS files or folders.You may enable auditing of both successes and failures for each of the advanced NTFS permis- sions. Each time a user accesses a file using a type of permission that you are auditing, an entry is logged in the security log, which is accessible through Event Viewer.As with any type of auditing, less is often more. If you wish to audit suc- cessful use of user rights for Read access, for example, your security log may grow very large, very quickly.You may be better off auditing only failure of Read access.Additional overhead is associated with auditing, as each type of access that you are auditing must be individually logged.When considering implementing auditing, you may decide to audit only file deletion and changing of permissions, or possibly Write if you are concerned with monitoring who last modified a file. To add a user or group whose access to a file or folder you want to audit, go to the Auditing tab within the Advanced Security Settings, as shown in Figure 11.7. www.syngress.com Figure 11.5 Removing Inheritance Figure 11.6 Resetting Permissions on Child Objects Inheritance 189_XP_11.qxd 11/12/01 10:40 AM Page 540 Understanding Windows XP Security • Chapter 11 541 Click Add, type in the group name or username, and click OK.As you see in Figure 11.8, you may then select the types of access and successes or failures. Click OK when you’re finished. Each file or folder has an owner. Generally the owner of a file is the user who created the file or folder, however, the Administrators group owns the operating system–created files and folders.The owner of a file or folder may change the per- missions of the file or folder. Sometimes, files may become orphaned when their owner’s account is deleted, and no user may have rights to access the files or folders. However, the Administrators group always has the ability to take owner- ship of a file or folder and then change the permissions.Additionally, users or groups may be granted the permission to take ownership via NTFS permissions. www.syngress.com Figure 11.7 Auditing File System Access Figure 11.8 Selecting the Types of Access to Audit 189_XP_11.qxd 11/12/01 10:40 AM Page 541 542 Chapter 11 • Understanding Windows XP Security To take ownership of a file or folder, go to the Owner tab within the Advanced Security Settings, as shown in Figure 11.9. Select the user account or group under the Change Owner To section and click OK. Windows XP includes a new tab within Advanced Security Settings called Effective Permissions (see Figure 11.10). By selecting this tab, and choosing a group or user, you may see what permissions will be granted to the user or group based on all of the permissions that apply to that user or group.This is a great tool for verifying that the access that you think you are granting a user or group is really the effective access that they will have. Generally, you should assign file and folder permissions to groups rather than to users. Although you may assign permissions for individual user accounts if you so desire, this is an inefficient manner of assigning permissions and an administrative www.syngress.com Enabling Auditing for File and Printer Access Before you can audit file and printer access, you must first configure Windows XP to perform this kind of auditing. Specifically, you must con- figure “Audit object access” to audit for successes and failures in the Local Policies of Security Settings configuration tool. You can find more information on audit policies later on in this chapter. Configuring & Implementing… Figure 11.9 Changing Ownership of a File or Folder 189_XP_11.qxd 11/12/01 10:40 AM Page 542 Understanding Windows XP Security • Chapter 11 543 burden.Assigning permissions to groups is much more efficient and requires less administrative effort. For each user right that you assign file and folder permis- sions, an access control entry (ACE) is created, so it is more efficient to have 2 ACEs for 2 groups rather than 15 ACEs for 15 individual users.You should assign permissions on a per-user basis as the exception rather than the norm. www.syngress.com Figure 11.10 Effective Permissions Effect on Permissions of Moving or Copying Files Depending on whether you are moving or copying a file may have an effect on the permissions of the resulting file. If you move a file to a dif- ferent folder on the same partition as the source folder, the file will retain the original permissions it had in the source folder. This is true regardless of whether or not the file’s original permissions were explicit or inherited. As an example, assume that a group called “Editors” has inherited Read permission to a file. If you were to move this file to a folder on the same partition that had explicit Write permissions for the Editors group, you would find that the inherited permissions on the file in the target folder remain the same as they were in the source folder: Editors would have Read permission. If you were, however, to copy this file to the target folder, the file in the new folder would inherit the per- missions of the parent folder. Furthermore, if you were to move the file to a different folder on a different partition, the file would inherit the permissions from the new parent folder. Configuring & Implementing… Continued 189_XP_11.qxd 11/12/01 10:40 AM Page 543 544 Chapter 11 • Understanding Windows XP Security You should set permissions to be inheritable to child objects whenever pos- sible.Assigning Full Control, if appropriate, is more efficient than assigning indi- vidual permissions because each individual permission is an individual ACE.You should only use Deny in special cases.You may need to use Deny permissions in order to exclude part of a group that has Allow permissions.You may also use Deny to exclude a special permission for a user or group that has full control. The Access Control List (ACL) contains the individual ACEs.The ACL is eval- uated from the top down, and Deny entries are evaluated first.All Allow ACEs are added to any other Allow ACEs that may apply.The net effect of this is that Deny permissions override any Allow permissions, and if a user has multiple Allow per- missions (either expressly applied to her user account or from multiple group memberships), these are added together to give all of the permissions granted. You can also use the command line utility cacls to set NTFS permissions. This utility is often helpful because you can incorporate it into a batch file to easily modify ACLs for files or folders.You may want to create a batch file to easily reapply a set of permissions or to add permissions for the user’s account that the batch file is passed as a command-line variable. For example, the com- mand cacls *.* /e /g Administrator:f /t would edit the existing ACL and add Full Control permission for the Administrator account to all files, subfolders, www.syngress.com The reason for this behavior is twofold. First, Windows 2000 does not calculate effective ACEs when you access a file. Rather, for reasons of efficiency and speed, inherited ACEs are actually copied to the file when you create the file. In other words, the inherited permissions are actual properties that belong to the file. Second, when you move all files from one folder to another on the same partition, you are only changing a pointer in the Master File Table (MFT). You are not changing anything in the file itself. You are not creating and then deleting the file. However, this is what happens if you move the file to a folder on a different par- tition. In this case, you are dealing with a separate MFT. When you are moving the file to a folder on the same partition, you will need to consider whether you want the file to retain its original per- missions or inherit the permissions of the parent folder. If you want the file to retain it original permissions, you should make those permissions explicit. The reason you should do this is that if you were to change the permissions on the new parent folder, the file would at that point inherit these new permissions. If you want the file to inherit the permissions of the target folder, you should copy the file to the target folder and then delete it from the source folder. 189_XP_11.qxd 11/12/01 10:40 AM Page 544 Understanding Windows XP Security • Chapter 11 545 and folders.Typing cacls at a command prompt will display the syntax for the command as shown here: C:\>cacls Displays or modifies access control lists (ACLs) of files CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [ ]] [/P user:perm [ ]] [/D user [ ]] filename Displays ACLs. /T Changes ACLs of specified files in the current directory and all subdirectories. /E Edit ACL instead of replacing it. /C Continue on access denied errors. /G user:perm Grant specified user access rights. Perm can be: R Read W Write C Change (write) F Full control /R user Revoke specified user's access rights (only valid with /E). /P user:perm Replace specified user's access rights. Perm can be: N None R Read W Write C Change (write) F Full control /D user Deny specified user access. Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command. Abbreviations: CI - Container Inherit. The ACE will be inherited by directories. OI - Object Inherit. The ACE will be inherited by files. www.syngress.com 189_XP_11.qxd 11/12/01 10:40 AM Page 545 546 Chapter 11 • Understanding Windows XP Security IO - Inherit Only. The ACE does not apply to the current file/directory. Encrypting File System The Encrypting File System of Windows XP allows you to store data securely within files and folders by encrypting the data in the NTFS files and folders.The encrypted files are accessible only by the user who has encrypted them and may be recovered only by the designated recovery agent. Because EFS is integral to the file system, it is transparent to your users when accessing files and difficult to bypass.Your mobile computers are excellent candidates for using EFS because laptops are often a target for theft, and your private data will be remain secure and be inaccessible to the thief. Files and folders can be encrypted or decrypted only on NTFS volumes. EFS stores data securely on the local computer’s volumes, but when copying a file over the network from an encrypted network folder to a local encrypted folder it is decrypted, transferred, and then encrypted again.This means that the contents of the file are transported over the wire and are susceptible to being sniffed by Network Monitor or another protocol analyzer and being compromised. Because of this, if you are working in a highly secure environment, such as a military or governmental agency, or working remotely, you may want to consider combining Internet Protocol security (IPSec) along with EFS to provide optimal security. Although the encrypting and decrypting of files is mostly transparent to your users, it is fairly complex process. Each file has a unique randomly generated file encryption key created, which is used to encrypt the file and is needed to decrypt the file’s data later.The file encryption key is then encrypted by your user’s public key, and the public key of each of your recovery agents also encrypts the file encryption key. (There are now at least two keys available to decrypt the file with). To decrypt a file, the file encryption key has to be decrypted first.Your user, who encrypted the file encryption key with his private key, decrypts the file encryption key that is used to decrypt the original file.Alternatively, the desig- nated recovery agents can also decrypt the file encryption key by using their own private key and thereby recover the encrypted file. The private key and EFS certificates used by EFS can be issued by a several sources, including automatically generated certificates, certificates created by Microsoft’s Certification Authority (CA), or third party CAs. Private keys are not stored in the Security Accounts Manager (SAM) or in a separate directory, but rather are stored securely in a protected key store. www.syngress.com 189_XP_11.qxd 11/12/01 10:40 AM Page 546 Understanding Windows XP Security • Chapter 11 547 Users may access their certificates via the Certificates MMC snap-in.The file recovery agent should, at least, export his private key and store a copy on floppy disk or CD-RW, where it may be safely stored for security reasons. Remember the following points about EFS: ■ Users can use EFS remotely only when both computers are members of the same Windows XP forest. ■ Encrypted files are not accessible from Macintosh clients. ■ Storing EFS certificates and private keys on smart cards are not currently supported. ■ Strong private key protection for EFS private keys is not currently supported. Before users are able to encrypt remote files on a server, an administrator must designate the server as trusted for delegation.This permits all users to encrypt server-based files.When a user accesses a server-based file, the file is decrypted and transferred over the network. Moving an encrypted file to a non- NTFS volume will result in the file becoming decrypted. Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed. Files that have the System attribute cannot be encrypted. Files in the %systemroot% folder and its subfolders also cannot be encrypted. When you encrypt a single file, you are asked if you want to encrypt the folder that contains it as well. If you choose to do so, all files and subfolders that are added to the folder in the future will be encrypted when they are added. When you encrypt a folder, you are asked if you want all files and subfolders within the folder to be encrypted as well. If you choose to do so, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future. If you choose to encrypt the folder only, all files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added. If you want to prevent your users from utilizing EFS, you may try deleting the EFS recovery agent policy. If a system is reinstalled over an existing installa- tion of Windows XP that was using local accounts and EFS, files will not be accessible to the previous user.The original recovery agent’s certificate will be needed to decrypt the files. It is always best to specify a domain account as the recovery agent to avoid issues such as this. www.syngress.com 189_XP_11.qxd 11/12/01 10:40 AM Page 547 548 Chapter 11 • Understanding Windows XP Security EFS may be used with Web Folders or servers supporting the WebDAV pro- tocol.With WebDAV, the encrypted file remains encrypted while it is being trans- ferred over the network. Creating an Encrypted File or Folder To encrypt a file or folder, follow these steps: 1. Browse to the file or folder that you want to encrypt. 2. Right-click the file or folder and select Properties. 3. On the General tab, click Advanced. 4. Click the check box, as shown in Figure 11.11, to select Encrypt contents to secure data. (Note: if Compress contents to save disk space is selected, it will be unchecked because encryption and compres- sion cannot both be used at the same time.) 5. Click OK in the Advanced Attributes window and then click OK in the file or folder properties window. 6. If you are encrypting a folder, you will be prompted in the Confirm Attribute Changes window to choose to Apply changes to this folder only or Apply changes to this folder, subfolders and files as shown in Figure 11.12. (Applying the changes to the folder only means that the folder is marked so that every file added to that folder in the future will be encrypted, whereas applying the changes to the folder, subfolder, and files means that all future files will be encrypted when added and all existing contents will be encrypted.) 7. If you are encrypting a file rather than a folder and the folder that the file resides in is not encrypted, you will be prompted in the Encryption Warning window to choose to Encrypt the file and the parent www.syngress.com Figure 11.11 Encrypting a File or Folder 189_XP_11.qxd 11/12/01 10:40 AM Page 548 Understanding Windows XP Security • Chapter 11 549 folder or Encrypt the file only, as shown in Figure 11.13. Additionally, there is a check box to select Always encrypt only the file to prevent this question in the future. (Encrypting the folder con- taining the encrypted file is recommended because there is the possibility that the file might become unencrypted when the file is modified.) 8. After you have encrypted the file or folder, you may click Details in the Advanced Attributes window to bring up the Encryption Details window shown in Figure 11.14. Here you see who may decrypt the file, and who the designated recovery agents are.You may click Add to add users who may decrypt the file.This is a new feature in Windows XP. www.syngress.com Figure 11.12 Confirmation Dialog Box while Encrypting a Folder Figure 11.13 Encryption Warning Figure 11.14 Encryption Details Window 189_XP_11.qxd 11/12/01 10:40 AM Page 549 [...]... Administrative Tools | Computer Management 2 Expand Local Users and Groups 3 Click Groups 4 In the right-hand pane, right-click the group that you want to modify and select Add to Group 5 Select the name of the user or group that you want to remove and click Remove www.syngress.com 557 189 _XP_ 11.qxd 5 58 11/12/01 10:40 AM Page 5 58 Chapter 11 • Understanding Windows XP Security 6 Click Add to add users to... group from www.syngress.com 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 553 Understanding Windows XP Security • Chapter 11 compromising the integrity of your installed programs and the operating system as a whole Users are prohibited from modifying systemwide Registry settings ,Windows XP operating system files, and installed program files Users, by default, are allowed to shut down and restart workstations, but... Recovery console: Allow floppy copy and access to all drives and all folders s Shutdown: Allow system to be shut down without having to log on www.syngress.com 567 189 _XP_ 11.qxd 5 68 11/12/01 10:40 AM Page 5 68 Chapter 11 • Understanding Windows XP Security s Shutdown: Clear virtual memory pagefile s System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing s System objects: Default... Management 2 Expand Local Users and Groups 3 Click Groups 4 Right-click the group to be deleted and select Delete 5 Click Yes in the warning (see Figure 11.19) Figure 11.19 Delete Group You may also rename a group with Windows XP, which was not an option in Windows NT.To do so, right-click the group and select Rename Security Policies Local Security Policies allow you to define a set of permissions and behaviors... agent Select the account and click OK www.syngress.com 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 569 Understanding Windows XP Security • Chapter 11 Figure 11.25 Security Options 7 Add additional recovery agents if desired and click Next 8 Click Finish Software Restriction Policies Software Restriction Policies allow you to define a default restriction policy through Security Levels and additional restrictions... in the IP Protocol 50 packet and sent to the destination Figure 11. 28 IP Security Policies www.syngress.com 571 189 _XP_ 11.qxd 572 11/12/01 10:40 AM Page 572 Chapter 11 • Understanding Windows XP Security Three default IPSec policies are defined by default: Client (respond only), Server (request security), and Secure Server (require security).These policies are fairly self-explanatory, but let’s take a... protect and allow only authorized incoming connections: To enable ICF on a network connection, perform the following steps: 1 Select Start | Control Panel, select Network and Internet Connections, and select Network Connections www.syngress.com 573 189 _XP_ 11.qxd 574 11/12/01 10:40 AM Page 574 Chapter 11 • Understanding Windows XP Security 2 Right-click the network connection you want to enable ICF on, and. .. semicolons) or click the Advanced to search for a user 8 If you manually type the names, you should use the Check Names button to verify that you have typed in the names correctly www.syngress.com 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 557 Understanding Windows XP Security • Chapter 11 9 Click OK.You will see a dialog box like the one shown in Figure 11. 18 Figure 11. 18 Adding Members to a Group 10 Click Create... enforcing and utilizing account security in Windows XP You can use Security Groups for grouping your users into logical entities that you may use to allow or deny certain types of access, including access to folders and files or access to modify systemwide settings, such as changing the system time or starting and stopping services Groups are managed via the local users and www.syngress.com 189 _XP_ 11.qxd... passwords and are added to the Administrators group by default If this is a concern, Security Configuration Manager allows you control membership of the Administrators (or any other group) with Restricted Groups policy www.syngress.com 553 189 _XP_ 11.qxd 554 11/12/01 10:40 AM Page 554 Chapter 11 • Understanding Windows XP Security Table 11.2 shows some of the built-in Security Principal Groups of Windows XP. These . target folder and then delete it from the source folder. 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 544 Understanding Windows XP Security • Chapter 11 545 and folders.Typing cacls at a command prompt. you want to remove and click Remove. www.syngress.com Figure 11. 18 Adding Members to a Group 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 557 5 58 Chapter 11 • Understanding Windows XP Security 6. Click. to choose to Encrypt the file and the parent www.syngress.com Figure 11.11 Encrypting a File or Folder 189 _XP_ 11.qxd 11/12/01 10:40 AM Page 5 48 Understanding Windows XP Security • Chapter 11 549 folder