A description of Permissions in NT. Permissions in NT.
The default permissions in NT are loose to provide for easy use . To
make the system more secure, read "Securing Windows NT Installation"
(http://www.microsoft.com/NTServer/Basics/TechPapers/). With a few exceptions,
it suggests granting Administrators, Creator/Owner and System Full Control,
Everyone Read for all system and program files, and leaving registry permissions
alone. But be forewarned: unless you have the luxury of restricting programs to
those that have earned the NT logo, be prepared for some hassles if you do it.
And, Microsoft missed a few, in particular the need to remove Everyone Read from
the system logs, \%systemroot%\system32\config and its contents.
Help topics 'Special Access Directory Permissions' and 'Special Access File
Permissions' describe the 6 types of permission in the NT file system. Each can
be applied to directories and files on a top-down then individual basis. Windows
Explorer may be used (Properties) to apply ownership and permissions to
directories and files for small systems.
Under Windows NT, deny access takes precedence over grant access . When NT
checks permissions, it does so in one pass, not discriminating between users and
groups. As soon as any "deny access" permission is reached, the search
is terminated and access to the resource is denied. So, if Everyone No Access is
in the list for something, that's exactly what it means. (NT Everyone is not
Unix World! The only way to recover from that misconception is for an
administrator to forcibly take ownership of the item then amend the
permissions.) To give Owner full access and everyone ELSE read-only, grant
Creator/Owner Full Control, Users Read; to refuse access to everyone else,
simply omit any entry for Users. It is essential to retain System Full Control
of all NT system files, unless you enjoy plugging hard drives into other
machines to get them working again.
A useful structure for an independent user environment is to create a
directory \<username> with permission <username> Full Control, then
designate that as the user's root directory. The same permission should be
applied to \%systemroot%\System32\Profiles\<username> and all its
contents. If users are to maintain their own phone books, Users Read/Write is
needed for the \%systemroot%\System32\RAS directory, then <username> Full
Control for the <username>.pbk file in it when the user creates it.
Some programs with 16-bit code in them (e.g. WordPerfect 8) require Change
permission to the \Temp directory so they can store swap files (to bypass the
16-bit memory limit). Unfortunately, in NT this directory is used for sensitive
system files, so real security is not possible if such programs are used.
Legacy programs often assume full access to their system registry entries.
Regedt32 (Security) is used to apply permissions to individual registry entries.
If you get abnormal behavior of a program, try granting Everyone Full Control to
all the keys under the company's name in the Local Machine registry section.
(Backup the registry first, of course, for restore if it doesn't work.) For
example: WordPerfect 8 announces that ASCII files are an 'unsupported format'
unless Users have Full Control of the Corel key and all its subkeys; Storm's
EasyPhoto terminates with 'lego not found' unless Users have Full Control of the
Storm registry. Most TWAIN systems require Users Change access to \WinNT and all
Twain*/Twunk* files in it.
You can get what look like permission or sharing problems if you use the
Internet Explorer Connection Wizard to set up Internet connections - Fax enabled
can prevent modem access etc. You should delete all IE-generated connections and
establish new ones with the NT Dial-up Networking system, not the IE system.
Individual account connections should be set up in user phone lists, not the
(default) system list, especially if users store their passwords. (This can be
forced by granting only Administrator and System access to rasphone.pbk)
Reports on groups, users, ownership and permissions are not available from
Microsoft , but are available from others. See
http://www.microsoft.com/security/default.asp for links to these and other
advanced NT security resources.
Windows Privacy Tools - http//www.privacywindows.com