CHAPTER 6
SECURING FILE RESOURCES
Chapter Scenario:
WWI is in
continent. You will be designing security for the deployment of five software applications:
Due to the misconceptions about how EFS works, WWI wants to disable EFS within the
wideworldimporters.tld domain.
Only authorized users can install the software, and only authorized users can modify the
installation points.
Storage Locations
and QuarkXPress.
Software Requirements
Wide World Importers wants to deploy the following software packages, and you’ve been
asked to design security for the applications:
software distribution at all offices. Office 2000 installed on all corporate desktops.
flyers. Only members of the Graphics department should be able to install the software
packages from the distribution point in
======================================================================
winsec6.html PAGE 2 2002/04/15
maintaining the default graphics stored in the Common Graphics folder.
to ensure that all literature has the same look.
Print Security
WWI recently purchased an Agfa Proset 9800 film printer for the Graphics department.
WWI wants to ensure that only members of the Graphics department can print to the Agfa Proset 9800.
Planning for Protection of Confidential Data
WWI wants to prevent users from encrypting local data by using EFS.
Ensure that EFS is set up properly; some users used EFS and were unable to access the data.
Lesson 1:
Securing Access to File Resources
When you design security for file resources, consider
Designing Share Security
Share permissions are used to secure network access to data stored on a server. Share permissions
are flexible in that they aren’t limited to a specific file system. You can establish shares for folders
located on file allocation table (FAT), FAT32, NTFS, and CD-ROM file system (CDFS) volumes.
*** 4 types of shared folder locations: ***
FAT
FAT32
NTFS
CD-ROM
For example, if share permissions for the Project folder are configured to deny Read access to
members of the Sales group, the share permissions would only come into effect if the Sales group
is connecting to the Project folder over the network. If seated at the server itself, a user could
read and execute any file in the Project folder. It’s only by combining share permissions with
NTFS permissions that you achieve a totally secure file access solution.
Configuring Share Permissions
You can enable a shared folder by editing the folder properties.
When you enable a shared folder, you can limit the maximum number of sessions that are allowed.
To configure more precise permissions, click Permissions.
Full Control. This permission allows the assigned security principal to create, delete, and
modify any content within the shared folder. In addition, if it’s located on an NTFS partition,
Full Control permission allows the security principal to take ownership of files and folders
and to change permissions on the files or folders within the shared folder.
Change. This permission allows a security principal to read, write, create or modify any
content within the shared folder.
Read. This permission allows a security principal to read, copy, or execute any content
within the shared folder.
Changes to Shares in Windows 2000
In Windows 3.1, Windows 95, Windows 98 and Windows NT, if you assigned a logical drive
letter to a share, you could only establish a fake root directory at the folder that was shared. For
example, if you used the command:
net use h: \\server\home\brian
the drive mapping when you connect to the H drive would be h:\brian>. If you wanted the Brian
folder to appear as the root folder, you had to share the Brian folder separately.
In Windows 2000 the default behavior is different. Typing the above net use command results in the
root being established at the Brian folder. In other words, if you switched to drive H, you’d see h:\>
as the command prompt. This provides additional security because the user won’t be able to navigate
to any folders above or at the same level in the folder hierarchy.
Making the Decision
Do the following when designing share security to make shares more secure:
Remove the default share permission that assigns Everyone the Full Control permission. Consider
giving Users no more than the Change permission.
Assign share permissions to domain local groups, not user accounts. By assigning permissions to
domain local groups, you can manage share permissions by modifying group memberships rather
than by editing the permissions of each shared folder.
Assign the maximum permissions that a security principal will require for the folder hierarchy below
the shared folder. When you define share permissions, inspect the entire folder hierarchy contained
within the shared folder.
Applying the Decision
You need to establish two separate shares, one for default
applications in
for the Graphics department in
\\Washington\Applications Share:
Users: Read. Users don’t require any permissions other than Read permissions to find
and run application software.
Administrators: Full Control. Administrators require Full Control permissions to modify
permissions on files and to update files. If Administrators aren’t required to change
permissions, you could implement Change Permissions for Administrators instead of Full
Control.
The above permissions allow users to read and install applications. Administrators are able to modify
files and change permissions.
\\Dallas\Applications Share:
To meet the security requirements for share permissions in
privileges to Lisa Jacobson, David Jaffe, Stefane Knorr, and Linda Kobara required you to define
a different set of share permissions for \\Dallas\Applications.
Graphics Users: Change. Need to be able to submit new graphic files to the Common Graphics
folder.
Graphics Admins: Full Control. This domain local group contains four users: Lisa, David, Stefan, and
Linda. They must be able to modify permissions on files and to update files.
If they do not need to change permissions, you can change Full Control to Change.
Planning NTFS Security
While share permissions affect only network users, NTFS permissions affect both network users
and users who are at the computer console. The ability to set permissions on files gives you more
flexibility when you design your security model for file access.
NOTE: This raises the question of why share permissions are even required. Remember that to
connect to a network resource, you must have an entry point. The share provides this entry point,
and you can secure it by using share permissions.
Changes in the Windows 2000 NTFS File System
Windows 2000 introduces functionality in the NTFS file system that isn’t found in Windows NT.
Encryption. File-level and directory-level encryption is supported in Windows 2000
through the Encrypting File System (EFS). EFS allows files and folders to be encrypted so
that only the user who performed the encryption, or the designated EFS recovery agent, can
decrypt the protected files.
Quotas. NTFS allows storage space restrictions to be set on a per volume basis. You can
apply these quotas on a per user basis to limit the amount of disk space in which a user can
store data on a volume.
Permission inheritance. Permissions configured at a parent folder propagate to subfolders
and file objects within the parent folder.
NOTE: If permissions for a resource are inherited, you can’t remove them directly. You must
copy the inherited permissions to the folder, thus breaking the inheritance, and then remove the
individual Access Control Entry (ACE) from the Discretionary Access Control List (DACL).
Assessing NTFS Permissions
You can define NTFS permissions at either the folder or file level. For folders, you can assign the
following permissions in the Security tab of the folder’s Properties dialog box: Full Control, Modify,
Read & Execute, List Folder Contents, Read and Write.
The predefined NTFS permissions are combinations of several special permissions, including:
Traverse Folder/Execute Folder. Traverse Folder allows or denies navigating through
folders, even though the user doesn’t have permissions to access files or folders within that
folder.
List Folder/Read Data. List Folder allows or denies viewing file names and subfolder
names within the folder and applies to folders only.
Read Attributes. Allows or denies viewing the attributes of a file or folder.
Read Extended Attributes. Allows or denies viewing the extended attributes of a file or folder;
specific programs define the extended attributes.
Create Files/Write Data. Allows or denies creating files within a folder (Create Files) or writing
data to a file (Write Data).
Create Folder/Append Data. Allows or denies creating subfolders within a folder (Create Folder) or
making changes to the end of a file (Append Data).
Write Attributes. Allows or denies changing the attributes of a file or folder, such as the read-only
and hidden attributes.
Write Extended Attributes. Allows or denies changing the extended attributes of a file or folder.
Delete Subfolders and Files. Allows or denies deleting subfolders and files when applied at a parent
folder.
Delete. Allows or denies deleting the file or folder.
Read Permissions. Allows or denies reading the permissions assigned to a file or folder.
Change Permissions. Allows or denies modifying the permissions assigned to a file or folder.
Take Ownership. Allows or denies taking ownership of the file or folder.
NOTE: The owner of a file or folder can always change permissions, even if the current
permissions explicitly deny access to the owner of the file or folder.
Synchronize. Allows or denies a thread to synchronize with another thread that may
signal the original thread. This permission applies only to multithreaded, multiprocessed
programs.
*** See the default Special Permissions on page 183 ***
Making the Decision
The following factors will affect your NTFS permission design:
systems security.
If multiple access rights are required to a resource, create a custom domain local group for
each type of access. The level of access for each user will be based on that user’s group
memberships.
example, a folder that inherits an ACE that denies write access to the Finance domain local
group. While at the folder, Sally, a member of the Finance domain local group, is allowed write
access. She can then modify the document’s contents because the write ACE is evaluated
before the deny ACE. The processing of the ACEs terminates when it’s determined that Sally
has the necessary permissions to modify the folder’s contents.
in the same grouping.
before any inherited ACEs.
templates that set prescribed NTFS permissions for specific folders in a Windows 2000 installation.
computers within the container where the Group Policy is applied.
Applying the Decision
For the software deployment at the
consistent for the entire directory structure. This allows you to define NTFS permissions at a
higher level in the directory structure.
Users: Read & Execute. You don’t need to apply separate NTFS permissions. The Read &
Execute permission allows users to read the data in the folder and execute programs.
Administrators: Full Control. Administrators require Full Control permissions.
Combining Share and NTFS Security
An important aspect of securing file access is understanding the interaction of share and NTFS
permissions. One set of permissions doesn’t necessarily take precedence over the other. Instead,
the most restrictive set becomes the effective permissions for the resource.
Because individual share permissions or NTFS permissions may vary depending on the group
memberships of the security principal, you should perform this evaluation separately for each
security principal.
If a member of the Marketing department attempts to access a file in the Data folder over the
network, the permissions are evaluated as follows:
get the shared permission of READ.
Users group and the Marketing group. The NTFS permission for the data folder would be
Modify. You combine the two NTFS permissions of Read and Modify and choose the least
restrictive, or Modify.
restrictive, so the user’s effective permissions would be Read.
In general, your strategy should be to designate either share permissions or NTFS permissions
as the primary permissions when you set your security. Evaluate all folders below a shared folder
to determine the highest level of permissions that a security group requires and set the share
permissions at that level.
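A worked evaluation of the combination rule described above, as an added Go example that is not part of the original chapter: share and NTFS DACLs are modelled as ACE lists, each set is evaluated on its own for a principal and all of its groups (allows from several groups add up, so Read plus Modify yields Modify), and the two results are intersected so the most restrictive set wins. It also applies the explicit-before-inherited ACE ordering from the NTFS lesson, so the Sally case can be checked with the same function. The group, account and folder names are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Rights is a simplified bitmask of NTFS special permissions plus the chapter's predefined sets.
type Rights uint32

const (
	ReadData Rights = 1 << iota
	WriteData
	Delete
	ChangePermissions
	TakeOwnership
	Read        = ReadData
	Modify      = ReadData | WriteData | Delete // share Change and NTFS Modify coincide here
	FullControl = Modify | ChangePermissions | TakeOwnership
)

// ACE is one entry of a share or NTFS DACL.
type ACE struct {
	Principal string // account or domain local group
	Allow     bool   // false means a deny ACE
	Rights    Rights
	Inherited bool // propagated from a parent folder
}

// canonical orders an ACL the way Windows evaluates it:
// explicit deny, explicit allow, inherited deny, inherited allow.
func canonical(acl []ACE) []ACE {
	rank := func(a ACE) (r int) {
		if a.Inherited {
			r += 2
		}
		if a.Allow {
			r++
		}
		return
	}
	out := append([]ACE(nil), acl...)
	sort.SliceStable(out, func(i, j int) bool { return rank(out[i]) < rank(out[j]) })
	return out
}

// Evaluate computes the rights one ACL yields for a principal whose identities are
// its account name plus its group memberships. The first ACE that settles a right
// wins: an explicit allow beats an inherited deny (the Sally case) and an explicit
// deny beats an explicit allow; allows from several groups accumulate.
func Evaluate(acl []ACE, identities []string) Rights {
	member := map[string]bool{}
	for _, id := range identities {
		member[id] = true
	}
	var granted, denied Rights
	for _, ace := range canonical(acl) {
		if !member[ace.Principal] {
			continue
		}
		if ace.Allow {
			granted |= ace.Rights &^ denied
		} else {
			denied |= ace.Rights &^ granted
		}
	}
	return granted
}

// Effective combines the share and NTFS results for a network user: the most
// restrictive of the two sets, which is their intersection.
func Effective(share, ntfs []ACE, identities []string) Rights {
	return Evaluate(share, identities) & Evaluate(ntfs, identities)
}

func main() {
	// Constructed ACLs for the chapter's Data folder example.
	share := []ACE{{Principal: "Users", Allow: true, Rights: Read}}
	ntfs := []ACE{
		{Principal: "Users", Allow: true, Rights: Read},
		{Principal: "Marketing", Allow: true, Rights: Modify},
	}
	bob := []string{"bob", "Users", "Marketing"}
	fmt.Println("NTFS alone gives Modify:", Evaluate(ntfs, bob) == Modify)
	fmt.Println("Over the network gives Read:", Effective(share, ntfs, bob) == Read)
}
```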
Should I Just Leave the Default Share Permissions in Place?
Probably not. When you create a new share, the default share permissions include a single entry
that assigns Full Control permission to the Everyone group.
The Full Control permission under NTFS includes three additional abilities over the Modify
permission:
· Delete files and folders you don’t have permissions to
· Take ownership of a file
· Change permissions of a file.
A more effective set of default permissions is:
· Administrators: Full Control
· Users: Change, unless they only need Read, then change to Read.
Making the Decision
Set share permissions at the highest level of permissions required for the tree below.
Use NTFS permissions to define precise access control to file resources. Because NTFS
permissions allow protection of both files and folders, define your security by using NTFS
permissions. Share permissions don’t provide the required flexibility and should only be
considered as an entry point to the file system.
Always use the NTFS file system for data. If you don’t use NTFS as your file system, you’re
limited to share permissions.
Evaluate whether Full Control is appropriate. The Full Control permission allows security
principals to redefine security for a resource.
Applying the Decision
The Dallas and Washington folders combine share permissions and NTFS permissions and do not
assign excessive permissions.
While you could have left the share permissions for WWI at the default of Everyone = Full Control,
that would be foolish.
WWI must document the users’ permissions thoroughly to ensure easier troubleshooting.
Lesson Summary:
You must design share and NTFS permissions by inspecting both sets of permissions.
The effective permissions for any resources are based on the most restrictive settings when
comparing the share permissions to the NTFS permissions.
When designing file security, always base the share permissions on the maximum level of
permissions required by a security principal for the directory structure. This ensures that share
permissions never restrict access that NTFS permissions are attempting to provide.
Lesson 2:
Securing Access to Print Resources
When you design secure access to print resources, consider not only who is allowed to print to
a particular printer but also the security of data as it’s transmitted to the printer.
Assessing Printer Security
You assign printer security by defining permissions when a printer is shared. The permissions
you can assign for a printer include:
the printer process the jobs.
documents and pause or delete documents in the print queue. By default, this permission is
assigned to the special group named Creator Owner.
change a printer’s properties.
Many times, though, security requirements for a printer may be more encompassing than
simply defining print permissions.
For physical security, print devices can be located in a secure place that may require security
cards or biometric input to access the device.
To prevent transmission interception of a print job by a network sniffer, you can deploy
Internet Protocol Security (IPSec) to protect data print streams to the server hosting the
printer.
Network sniffers are able to view the contents of data packets as they are transmitted
across the network if the packets are not encrypted.
To implement IPSec, you must define IPSec policies that require IPSec for any data
transmissions sent to the print server. The printer must be attached directly to the print
server by cable (USB, parallel or serial).
Print Security Design Decisions
=======================================================================
To                                Do the Following
=======================================================================
Restrict access to the printer    Change the default permissions to allow only the
to specific groups of users       specific domain local group the Print permission.

Delegate administration of a      Make the security principal a member of the Print
printer                           Operators group. To restrict to a specific printer,
                                  assign the Manage Printers permission to the
                                  security principal.

Prevent inspection of print       Use IPSec between the clients and the print server.
jobs                              Locate printers that print confidential data in
                                  restricted areas of the office. Attach the printers
                                  directly to the print server; network-attached
                                  printers currently are incapable of performing
                                  IPSec operations.
=======================================================================
Applying the Decision
The only security that WWI requires is to prevent employees who aren’t members
of the Graphics department from using the Agfa Proset 9800 printer. You can easily
accomplish this by changing the default share permissions for the printer.
Graphics department: Print only.
Because the jobs sent to the printer are all magazine layouts and graphics that will be for
public consumption, you don’t need to protect data transmissions to the film printer.
Lesson Summary:
sometimes confidential documents must be secured to prevent inspection of the output.
placement, and using IPSec where required to prevent inspection of the print job stream.
Lesson 3:
Planning EFS Security
Encrypting File System (EFS) allows you to secure files that are stored locally. In addition
to deploying EFS, you must plan for recovering data. Poor EFS planning can result in
permanent loss of data.
Overview of the EFS Process
EFS is only used on NTFS file systems, not on FAT. Knowing how the EFS process
takes place will help you in the following cases:
Determining which user has encrypted a file by using EFS
Determining who can recover an EFS encrypted file.
Encrypting EFS Data
The data encryption process takes place any time a user sets the encryption attribute on
a file or folder or when the user saves the file that has the encryption attribute enabled.
PROCESS:
A File Encryption Key is generated for each file that is to be encrypted. This File Encryption
Key is then used to encrypt the clear text document into an encrypted text format.
NOTE: The encrypted document now has two additional header fields, the Data Decryption
Field (DDF) and the Data Recovery Field (DRF). The DDF contains an encrypted copy of
the File Encryption Key that only the user who encrypted the file can decrypt. The DRF
contains an encrypted copy of the File Encryption Key that only the designated
EFS recovery agent can decrypt.
The File Encryption Key is encrypted with the User’s EFS Encryption public key. This
ensures that only the user who holds the matching EFS Encryption private key can decrypt
the File Encryption Key. The encrypted File Encryption Key is then stored in the DDF.
WARNING: EFS encrypted files can’t be shared between users because of the way the File
Encryption Key is protected. Only the user who encrypted the file holds the private key
required to decrypt the File Encryption Key, so no other user can open the file.
The File Encryption Key is encrypted with the EFS recovery agent’s EFS Recovery public
key. This action ensures that only the user who holds the matching EFS Recovery private
key can decrypt the File Encryption Key. The encrypted File Encryption Key is then stored
in the DRF.
It’s possible to have more than one EFS recovery agent defined for a domain or Organizational
Unit (OU). In this case, multiple DRFs are associated with a file. The File Encryption Key is
encrypted once for each EFS recovery agent. Each recovery agent will only be able to
decrypt the DRF encrypted with her EFS Recovery Public Key.
WARNING: EFS only protects data stored on an NTFS partition. It doesn’t provide network
transport security. In other words, if you open an EFS-encrypted file on a remote server, the
file contents are transmitted to you over the network in clear text. To protect the transmission
of the file, you must use IPSec to protect the contents as they are transferred to your computer.
Decrypting EFS Data
Once a file is encrypted, only the user who encrypted the file or a designated EFS recovery
agent can open the file and view its contents. The process differs between the user and the EFS
recovery agent.
Decryption by the Original User
The user’s EFS Encryption private key is used to decrypt the File Encryption Key stored in the
DDF.
The File Encryption Key is used to decrypt the encrypted document.
NOTE: The decrypted clear text document is then opened with the application associated with the
document. To the user it appears that the document “just opened”. The user doesn’t see any
different behavior when opening an encrypted or nonencrypted file.
Decryption by an EFS Recovery Agent
The only difference is that the EFS recovery agent’s private key is used to decrypt the File
Encryption Key stored in the DRF.
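The DDF/DRF mechanism from the encryption and decryption steps above, as an added Go example that is not part of the chapter: a fresh File Encryption Key (FEK) encrypts each file, and a copy of the FEK is wrapped for the owner (DDF) and once more for every recovery agent (one DRF each), so the owner or any single agent can unwrap it while everyone else is refused. AES-256-GCM and RSA-OAEP stand in for the algorithms Windows 2000 EFS actually used, and the key pairs and names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile mirrors the chapter's layout: cipher text, a DDF, and one DRF entry per agent.
type EncryptedFile struct {
	Owner      string
	Nonce      []byte
	CipherText []byte
	DDF        []byte            // FEK wrapped with the owner's public key
	DRF        map[string][]byte // agent name -> FEK wrapped with that agent's key
}

func fileCipher(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh FEK, encrypts the data with it, then wraps the FEK for the owner and every agent.
func Encrypt(plain []byte, owner string, ownerPub *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	aead, err := fileCipher(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Owner: owner, Nonce: nonce, DRF: map[string][]byte{}}
	ef.CipherText = aead.Seal(nil, nonce, plain, nil)
	if ef.DDF, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ownerPub, fek, nil); err != nil {
		return nil, err
	}
	for name, pub := range agents {
		if ef.DRF[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil); err != nil {
			return nil, err
		}
	}
	return ef, nil
}

// Decrypt is the same for the owner and for an agent except for which field holds their copy of the FEK.
func Decrypt(ef *EncryptedFile, who string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.DRF[who]
	if who == ef.Owner {
		wrapped, ok = ef.DDF, true
	}
	if !ok {
		return nil, fmt.Errorf("no DDF or DRF for %s", who)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong private key: the FEK stays sealed
	}
	aead, err := fileCipher(fek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ef.Nonce, ef.CipherText, nil)
}

// genKey makes a constructed 2048-bit key pair; no real EFS certificate is involved.
func genKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	alice, agentA, agentB := genKey(), genKey(), genKey()
	agents := map[string]*rsa.PublicKey{"agentA": &agentA.PublicKey, "agentB": &agentB.PublicKey}
	ef, _ := Encrypt([]byte("quarterly figures"), "alice", &alice.PublicKey, agents)
	plain, _ := Decrypt(ef, "agentB", agentB)
	_, bad := Decrypt(ef, "agentA", agentB) // agentB's key cannot open agentA's DRF
	fmt.Printf("recovered %q; cross-agent attempt: %v\n", plain, bad)
}
```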
Designating an EFS Recovery Agent
A major design issue when you deploy EFS is selecting the account that will be the EFS recovery
agent. If you don’t define the EFS recovery agent, EFS recovery attempts might fail.
The Initial EFS Recovery Agent
The default recovery agent in Windows 2000 is the Administrator.
The EFS recovery certificate is self-issued, which means that it isn’t acquired from a certificate
authority but is created by the operating system.
The public key for EFS encryption is the public key associated with the Administrator account
of the first domain controller (DC) installed onto the domain.
Initially, the only computer that has the associated private key is the initial DC in the domain.
Unless you export the private key to a safe location or configure the Administrator account to
have a roaming profile and then populate the roaming profile with the contents of the
Administrator’s profile from the initial DC, you could lose the private key. Losing the private
key will prevent you from recovering EFS encrypted files.
Do not move the public key to another machine; you may compromise its authenticity.
The private key is stored in the local user profile in secured storage. Only when you configure
a roaming profile is information stored in the user profile shared among multiple computers.
WARNING: If you configure the roaming profile for the Administrator account and populate
the information for the account from a DC other than a member server or the initial DC, you
will lose the initial EFS recovery agent private key permanently, which will prevent you from
decrypting any files encrypted with the EFS recovery agent’s public key.
Configuring a Custom EFS Recovery Agent:
A more effective method of configuring the EFS recovery agent is to define a new account as
the EFS recovery agent. This new account needs to have an EFS Recovery certificate but
doesn’t have to be a member of the Administrators group in the domain. You get this from a
Windows 2000
Configuring an Empty Encrypted Data Recovery Agent Policy
You may also choose to prevent EFS encryption on your network by deleting all current EFS
recovery agent certificates in the Encrypted Data Recovery Agent policy. Without defined
encrypted data recovery agents, it’s impossible to use EFS encryption.
This is known as an empty policy without a Recovery Agent. The policy exists and is applied,
but no values are assigned from it.
*** See the chart on page 199 *** IMPORTANT
Applying the Decision
WWI wants to prevent the use of EFS encryption. You do this by deleting the Recovery agent
from the Default Domain Policy. If there’s no defined EFS recovery agent, EFS encryption is
disabled on the domain member computers.
Active Directory Users and Computers/Computer/Windows settings/Security/Public Key
Policies/Encrypted Data Recovery Agents
Assessing Recovery of Encrypted Files
To decrypt an encrypted file, you must be the user who encrypted the file or be a designated
recovery agent. The best way to deploy an EFS recovery solution is to complete the following
steps:
Create a new account to perform the request for the EFS recovery certificate.
Configure the permissions on the EFS Recovery Certificate template to allow the new account
to have Enroll permissions in Active Directory Sites and Services.
Request an EFS recovery certificate when logged on as the new account.
Export the certificate and the corresponding private key to a PKCS#12 file and protect the file
with a strong password.
Store the PKCS#12 file in a secure location, such as a safe.
Import the public key into the Default Domain Policy in the Encrypted Data Recovery Agent
Policy.
Delete the new account.
Determining the Required Private Keys
EFSINFO
· /u User information
· /R Recovery agent information.
· /c Displays certificate thumbprint information.
· /I Continues performing the specified operation even after errors have occurred.
· /Y Displays your current EFS certificate thumbprint on the local PC.
· /S Performs the specified operation on directories in the given directory and all
subdirectories.
NOTE: The Cipher.exe command allows the launching of bulk encryption and decryption
processes: /e encrypts, /d decrypts.
Applying the Decision
The files that were encrypted before the computers were rebuilt may still be recoverable.
Because WWI did not specify a recovery agent, the default Administrator Recovery agent
may be in place.
Lesson Summary:
CLASSROOM EXERCISES:
Log on as the Administrator, create a folder named Test on C:, create a Word document in it, and
encrypt the document.
Log on as a user and do the following:
Delete it: yes (confusing).
View it: no.
Open it: yes.
Move it: no.
Copy it: no.
Why can the user delete it? Because they probably have Full Control at the root of the folder.
How to fix it:
Make Everyone Read for that folder at the share level.
The user will not be able to delete it then.
How to set up 2 printers with different priorities:
Create 2 new printers in Control Panel.
Add a printer and leave the defaults as is.
For the second printer, create a Managers group and give it the Print permission only. Then
remove the Everyone group from the second printer. This will make the Managers group the
only users able to access the printer.
EFS: