Controlling Resource Permissions
Everyone knows that it is important to lock down the resources on the network. The resources that need to be locked down include folders and the files that are contained in them, as well as some Registry keys that are located on servers and workstations throughout the enterprise. We can't forget those Active Directory objects that reside on domain controllers. All of these resources need to be locked down so that users who should not have access to them can't access them. To control the permissions on these resources, you have multiple options. Some options are more attractive than others, but all of them deserve a look before you decide.
Resource Permissions 101
In order to have a decent discussion regarding resource permissions, I must clarify which resources I will address and how those resources are protected with permissions. There are numerous resources on every network, so there is no way that I can tackle all of them. However, I will discuss the key resources that you will want to control.
Before we tackle the list of resources, I want to clarify something that seems to confuse even seasoned administrators. There are two types of permissions that can be configured on a resource. There are NTFS permissions and share permissions. The permissions that we are going to discuss are the NTFS permissions. The share permissions really don't provide much security over the resource, as these permissions only control access into the shared folder, instead of providing granular access control to subfolders and files that are contained in the share. To clarify where each of these permissions are configured, share permissions are configured using the Share Tab, as shown in Figure 1.
Figure 1: Share permissions control entry into the shared folder from the network
The NTFS permissions are associated with the Security Tab, as shown in Figure 2.
Figure 2: NTFS permissions are located and configured on the Security tab
The Security Tab is not available on computers that don't have NTFS volumes configured. These volumes that are not NTFS are configured as FAT or FAT32 file systems.
The resources that have NTFS permissions associated with them include:
- Files and folders
- Registry keys
- Active Directory objects
This list of resources is important since only these resources can have an Access Control List (ACL) on a Windows system. In this article, we are going to focus on how to modify permissions on folders, files, and Active Directory objects.
Manually Configuring Resource Permissions for Files and Folders
As I stated earlier, you can go to the Security tab on a file or folder to access the list of permissions. There are some key issues to keep in mind when setting up manual permissions for these resources.
First, when you are establishing permissions for files and folders, it is always best to set up permissions for groups, not individual user accounts. Second, you need to establish the level of access for the file and/or folder. As Figure 3 indicates, there are some standard permissions that can be set without going into the Advanced permissions for the account.
Figure 3: Standard permissions can be set for each account for the resource
Figure 4 illustrates that you can also go into the Advanced permissions, providing very granular levels of permissions for each resource.
Figure 4: Advanced permissions allow for granular control over access to resource
Clicking the Edit button shown in Figure 4 will allow you to see the full list of detailed Advanced permissions. Managing resources at this level of detail is not a great approach, as it causes significant overhead in the configuration, management, and troubleshooting of access to resources.
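The advice above is to grant permissions to groups rather than to individual user accounts, and user-specific entries are exactly what creeps in when permissions are set by hand. The following PowerShell function is an added example, not code from the article: it walks a folder tree, reads each NTFS ACL with Get-Acl, and reports every explicit (non-inherited) access control entry whose identity is not on an approved list of groups. The folder path and the group names are assumptions for illustration.

```powershell
# Added example (not from the article): audit explicit NTFS ACEs under a folder
# tree and report any entry granted to an identity outside the approved group list.
function Get-UnapprovedNtfsAce {
    [CmdletBinding()]
    param(
        # Root of the folder tree to audit
        [Parameter(Mandatory)] [string] $Path,
        # Identities (DOMAIN\Group form) that are allowed to hold explicit ACEs
        [Parameter(Mandatory)] [string[]] $ApprovedIdentity,
        # Also walk subfolders and files
        [switch] $Recurse
    )

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $_"
            continue
        }
        foreach ($ace in $acl.Access) {
            # Inherited entries come from a parent folder; only explicit entries were set here
            if ($ace.IsInherited) { continue }
            $identity = $ace.IdentityReference.Value
            if ($ApprovedIdentity -notcontains $identity) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $identity
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# Usage (the path and group names are assumed values):
Get-UnapprovedNtfsAce -Path 'D:\Shares\HR' -Recurse `
    -ApprovedIdentity 'CORP\HR-Staff', 'CORP\HR-Admins', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' |
    Format-Table -AutoSize
```

Only explicit entries are reported because an inherited entry is fixed at its parent; fixing it on the child would just be overridden at the next inheritance propagation. Anything the report lists is either a user account that should be replaced by a group membership, or a group that should be added to the approved list after review.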
Manually Configuring Resource Permissions for Active Directory Objects
The process of manually configuring Active Directory Objects is similar, but there is a Wizard that can help with the overall configuration. This is a very beneficial Wizard, as there are over 1000 individual Advanced permissions on some Active Directory Objects, such as organizational units, as shown in Figure 5.
Figure 5: Partial list of permissions for an organizational unit
To access the Wizard, simply right-click on the node that needs to be configured. This will expose the Delegate Control menu option. When this is selected, the Delegation of Control Wizard dialog box appears, as shown in Figure 6.
Figure 6: Delegation of Control Wizard allows for ease of configuration of permissions on Active Directory Objects
This wizard allows you to specify "who" (user or group) will have "what" level of access (permissions) to the objects in Active Directory.
It is possible to use the Security Tab for Active Directory Objects, just as with folder and file configuration. However, this is a daunting task that can puzzle even the most seasoned administrator.
Configuring Resource Permissions using Group Policy
When it comes to managing resource permissions with Group Policy, you can manage files and folders (and Registry keys), but not Active Directory Objects. The settings for controlling these permissions are in the Computer Configuration portion of a Group Policy, as shown in Figure 7.
Figure 7: The File System node allows for configuration of file and folder permissions using Group Policy
To use this option, you just need to create and link a Group Policy Object (GPO) to a node that contains the computer account that you want to configure. When this is done, edit the GPO and right click on the File System node. By selecting the Add File menu option, you will be able to browse to or type in the path to the file/folder that you want to manage permissions on. Once you add in the path, you will be shown the Security tab for that resource, as shown in Figure 8.
Figure 8: Security permissions can be set on files and folders in a GPO
Although these permissions are possible, it is not suggested to use Group Policy to modify or establish permissions on these resources, because of the cost of applying them. It is a proven issue that too many permissions being established using Group Policy will slow down the initial logon and could also slow down the system during the periodic background refresh interval. If these settings are used, they should only be used sparingly on a few resources.
Configuring Resource Permissions using Scripting
After much research and analysis, I have determined that using scripting for establishing resource permissions is a very inefficient way of setting up permissions, both for files/folders and for Active Directory Objects. However, I do want to mention some tools that can help with these activities, if you still desire to use scripting.
For your file and folder permission control using scripting, you can use CACLS. CACLS allows you to set and get permissions for files and folders. This is a free Microsoft tool and can be used stand-alone or within a VB or other desired script.
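As an added example (not from the article), here is a small PowerShell wrapper around CACLS that shows the two operations the paragraph mentions, getting and setting. It exists mainly to enforce the one CACLS switch a practitioner must not forget: without /E, CACLS replaces the entire existing ACL with only the entries given on the command line, so a one-line grant can silently remove everyone else's access. The path and group name are assumptions.

```powershell
# Added example (not from the article): get and set folder permissions with CACLS,
# always editing the ACL (/E) instead of replacing it.
function Show-CaclsPermissions {
    param([Parameter(Mandatory)] [string] $Path)
    # With no switches, CACLS just prints the current ACL of the path
    & cacls.exe $Path
}

function Grant-CaclsPermission {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Group in DOMAIN\Group form; names with spaces are quoted automatically
        [Parameter(Mandatory)] [string] $Group,
        # CACLS permission letter: R (read), W (write), C (change), F (full control)
        [ValidateSet('R', 'W', 'C', 'F')] [string] $Permission = 'C',
        # Apply to the whole tree below $Path
        [switch] $Recurse
    )
    $caclsArgs = @($Path)
    if ($Recurse) { $caclsArgs += '/T' }
    $caclsArgs += '/E'                       # edit the ACL; omitting this REPLACES the ACL
    $caclsArgs += '/C'                       # continue past access-denied errors
    $caclsArgs += '/G', "${Group}:$Permission"
    & cacls.exe @caclsArgs
    if ($LASTEXITCODE -ne 0) {
        throw "cacls failed with exit code $LASTEXITCODE for $Path"
    }
}

# Usage (assumed path and group): show the ACL before and after the change
Show-CaclsPermissions -Path 'D:\Shares\HR'
Grant-CaclsPermission -Path 'D:\Shares\HR' -Group 'CORP\HR-Staff' -Permission 'C' -Recurse
Show-CaclsPermissions -Path 'D:\Shares\HR'
```

CACLS only exposes the four coarse permission letters, so anything more granular than Change or Full Control has to be done another way; on Windows Vista, Server 2008 and later the tool is deprecated in favour of ICACLS, which takes the same approach but supports the full set of NTFS rights and inheritance flags.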
For your Active Directory object permissions, you can use the new PowerShell options. PowerShell is new and is available for Windows XP and above. PowerShell has the power to control Active Directory permissions and much, much more.
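The Delegation of Control Wizard described earlier answers "who gets what" by writing access control entries onto the OU, and the PowerShell option mentioned here can read those entries back. The following function is an added example, not code from the article or from Microsoft: it uses the ActiveDirectory module's AD: drive with Get-Acl to list every delegation on an OU and flags entries that amount to full control of the object (GenericAll, WriteDacl or WriteOwner). The OU distinguished name is an assumption.

```powershell
# Added example (not from the article): list who has been delegated what on an OU
# and flag entries that grant full control over it. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Include entries inherited from parent containers (hidden by default)
        [switch] $IncludeInherited
    )
    # The AD: drive exposes directory objects as paths; Get-Acl returns the DACL
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $fullControlBits = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll, WriteDacl, WriteOwner'

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        $rights = $ace.ActiveDirectoryRights
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $rights
            # An empty GUID means the right applies to the whole object rather than
            # to one property, property set or extended right
            ObjectType  = $ace.ObjectType
            Inherited   = $ace.IsInherited
            FullControl = ($ace.AccessControlType -eq 'Allow') -and
                          (($rights -band $fullControlBits) -ne 0)
        }
    }
}

# Usage (assumed OU): full-control holders sort to the top for review
Get-OuDelegation -DistinguishedName 'OU=HR,DC=corp,DC=example' |
    Sort-Object FullControl -Descending |
    Format-Table Identity, Type, Rights, FullControl -AutoSize
```

Running this after using the wizard is a quick way to confirm that the delegation landed on the intended group with the intended rights and nothing broader; the same listing, kept from a known-good baseline, lets you spot later changes to the OU's permissions.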
With both of these options, the masters of scripting and PowerShell that I spoke with informed me that although these options are available, it is easier and more efficient to use the standard methods to set and control permissions. However, scripting has a lot of power and use, so if you want more information on these options, I would direct you to the following sites:
Controlling network resources and their permissions is extremely important for the protection of your company resources. If you need to control HR files, company secrets, groups, organizational units, or any other resources, you will need to set and manage the permissions associated with each resource. You have many options at your disposal, but deciding which option to use can make a large impact on the overall efficiency and manageability of your network. Manual methods are not all that easy or efficient, but they get the job done with accuracy and without any overhead on the computers at boot time. Group Policy is another option, but make sure you limit this to only a few files and folders, as application of these permissions can take a long time. Scripting is a final option, but make sure you calculate whether scripting is the answer for you, as the time to develop and test the script might take longer than just setting the permissions manually.