Home > Articles

  • Print
  • + Share This
This chapter is from the book

Monitoring, Managing, and Troubleshooting Access to Files and Folders

The NTFS file system for Windows XP Professional offers several accessibility features that help administrators maintain and safeguard applications and data. Although you can somewhat control access to shared network folders by managing share permissions, Windows XP NTFS provides a very robust access control solution. In addition to offering administrators more granularity of security access control over files and folders than network share permissions, NTFS permissions reside at the file system level, which allows administrators to manage only one set of access control settings for both network users and local users. For troubleshooting resource access, you can enable auditing for folders and files residing on NTFS volumes.

NTFS Security: Users and Groups

You can apply NTFS security permissions to resources like files, folders, and printers for specific users or groups of users. Windows XP Professional installs four local users by default: Administrator, HelpAssistant, SUPPORT_xxxxxxxx (the x's represent a unique number for your Windows XP system), and Guest. The Guest user account and the SUPPORT_xxxxxxxx account are disabled by default. The Administrator user account is all powerful on the local machine and cannot be deleted, although it can be renamed.

Nine local groups are installed automatically: Administrators, Backup Operators, Guests, HelpServicesGroup, Network Configuration Operators, Power Users, Remote Desktop Users, Replicator, and Users. The Power Users group is not present in any edition of Windows 2000 Server or Windows .NET Server; it exists only as a Local group in Windows XP Professional. The Administrators account is all powerful because it is a member of the Administrators group, and you cannot remove the Administrator user account from membership in the Administrators group. Table 3.1 outlines the Local groups that are installed by default when you first install Windows XP Professional.

Table 3.1 Local groups installed by default in Windows XP Professional.

Local Group

Role

Administrators

Group members possess full administrative control for managing the local system, local users, and Local groups.

Backup Operators

Group members have the rights to back up and restore files and folders on the local system.

Guests

Group members can't make permanent alterations to their desktop settings. The default Guest account is automatically a member of this group. By default, group members possess no specific rights or permissions on objects. If the local computer joins a Windows domain, the Global Domain Guests group automatically becomes a member of the Local Guests group.

HelpServicesGroup

Members of this group can log on to the system and use helper applications to diagnose system problems. This group is used in conjunction with the HelpAssistant and SUPPORT_xxxxxxxx user accounts.

Network Configuration

Members in this group can have some administrative privileges Operators to manage configuration of networking features.

Power Users

Group members can add new local user accounts and change existing local user accounts. Members can also create shared folders and shared printers on the network. Power Users retain administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications.

Remote Desktop Users

Members in this group are granted the right to log on using the Remote Desktop or Terminal Services client software.

Replicator

This group supports file replication within a Windows domain.

Users

Group members can perform tasks only after an administrator has specifically granted them rights to do so. They can access resources on only those objects for which an administrator has granted them permissions. When user accounts get created, each new user automatically becomes a member of the Local Users group. If the local computer becomes a member of a Windows domain, the Global Domain Users group automatically becomes a member of the Local Users group.


Special Built-in Security Principals

Special built-in security principal entities apply to any user account that happens to be using a Windows XP computer in a particular manner at a given point in time. For example, when a user logs on to a Remote Desktop session, the security principal Terminal Server User gets applied to his user account for the duration of the Remote Desktop session until he logs off. When a user logs on to a computer remotely over the network, that user's account gets the Network security principal applied to it until he disconnects from that network connection. Table 3.2 outlines the various user-related built-in security principals for Windows XP Professional. Figure 3.2 displays both user-related and computer-, process-, and service-related built-in security principals for a Windows XP domain member computer.

Figure 3.2 Windows XP built-in security prinicipals can be displayed from the Select User Or Group dialog box.

Table 3.2 Built-in security principals installed by default under Windows XP Professional.

Built-in Security Principal

Role

Everyone

Includes all users who access the computer. The best practice is to avoid using this group. If you enable the Guest account, any user can become authorized to access the system, and the user inherits the rights and permissions assigned to the Everyone group.

Authenticated Users

These users have valid user accounts on the local system, or they possess a valid user account within the domain of which the system is a member. It is preferable that you use this group over the Everyone group for preventing anonymous access to resources. The Guest account is never considered as an Authenticated User.

Creator Owner

A user who creates or takes ownership of a resource. Whenever a member of the Administrators group creates an object, the Administrators group is listed as the owner of that resource in lieu of the actual name of the user who created it.

Creator Group

A placeholder for an access control entry (ACE) that can be inherited.

Network

Any user accounts from a remote computer that access the local computer via a current network connection.

Interactive

Any user accounts who are logged on locally.

Anonymous Logon

Any user accounts that Windows XP did not validate or authorize. Users cannot log on to the system both as an Interactive user and an Anonymous Logon User at the same time.

Dialup

Any user accounts that are currently connected via dial-up networking.

Remote Interactive Logon

Any user who logs on to the computer using a Remote Desktop (Terminal Services) client connection.

Terminal Server User

Any user who accesses the computer using a Remote Desktop (Terminal Services) client connection.


NTFS Security: Basic and Advanced Permissions

NTFS security permissions can be assigned to both users and groups and are applied to resources such as folders, files, printers, and other objects. NTFS permissions are broken down into access control list (ACL) settings and access control entries (ACEs). The ACL details "who" (user or group) is granted access to an object. ACEs detail the specific permission entries (read, write, and so on) for each specific object (folder or file, for example). NTFS permissions for Windows XP can be very complex and granular when you use advanced permissions. Basic permissions are much more simple; they enable you to allow or deny access to resources based on six fundamental levels: Read, Read and Execute, List Folder Contents (applies to folders only), Write, Modify, and Full Control. Advanced (or special) permissions enable you to fine-tune permission settings for allowing or denying such activities as reading or writing extended object attributes.

Basic NTFS Permissions

Basic permissions are actually comprised of predefined advanced NTFS permissions and are applied per user and per group. Individual file permissions differ slightly from the permissions that apply to folders. Table 3.3 highlights the basic permissions available for files, whereas Table 3.4 outlines the basic permissions available for folders.

Table 3.3 Basic NTFS security permissions applicable to files.

Permission

Description

Full Control

Allows/denies full access to the file. Includes the ability to read, write, delete, modify, change permissions, and take ownership of the file.

Modify

Allows/denies the ability to read, write, delete, modify, and read permissions for the file.

Read & Execute

Allows/denies specified users and groups the ability to execute the file and read its contents, read its attributes and extended attributes, and read its permissions.

Read

Allows/denies the same permissions as Read & Execute except for Execute File.

Write

Allows/denies the ability to write data to the file, create files and append data, and write attributes and extended attributes.


Table 3.4 Basic NTFS security permissions applicable to folders.

Permission

Description

Full Control

Allows/denies full access to objects within the folder. Includes the ability to read, write, delete, modify, change permissions, and take ownership of the folder.

Modify

Allows/denies the ability to read, write, delete, modify, and read permissions for the folder.

Read & Execute

Allows/denies specified users and groups the ability to traverse the folder, execute files within the folder, list its contents, read its contents, read its attributes and extended attributes, and read its permissions.

List Folder Contents

Allows/denies essentially the same permissions as Read & Execute. Allows/denies the ability to display files and subfolders, but this permission does not affect a user's ability to run (execute) an application program as the Read & Execute permission does.

Read

Allows/denies the same permissions as List Folder Contents except for Traverse Folder and Execute File.

Write

Allows/denies the ability to create files and write data, create folders and append data, and write attributes and extended attributes.


TIP

The List Folder Contents permission is inherited by folders, but not by files, and it should appear only when you view folder permissions. Read & Execute is inherited by both files and folders, and is always present when you view file or folder permissions. By default, NTFS security permissions are inherited from an object's parent. An administrator can manually override the default inheritance and can explicitly configure permission settings.

Advanced NTFS Permissions

NTFS advanced permissions are the building blocks for basic permissions. In Windows XP, advanced permissions allow administrators to have very granular control over exactly what types of access users can have over files and folders. Advanced permissions are somewhat hidden from view. They allow administrators to fine-tune ACE (security) settings. The Security tab in a file or folder's Properties dialog box notifies you when advanced permissions are present. Click the Advanced button to view, add, modify, or remove advanced permissions. At the bottom of the Security tab, Windows XP displays a notification just to the right of the Advanced button that says For Special Permissions Or For Advanced Settings, Click Advanced.

After you click Advanced, you see the Advanced Security Settings dialog box, which shows each access control setting that has been applied per user and per group. To view individual advanced permission entries, click one of the users or groups listed and then click the Edit button. The Permission Entry dialog box, shown in Figure 3.3, appears. It gives administrators very fine control over the ability of individual users and groups to manipulate data and program files that are stored on NTFS drive volumes. Table 3.5 shows the list of advanced NTFS permissions available under Windows XP.

Figure 3.3 The Permission Entry dialog box for the Samples NTFS folder.

Table 3.5 Advanced NTFS security permissions for both files and folders.

Permission

Description

Full Control

Grants the Allow setting for all basic and advanced NTFS security permissions including the entries for Change Permissions and Take Ownership.

Traverse Folder/Execute File

Allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass Traverse Checking user right). The Execute File permission allows or denies running application program files.

List Folder/Read Data

Allows or denies viewing file names and subfolder names within the folder, and allows or denies viewing data in files.

Read Attributes

Allows or denies viewing the attributes—such as read-only, hidden, and archive—of a file or folder.

Read Extended Attributes

Allows or denies viewing the extended attributes of a file or folder. Some extended attributes are defined by application programs and can vary by application.

Create Files/Write Data

Allows or denies creating files within a folder, and allows or denies making changes to a file and overwriting the existing data.

Create Folders/Append Data

Allows or denies creating folders within a folder, and allows or denies making changes to the end of a file, but not changing, deleting, or overwriting existing data.

Write Attributes

Allows or denies changing the attributes—such as read-only or hidden—of a file or folder.

Write Extended Attributes

Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. Some extended attributes are defined by application programs and can vary by application.

Delete Subfolders and Files

Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

Delete

Allows or denies deleting the file or folder. If you don't have the Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders And Files permission on the parent folder.

Read Permissions

Allows or denies reading the permissions that exist on a file or folder.

Change Permissions

Allows or denies changing permissions—such as Full Control, Read, and Modify—on the file or folder.

Take Ownership

Allows or denies taking ownership of a file or folder. The owner of a file or folder can always change permissions on it, even if other permissions have been assigned to safeguard the file or folder.


From this dialog box, you can perform the following:

  • Change the Name so that this permission entry applies to some other user or group.

  • Modify the Apply Onto drop-down list to specify exactly where these advanced permissions should apply.

  • Alter the actual permission entries themselves by marking or clearing the Allow or Deny checkbox for each permission that you want to affect.

TIP

To change NTFS security permissions, you must be the owner of the file or folder whose permissions you want to modify, or the owner must grant you permission to make modifications to the object's security settings. Groups or users who are granted Full Control on a folder can delete files and subfolders within that folder regardless of the permissions protecting those files and subfolders. If the checkboxes for the Security tab under Permissions are shaded, the file or folder has inherited the permissions from the parent folder. By clearing the Inherit From Parent The Permission Entries That Apply To Child Objects checkbox, you can copy those inherited permissions and turn them into explicit permissions, or you can remove them entirely and manually establish new explicit permissions. This checkbox is located at the bottom of the Advanced Security Settings dialog box.

NTFS security permissions are cumulative. Users obtain permissions by having them assigned directly to their user accounts, in addition to obtaining permissions via group memberships. Users retain all permissions as they are assigned. If a user named Dan has the Allow Read permission for the Graphics folder, and if Dan is a member of the Users group, which has been assigned Allow Write permission for the same folder, Dan has both the Allow Read and Allow Write permissions. Permissions continue to accumulate. However, Deny entries always override Allow entries for the same permission type (Read, Modify, Write, and so on).

Default NTFS Security Permissions

Under Windows XP, by default, all NTFS-formatted drive volumes are assigned Allow Read and Execute as special permissions for the Everyone group for the root of each drive volume. Folders and subfolders within each drive volume do not automatically inherit this default permission setting. These defaults are different than the defaults for previous versions of Windows. When you install Windows XP Professional on an NTFS volume, the %systemroot% folder (for example, C:\Windows) is automatically assigned special default security permissions for the following groups: Administrators, System, and Creator Owner.

CAUTION

If you upgrade from Windows NT 4 Workstation to Windows XP Professional, all existing users become members of the Local Power Users group under Windows XP. This default upgrade behavior ensures that existing users can run noncertified applications under Windows XP, because Windows XP permissions for members of the Users group are more restrictive than under Windows NT 4.

More stringent NTFS security permissions now get applied to the root of all NTFS drive volumes whenever you upgrade to Windows XP, format a drive volume as NTFS under Windows XP, or use the convert.exe command on a drive volume under Windows XP. The new default NTFS security permissions are outlined here and illustrated in Figure 3.4:

  • System—Full Control with inherited permissions from parent folder

  • Administrators—Full Control with inherited permissions from parent folder

  • Creator Owner—Full Control with inherited permissions from parent folder

  • Everyone—Read and Execute with no inherited permissions from parent folder

  • Users—Read and Execute with inherited permissions from parent folder

Figure 3.4 The Advanced Security Settings dialog box showing the default NTFS permissions for the root of a drive volume converted to NTFS.

CAUTION

You should not change the default security settings for the %systemroot% folder and its subfolders. Modifying the default permissions for the Windows XP Professional system files can have very adverse effects on the system. In addition to not changing its default permissions, you should never attempt to compress or encrypt the %systemroot% folder or any of its subfolders. Compression or encryption placed on the system folders can render Windows XP Professional unstable or possibly unbootable.

NTFS Permission Conflicts

Obviously, a user may be a member of several different groups. You can apply NTFS permissions to both users and groups for access control over resources such as files and folders. For security permissions assigned to a user that conflict with other security permissions that have been granted to groups, of which the user is also a member, the most liberal permissions take precedence for that user. The one overriding exception is any explicit Deny permission entry. Deny permissions always take precedence over Allow permissions.

TIP

Just as Deny permissions always take precedence over Allow permissions, explicit permissions always override inherited permissions.

NTFS Permissions vs. Share Permissions

Because share permissions apply to network access only, they can serve only to complicate and possibly confuse access control settings when you apply them on top of NTFS security permissions, which take effect at the file system level. If share permissions and NTFS permissions conflict, the most restrictive permissions apply. For example, suppose that you have set share permissions on the shared folder named C:\Samples, and have set the share permissions for the Users group to Allow Read. At the same time, suppose that you also have NTFS permissions set on that folder, and have applied the Allow Change permission for the Users group on that folder in NTFS. Now you have conflicting permissions: Allow Read at the share level and Allow Change at the NTFS level. The net result is that members of the Users group are granted the ability only to read the files within that folder when accessing it over the network; they cannot make any changes to those files, because the most restrictive permissions always win.

As you can see, conflicting permissions may make it difficult to decipher which permissions users are granted when they are accessing files over the network. Therefore, the best practice is to place all shared network data and applications on NTFS drive volumes and set the appropriate security permissions for users and groups at the NTFS level. Do not change the default shared folder permissions; leave them at Full Control for the Everyone group. The most restrictive permissions apply, so all NTFS permissions "flow through" the network share. NTFS security settings can then apply equally to both local users and network users, and administrators have to manage only one set of permissions.

Users and Groups: Local Accounts vs. Domain Accounts

In Windows networking environments, user accounts and group accounts always participate in one of two security contexts: workgroup security (also known as peer-to-peer networking) and domain security. Workgroup security is the default security context for individual and networked Windows 2000 Professional and Windows XP Professional computers that are not members of a Windows domain. Workgroups are logical groupings of computers that do not share a centrally managed user and group database. Local users and groups are managed from each computer's Local Users And Groups folder within the Computer Management Console. You must maintain users and groups separately on each computer. No centralized management scheme exists within a workgroup environment; duplicate user and group accounts must exist on each computer to grant and control access permissions on each workstation's individual resources. User and group accounts are stored within a local database on each Windows XP Professional computer.

In a Windows domain network environment, on the other hand, the domain acts as a central administration point for managing users, groups, and security permissions. A domain is simply a logical grouping of computers that share a centrally managed database. Duplicate user and group accounts are unnecessary and unwarranted within the domain security context. Users simply log on to the domain from any domain member computer, and their Domain group memberships, along with their user rights, follow them wherever they travel throughout the domain.

A Windows Active Directory domain maintains a domain-wide database of users and groups that is referred to as the directory. The Active Directory database is physically stored on domain controller computers. The Active Directory database can contain much detailed information about its users. The Active Directory database is replicated and synchronized with all the other domain controllers within a domain. Under Windows Active Directory domains, group memberships travel with users throughout the entire forest.

Windows XP User Permissions vs. User Rights

In Windows XP, users are granted two types of access control settings:

  • Permissions—Windows XP permissions pertain to what the user can do to objects (for example, permissions for reading, creating, modifying, or deleting files, folders, or printers). Windows XP objects include a wide variety of items in addition to files, folders, and printers, including processes, threads, ports, devices, and Registry keys.

  • Rights—Windows XP user rights determine what privileges the user has to interact with the operating system (for example, shut down the system, install software, log on locally, log on over the network, and so on). Administrators for Windows XP Professional computers can modify the default rights for users through the Local Security Settings snap-in of the Microsoft Management Console (MMC).

Controlling Access to Files and Folders by Using Permissions

Users gain access to NTFS files and folders by virtue of being granted explicit or implicit (inherited) permissions for those resources directly to their user account, or through access permissions granted to groups to which the users belong. To assign Read Only security permissions to a user or a group for a specific folder, follow these steps:

  1. Right-click the folder on which you want to apply permissions and select either the Sharing And Security option or the Properties option.

  2. Click the Security tab.

  3. If the permissions checkboxes for the user or group are grayed out, this means that those permissions are being inherited from a parent folder. To set your own permissions and not allow permissions to be inherited, click the user and/or group that you want to work with and click the Advanced button. Clear the checkbox labeled Inherit From Parent The Permission Entries That Apply To Child Objects. Include These With Entries Explicitly Defined Here. As soon as you clear that checkbox, a Security message box will appear, shown in Figure 3.5.

Figure 3.5 The Security message box for disallowing inherited NTFS permissions.

  1. For permissions that are not being inherited, skip this step. Click Copy to copy the permissions that were being applied to the file or folder through inheritance and make the permission explicit, click Remove to completely remove all the permissions that were being applied through inheritance, or click Cancel to leave the inherited permissions in place. Click OK to close the Advanced Security Settings dialog box and return to the Security tab of the object's properties sheet.

  2. If the user(s) or group(s) to which you want to assign permissions do not currently appear, click the Add button.

  3. From the Select Users Or Groups dialog box, shown in Figure 3.6, type the group or user to which you want to assign permissions in the Enter The Object Names To Select text box. Click the Check Names button to verify that you have entered the correct names for the users or groups. Optionally, you may click the Advanced button to generate a list of users and groups from which to choose, as shown in Figure 3.7. Click the Find Now button to generate the list of users and groups. Select the users and/or groups you want to apply permissions to. Click OK for the advanced Select Users Or Groups dialog box.

Figure 3.6 The Select Users Or Groups basic dialog box.

Figure 3.7 The Select Users Or Groups advanced dialog box.

  1. Click OK for the basic Select Users Or Groups dialog box.

  2. Verify that the Allow checkboxes are marked for the Read & Execute, List Folder Contents, and Read permissions, as shown in Figure 3.8.

Figure 3.8 The Security tab of an NTFS folder showing permissions for users and groups.

  1. Click OK to accept your settings.

Denying Access to a Resource

Deny permissions always override Allow permissions, so you can be assured that after you establish Deny permissions for a particular user or group on a resource, no other combination of Allow permissions through group memberships can circumvent the Deny permission. To assign Deny security permissions to a user or a group for a specific folder, follow these steps:

  1. Right-click the folder on which you want to apply permissions and select Properties.

  2. Click the Security tab.

  3. If permissions are being inherited for the user and/or group that you want to work with, click the Advanced button and clear the checkbox labeled Inherit From Parent The Permission Entries That Apply To Child Objects. Include These With Entries Explicitly Defined Here. Click Copy or Remove for the inherited permission entries, and click OK for the Advanced Security Settings dialog box.

  4. If the user(s) or group(s) to which you want to assign permissions do not currently appear, click the Add button.

  5. Type in the group(s) or user(s) that you want to assign permissions to from the Select Users Or Groups dialog box.

  6. Click OK.

  7. Click the Deny checkbox for each permission entry that you wish to explicitly disallow.

  8. Click OK to accept your settings.

If you deny the Read permission for a group on a particular folder, any member of that group is denied the ability to read the contents of that folder. When you assign Deny permissions for a user or a group on a file or folder, as soon as you click OK in the Properties dialog box, a Security message box, shown in Figure 3.9, appears. It reminds you that Deny permissions take precedence over Allow permissions.

Figure 3.9 A Security message box requests confirmation that you want to set a Deny permissions entry.

Click Yes in the Security message box to have the new Deny permissions take effect. When users who are members of a group that is assigned Deny permissions for reading a folder attempt to gain access to that folder, they are greeted by an Access Is Denied message box, shown in Figure 3.10.

Figure 3.10 The Access Is Denied message box.

Optimizing Access to Files and Folders

The best practice is to always assign NTFS security permissions to groups rather than to individual users. You should place users into appropriate groups and set NTFS permissions on those groups. In this manner, permissions are easier to assign and maintain.

NTFS Permissions: Moving and Copying Files and Folders

Moving or copying files and folders from an NTFS drive volume to network drives or other media that are non-NTFS volumes results in the loss of all NTFS security permission settings for the objects moved or copied. The result of moving or copying NTFS files and folders to different NTFS folders varies depending upon whether the objects are being moved or copied, and depending upon the destination drive volume. Table 3.6 shows the different effects on NTFS permissions when copying files and folders versus moving files and folders.

Table 3.6 NTFS permissions that are retained or inherited when you move and copy files and folders.

Type of Transfer

Effective Permissions after Move or Copy

Moving within the same NTFS volume

Files and folders that are moved retain their permissions from the source folder.

Moving to a different NTFS volume

Files and folders that are moved inherit their permissions from the destination folder.

Copying within the same NTFS volume

Files and folders that are copied inherit their permissions from the destination folder.

Copying to a different NTFS volume

Files and folders that are copied inherit their permissions from the destination folder.


The standard Windows XP Xcopy.exe command-line utility offers /O and /X options that retain an object's NTFS permissions, in addition to inheriting the destination folder's permissions. The /X switch also retains any auditing settings (which are discussed later in this chapter). To retain only an object's source permissions without inheriting any permissions from the destination folder, use the Scopy.exe tool or the Robocopy.exe tool from the Windows 2000 Professional Resource Kit, or the Windows 2000 Server Resource Kit.

Viewing Effective Permissions

Prior to Windows XP, there was no simple way to determine quickly which effective permissions a user actually had by evaluating implicit permissions against explicit permissions, and by comparing a user's own assigned permissions to his or her inherited permissions from his or her group memberships. Now, under Windows XP, an easy method exists for determining effective NTFS permissions right from the Advanced Security Settings dialog box. To display effective permissions for a user or a group, perform the following steps:

  1. Right-click an NTFS folder and select Sharing And Security.

  2. Click the Security tab and then click the Advanced button.

  3. From the Advanced Security Settings dialog box, click the Effective Permissions tab.

  4. Click the Select button to choose a user or a group for which you want to display effective permissions. Type in the user, group, or security principal name and click OK.

  5. View the effective permissions for the user, group, or security principal that you selected, as shown in Figure 3.11.

Figure 3.11 The Effective Permissions tab displays effective NTFS security permissions for users and groups for specific folders and files.

Taking Ownership of Files and Folders

A user who has ownership of a file or folder can transfer ownership of it to a different user or to a group. Administrators can grant users the ability to take ownership of specified files and folders. In addition, administrators have the authority to take ownership of any file or folder for themselves. Object ownership cannot be assigned to others; a user must have permission to take ownership of an object.

Changing ownership of files and folders can become necessary when someone who is responsible for certain files and folders leaves an organization without granting any other users permissions to them. To take ownership of a folder as an administrator, follow these steps:

  1. Log on to the system as the administrator or an equivalent user.

  2. Right-click the folder from Windows Explorer or My Computer and select Properties.

  3. Click the Security tab.

  4. Click the Advanced button.

  5. Click the Owner tab in the Advanced Security Settings dialog box.

  6. Click the name of the person in the Change Owner To section to change the folder's ownership.

  7. If you also want the ownership to change for the subfolders and files, mark the Replace Owner On Subcontainers And Objects checkbox.

  8. Click OK for the Advanced Security Settings dialog box.

  9. Click OK for the Properties dialog box.

How Upgrading to Windows XP Affects File Sharing Behavior

Windows NT 4 Workstation computers and Windows 2000 Professional computers, whether members of a workgroup or a domain, maintain their workgroup or domain membership, respectively, and retain the classic file sharing and security user interface when they are upgraded to Windows XP Professional. Simple File Sharing is disabled. NTFS security permissions and shared folder permissions are not changed after the upgrade.

Windows 98 and Windows ME computers that have "per share" sharing permissions as members of a workgroup always have Simple File Sharing enabled by default after they are upgraded to Windows XP Professional. Shared folders that have passwords assigned to them are removed; shared folders that have blank passwords remain shared after the upgrade. Windows 98 and Windows ME systems that are logged on to a Windows domain with share-level access enabled are joined to that domain when they are upgraded using the Windows XP Setup program, and Simple File Sharing is disabled after the upgrade.

Auditing System and Network Events

Windows XP Professional enables administrators to audit both user and system events enabling various auditing policies. When auditing is enabled for specific events, the occurrence of the events triggers a log entry in the Windows XP Professional Security Log. You view the security log with the Event Viewer snap-in of the MMC. By default, auditing is turned off. Before you enable auditing, you should formulate an audit policy to determine which workstations will employ auditing and which events will be audited on those systems. When planning the events to audit, you also need to decide whether you will audit successes and/or failures for each event.

Auditing for the local Windows XP system is enabled through the Local Security Settings snap-in of the MMC, shown in Figure 3.12. You must initially turn on auditing from the Local Security Settings Console for each type of event that you want to monitor.

Figure 3.12 The Local Security Settings Console.

You can audit several types of events, such as the following:

  • File and folder access

  • Logons and logoffs

  • System shutdowns and restarts

  • Changes to user and group accounts

  • Changes attempted on Active Directory objects if the Windows XP Professional computer is a member of a Windows Active Directory domain

When you track successful events, you can gauge how often different resources are used. This information can be useful when you are planning for future resource allocation. By tracking failed events, you can become aware of possible security intrusions. Unsuccessful logon attempts, attempts to change security permissions, or efforts to take ownership of files or folders may all point to someone trying to gain unauthorized access to the system or to the network. If such attempts occur at odd hours, these events take on an even more suspicious tone. You must be a member of the Administrators group to turn on audit policies; if your computer is connected to a network, network policy settings may prohibit you from configuring audit settings. To enable auditing on a Windows XP Professional system, follow these steps:

  1. Launch the Local Security Policy MMC snap-in from the Start|All Programs|Administrative Tools folder.

  2. At the Local Security Settings Console, expand the Local Policies folder and then click Audit Policy.

  3. Double-click the audit policy setting that you want to enable; the dialog box for the audit event will display, as shown in Figure 3.13. To enable auditing of object access, double-click the Audit Object Access policy.

Figure 3.13 The Audit Object Access Properties dialog box.

  1. Click the Success checkbox, the Failure checkbox, or both checkboxes.

  2. Click OK.

  3. Close the Local Security Settings Console.

After you have turned on audit tracking for object access events, you need to specify which files, folders, or other objects you want to audit. You should be fairly selective about which ones you choose to audit. If you have enabled auditing for successes as well as failures, the system's Security Event log may become filled very quickly if you are auditing heavily used files and folders. You can only audit object access for files and folders that are stored on NTFS volumes. To enable audit logging for specific files, folders, or other objects (such as printers), follow these steps:

  1. Log on to the system as the administrator or an equivalent user.

  2. Right-click the object from Windows Explorer, My Computer, or Printers And Faxes, and select Properties.

  3. Click the Security tab.

  4. Click the Advanced button.

  5. Click the Auditing tab in the Advanced Security Settings dialog box.

  6. Click the Add button.

  7. Type in the user or group that you want to track for accessing the object and then click OK. The Auditing Entry dialog box, shown in Figure 3.14, appears.

Figure 3.14 The Auditing Entry dialog box.

  1. Select each access event that you want to track by marking each event's associated Successful checkbox, Failed checkbox, or both checkboxes.

  2. By default, audit settings apply to the current folder, subfolders, and files. You can change this behavior by clicking the Apply Onto drop-down list.

  3. Click OK for the Auditing Entry dialog box.

  4. Click OK for the Advanced Security Settings dialog box.

  5. Click OK for the object's Properties dialog box.

After you have properly set up auditing, all events that meet your auditing criteria are logged into the system's Event Viewer Security Log. You access the Event Viewer Console from Start|Administrative Tools|Event Viewer or by right-clicking the My Computer desktop icon and selecting Manage. You'll find the Event Viewer beneath the System Tools folder in the Computer Management Console. By selecting the Security Log, you can view all of the auditing events that the system has recorded based on the parameters you have set. If a user deletes an object, for example, that event is listed with all the pertinent information in the security log, shown in Figure 3.15. Double-clicking an event in the log displays the detailed information.

Figure 3.15 An Event Properties window from the Event Viewer security log.

  • + Share This
  • 🔖 Save To Your Account