Windows 2000 includes several special identities that are known by the security subsystem. Some of the special identities are:
■ System
■ Creator Owner
■ Everyone
■ Network
■ Interactive
The System special identity represents the local computer’s operating system. The Creator Owner special identity is used on directories. Any users who create files or directories in a directory that has Creator Owner permissions inherit the permissions given to Creator Owner for the files or directories they create. The Everyone, Network, and Interactive groups cannot be modified, nor can you view the members of these groups. The Everyone group contains all current and future users of the network, including guests and members of other domains. The Network group consists of users who are given access to a resource over the network. The Interactive group is the opposite of the Network group; it consists of users who access a resource by logging on to the resource locally. These groups are available when you assign rights and permissions to resources.
Table 2.1 (Continued)
%UserProfile% | Full Control | Users have full control over their Profile directories.
All Users\Documents | Modify | Users have Modify permission on the shared documents location.
All Users\Application Data | Modify | Users have Modify permission on the shared application data location.
%windir%\Temp | Synchronize, Traverse, Add File, Add Subdir | Users have these permissions on the per-machine temp directory so that Profiles do not have to be loaded in order for service-based applications to get the per-User temp directory of an impersonated user.
c:\ | Not changed during setup | During setup, Windows 2000 does not change the permissions on the root directory, since doing so would affect all objects underneath root, which is not desirable during setup.

The last item in Table 2.1 states that Users may have Write permissions to the root of the hard drive. This is possible because setup does not change the existing permissions for the root when Windows 2000 is installed. If you installed Windows 2000 to an NTFS partition on a clean system, the root is configured with default permissions, and it assigns the Everyone group Full Control. This occurs when the clean system is formatted during setup. It is important that you remember that Everyone has Full Control of the root directory so that you make the changes necessary for your environment.
Table 2.2 compares the default access control settings given to the Users and Power Users groups for objects on the file system. The permissions for directories apply to directories, subdirectories, and files, unless stated otherwise in the Remarks column.
Table 2.2 File System Default Access Control Settings for Users and Power Users
File System Object | Default Users’ Access Control Settings | Default Power Users’ Access Control Settings | Remarks
boot.ini | No Permissions | Read & Execute | N/A
ntdetect.com | No Permissions | Read & Execute | N/A
ntldr | No Permissions | Read & Execute | N/A
ntbootdd.sys | No Permissions | Read & Execute | N/A
autoexec.bat | Read & Execute | Modify | N/A
config.sys | Read & Execute | Modify | N/A
\ProgramFiles | Read & Execute | Modify | N/A
%windir% | Read & Execute | Modify | Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir% directory, not any other subdirectories.
%windir%\config\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\config directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\cursors\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\cursors directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\Temp | Synchronize, Traverse, Add File, Add Subdir | Modify | N/A
%windir%\repair | List | Modify | N/A
%windir%\addins | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\Connection Wizard | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users only have Read permissions for those files.
%windir%\fonts\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\fonts directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\help\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\help directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\inf\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\inf directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\java | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\media\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\media directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\msagent | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\security | Read & Execute | Read & Execute | N/A
%windir%\speech | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\twain_32 | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\web | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32 | Read & Execute | Modify | Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\system32\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system32 directory, not any other subdirectories.
%windir%\system32\config | List | List | N/A
%windir%\system32\dhcp | Read & Execute | Read & Execute | N/A
%windir%\system32\dllcache | No Permissions | No Permissions | N/A
%windir%\system32\drivers | Read & Execute | Read & Execute | N/A
%windir%\system32\catroot | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32\ias | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32\mui | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32\OS2\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system32\OS2 directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\system32\OS2\DLL\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system32\OS2\DLL directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\system32\RAS\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system32\RAS directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\system32\shellext | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32\viewers\*.* | Read & Execute | Read & Execute | Permission applies only to files in the %windir%\system32\viewers directory, not any other subdirectories. Power Users can write new files in this directory, but they cannot modify files that were installed during setup. All Power Users inherit Modify permission on the newly created files.
%windir%\system32\wbem | Read & Execute | Modify (directories/subdirectories); Read & Execute (files) | Power Users can write new files in this directory, but other Power Users have only Read permissions for those files.
%windir%\system32\wbem\mof | Read & Execute | Modify | N/A
%UserProfile% | Full Control | Full Control | N/A
All Users | Read | Modify | N/A
All Users\Documents | Modify | Modify | N/A
All Users\Application Data | Modify | Modify | N/A
You can view permissions for the file system from Windows Explorer by right-clicking the object, choosing Properties, and then selecting the Security tab, as shown in Figure 2.3. Clicking Advanced displays the Access Control settings for the directory and the level to which the permissions apply, as shown in Figure 2.4. Selecting View/Edit shows the granular permissions available for the selected group, as shown in Figure 2.5. Other items available from the Advanced button include the Auditing and Owner tabs.
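The same review can be scripted instead of clicked through. The following is an added example, not code from the book: it assumes the ACLs were listed with the Windows 2000 command-line tool cacls and saved as text, that the listing uses the layout shown in the constructed sample, and that %windir% is C:\WINNT. The names parse_cacls, audit, BASELINE and SAMPLE are hypothetical. It flags Everyone Full Control on the root directory and any Users or Power Users entry wider than three rows of Table 2.2.

```python
import re

# cacls right letters, weakest to strongest (assumption: R is shown for Read & Execute).
LEVEL = {"N": 0, "R": 1, "C": 2, "F": 3}
NAME = ["No Permissions", "Read & Execute", "Modify", "Full Control"]
GROUPS = ("BUILTIN\\Users", "BUILTIN\\Power Users")
# Three rows of Table 2.2 as (Users, Power Users) levels; %windir% assumed to be C:\WINNT.
BASELINE = {
    r"c:\winnt\system32\drivers": (1, 1),
    r"c:\winnt\system32\dllcache": (0, 0),
    r"c:\winnt\system32\wbem\mof": (1, 2),
}
ACE = re.compile(r"^(.+?):((?:\([A-Z]{2}\))*)([NRCF])$")

def parse_cacls(text):
    """Return {path: {account: level}} for ACEs that apply to the object itself."""
    acls, path = {}, None
    lines = [l for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if not line[0].isspace():  # block start: "<path> <first ACE>"
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            indent = len(nxt) - len(nxt.lstrip())
            cut = line.rfind(" ", 0, indent + 1)  # continuation indent marks the path end
            if cut < 0:  # single-ACE block: split at the first space
                cut = line.find(" ") if " " in line else len(line)
            path, line = line[:cut].strip().lower(), line[cut:]
            acls[path] = {}
        m = ACE.match(line.strip())
        if path and m and "(IO)" not in m.group(2):  # skip inherit-only ACEs
            acct, level = m.group(1), LEVEL[m.group(3)]
            acls[path][acct] = max(level, acls[path].get(acct, 0))
    return acls

def audit(acls, root="c:\\"):
    """List (path, account, reason) where an ACL is wider than the baseline."""
    findings = []
    if acls.get(root, {}).get("Everyone") == LEVEL["F"]:
        findings.append((root, "Everyone", "Full Control on the root directory"))
    for path, expected in BASELINE.items():
        for group, limit in zip(GROUPS, expected):
            got = acls.get(path, {}).get(group, 0)
            if got > limit:
                findings.append((path, group, f"{NAME[got]} exceeds {NAME[limit]}"))
    return findings

# Constructed sample in the layout cacls prints; not output captured from a real host.
SAMPLE = r"""
C:\ Everyone:(OI)(CI)F
C:\WINNT\system32\drivers BUILTIN\Users:(OI)(CI)R
                          BUILTIN\Power Users:(OI)(CI)C
C:\WINNT\system32\wbem\mof BUILTIN\Users:(OI)(CI)R
                           BUILTIN\Power Users:(OI)(CI)C
"""

print(audit(parse_cacls(SAMPLE)))
```

Entries that cacls shows as W or as special access do not match the pattern and are left for manual review, and deny entries are not modelled.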
Table 2.3 shows the default access control settings for objects in the Registry for Users and Power Users when Windows 2000 is installed to a clean system. Permissions apply to the object and all child objects unless the child object is listed in the table as a separate item.
Figure 2.4 Access Control Settings for the %Windir%\Repair Directory
Table 2.3 Registry Default Access Control Settings for Users and Power Users
Registry Object | Default Users’ Access Control Settings | Default Power Users’ Access Control Settings
HKEY_LOCAL_MACHINE\Software | Read | Modify
HKEY_LOCAL_MACHINE\Software\Classes\helpfile | Read | Read
HKEY_LOCAL_MACHINE\Software\Classes\.hlp | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\NetDDE | No Permissions | No Permissions
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Secure | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DiskQuota | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontMapper | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib | Read via the Interactive Special Identity | Read via the Interactive Special Identity
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Classes | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Console | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList | Read | Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost | Read | Read
HKEY_LOCAL_MACHINE\Software\Policies | Read | Read
HKEY_LOCAL_MACHINE\System | Read | Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg | No Permissions | No Permissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Executive | Read | Modify
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation | Read | Modify
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security | No Permissions | No Permissions
HKEY_LOCAL_MACHINE\Hardware | Read via the Everyone Special Identity | Read via the Everyone Special Identity
HKEY_LOCAL_MACHINE\SAM | Read via the Everyone Special Identity | Read via the Everyone Special Identity
HKEY_LOCAL_MACHINE\Security | No Permissions | No Permissions
HKEY_USERS\.DEFAULT | Read | Read
HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE | No Permissions | No Permissions
HKEY_CURRENT_CONFIG | Permissions are equal to the permissions on HKEY_LOCAL_MACHINE\CurrentControlSet\HardwareProfiles\Current | Permissions are equal to the permissions on HKEY_LOCAL_MACHINE\CurrentControlSet\HardwareProfiles\Current
HKEY_CURRENT_USER | Full Control | Full Control
HKEY_CLASSES_ROOT | Permissions are equal to the combination of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes | Permissions are equal to the combination of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes
You can view security permissions for items in the Registry using regedt32.exe, as shown in Figure 2.6. You cannot use regedit.exe to view security permissions. After you select a Registry key, you can view and/or change the permissions for the key, as shown in Figure 2.7.
Please be careful when modifying the registry. One modification to which you should pay special attention is the Replace Permissions on Existing Subkeys check box shown in Figure 2.6. Checking this box propagates all your permissions (correct or not) to all subkeys. You could easily make a mistake and lock down the permissions for an entire registry key with one click of the mouse.