</form>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=3//-->
<!--PAGES=098-100//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="096-098.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="100-103.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading18"></A><FONT COLOR="#000077">Permissions for NT Files and Directories</FONT></H4>
<P>The <I>NT file system</I> (NTFS) supports granular DAC. Each file in the NTFS is an object. Every NT object has a security descriptor consisting of the object’s unique identifier and a pair of access control lists. The security descriptor for an object is initialized when the object is created. Figure 3.2 shows the components of the security descriptor.</P>
<P><A NAME="Fig2"></A><IMG SRC="images/03-02t.jpg">
<BR><FONT COLOR="#000077"><B>Figure 3.2</B></FONT> Contents of the NT security descriptor.</P>
<P>The security descriptor contains a DAC ACL component and a SYSTEM ACL component. Normal NT user and group access rights for an object are stored in the DAC ACL. Each entry (ACE) in a DAC ACL identifies a particular user or group SID along with the access permissions granted to that subject. The special NT user SYSTEM, which represents the operating system itself, has a separate ACL. These two distinct ACLs are described in the next few sections.
</P>
<P><FONT SIZE="+1"><B>DAC Access Control Lists</B></FONT></P>
<P>NT distinguishes between <I>standard</I> permissions and <I>special</I> permissions. Access permissions for an object are normally defined using the standard permissions that are logical groupings of special permissions. Consider the more low-level special permissions first.</P>
<P>Special permissions are similar to the permission bits found in UNIX, with two additions. First, an explicit option enables the subject to change the object’s access permissions. If you have this permission for an object, even if you are not the object’s owner, you will be allowed to modify its permissions. Unlike most UNIX systems, NT allows for the possibility that the object’s owner may not be the only user who is allowed to change the permissions of an object. For example, user Joe may want users Bill and Jane to be able to set permissions on files that they work on together. Second, a special permission can be granted to take ownership of an object. By default, the owner of the object controls its permissions. Taking ownership of an object is a powerful permission and is normally limited to the object’s owner. The Administrator is allowed to take ownership of any object. Table 3.2 describes the special NT file permissions.</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.2</B> NT Special Permissions
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TH WIDTH="20%" ALIGN=LEFT VALIGN="BOTTOM">Permission
<TH WIDTH="30%" ALIGN=LEFT>Allowed Action If Object Is a File
<TH WIDTH="50%" ALIGN=LEFT VALIGN="BOTTOM">Allowed Action If Object Is a Directory
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TD>R
<TD>Read contents of file
<TD>View file and subdirectory names
<TR>
<TD>X
<TD>Execute file as a program
<TD>Can change to subdirectories
<TR>
<TD>W
<TD>Change file contents
<TD>Add, rename, create files and subdirectories
<TR>
<TD>D
<TD>Delete file
<TD>Delete directory and subdirectories
<TR>
<TD>P
<TD>Change file permissions
<TD>Change directory permissions
<TR>
<TH COLSPAN="3"><HR>
</TABLE>
<P>Standard permissions are summarized in Table 3.3. Notice that the intent is to provide terms that are more meaningful to users administering access permissions than the granular special permissions. Whether in practice these higher-level abstractions make the job easier for system administrators is a matter of opinion.
</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.3</B> NT Standard Permissions
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TH WIDTH="20%" ALIGN=LEFT VALIGN="BOTTOM">Permission
<TH WIDTH="40%" ALIGN=LEFT VALIGN="BOTTOM">Allowed Action If Object Is a File
<TH WIDTH="40%" ALIGN=LEFT>Allowed Action If Object Is a Directory
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TD>No Access
<TD>None
<TD>None
<TR>
<TD>List
<TD>Not applicable
<TD>RX
<TR>
<TD>Read
<TD>RX
<TD>RX
<TR>
<TD>Add
<TD>Not applicable
<TD>WX
<TR>
<TD>Add & Read
<TD>Not applicable
<TD>RWX
<TR>
<TD>Change
<TD>RWXD
<TD>RWXD
<TR>
<TD>Full Control
<TD>All
<TD>All
<TR>
<TH COLSPAN="3"><HR>
</TABLE>
<P>Notice that the List and Add permissions have no interpretation for individual files. These permissions are meaningful only for directories. Recall from the discussions on UNIX permissions that a number of special meanings are applied to the permission bits depending on whether the object is a file or directory. The interpretations for the NT standard permissions are shown in Table 3.4 for files and Table 3.5 for directories.
</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.4</B> Interpretation of NT Standard Permissions for Files
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TH WIDTH="20%" ALIGN=LEFT>Permission
<TH WIDTH="80%" ALIGN=LEFT>Interpretation
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TD>No Access
<TD>Under no circumstances is the user allowed access to the file.
<TR>
<TD>Read
<TD>Permission to execute the file, open the file, or display the file’s attributes.
<TR>
<TD VALIGN="TOP">Change
<TD>Permission to append to or change data in the file, to display the file’s owner and permissions, plus the Read permissions.
<TR>
<TD VALIGN="TOP">Full Control
<TD>Equivalent to Change with the additional capability to take ownership of the file.
<TR>
<TH COLSPAN="3"><HR>
</TABLE>
<P>
</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.5</B> Interpretation of NT Standard Permissions for Folders
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TH WIDTH="20%" ALIGN=LEFT>Permission
<TH WIDTH="80%" ALIGN=LEFT>Interpretation
<TR>
<TH COLSPAN="3"><HR>
<TR>
<TD>No Access
<TD>Under no circumstances is the user allowed access to the folder.
<TR>
<TD VALIGN="TOP">List
<TD>Users can list files and subdirectories to which they have access but cannot list files or subdirectories to which they do not have explicit access in this folder.
<TR>
<TD VALIGN="TOP">Read
<TD>Permission to list files or subdirectories, execute programs, change into subfolders, and display attributes of files or subfolders.
<TR>
<TD VALIGN="TOP">Add
<TD>Files can be added to the folder. Neither Read nor List are implied by this permission.
<TR>
<TD>Add & Read
<TD>Includes Add permissions and Read permissions combined.
<TR>
<TD VALIGN="TOP">Change
<TD>Permissions granted by Read augmented to include creation of subfolders and files, changing file or folder attributes, and deletion of the folder’s files and subfolders.
<TR>
<TD VALIGN="TOP">Full Control
<TD>Equivalent to Change with the additional capability to change permissions of the folder itself and to take ownership of the directory itself.
<TR>
<TH COLSPAN="3"><HR>
</TABLE>
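<P>The following Python model is an added example, not code from the book or from Windows NT itself. It ties together the security descriptor and DAC ACL described at the start of this section (an owner SID plus a list of ACEs, each pairing a user or group SID with permissions) and the groupings in Tables 3.2 to 3.5: standard permissions expand to sets of the special permissions R, X, W, D and P, with separate expansions for files and directories, and an access check takes the union of every ACE that matches the subject's own SID or one of its groups. All SIDs, group names and the sample ACL are constructed; the letter <CODE>O</CODE> for the take-ownership right is an assumption (the text describes the right but Table 3.2 gives it no letter), as is letting a No Access entry override every other grant, which follows the "under no circumstances" wording of Tables 3.4 and 3.5. The SYSTEM ACL is left out of the model.</P>

```python
"""Model of NT discretionary access control per Tables 3.2 to 3.5.

Added example, not code from the book. SIDs, groups and the sample ACL are
constructed; the "O" letter for take-ownership and the No-Access-overrides-
all rule are assumptions explained in the lead-in.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Special permissions from Table 3.2, one letter each.
SPECIAL = frozenset("RXWDP")
TAKE_OWNERSHIP = "O"              # assumed letter, not in Table 3.2
ALL = SPECIAL | {TAKE_OWNERSHIP}  # "All" in Table 3.3

# Standard permissions as groupings of special permissions (Table 3.3).
# None marks an entry that is "Not applicable" to that object type.
STANDARD_FILE: Dict[str, Optional[FrozenSet[str]]] = {
    "No Access": frozenset(), "List": None, "Read": frozenset("RX"),
    "Add": None, "Add & Read": None, "Change": frozenset("RXWD"),
    "Full Control": ALL,
}
STANDARD_DIR: Dict[str, Optional[FrozenSet[str]]] = {
    "No Access": frozenset(), "List": frozenset("RX"), "Read": frozenset("RX"),
    "Add": frozenset("WX"), "Add & Read": frozenset("RWX"),
    "Change": frozenset("RXWD"), "Full Control": ALL,
}


@dataclass(frozen=True)
class ACE:
    """One DAC ACL entry: a user or group SID plus the special permissions
    granted to it. deny=True models a No Access entry."""
    sid: str
    perms: FrozenSet[str]
    deny: bool = False


def standard_ace(sid: str, name: str, is_directory: bool) -> ACE:
    """Build an ACE from a standard permission name, refusing the
    file/directory combinations Table 3.3 marks as not applicable."""
    table = STANDARD_DIR if is_directory else STANDARD_FILE
    if name not in table:
        raise ValueError(f"unknown standard permission: {name!r}")
    if name == "No Access":
        return ACE(sid, frozenset(), deny=True)
    perms = table[name]
    if perms is None:
        raise ValueError(f"{name!r} is not applicable to files")
    return ACE(sid, perms)


@dataclass
class SecurityDescriptor:
    """The DAC part of Figure 3.2: owner SID plus the DAC ACL."""
    owner_sid: str
    is_directory: bool
    dacl: List[ACE] = field(default_factory=list)


def effective_permissions(sd: SecurityDescriptor,
                          subject_sids: Iterable[str]) -> FrozenSet[str]:
    """Union of the special permissions from every ACE whose SID is the
    subject's own SID or one of its groups; a matching No Access entry
    wins outright, whatever else the list grants."""
    subject = set(subject_sids)
    granted: set = set()
    for ace in sd.dacl:
        if ace.sid not in subject:
            continue
        if ace.deny:
            return frozenset()
        granted |= ace.perms
    return frozenset(granted)


def check_access(sd: SecurityDescriptor, subject_sids: Iterable[str],
                 requested: str) -> bool:
    """True when every requested special permission (e.g. "RW") is held."""
    return set(requested) <= effective_permissions(sd, subject_sids)


def can_change_permissions(sd: SecurityDescriptor,
                           subject_sids: Iterable[str]) -> bool:
    """The owner always controls the ACL; a non-owner needs P (the text's
    first addition over UNIX permission bits)."""
    sids = set(subject_sids)
    return sd.owner_sid in sids or "P" in effective_permissions(sd, sids)


def build_sample() -> SecurityDescriptor:
    """Constructed scenario from the text: Joe owns a file that Bill and
    Jane work on; Jane may also set its permissions; contractors get
    No Access."""
    sd = SecurityDescriptor(owner_sid="S-JOE", is_directory=False)
    sd.dacl = [
        standard_ace("G-PROJECT", "Change", is_directory=False),  # Bill, Jane
        ACE("S-JANE", frozenset("P")),                            # P only
        standard_ace("G-CONTRACTORS", "No Access", is_directory=False),
    ]
    return sd


if __name__ == "__main__":
    sd = build_sample()
    for who, sids in [("bill", {"S-BILL", "G-PROJECT"}),
                      ("bob", {"S-BOB", "G-PROJECT", "G-CONTRACTORS"})]:
        print(who, "".join(sorted(effective_permissions(sd, sids))),
              "can change permissions:", can_change_permissions(sd, sids))
```

<P>Two points the tables alone do not make visible: a subject reaches a permission through any group it belongs to, so Bob's membership in the project group grants nothing once a No Access entry for his other group is present, and a non-owner such as Jane gains control of the ACL only through the P special permission, while Joe keeps it as owner regardless of the ACL's contents. Requesting <CODE>List</CODE> or <CODE>Add</CODE> for a file raises an error, mirroring the "Not applicable" cells of Table 3.3.</P>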
</TD>
</TR>
</TABLE>
</BODY>
</HTML>