Class 3: Sept 17 Oops: is some stuff in other file? Mies van der Rohe (IBM plaza, IIT): "less is more" windows: more is less?? NTFS permissions, continued NTFS examples inheritance: default, can be broken basic 5/6 Full Control Modify Read & Execute List Folder Contents Read Write Can be applied to as many users/groups as you want fine-grained Traverse Folder/Execute File (mysterious) List Folder/Read Data Read Attributes Read Extended Attributes Create Files/Write Data Create Folders/Append Data Write Attributes Write Extended Attributes Delete Subfolders and Files Delete Read Permissions Change Permissions Take Ownership Synchronize various groups (pld, CREATOR OWNER, etc) CREATOR OWNER: when a folder has CREATOR OWNER rights, each file created in that folder inherits these rights but they apply to the actual owner. inheritance & rights: normally, rights are inherited from the creating folder. my no_inheritance example (why did I need that?) and rights to the file within it. What to do about someone else's file in your folder, if you don't have the right to delete it. If you own the folder, you can TAKE the right to "delete subfolders and files" effective permissions allow/deny: deny takes precedence security of permissions: pretty good. Ways around: inappropriate setting, overgenerous service Booting off a floppy: does this get you in? Maybe. File system efficiency Backup & Restore ================================== 3. Some windows miscellany Where is the DESKTOP??? My Documents?? Find the actual folders GUI versus cmd taskmgr registry (start up regedit) User Rights (below) Lab: * check the status of "Hide extensions for known file types" * create two accounts, try to create a file readable by only one of the accounts. can Owner read the file? can Owner change the permissions or Take Ownership? * try making the desktop read-only * kill & restart explorer.exe, using taskmgr ================================================================================== ================================================================================== The song "Reinstalling Windows", by Les Barker Note that I cannot "chdir" into a directory without Traverse permission Permissions utilities: google for "ntfs permission utilities" sysinternals.com site is good AccessEnum demo: ok accesschk c:/pld/430 accesschk -r c:/windows Not just files but essentially all Windows objects can have permissions: files & folders shares registry entries services printer terminal services connections group policy objects Some of these have different types of permissions Disk quotas User disk space New accounts: alice, bob find out if either is in Power Users add Alice, if she is not (or take away) disable writing to Desktop How gracefully does Windows handle this? ===================================================== The Windows Registry; regedit, regedt32 .reg files # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom. # Double-click the Autorun value, and type 0 for its value. Lots of values! Some relate to me: they are part of my PROFILE!! ===================================================== Configuring the start menu (important part of controlling what programs are available) User Rights Assignment: set with Local Security Policy tool See Appendix B Access this computer from the network Allow logon through terminal services Log on as a batch job Log on as a service Log on locally Deny access to this computer from the network Deny logon as a batch job Deny logon as a service Deny logon locally Deny logon through Terminal Services Privileges Act as part of the operating system * Add workstations to domain Adjust memory quotas for a process Back up files and directories ** Bypass traverse checking Change the system time Create a pagefile Create a token object Create permanent shared objects * Debug programs Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shut down the system Synchronize directory service data Take ownership of files or other objects ================================================== 4. Deployment of an installation What is a DOMAIN?? How are client machines authenticated? User accounts must be added to the domain! This means: one master password database instantaneous password update (compare propagating passwd file every night) new users, passwd changes can be secure Domain logon process Servers: Authentication & domain management Fundamental network services File servers Web & Application servers print servers & standalone networked printers List of services from Win2k3: File server Print server Application server (web, database, db+web) Mail server Terminal server (remote desktop access) Remote access/VPN server Domain controller DNS server DHCP server Streaming media server WINS server (certificate authority) Basics of Authentication Standalone Windows: impractical in a lab setting Network authentication Single Signon logon, filesystem, email, ... Windows DOMAIN: a logical group of networked computers that share a central directory database of user account/security info.... domain v standalone machines Domains and GROUP POLICY: can set options on all machines in the domain user PROFILES What's in a profile? What do we need individual user accounts for? Why can't everyone log into the lab workstations as GUEST? * private disk space [but not everyone has this] * email access (a form of private disk space?) * user config settings [window layout, desktop background, etc] * browser history, cache, etc Privacy issue: if everyone DOES log in as GUEST, each user sees the previous user's browser history, for example. ========================= Configuration issue: folder display extensions for known files: =============================================================