|
![]() |
![]() |
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
![]() |
![]() |
To access the contents, click the chapter and section titles.
Intrusion Detection: Network Security beyond the Firewall
Permissions for NT Files and DirectoriesThe NT file system (NTFS) supports granular DAC. Each file in the NTFS is an object. Every NT object has a security descriptor consisting of the objects unique identifier and a pair of access control lists. The security descriptor for an object is initialized when the object is created. Figure 3.2 shows the components of the security descriptor.
The security descriptor contains a DAC ACL component and a SYSTEM ACL component. Normal NT user and group access rights for an object are stored in the DAC ACL. Each entry (ACE) in a DAC ACL identifies a particular user or group SID along with the access permissions granted to that subject. The special NT user SYSTEM, which represents the operating system itself, has a separate ACL. These two distinct ACLs are described in the next few sections. DAC Access Control Lists NT distinguishes between standard permissions and special permissions. Access permissions for an object are normally defined using the standard permissions that are logical groupings of special permissions. Consider the more low-level special permissions first. Special permissions are similar to permission bits found in UNIX with two additions. First, an explicit option enables the subject to change the objects access permissions. If you have this permission for an object, even if you are not the objects owner, you will be allowed to modify its permissions. Unlike most UNIX systems, NT allows for the possibility that the objects owner may not be the only user who is allowed to change the permissions of an object. For example, user Joe may want users Bill and Jane to be able to set permissions on files that they work on together. Next, special permission can be granted to take ownership of an object. By default, the owner of the object controls its permissions. Taking ownership of an object is a powerful permission and is normally limited to the objects owner. The Administrator is allowed to take ownership of any object. Table 3.2 describes the special NT file permissions.
Standard permissions are summarized in Table 3.3. Notice that the intent is to provide more meaningful terms for users to administer access permissions than the granular special permissions. Whether in practice these higher level abstractions are easier for systems administrators is a matter of opinion.
Notice that the List and Add permissions have no interpretation for individual files. These permissions are meaningful only for directories. Recall from the discussions on UNIX permissions that a number of special meanings are applied to the permission bits depending on whether the object is a file or directory. The interpretations for the NT standard permissions are shown in Table 3.4 for files and Table 3.5 for directories.
|
![]() |
Products | Contact Us | About Us | Privacy | Ad Info | Home
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited. |