Managing NTFS Permissions
Use Process Monitor to eliminate administrative rights and allow applications to run with the least amount of privileges.
December 15, 2009
Eliminating administrative rights is an easy way to prevent viruses, adware, and other annoyances from being installed on your systems. If you’re logged on to a computer as an administrator, all the processes you run have full control of the system, which is a huge security risk. For example, if you view a questionable website as an administrator, adware on that site can easily install and infect the computer. If you view the same website as a user, the adware won’t have installation rights and therefore will be prevented from installing.
Microsoft provides a free tool called Process Monitor that you can use to manage NTFS permissions. Process Monitor lets you eliminate administrative rights and configure applications to run with the least amount of privileges. I frequently use this tool on my organization’s Citrix servers; you can also use it with all Windows Server and workstation OSs.
Process Monitor monitors your computer’s registry, as well as the files and folders on your computer, and reports on everything affected by the running processes. The software is the next generation of two Sysinternals programs called Filemon and Regmon. Process Monitor saves time because it lets you monitor your registry and files simultaneously, whereas Filemon and Regmon required individual monitoring. You can download Process Monitor at technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
In order to run applications with the least amount of privileges, you must first understand application permissions. When you install an application, the installation process typically creates a folder in the Program Files directory and adds some registry entries for the application. Many applications require that you have full access to the application files and registry entries to be able to run the software. In general, the Users group has read-only access to application folders and registry keys—which is why you often get an error message when you try to run an application as a user. An easy way to tell if you’re running into a permission problem is to run the application as both a user and an administrator. If the program runs under administrator but not user, a permission issue exists. You can solve most permission problems by modifying the NTFS permissions on your files, folders, and registry keys.
Some applications require low-level kernel and hardware access and are difficult if not impossible to run as a user. If you use Process Monitor to resolve all the permission issues it finds and still can’t run an application as a user, you might need to check with the software vendor to determine if any other options exist.
Incorrect NTFS permissions can have a negative effect on your OS and applications. For example, incorrect permissions can loosen your security, and incorrect registry entries can cripple a machine. Don’t give too much access to the Users group. Users shouldn’t have full control of the Windows folder or any other root or system levels of the Windows file structure and registry. For security reasons, it’s best to grant access on a folder by folder or registry key by registry key basis.
Process Monitor takes out all the guesswork and shows you exactly where a denial of access is occurring, by individual file, folder, or registry key. Before you run Process Monitor, be sure to take a complete system backup. In addition, you might want to test this procedure on a test machine before applying it in a production environment.
To use Process Monitor to manage your NTFS permissions, follow these steps:
Start Process Monitor; it will start capturing events automatically.
Log on as a user, and open the application you want to manage.
When the application fails to run or generates an error, stop the capture.
Within Process Monitor, perform an Access Denied search. The search results will show the files, folders, and registry keys that are being denied access.
Right-click the item that’s being denied, and select Jump To. This action will open the corresponding folder or registry key.
Right-click the file, folder, or registry key being denied; then, select Properties, open the Security tab, and set the NTFS permissions to give the Users group full access. If the Users group doesn’t exist, add it and configure it for full access.
Repeat Steps 4 through 6 to adjust the permissions for each Access Denied item that Process Monitor found.
Test each application while still logged on as a user. If the permission problem is resolved, the application will run correctly. If the application still won’t run, repeat Steps 1 through 6.
In addition to troubleshooting permissions, I use Process Monitor to find the files and registry entries that a particular piece of software is using. The tool is useful in helping determine a file’s location. For example, I’ve used Process Monitor to locate reports that were running in the background of my company’s accounting software. Without this tool, I would have had to go through more than a hundred reports to determine which one needed to be updated.
About the Author
You May Also Like