Permissions in NT

John Savill

March 4, 1999


A. The default permissions in NT are loose to provide for easy use (see Microsoft Knowledge Base Article Q148437). To make the system more secure, read "Securing Windows NT Installation" (http://www.microsoft.com/NTServer/Basics/TechPapers/). With a few exceptions, it suggests granting Administrators, Creator/Owner and System Full Control, Everyone Read for all system and program files, and leaving registry permissions alone. But be forewarned: unless you have the luxury of restricting programs to those that have earned the NT logo, be prepared for some hassles if you do it. And Microsoft missed a few, in particular the need to remove Everyone Read from the system logs, %systemroot%\system32\config and its contents.

Help topics 'Special Access Directory Permissions' and 'Special Access File Permissions' describe the 6 types of permission in the NT file system. Each can be applied to directories and files on a top-down then individual basis. Windows Explorer may be used (Properties) to apply ownership and permissions to directories and files for small systems.

Under Windows NT, deny access takes precedence over grant access (article Q102608). When NT checks permissions, it does so in one pass, not discriminating between users and groups. As soon as any "deny access" permission is reached, the search is terminated and access to the resource is denied. So, if Everyone No Access is in the list for something, that's exactly what it means. (NT's Everyone is not Unix's World! The only way to recover from that misconception is for an administrator to forcibly take ownership of the item, then amend the permissions.) To give Owner full access and everyone ELSE read-only, grant Creator/Owner Full Control, Users Read; to refuse access to everyone else, simply omit any entry for Users. It is essential to retain System Full Control of all NT system files, unless you enjoy plugging hard drives into other machines to get them working again.

A useful structure for an independent user environment is to create a directory with permission Full Control for that user, then designate that as the user's root directory. The same permission should be applied to %systemroot%\System32\Profiles and all its contents. If users are to maintain their own phone books, Users Read/Write is needed for the %systemroot%\System32\RAS directory, then Full Control for the .pbk file in it when the user creates it.
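The access-check walk described above (one pass over the ACL, a matching deny ends the check, rights from allow entries accumulate, and a principal that matches no entry at all is denied) is easy to get wrong by intuition, so here is a small simulation of it. This is an added example, not code from the article; the rights bits, the principal names and the three ACLs are constructed, and "Creator Owner" is simplified to mean "the object's owner" (in NT it is an inheritable placeholder that is replaced by the creator's SID when the object is created). It reproduces the three situations the text describes: Everyone No Access locking out the administrator too, Creator/Owner Full Control plus Users Read, and omitting the Users entry altogether.

```python
"""Simulation of the NT DACL access check (added example, constructed data)."""
from dataclasses import dataclass

# Simplified access-mask bits (constructed; real NT masks are 32-bit).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
DELETE = 0x8
CHANGE = READ | WRITE | EXECUTE | DELETE
FULL = CHANGE | 0x10  # 0x10 stands in for "change permissions / take ownership"


@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # user or group name
    mask: int     # rights this entry allows or denies


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset

    def matches(self, trustee, owner):
        # Assumption for this example: "Creator Owner" resolves to the owner.
        if trustee == "Creator Owner":
            return self.user == owner
        return trustee == self.user or trustee in self.groups


def access_check(dacl, owner, token, requested):
    """Walk the ACEs top to bottom exactly once and return (granted, reason)."""
    remaining = requested
    for ace in dacl:
        if not token.matches(ace.trustee, owner):
            continue  # entries for other users/groups are skipped, not compared
        if ace.kind == "deny":
            if ace.mask & remaining:
                # A deny covering any still-wanted right ends the search.
                return False, f"deny ACE for {ace.trustee}"
        else:
            remaining &= ~ace.mask  # allow entries accumulate rights
            if remaining == 0:
                return True, "all requested rights granted"
    # No entry granted everything that was asked for: implicit deny.
    return False, "no ACE grants the remaining rights (implicit deny)"


# Constructed principals: alice is an administrator, bob an ordinary user.
ALICE = Token("alice", frozenset({"Administrators", "Users", "Everyone"}))
BOB = Token("bob", frozenset({"Users", "Everyone"}))

# 1. "Everyone No Access" listed before an Administrators grant.
NO_ACCESS_DACL = [Ace("deny", "Everyone", FULL),
                  Ace("allow", "Administrators", FULL)]

# 2. Owner full access, everyone else read-only.
OWNER_AND_USERS_READ_DACL = [Ace("allow", "Creator Owner", FULL),
                             Ace("allow", "Users", READ)]

# 3. Same, with the Users entry omitted: only owner, System and admins get in.
OWNER_ONLY_DACL = [Ace("allow", "Creator Owner", FULL),
                   Ace("allow", "System", FULL),
                   Ace("allow", "Administrators", FULL)]


def run_scenarios():
    """Return the outcome of each scenario so it can be inspected or asserted."""
    return {
        "admin_vs_everyone_no_access": access_check(NO_ACCESS_DACL, "alice", ALICE, READ)[0],
        "owner_change_on_own_dir": access_check(OWNER_AND_USERS_READ_DACL, "alice", ALICE, CHANGE)[0],
        "user_read_on_owner_dir": access_check(OWNER_AND_USERS_READ_DACL, "alice", BOB, READ)[0],
        "user_write_on_owner_dir": access_check(OWNER_AND_USERS_READ_DACL, "alice", BOB, WRITE)[0],
        "user_read_with_no_users_entry": access_check(OWNER_ONLY_DACL, "alice", BOB, READ)[0],
    }


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The first scenario is the trap the text warns about: alice is an administrator, but she is also a member of Everyone, so the deny entry matches her before her Administrators grant is ever reached; only taking ownership and rewriting the ACL recovers the object. The last scenario shows why "simply omit any entry for Users" works: bob never matches an entry, so the walk ends with READ still outstanding and access is refused without any explicit deny.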

Some programs with 16-bit code in them (e.g. WordPerfect 8) require Change permission to the Temp directory so they can store swap files (to bypass the 16-bit memory limit). Unfortunately, in NT this directory is used for sensitive system files, so real security is not possible if such programs are used.

Legacy programs often assume full access to their system registry entries. Regedt32 (Security) is used to apply permissions to individual registry entries. If you get abnormal behavior of a program, try granting Everyone Full Control to all the keys under the company's name in the Local Machine registry section. (Back up the registry first, of course, for restore if it doesn't work.) For example: WordPerfect 8 announces that ASCII files are an 'unsupported format' unless Users have Full Control of the Corel key and all its subkeys; Storm's EasyPhoto terminates with 'lego not found' unless Users have Full Control of the Storm registry. Most TWAIN systems require Users Change access to WinNT and all Twain*/Twunk* files in it.

You can get what look like permission or sharing problems if you use the Internet Explorer Connection Wizard to set up Internet connections - Fax enabled can prevent modem access, etc. You should delete all IE-generated connections and establish new ones with the NT Dial-up Networking system, not the IE system. Individual account connections should be set up in user phone lists, not the (default) system list, especially if users store their passwords. (This can be forced by granting only Administrator and System access to rasphone.pbk.)

Reports on groups, users, ownership and permissions are not available from Microsoft (article Q137848), but are available from others. See http://www.microsoft.com/security/default.asp for links to these and other advanced NT security resources.

Contributed by John Sankey
