
A description of Permissions in NT.

The default permissions in NT are loose to provide for easy use (see Microsoft Knowledge Base Article Q148437). To make the system more secure, read "Securing Windows NT Installation" (http://www.microsoft.com/NTServer/Basics/TechPapers/). With a few exceptions, it suggests granting Administrators, Creator/Owner and System Full Control, Everyone Read for all system and program files, and leaving registry permissions alone. But be forewarned: unless you have the luxury of restricting programs to those that have earned the NT logo, be prepared for some hassles if you do it. And, Microsoft missed a few, in particular the need to remove Everyone Read from the system logs, \%systemroot%\system32\config and its contents.

Help topics 'Special Access Directory Permissions' and 'Special Access File Permissions' describe the 6 types of permission in the NT file system. Each can be applied to directories and files, first top-down over a whole tree and then adjusted on individual items. On small systems, Windows Explorer (Properties) is sufficient to apply ownership and permissions to directories and files.

Under Windows NT, deny access takes precedence over grant access (article Q102608). When NT checks permissions, it does so in one pass, not discriminating between users and groups. As soon as any "deny access" permission is reached, the search is terminated and access to the resource is denied. So, if Everyone No Access is in the list for something, that's exactly what it means: nobody, administrators included, can use it. (NT Everyone is not Unix World! It includes the owner and the administrators, not just "everybody else". The only way to recover from that misconception is for an administrator to forcibly take ownership of the item and then amend the permissions.) To give the Owner full access and everyone ELSE read-only, grant Creator/Owner Full Control and Users Read; to refuse access to everyone else, simply omit any entry for Users. It is essential to retain System Full Control of all NT system files, unless you enjoy plugging hard drives into other machines to get them working again.
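The single-pass, deny-wins evaluation described above, together with the Creator/Owner plus Users pattern and the take-ownership recovery step, as an added Python model. This is not part of the original FAQ and is not NT's own access-check code: the rights bits, the trustee names, the sample file paths and the simplified rule that an administrator can always take ownership are all assumptions made for the illustration.

```python
"""Simplified model of the NT access check described in the FAQ.

Assumed rules (an illustration, not the real NT implementation):
- an ACL is an ordered list of entries; each names a trustee (user or group),
  says whether it allows or denies, and carries a set of rights
- the check walks the list once, treating user and group entries alike
- the first deny entry that matches the caller and overlaps the requested
  rights ends the check with access denied
- allow entries accumulate until every requested right has been granted;
  if the list runs out first, access is denied
- "CREATOR OWNER" is resolved to whoever currently owns the object
- every caller is implicitly a member of Everyone
"""
from dataclasses import dataclass

# Constructed right bits (not NT's real access-mask values).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = (1 << i for i in range(6))
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNERSHIP
CHANGE = READ | WRITE | EXECUTE | DELETE
NO_ACCESS = FULL_CONTROL  # a "No Access" entry denies every right


@dataclass
class Ace:
    trustee: str   # user or group name
    allow: bool    # False means a deny ("No Access") entry
    rights: int    # bit mask of the rights above


@dataclass
class SecuredObject:
    name: str
    owner: str
    acl: list      # list of Ace, evaluated in order


def identities(user, groups):
    """All names an access-control entry can match for this caller."""
    return {user, *groups, "Everyone"}


def access_check(obj, user, groups, requested):
    """Return True if the caller gets all requested rights on obj."""
    ids = identities(user, groups)
    granted = 0
    for ace in obj.acl:
        trustee = obj.owner if ace.trustee == "CREATOR OWNER" else ace.trustee
        if trustee not in ids:
            continue
        if not ace.allow:
            if ace.rights & requested:
                return False       # deny wins; the search stops here
            continue
        granted |= ace.rights
        if granted & requested == requested:
            return True            # everything asked for has been granted
    return False                   # nothing left to grant the rest: denied


def take_ownership(obj, admin, groups):
    """Assumed: members of Administrators can always take ownership."""
    if "Administrators" not in groups:
        raise PermissionError(f"{admin} may not take ownership of {obj.name}")
    obj.owner = admin


def demo_everyone_no_access():
    """Everyone No Access locks out an administrator too, until ownership is taken."""
    # Constructed sample object; the path is illustrative only.
    log = SecuredObject(r"C:\WINNT\system32\config\SecEvent.Evt", owner="SYSTEM",
                        acl=[Ace("Everyone", allow=False, rights=NO_ACCESS),
                             Ace("Administrators", allow=True, rights=FULL_CONTROL)])
    before = access_check(log, "alice", {"Administrators"}, READ)
    take_ownership(log, "alice", {"Administrators"})
    log.acl = [ace for ace in log.acl if ace.allow]   # amend: drop the deny entry
    after = access_check(log, "alice", {"Administrators"}, READ)
    return before, after                              # (False, True)


def demo_owner_vs_users(include_users_entry):
    """Creator/Owner Full Control, with or without a Users Read entry."""
    home = SecuredObject(r"C:\bob", owner="bob",
                         acl=[Ace("CREATOR OWNER", allow=True, rights=FULL_CONTROL)])
    if include_users_entry:
        home.acl.append(Ace("Users", allow=True, rights=READ | EXECUTE))
    return {
        "owner_write": access_check(home, "bob", {"Users"}, WRITE),
        "other_read": access_check(home, "carol", {"Users"}, READ),
        "other_write": access_check(home, "carol", {"Users"}, WRITE),
    }


if __name__ == "__main__":
    print("Everyone No Access, before/after taking ownership:", demo_everyone_no_access())
    print("Creator/Owner + Users Read:", demo_owner_vs_users(True))
    print("Creator/Owner only:", demo_owner_vs_users(False))
```

Run it as a script to see the three cases from the paragraph: the deny entry stops the walk before the Administrators allow entry is ever consulted, and omitting the Users entry is enough to shut other users out because rights that are never granted are denied by default.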

A useful structure for an independent user environment is to create a directory \<username> with permission <username> Full Control, then designate that as the user's root directory. The same permission should be applied to \%systemroot%\System32\Profiles\<username> and all its contents. If users are to maintain their own phone books, Users Read/Write is needed for the \%systemroot%\System32\RAS directory, then <username> Full Control for the <username>.pbk file in it when the user creates it.

Some programs with 16-bit code in them (e.g. WordPerfect 8) require Change permission to the \Temp directory so they can store swap files (to bypass the 16-bit memory limit). Unfortunately, in NT this directory is used for sensitive system files, so real security is not possible if such programs are used.

Legacy programs often assume full access to their system registry entries. Regedt32 (Security) is used to apply permissions to individual registry entries. If you get abnormal behavior from a program, try granting Everyone Full Control to all the keys under the company's name in the Local Machine registry section. (Back up the registry first, of course, so you can restore it if this doesn't work.) For example: WordPerfect 8 announces that ASCII files are an 'unsupported format' unless Users have Full Control of the Corel key and all its subkeys; Storm's EasyPhoto terminates with 'lego not found' unless Users have Full Control of the Storm registry. Most TWAIN systems require Users Change access to \WinNT and all Twain*/Twunk* files in it.

You can get what look like permission or sharing problems if you use the Internet Explorer Connection Wizard to set up Internet connections (for example, a fax-enabled connection can prevent modem access). You should delete all IE-generated connections and establish new ones with the NT Dial-up Networking system, not the IE system. Individual account connections should be set up in user phone lists, not the (default) system list, especially if users store their passwords. (This can be forced by granting only Administrator and System access to rasphone.pbk.)

Reports on groups, users, ownership and permissions are not available from Microsoft (article Q137848), but are available from others. See http://www.microsoft.com/security/default.asp for links to these and other advanced NT security resources.

Contributed by John Sankey


This FAQ is copyright © 1999 John Savill (SavillTech Ltd). No part of this document should be reproduced, distributed or altered without my written permission.