File permissions are an important concept in computer security. We only want to give access to certain files and directories to those who need it. While we think about how we want users to access files and folders, we should also think about how the concept of permissions carries over to other areas of your life.
Maybe you've locked down your social media posts to only people you trust, or given a copy of your house key to a relative in case of an emergency. For now, we're going to focus on one small building block: file permissions.
In Windows, file and directory permissions are assigned using access control lists, or ACLs. Specifically, we're going to work with discretionary access control lists, or DACLs. Windows files and folders can also have system access control lists, or SACLs, assigned to them.
SACLs are used to tell Windows that it should use an event log to make a note of every time someone accesses a file or folder. You can think of a DACL as a note about who can use a file and what they're allowed to do with it. Each file or folder will have an owner and one or more DACLs. Let's take a look at an example.
In Windows Explorer, I have opened up my home directory. If we right-click on Desktop and select Properties, we can see the properties dialog for our desktop directory. Then if we go to the Security tab, we can see the permissions window here.
The top box contains a list of users and groups, and the bottom box has a list of the permissions that each user or group has been assigned. What does each of these permissions do? It changes a bit depending on whether the permission is assigned to a file or a directory. Don't worry, it'll all make sense soon.
Let's do a rundown of these permissions. Read. The read permission lets you see that a file exists and allows you to read its contents. It also lets you read the files and directories in a directory. Read and execute. The read and execute permission lets you read files, and if the file is an executable, you can run the file.
Read and execute includes read, so if you select read and execute, read will automatically be selected. List folder contents. List folder contents is an alias for read and execute on a directory. Checking one will check the other. It means that you can read and execute files in that directory. Write. The write permission lets you make changes to a file. It might be surprising to you, but you can have write access to a file without having read permission to that file. The write permission also lets you create subdirectories and write to files in the directory. Modify.
The modify permission is an umbrella permission that includes read, execute, and write. Full control. A user or group with full control can do anything they want to the file.
It includes all of the permissions of modify and adds the ability to take ownership of a file and change its ACLs. Now, when we click on my username, we can see the permissions for Cindy, which show that I'm allowed all of these access permissions.
If we want to see which ACLs are assigned to a file, we can use a utility designed to view and change ACLs called icacls, or improved change ACLs. Let's take a look at my desktop first. So, icacls Desktop. Well, that looks useful, but what does it mean? I can see the user accounts that have access to my desktop, and I can see that my account is one of them.
But what about the rest of this stuff? These letters represent each of the permissions that we talked about before. Let's take a look at the help for icacls.
I bet that'll explain things. So, icacls /?. All right, there's a description of what each one of these letters means.
The F shows that I have full control of my desktop folder. icacls calls this full access, and we saw this in the GUI earlier as full control. These are the same permission. What do these other letters mean? NTFS permissions can be inherited, as we saw from the icacls help.
OI means Object Inherit and CI means Container Inherit. If I create new files or objects inside my desktop folder, they'll inherit this DACL. If I create new directories or containers in my desktop, they'll also inherit this DACL.
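
To make the letter codes concrete, here is an added example (not part of the original lecture) that parses icacls output for one folder, expands each code into the wording used by icacls /?, and lists which accounts can change files there. The sample output and the account names in it are constructed, and parse_icacls and can_write are hypothetical helper names.

```python
import re

# Letter codes and their meanings as listed by `icacls /?`.
RIGHTS = {"F": "full access", "M": "modify access", "RX": "read and execute access",
          "R": "read-only access", "W": "write-only access", "D": "delete access",
          "N": "no access"}
FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
         "NP": "don't propagate inherit", "I": "inherited from parent container"}

# Constructed sample of `icacls Desktop` output; machine and account names are made up.
SAMPLE = r"""Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        CINDY-PC\cindy:(OI)(CI)(F)
        CINDY-PC\guest:(I)(RX)
        CINDY-PC\scanner:(OI)(W)

Successfully processed 1 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"(?P<who>[^:]+):(?P<groups>(?:\([^()]+\))+)")

def parse_icacls(text, path):
    """Return one dict per access control entry in icacls output for `path`."""
    aces = []
    for line in text.splitlines():
        if line.startswith(path + " "):
            line = line[len(path):]        # the first entry shares a line with the path
        m = ACE_RE.fullmatch(line.strip())
        if not m:
            continue                       # blank line or the summary line
        groups = re.findall(r"\(([^()]+)\)", m["groups"])
        codes = groups[-1].split(",")      # the last group holds the rights
        aces.append({
            "who": m["who"],
            "deny": "DENY" in groups[:-1],
            "flags": [FLAGS.get(g, g) for g in groups[:-1] if g != "DENY"],
            "codes": codes,
            "rights": [RIGHTS.get(c, c) for c in codes],
        })
    return aces

def can_write(aces):
    """Accounts with an allow entry for F, M or W, which all permit changing files."""
    return [a["who"] for a in aces if not a["deny"] and {"F", "M", "W"} & set(a["codes"])]

if __name__ == "__main__":
    for ace in parse_icacls(SAMPLE, "Desktop"):
        print(ace["who"], ace["rights"], ace["flags"])
    print("can write:", can_write(parse_icacls(SAMPLE, "Desktop")))
```

The scanner entry in the sample has write-only access, the case mentioned above where an account can write to a file without being able to read it.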