Windows file permissions: more is less

Windows permissions are kind of like that. The core security model certainly is sufficient to comply with even the most demanding security policies. The permissions are so flexible you are really only limited by your creativity. The problem is that not enough people take advantage of these features.

Consider for example, some of the things you could potentially do:

* You could remove certain file extension mappings for specific users by denying them read access to the registry keys that contain the mappings;
* With some applications that don't provide per user settings you can sometimes accomplish the same thing with granular user permissions on the registry keys themselves;
* You can set access permissions on programs such as the command prompt so that they are only available to certain users, and only if they are logged in interactively at the console;
* You can set permissions on much more than files and registry keys - you can also set permissions on named and anonymous pipes, directory objects, processes and threads, services, printers, network shares, and kernel objects;
* You can set one access control list for a folder, another for its subfolders (even if they don't exist yet), and yet another for the files in the folder (again even if they don't exist). That means you could have a directory that allows executables but any new file in the directory is by default denied execution.

You never really see people doing stuff like this, but the users aren't all to blame.

For the rest of the article, click Here