1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Windows file permissions: more is less

Discussion in 'News' started by tripwire45, May 20, 2005.

  1. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287

    Windows file permissions: more is less



    Windows permissions are kind of like that. The core security model certainly is sufficient to comply with even the most demanding security policies. The permissions are so flexible you are really only limited by your creativity. The problem is that not enough people take advantage of these features.

    Consider for example, some of the things you could potentially do:

    * You could remove certain file extension mappings for specific users by denying them read access to the registry keys that contain the mappings;
    * With some applications that don't provide per user settings you can sometimes accomplish the same thing with granular user permissions on the registry keys themselves;
    * You can set access permissions on programs such as the command prompt so that they are only available to certain users, and only if they are logged in interactively at the console;
    * You can set permissions on much more than files and registry keys - you can also set permissions on named and anonymous pipes, directory objects, processes and threads, services, printers, network shares, and kernel objects;
    * You can set one access control list for a folder, another for its subfolders (even if they don't exist yet), and yet another for the files in the folder (again even if they don't exist). That means you could have a directory that allows executables but any new file in the directory is by default denied execution.

    You never really see people doing stuff like this, but the users aren't all to blame.

    For the rest of the article, click Here
     
    Certifications: A+ and Network+
porta2_tags:

Comments

    1. Phoenix
      Phoenix
      I do believe u can also set TCP filters to only allow certain traffic on a network interface, then limit that at the registry level on a per user basis, so some users just cant use the network connection really
      atleast, you used to be able to, as thats what i did before i had a firewall/router to stop my brother hogging my bandwidth with P2P hehe, there may well be an easier way these days for it :) (Prob windows firewall or something, i think Local Security policy can lock this down too now, dont know as dont live with my brother anymore so its not an issue hehe)

    Share This Page