Windows XP home file permissions
From: Max Polk (maxpolk@lycos.com) Date: 03/30/02
From: Max Polk <maxpolk@lycos.com> Date: Sat, 30 Mar 2002 18:36:59 GMT
This is an article about file permissions in Windows XP home edition.
I found the program cacls.exe listed deep in some Microsoft technical
bulletin, and after some investigation, found out that you frequently
need this command to set up multi-user accounts on Windows XP home.
** TYPES OF USERS
The Windows XP home version omits several security and permission
features you get with Windows XP professional. First of all, you only
have two general kinds of accounts, administrators and limited accounts.
The safer way to use Windows XP home is to set up one administrator
account to be used only for installing software, and set up multiple
limited accounts to be used for all users, including the administrator,
for ordinary usage.
When you do this, you can make each user's personal folders and settings
visible only to that user. Select this option when setting up the users.
Also ensure each user has a password, especially the administrator
account.
Remember, security is not just about malicious people, it's also about
avoiding accidents. Making files private is not just about avoiding
personal embarrassment, it's also about accidental disclosure of
passwords and other things that may be lying around in files. Making
files private also helps avoid accidental deletion of files.
** FILE PERMISSIONS FOR EVERYONE
After you install a program as the administrator, you may find out that
certain databases or files need to be writable by limited users. Many
older programs still write things where the application is installed.
To make things work for limited users, you may need to change file
permissions.
From Windows Explorer, right click on a directory and you will see under
the "Sharing" tab the area "Local sharing and security". In Windows XP
home, you have one option called "Make this folder private", and
frequently it is disabled.
However, you can still change detailed file and directory access
permissions by using the "cacls.exe" command located in the Windows
system directory. Try typing "cacls" and it shows its usage
instructions.
Let's say the administrator installs a game into "C:\games\wildfun" that
needs to be writable by various limited accounts. I have an older
Windows 95 game that creates subdirectories where the program is
installed for each new user. Such a game failed under the limited user
because the file permission was too restrictive. The game ran, because
the files were readable, but there was no ability to create or overwrite
files.
As an experiment, I logged in to a machine named "BOZO" as user "Clown"
as the administrator, created a new directory "C:\games\wildfun" and
looked at what permissions were given that directory. This is what I
saw:
    C:\>mkdir c:\games\wildfun
    C:\>cacls c:\games\wildfun
    c:\games\wildfun BUILTIN\Administrators:F
                     BUILTIN\Administrators:(OI)(CI)(IO)F
                     NT AUTHORITY\SYSTEM:F
                     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                     BOZO\Clown:F
                     CREATOR OWNER:(OI)(CI)(IO)F
                     BUILTIN\Users:R
                     BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                               GENERIC_READ
                                               GENERIC_EXECUTE
                     BUILTIN\Users:(CI)(special access:)
                                       FILE_APPEND_DATA
                     BUILTIN\Users:(CI)(special access:)
                                       FILE_WRITE_DATA
Wow. I see 5 kinds of users and 6 types of file permissions above.
The 5 users or kinds of users listed above are:
    1. BUILTIN\Administrators
    2. NT AUTHORITY\SYSTEM
    3. BOZO\Clown
    4. CREATOR OWNER
    5. BUILTIN\Users
The 6 file permissions listed above are:
    1. F
    2. (OI)(CI)(IO)F
    3. R
    4. (OI)(CI)(IO)(special access:)
           GENERIC_READ
           GENERIC_EXECUTE
    5. (CI)(special access:)
           FILE_APPEND_DATA
    6. (CI)(special access:)
           FILE_WRITE_DATA
Because we KNOW WHAT WE WANT, let's let everyone do anything to this
directory. It's simple. Use the cacls command, and give all users
full control:
    C:\>cacls c:\games\wildfun /t /g "builtin\users:f"
    Are you sure (Y/N)?y
    processed dir: c:\games\wildfun
    C:\>cacls c:\games\wildfun
    c:\games\wildfun BUILTIN\Users:(OI)(CI)F
The cacls command took a "/t" option to work on all directories and
subdirectories, and it took a "/g" option to grant the following users
the type of access specified. The type of user I specified was
"builtin\users" meaning everybody, and the access I granted was "F" for
full control.
Afterwards, I typed the same command with no options, just cacls and the
directory name, to list permission on that directory, and it shows the
new file permissions I just granted, that "c:\games\wildfun" has
"BUILTIN\Users" given "F" full control, and that the control is
"(OI)" object inherit and "(CI)" container inherit, which is basically
that any files or subdirectory created later in "c:\games\wildfun" will
also inherit these same permissions.
After giving all users full control, the game then ran just fine.
** FILE PERMISSIONS FOR JUST YOU
Sometimes you want your personal files to remain private. The
"properties" on many directories under Windows Explorer do not allow you
to check the "Make this folder private".
For good backups, you may wish to keep all your personal files in one
directory. Since all personal files for user "Clown" default to the
"c:/Documents and Settings/Clown" directory, this makes for an easy
backup scheme.
But what if I have other directories that Windows XP home doesn't allow
me to secure with this "Make this folder private" option?
There is a solution after all. Use the cacls command, but this time,
grant permissions only to yourself.
Now on my machine "BOZO", logged in as user "Clown", who I am is:
BOZO\Clown
This appends the user name to the machine name, with a backslash in
between. This is needed because others may log in from other computers,
such as "CANDY\Lollipop", which is the Lollipop user logging in from the
CANDY machine. Other user types don't use a machine name, they use
special names like "NT AUTHORITY" or "BUILTIN".
I used the cacls command granting full access to JUST MYSELF in the
"C:\ClownAround" directory:
    cacls C:\ClownAround /t /g BOZO\Clown:f
I'm all set, right? Wrong! When I did this, I found out that PGP,
which starts at system startup before I log in, no longer could read
needed files in my private directory.
After all, I did grant full permission to all users, why can't it read
it? It's simple, PGP starts and runs under the system account, not
under the user account. Hit "Control-Shift-Esc" and in the task manager
that comes up, go to the "Processes" tab.
If you are an ex-Windows 95/98/ME user, you might really like the task
manager that was around in Windows NT/2000.
Look at the "User name" column, and you will see that most processes are
not running under your user, they are running under "SYSTEM", "LOCAL
SERVICE", or "NETWORK SERVICE". Whereas my PGP system tray icon was
running under my user name, the PGP services were running under
"SYSTEM" and therefore were not users and could not read my files.
I changed the file permissions from granting ONLY myself full control,
to granting myself AND the system full control. It looks like this:
    cacls C:\ClownAround /t /g "nt authority\system:f" "BOZO\Clown:f"
Notice the quotation marks around "nt authority\system:f"? It's because
there's a space between "nt" and "authority" and we want to group them
together into a single command-line argument to pass to cacls. Without
it, it thinks you are granting "nt", then it thinks you are
granting "authority\system:f", and it has no clue what either of these
might mean.
Now, I'm all finished. PGP can read the files as the system account,
but not all users.
Now since there's only one administrator (you did take my advice, now,
didn't you?), there's little chance somebody can install software that
runs as the system account that then reads my private files.
My findings seem adequate for my use. If there are further details
about all of this, or an explanation of all these built in and nt
authority special kinds of users, I would like to know. For the time
being, you have quite a bit of control simply using cacls and granting
full control to either all users, or just you and the system.
I grant this to the public domain. -- Max Polk (maxpolk@lycos.com)
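
As an added example (not part of the original post), the Python sketch below parses the two cacls listings from the "FILE PERMISSIONS FOR EVERYONE" section and compares them: the listing printed after the /g grant contains only the BUILTIN\Users entry, so every other principal from the first listing no longer appears. The parse_cacls and review functions and the BROAD set are names made up for this illustration, and the sample text is retyped from the listings above.

```python
import re

# Constructed sample input: the two cacls listings shown in the post.
BEFORE = r"""c:\games\wildfun BUILTIN\Administrators:F
                 BUILTIN\Administrators:(OI)(CI)(IO)F
                 NT AUTHORITY\SYSTEM:F
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                 BOZO\Clown:F
                 CREATOR OWNER:(OI)(CI)(IO)F
                 BUILTIN\Users:R
                 BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                           GENERIC_READ
                                           GENERIC_EXECUTE
                 BUILTIN\Users:(CI)(special access:)
                                   FILE_APPEND_DATA
                 BUILTIN\Users:(CI)(special access:)
                                   FILE_WRITE_DATA"""
AFTER = r"c:\games\wildfun BUILTIN\Users:(OI)(CI)F"

ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<perm>.+)$")
BROAD = {"BUILTIN\\USERS", "EVERYONE"}  # assumption: groups treated as "everybody"

def parse_cacls(text, path):
    """Return a list of ACE dicts: who, flags (set), perm, rights (special access)."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE.match(line)
        if m:
            aces.append({"who": m["who"], "flags": set(re.findall(r"\((\w+)\)", m["flags"])),
                         "perm": m["perm"], "rights": []})
        elif line and aces:
            aces[-1]["rights"].append(line)   # continuation of a "special access:" entry
    return aces

def review(before, after):
    """Compare two listings: principals that lost every entry, and broad full-control grants."""
    removed = sorted({a["who"] for a in before} - {a["who"] for a in after})
    broad = [a["who"] for a in after if a["perm"] == "F" and a["who"].upper() in BROAD]
    return removed, broad

if __name__ == "__main__":
    removed, broad = review(parse_cacls(BEFORE, r"c:\games\wildfun"),
                            parse_cacls(AFTER, r"c:\games\wildfun"))
    print("principals no longer listed:", removed)
    print("full control granted to broad groups:", broad)
```

cacls replaces the existing ACL unless its /e (edit) option is given, so a before/after comparison like this is worth running after any /g change.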