Evaluating Effective Access


This post is also taken from the “Understanding and Troubleshooting Dynamic Access Control” and serves as a good refresher for how to determine a users effective permissions.  This material is not new, but the concept is dated and finding this information on Microsoft’s web site is becoming increasingly more difficult.  This post only covers NTFS and share permissions.  It does not include evaluating permissions that use Central Access Policy or Dynamic Access control.  We’ll save that for another post.

There are a few concepts you should understand to set you up for success for evaluating effective access.  Let’s start with those.


Access Token

Windows creates an access token for each user that logs on to the computer.  The authentication token contains the security identifier (SID) of the user and SIDs of all the groups to which the user belongs, directly or indirectly as in the case of nested groups. Windows uses this access token to determine if a permission entry’s principal applies to the principal accessing the share by comparing the SIDs within the token against the SID of the principal of each permission entry in the permission list.

A permission list contains one or more permission entries.  Each permission entry contains a principal, type, and access.  The principal is a SID to which the permission entry applies– typically a user or group.  The permission entry type describes whether the permission entry allows or disallows access.  The access portion of the permission entry describes the permissions a user performs when trying to use the file.  Therefore, these three components define how Windows protects a given resource.

Applicability

Windows only cares about permission entries that are applicable to the user attempting to access the resource.  Windows determines if a permission entry applies to the user by comparing the principal SID in the permission entries with the SIDs in the access token.  If the principal SID is present in the access token, then the permission entry applies to the user.  Windows includes that permission entry when evaluating access to the resource.

Explicit Access

A user encounters two points of access policy when accessing a file share hosted on a Windows file server: Share access policy and File access policy.  These access policies collective represent the permissions Windows uses to determine access to files in the share.  You determine effective access for the user by comparing the applicable permission entries in the file permissions list with the applicable permission entries in the share permissions list. Windows grants the access common between both lists to the user.  If the access requested by the user matches the access extended to the user by Windows, then Windows applies the permission type to the user, which is either allow or disallow the requested access.  This concept is known as explicit access because a permission entry appears in both lists that explicitly applies the access type to the request.

Implicit Access

However, there are some circumstances where permission entries do not share common access.  Typically, this occurs when neither of the permission lists contains a common permission entry that is applicable to the user.  Windows cannot grant explicit access and prevents access to the resource.  This behavior is known as implicit access.  Implicit access is the common reason why users cannot access a resource when the resource does not explicitly deny them access.

Share Access Policy (Share Permissions)

Share access policy, also referred to as share permissions; represent the basic access you can grant on a shared folder.  On a share, you can control access to the share using Read, Change, and Full Control permissions.  Windows creates these categories of access through a list of basic permissions.  Basic permissions are a combination of advanced permissions.

permissionMappingTable

File Access Policy (NTFS Permissions)

Files and folders stored on NTFS volumes use permissions. The file system is a hierarchy of files and folders. Files and folders throughout the hierarchy share a parent-child relationship. This hierarchy supports the flow of permission entries from the top-most parent to the bottom-most child. This flow of permission entries is known as inheritance.

There are two categories of NTFS permission entries: explicit and inherited. Explicit file permission entries are permission entries that you assign directly to the file or folder. Inherited file permission entries are permission entries that a resource receives from its parent by virtue of inheritance.

A folder is unique in that it can be subordinate to its parent folder — thereby acting as the child in the parent-child relationship. At the same time, the folder can act as the role of the parent in the parent-child relationship. This dual relationship role enables you to configure explicit file permission entries on the folder. Those explicit permission entries flow down the file system and become inherited file permission entries on all child files and folders. You can change how Windows propagates inherited permissions using the Advanced Security Settings editor.

Files and folders stored on NTFS volumes contain explicit and inherited permission entries. You use file permissions to determine effective access when not accessing files and folders through a share. When all the file permission entries types are Allow permission entry types, you use the least restrictive permissions (permission entries that give the user the most access) among all the file permission entries to determine effective local file access. Therefore, you determine effective access by combining all the applicable allow permission entries for the user. However, determining local effective access changes when a deny permission entry type exists among the permission entries.

Effective NTFS Access Scenario

Three users access a folder locally on a workstation with the following permission entries.

NTFSPermissionsTable

The first user, Alejandra is a member of the Users and Marketing groups.  Therefore, permission entries two and three apply to her when she accesses the folder.  Her effective access to the folder is Full Control (1).  Allow permission entries, explicit or inherited are combined. In this scenario, Windows allows Alejandra Read permissions (Read & execute and Read) because she is a member of the Users group and because she is a member of the Marketing group.  However, Windows also allows her Full Control because she is a member of the Marketing group.  Windows grants the least restrictive access when evaluating multiple Apply permission entries.

The second user, Kim is a member of the Users group.  Permission entry two is the only applicable permission entry.  Therefore, her effective access to the folder is Read (2).

LocalEffectiveAccess

The last user to access the folder is Harvey.  Harvey is a member of the Marketing group.  Permission entry one and three apply to Harvey when he accesses the folder.  Permission entry one is applicable because the trustee is Harvey.  Permission entry three applies as well because Harvey is a member of the Users and Marketing group.  However, Windows orders the permission entries so that deny permission entries occur before allow permission entries.  In this scenario, permission entry one denies access.  The access denied by the permission entry is Full Control.  Based on permission entry order, Windows denies Harvey access to the folder.  Harvey’s membership in the Marketing group is irrelevant because the explicit deny permission entry has precedence over all other permission entries (3).

Effective Share Access Scenario

Understanding effective access to the file system is a prerequisite to under understanding effective access when accessing files through a shared folder. When accessing a shared folder, Windows considers the file permission entries and share permissions to determine a user’s effective access to the folder.

ShareAndNTFSPermissionsTable

Effective access through shares evaluates file and share permissions together.  First, you evaluate the effective file permission entries.  Then, you evaluate the effective file permissions with the share permissions.  Permissions entries common between the effective file permission entries and the share permissions become the effective access when accessing the share.  If the permission entry exists in the file permissions list or the share permission list, but not both; then, Windows does not grant the access to the user.

The permissions lists in the previous table reflect both file permission entries and share permissions.  The first user, Alejandra accesses a file through a shared folder.  Alejandra is a member of the users and Marketing group.  The last example determined her effective file system access was Full Control.

To determine effective access through the share, evaluate the share and file permission entries together. Permission entries common between both lists are applicable to the user. Permission entries that appear in one list or the other are not applicable. The share permissions provide Alejandra Full Control access (1). These permissions are the same as the effective file permissions. The permission entries common in both permission lists are equivalent to Full Control; therefore, Alejandra’s effective access using the shared folder is Full Control (2).

ShareEffectivePermissions

Next, Kim accesses the files through the shared folder.  Kim is a member of the users group.  The effective file system access for her is Read.  Users have Change permissions on the share (3).  Noticeably, the permissions between the two lists are not identical.  You must translate the share permission into basic permission to determine the permission entries in common between the two lists.

The previous table indicates the Change share permission is a combination of basic permissions.  Those permissions include Modify, Read & execute, Read, and Write.  The effective file system access Read includes the Read & execute, and Read basic permission entries.  A comparison of the two lists shows permission entries common between both lists are Read and execute, and Read.  Modify and write permissions entries exist only in the file permissions list.  Windows determines these permissions are not applicable to Kim because they do not exist in both lists, given Kim’s group membership.  This results in Kim’s effective access as Read when using the shared folder (4).

Lastly, Harvey accesses the file through the shared folder.  Harvey is a member of the users and Marketing group.  The last example identified that Harvey’s effective file access denied Full Control.  Again, you compare permission entries from the user’s file system effective permissions and the permission entries on the share that are applicable to the user (share permissions or permission entries where the principal is the user or a group of which the user is a member).

The share permissions list includes a permission entry that allows everyone Change access and another permission entry that allows Marketing Full Control access (5).  A deny permission entry wins against any allow permission entries except when the deny permission entry is inherited and the allow permission entry is explicit.   Therefore, Harvey’s effective share access is deny Full Control (6).  The Marketing group’s Full Control share permissions are not applicable because of the explicit deny.


That’s it for evaluating effective permissions when NTFS and when combining NTFS and shared permissions.  I’ll break out one more to complete the series, which will take into account Central Access Policies when using Dynamic Access Control.

–Mike Stephens

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s