After watching a good friend of mine do an excellent job at teaching file and folder permissions for Windows, I thought it would be a good idea to share an excerpt of the “Understanding and Troubleshooting Dynamic Access Control” white paper I wrote in February 2013, that serves as a great refresher for understanding how Windows orders access control entries.
It is good to understand how to determine effective access across multiple points of access control. To determine effective access you compare information from the access token against each point of access control (Central Access Policy, share permissions, and NTFS permissions). The result of this comparison is the user’s effective access. Predicting the effective access of a resource helps you plan and configure permissions for those resources.
Precedence and Canonical Ordering
The Windows authorization sub system follows a set of rules that gives the appearance of preferring a permission entry type or access over a different permission entry type or access. However, the perception of precedence does not occur real-time— the rules of precedence are not enforced when the user access the resource. The permission entries are evaluated in order and access is allowed or disallowed based on that order. The Security settings or Advanced Security Settings editor accomplishes permission entry precedence by saving the permission entries in a specific order. The specific order in which permission entries are saved is known as canonical order.
Canonical ordering describes the ordering the Security settings or Advanced Security Settings editor uses to ensure access to resources observes a defined behavior with regard to the permission entry’s lineage and access type.
The permission entry’s lineage is the origin of the permission entry. Windows recognizes two types of permission entries that describe the permission entry’s lineage: explicit and inherited.
Permission entries that originate on the current resource are known as explicit permissions. Explicit permission entries are permission entries that you manage directly on the file or folder. The Security Settings and Advanced Security Settings editor orders explicit permission entries to the top of the permission entry list. All explicit permission entries are ordered before any other permission entry type.
Permission entries that originate higher in the resource’s lineage are known as inherited permissions. Inherited permission entries are explicit permission entries granted at some higher point in the resource’s hierarchy that propagate to the file or folders lower in the resource’s hierarchy. The Security Settings and Advanced Security Settings editor orders inherited permission entries after explicit permission entries.
Windows orders inherited permission entries in lineage order. Lineage order describes the order of inherited permissions where inherited permissions closest to the current folder are ordered before inherited permissions furthest from the current folder. Lineage ordering results in inherited permissions from the parent ordered before the grandparent. Inherited permissions from the grandparent are ordered before the great-grandparent. This ordering continues to traverse up the resource’s lineage until it reaches the end of the resource’s hierarchy or inheritance stops. Do not confuse lineage ordering with canonical ordering. Canonical ordering describes the entire ordering process Windows performs when saving permission and audit entries. Lineage ordering is a subset of canonical ordering that refers specifically to the way Windows orders inherited permissions based on position in the resource’s lineage.
Windows recognizes two access types for permission entries: Deny and Allow.
Deny access types
Deny access type permissions disallow users from performing the access configured in the permission entry. Access configured in permission entries typically characterizes as specific action a user performed on the resource such as read, modify, or delete.
The Security Settings and Advanced Security Settings editors order deny permission entries before allow permission entries when saving permissions. This order ensures that Windows evaluates deny permission entries first followed by allow permission entries. This ordering is combined with lineage ordering, which results in explicit deny permission entries ordered before explicit allow permission entries.
Windows orders inherited deny permissions before inherited allow permission entries at each point of inheritance in the resource’s lineage. Therefore, inherited parent permission entries are ordered together (inherited deny and inherited allow), and then inherited grandparent permission entries are ordered together (inherited deny and inherited allow), after inherited parent permission entries.
Allow access types
Allow access type permissions permit users to perform the access configured in the permission entry. Access configured in permission entries typically characterizes as specific action a user performs on the resource such as read, modify, or delete.
The Security Settings and Advanced Security Settings editors order allow permission entries after deny permission entries when saving permissions. This order ensures that Windows evaluates deny permission entries first followed by allow permission entries. This order is combined with lineage ordering, which results in explicit deny permission entries
Results of Canonical Ordering
Canonical ordering of permission entries accomplishes gives the perception of precedence when a user accesses a file or folder. Windows uses this precedence to establish deterministic behaviors with regard to authorization decisions. Well-defined behaviors allow you to determine effective permissions of a resource manually, without using the Effective Access tab.
Information from previous shows the order in which Windows saves permission entries. This order determines effective permissions based on how Windows handles each permission type (allow or deny). In summary, conical ordering yields the ordering in the earlier table. The ordering combined produces the following precedence you can use to determine effective permissions for a resource.
- An explicit deny permission entry always denies access to a resource
- An explicit allow permission entry permits access unless combined with an explicit deny permission entry, which then denies access to the resource.
- An inherited deny permission entry disallows access unless combined with an explicit allow permission entry or an inherited allow permission entry that is closer in lineage to the resource than the inherited deny, which then permits access to the resource.
- An inherited allow permission entry permits access unless combined with an explicit deny permission entry, or an inherited deny permission entry that is closer in lineage to the resource than the inherited allow, which then disallows access to the resource.
Windows canonically orders permission entries when saving the permission list. When Windows evaluate access to a resource, it evaluates each permission entry in list order.
The canonical ordering of access control entries is the heart of how IT professionals predict a user effective access to a resource. It is the reason why we have rules like “explicit wins over inherited” and many of the others phrases you hear when learning Windows access control. As a follow up, be sure to read the “Evaluating Effective Access” post.