Apr 1, 2009
Follow best practice for Windows file/folder security management
Nowadays, security concerns are increasing everywhere and we need to control who is accessing our information and when it is accessible. Windows provides a built-in way to access information and check user privileges to decide who can and who cannot access a document/folder.
This article describes best practice in using Windows built-in access control and how to avoid problems accessing files on a local PC or on DFS folders.
Each file/folder in Windows has security information. To view it, select the file, right-click and choose Properties (figure 1).
The Security tab lists SIDs (shown as group/user names), each with a set of permissions (ACEs). These permissions are changed via the Edit button.
Here are the best practice rules for permission management:
Never remove the administrator entry: The administrator entry is used by the system to access file information. If the administrator rights to access the file are removed, a side effect could be that backups of this file are no longer carried out. Moreover, if you need to ask the Helpdesk to recover a file, then the process will take longer and be more difficult.
Not allowing administrator access to your data does not make it more secure; instead, it puts your data at risk.
Do not use the “deny” permission: If you do not want someone to access a folder/file, it is better to not give them the “allow” permission, rather than “denying” them access. This is because of how access is resolved: deny permissions are taken into consideration first. For example, if you are a member of the IT-IS group and you deny folder access to the IT-IS group but grant your login full access on the folder, then you will be denied access.
Use groups to give access to multiple persons: If you want to grant access to a given file/folder to members of your group, you should use the group permission. For example the default groups “Users
You should not add permissions to each user one by one. If someone leaves or joins the group then you would have to modify the permissions for every single file: this operation is time-consuming and error-prone.
Adding someone to a group is a straightforward operation done at a structural level (not the file level) and built-in, dynamic groups are automatically updated, i.e. a newcomer/departure will automatically be reflected in the corresponding “Users
All existing groups are available via the Win Services page (https://cern.ch/winservices/Services/GroupManager/GroupManager.aspx) and in e-groups (http://e-groups.cern.ch). These pages also allow you to create and manage your own groups.
Check user permissions in case of doubt: To verify if a given user/group has access to a folder, open the properties of the folder and select the “Security” tab. Then:
1. Click on the “Advanced” button (figure 2).
2. Open the “Effective Permission” tab (figure 3).
3. Click on “Select ...” and enter a user/group name in the pop-up screen (figure 4).
4. Click on “OK” in the pop-up screen to display the permissions (figure 5).
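The resolution order behind the “deny” rule above can be reproduced with a small model of how an access control list is walked. This is an added example, not part of the original article or of any CERN tool: the rights bits, the logins jdoe and asmith and the function names are constructed for illustration, and the model goes slightly beyond the article by also ordering inherited entries after explicit ones.

```python
from dataclasses import dataclass

# Simplified rights bits, constructed for this example (not the real Windows mask values).
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # user or group the entry applies to
    mask: int               # rights covered by the entry
    inherited: bool = False

def canonical_order(dacl):
    """Explicit entries before inherited ones; deny before allow within each."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, user, groups, desired):
    """Walk the entries in order; return (granted, deciding entry or None)."""
    identities = {user, *groups}
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, ace           # a matching deny ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask      # these rights are now granted
            if remaining == 0:
                return True, ace
    return False, None                  # nothing allowed it: implicit deny

def explain(dacl, user, groups, desired=READ):
    ok, ace = access_check(dacl, user, groups, desired)
    why = f"{ace.kind} entry for {ace.trustee}" if ace else "no matching allow entry"
    return f"{user}: {'granted' if ok else 'denied'} ({why})"

# The article's scenario: deny for the IT-IS group, full access for the user's own login.
WITH_DENY = [Ace("allow", "jdoe", FULL), Ace("deny", "IT-IS", FULL),
             Ace("allow", "Administrators", FULL)]
# Recommended form: no deny entry, only the intended trustees are allowed.
WITHOUT_DENY = [Ace("allow", "jdoe", FULL), Ace("allow", "Administrators", FULL)]

if __name__ == "__main__":
    for name, dacl in (("with deny", WITH_DENY), ("without deny", WITHOUT_DENY)):
        for user in ("jdoe", "asmith"):   # both constructed logins are IT-IS members
            print(name, "->", explain(dacl, user, {"IT-IS"}))
```

With the deny entry, jdoe is locked out despite the personal full-access entry; without it, jdoe keeps access and asmith is still refused because no allow entry matches.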
For more information on file security and managing Access Control Lists (ACLs), please consult the “Managing ACL” page in the help pages of win-services website or in the following PDF: https://cern.ch/winservices/Help/Contents/Images/Security%20How-to/ACL_helpPage_v1.0.pdf.
About the author
Bruno Lenski, IT-IS