A version of this paper has been accepted for publication in the Journal of Network and Computer Applications (ISSN 1084-8045), published by Academic Press at 24-28 Oval Road, London NW1 7DX, UK.

SAT BETA 1.0 is available for evaluation. DOWNLOAD IT NOW!


Managing Windows NT file system permissions

A security analysis tool to master the complexity of Microsoft Windows NT file system permissions

K. Hanner, R. Hörmanseder
Institute for Information Processing and Microprocessor Technology (FIM), Johannes Kepler University, A-4040 Linz, Austria

One of the main tasks of an operating system is to share global resources among multiple users. Additionally, modern operating systems are able to control access to these resources in order to protect them against unauthorised user access. Windows NT makes use of access control lists (ACLs) to implement this feature. An ACL is a list of users and their permissions to access a specific object. It can be associated with any globally accessible object such as files, folders, registry keys, processes, pipe-endpoints and many others. However, the standard tools of Windows NT have limited functionality for managing these object permissions. For example, Windows NT only supports an object-centred view of these permissions. That means you can view and manipulate the permissions per object, but not per user. The subject of this paper is the realisation of a user-centred visualisation of object permissions. An application has been developed in the course of this project. It deploys several strategies for producing concise and clear representations of the permissions of a single user. An archive function maintains a history and you can therefore compare security settings from different times.  


1. Introduction

Microsoft Windows NT shares resources among multiple users. Such resources are objects like files, folders, registry keys, printers, pipes, processes etc. Windows NT is able to control access to these objects. For this purpose, an access control list (ACL) is associated with each of these objects. An ACL defines who is allowed to perform which operations on the object.

For example concerning a file C:\papers\SAT\v1001.doc within the NT file-system:

Every co-worker at the institute is a member of the group FIM-L. The members of this group FIM-L may read the file to discuss the contents. The authors of the document are allowed to change the document, and the group named Administrators has full access to the file.

So the ACL for the file is as follows:
FIM-LRead (RX)staff of FIM
HannerChange (RWXD)author of document
HoermansederChange (RWXD)author of document
AdministratorsFull Control (All)administrators
(The abbreviations for the NTFS file permissions are defined as follows: R=Read, W=Write, X=eXecute, D=Delete, P=change Permissions, O=take Ownership. For more information about permissions on files in NTFS see [1 p. 189ff])

We see that the ACL is closely in conjunction with the object. It is almost a part of the object itself. This leads to the following peculiarity in Windows NT:


2. Intention

In this paper we centre on file security, because files are a very commonly used kind of object. Files are also a good example, because even small systems have a large number of them. That is why the lack of a user-centred view for file permissions is so problematic and maybe sometimes even dangerous. To compound matters, Windows NT is a networking system, so the files and their associated ACLs are distributed among several computers. If all files and directories to which a user has access are listed, then the output will be long. No administrator has enough time to read and analyse a report of this length.

Apart from some command-line tools (e.g. perms, xcacls, showacls) in the Windows NT Server Resource Kit [2], a huge set of tools exists for supporting NT administrators for managing file permissions. (See [3] for a list of some of them.) Many of these tools have impressive functionality. Nevertheless, most do not include a user centred view of permissions. Even if a user centred view is supported, the representation of the results has not fully satisfied us, because there often is no adequate summary of the presented output. Ultimately they produce a large amount of output.

Our intention is to consider these problems and to produce a concise yet meaningful visualisation of user permissions. We have not integrated any other functionality (e.g. modify permissions, analysis of user privileges or audit-information, ....), which is available in many other tools.

These considerations lead to the development of SAT (Security Analysis Tool).

One primary design requirement was that SAT should distinguish between two kinds of rights:

SAT has to display both types (trustee rights and effective rights) on demand. In the examples presented in this paper we concentrate on effective rights, because we believe that they give a better overview and understanding of the rights of the user.


3. Design

This chapter describes the principal design decisions for SAT. The current implementation only analyses files, whereas the underlying concept also is applicable e.g. for NT Registry [6] permissions.

The structure and co-operation of the components can be seen in Figure 1.

3.1 Novell as a first model of thinking

A considerable number of NT administrators worked on Novell 3.x before, and so did the authors. We were used to handling file-security based on the "runtime inheritance" of the Novell file-system and the trustees in Novell [7, p. 210ff and 244-246]. The step to "create-time inheritance" of permissions in NTFS [8, Concepts and Planning, Chapter 4, "how NTFS Permissions work"] leads to a change in the "philosophy of administration". So from our previous knowledge we lack some of the special features of Novell.

3.2 Using a database

Unlike NT, Novell fileservers support a dual view of rights: Novell is able to present these two views because it stores, from a logical point of view, the information about file access rights with the object and with the user. The need to support these different views and an additional view showing effective permissions leads SAT to manage a database containing the ACLs.

3.3 Partitioning into asynchronous modules:

SAT has to deal with file access permissions not only of a single computer, but also with a whole computer network divided into logical clusters, which are called Windows NT domains (see [1, p. 127ff]). Thus online evaluation of file access permissions is not convenient because of the long execution time for scanning several hard disks on several computers.

A partition into two autonomous components solves this problem:

These two parts are separated chronologically from each other; the common interface is the database. While the scanner job is typically active at night or during weekends, the database frontend is an interactive application.

This architecture has still more potential: The scanner stores any number of scans in one database, which means it makes "snapshots" of the security settings. In other words, it maintains a history of the security settings. So it is possible to compare scans of different dates with each other, without having to restore the data from a backup.

3.4 Client-Server structure

The SAT scanner is a highly distributed application, which consists of a Controller-module, a Master-module and any number of Slave-modules. You can classify the functionality of these parts as follows: Note that all these parts may run on different computers. Figure 1 shows all modules of the SAT application and communication paths between them.

Figure 1: SAT structure

Figure 2: SAT Controller User-Interface


4. Filtering and compression

As mentioned before, the number of files can be (and will be, in most cases) extremely high. So clearly it is not enough to list all the files a user has access to. SAT filters the information and shows only security relevant details, particularly changes of security within the directory hierarchy. Furthermore, SAT is able to combine files with the same security settings. Five levels of compression define how files will be grouped together. The scanner of the SAT application includes most of these compression facilities, thus reducing the size of the database as well.

These compression levels imply loss of information. It is up to the user to find a tradeoff. Either he gets detailed information or a concise overview. Obviously a significant overview is more valuable for the administrator because, if the necessity arises to have a look at the full details, everything (except an overview) can be found via the standard tools of Windows NT.

Because of create-time inheritance used in NTFS ([1, p. 208]), every file has an ACL of its own. After creation of the file, its security is independent of changes in directory-permissions. Therefore during the lifetime of a disk-volume, changes of the security and file-moves lead to a set of files, which do not comply with the actual inheritance structure of permissions. The size of this set depends on different security needs as well as the quality of the predefined NTFS security structure and the strictness of the administration.

Novell experts will notice that their system does not have these compression and overview problems, because the file security information is already stored as Trustees in compressed form within the file-system (Keywords: Trustees, run time inheritance, Bindary [7]). In Novell, special rights for single files are assigned only as an exception.

4.1 Compression within the slave component

SAT supports five levels of compression within the analysing slave component:
level name short description sample output
0 minimum no compression, all files are
displayed including full filenames
(This level uses a lot of space in the
database and should therefore be used
only on selected and small volumes!)
v1000.doc   [RWXD--]
v1001.doc   [RWXD--]
actual.bmp  [RWXD--]
old_03.bmp  [R-X---]
clip01.txt  [RWXD--]
clip02.txt  [RWXD--]
1 low all files with same extension are
grouped together only if they all
have same permissions
     *.doc  [RWXD--]
actual.bmp  [RWXD--]
old_03.bmp  [R-X---]
     *.txt  [RWXD--]
2 medium all files with same file-extension and
same permissions are grouped
 2   *.doc  [RWXD--]
 1  *.bmp   [R-X---]
 1   *.bmp  [RWXD--]
 2   *.txt  [RWXD--]
3 high all files with the same permissions
are grouped together
 1   *.*    [R-X---]
 5   *.*    [RWXD--]
4 maximum ignore all files, analyse only directories -
All compression types are supported on the level of user/groups, because the whole SAT-system concentrates on a user-centred view of file security.

4.2 Compression within the SAT Viewer

The interactive SAT Viewer displays the file rights based on previous security scans. Additionally, the Viewer adds further output compression functionality.

The following examples are based on compression level 2, which is a good choice for user-volumes.

4.2.1 Full security image (No compression)

The Viewer shows all data that has been collected in the security scan.
 FIM\Hanner, Effective rights, Full Security Image
  C:\papers\SAT            [RWXD--] [RWXD--]
  C:\papers\SAT\2 *.doc    [RXWD--]
  C:\papers\SAT\1 *.bmp    [RWXD--]
  C:\papers\SAT\1 *.bmp    [R-X---]
  C:\papers\SAT\2 *.txt    [RWXD--]

4.2.2 Only changes

Because all files in the example directory inherit an ACL stating that user Hanner has Change(RWXD) permissions on every file in the directory, only the exceptions to this rule are displayed:
 FIM\Hanner, Effective rights, Only Changes
  C:\papers\SAT            [RWXD--] [RWXD--]
  C:\papers\SAT\1 *.bmp    [R-X---]

4.2.3 Only Changes plus Optimisation

In some situations, all or almost all files or subdirectories change their permissions. Assuming there is a collection of private user-directories within a main directory named USERS. All users have List-Permissions(RX)() in USERS (probably) through a group. One level below in the directory hierarchy only the user himself has permissions on his personal directory.

So compression level "Only changes" leads to a long list of exceptions when looking at \USERS, because almost every user-directory is included with "no permissions" in the listing.

 FIM\Hoermanseder, Effective rights, Only Changes
  I:\users              [R-X---] [------]
  I:\1 *.ckm            [R-X---]
  I:\Administrator      [------] [------]
  I:\divUser            [------] [------] 
  I:\users\hanner       [R-X---] [R-X---]
  I:\users\hoermanseder [RWXD--] [RWXD--]
  I:\users\muehlbacher  [------] [------]
Please note that the directory of user Hanner is an exception, because user Hoermanseder has read-access within it. Additionally user Hoermanseder has read-access on the only file in directory I:\users. (This file with name ~ftpsvc~.ckm is for directory annotation when accessing the directory via the Microsoft FTP-Server.)

When level "Only Changes + Optimisation" is selected, the Viewer detects that the inheritance of List-rights from \USERS to its subdirectories makes the listing longer. Therefore the Viewer displays these rights in small letters, indicating that these rights are not inherited. So from this point the assumption is that user Hoermanseder has no permissions in all subdirectories and files of \USERS. The Viewer only has to show the changes to this assumption. The listing only has to include two directories, because only the directory Hoermanseder as personal user directory and the directory of user Hanner are not compatible with this assumption.

 FIM\Hoermanseder, Effective rights, Only Changes + Optimisation
  I:\users              [r-x---] [------]
  I:\1 *.ckm            [R-X---]
  I:\users\hanner       [R-X---] [R-X---]
  I:\users\hoermanseder [RWXD--] [RWXD--]


5. Implementation characteristics

Both the SAT scanner and viewer use Microsoft Open Database Connectivity (ODBC) for communication with the database. This makes the usage independent from the underlying database system. One is free to use a low cost solution (e. g. Microsoft Access) or a high performance database server such as SQL Server or Oracle.

The distributed modules of the SAT scanner communicate with each other via Remote Procedure Calls (RPCs). It is therefore easy to support any network protocol.

The Master- and Slave-modules are implemented as Windows NT services. A service is a background process running in a certain user context. This leads to the following conclusions:

The setup program installs the whole SAT application or only selected components. After this basic installation the Master- and Slave-services have to be configured manually. For this purpose you can use the "Service Config" utility, which is part of the SAT software. Please note that ODBC must be installed on machines where Master- and Viewer applications will execute.

Very often a scan covers only a part of the computers from a set of domains. SAT takes this fact into consideration. If a domain database (e.g. from a trusted domain) is not scanned, the Viewer nevertheless correctly displays all names of groups (and users) which are assigned permissions on the scanned NTFS-volumes. Obviously the relationship of users and groups of a domain is only included in the output, if the domain-database has been analysed.


6. Sample outputs and results

In this section we try to give some screenshots to show how the Viewer works. For clarification, all of the following screendumps correspond to previous examples. To simplify matters, each example only presents a small section of a full output.

6.1 Compression Level 1 (low), Effective Rights, Full Security Image

Figure 3 shows the effective rights of the user FIM\hanner on disk C: of the computer Mail. Due to compression level 1 of the scanner, files with the same extension are only grouped together if they also have the same rights. This is very convenient if one wants a detailed view on a small set of exceptions.

Because of the full display of the security image, all files and directories the user Hanner has access to will be displayed. This sample corresponds to the first description of ACLs in chapter 1 (Introduction) and to the description of compression level 1 in chapter 4.1 (Compression within the slave component).

The security of the file old_03.bmp has been changed specifically for this sample to show the functionality of compression level 1, so please do not ponder on the reason for this security-setting.

Figure 3: Effective rights of user FIM\hanner on disk C, level of compression = 1

On the left side of the Viewer in Figure 3 there is the list of all domains analysed (only FIM in this example) and the special groups and accounts (Everyone, CreatorOwner, Interactive, Network, Dialup, System [9, p. 45]), which may also be assigned permissions. The other accounts document special errors like rights assigned to an already deleted account. Directories which could not be analysed by the scanner due to insufficient rights are summarised under the account "No Access". This has been mentioned already in chapter 5 (Implementation characteristics).

6.2 Compression Level 1 (low), Effective Rights, Only Changes

Figure 4 shows the rights of the same user on the same disk with the compression option "Only Changes" turned on. As you can see, the number of files listed is less than the output before, due to the fact that only exceptions are displayed. This functionality has already been discussed in chapter 4.2 (Compression within the SAT Viewer).

Figure 4: Show only changes in NTFS security

6.3 Compression Level 3 (high), Effective Rights, Only Changes + Optimisation

This example has already been presented in section 4.2.3. As a result of using compression level 3, file-extensions are omitted. Figure 5 shows that user Hoermanseder not only has change(RWXD)-permissions in his personal home-directory, but also has Read(RX)-permissions in the home-directory of user Hanner. Additionally it can be seen that the user is also allowed to read the directory InetPub and all files/directories beneath.

Figure 5: Effective rights, compression level 3 and optimisation of the presented overview

The optimisation recognises that it does not make sense to assume that user Hoermanseder has Read(RX)-permissions for all subdirectories in I:\USERS, because there are many other user-directories. User Hoermanseder does not have permissions for these directories. So the viewer shows that the user has permissions to read the directory, but has none beneath this level. Those permissions which are not inherited are displayed in small letters. Consequently, every file and directory beneath I:\USERS which can be accessed by user Hoermanseder is reported explicitly.

6.4 Exporting SAT data

The SAT-Viewer has builtin functionality to export the data to the clipboard. Because this information is in pure ASCII-format, data can be used in any wordprocessor starting from Notepad or WordPad. The output is almost the same as shown in the compression examples (chapter 4).

The following output corresponds exactly to the situation shown in the previous section 6.3.

  Account: FIM\Hoermanseder
  Kind of Rights: Effective rights
  Compression: Only Changes + Optimization
  Domain: FIM
  Computer: \\Aserv_nt\I$
  [R-X---] [R-X---]   I:\InetPub
  [r-x---] [------]   I:\users
  [R-X---]            I:\users\1 *.*
  [R-X---] [R-X---]   I:\users\hanner
  [RWXD--] [RWXD--]   I:\users\hoermanseder
This listing can be easily formatted with word-processor macros or a report-generator to produce a user-defined report. We still believe in the importance of printed reports and listings.

6.5 Runtime and size of a sample scan

We analysed a set of three domain-controllers (Server for routing and RAS with about 300 MB of allocated file-space, mail-server with Exchange and 850 MB files and a file-server with about 13 GB of files). These three servers hold a total of more than 240,000 files in 19,500 directories. The number of users and groups is about 90 and therefore quite small.

The resulting size of the MS-Access database is less than 15 MB when selecting compression mode 2 (medium). Due to the size of the file-server, the total scan lasts about one and a half hours.


7. Future plans

At the moment, the SAT application has, of course, some limitations and shortcomings. In addition to fixing some known bugs, we want to integrate remote installation functionality and make improvements of the analysis by using the concept of "dynamic ACL inheritance", which is available in NT 2000 and NT 4 with Security Configuration Editor [3] installed. The documentation of SAT is also somewhat poor at the moment.

Our long-term goal is to support an automatic comparison of successive scans and mark security-relevant differences between them.

The developed SAT application has not yet been released, because we see it as a prototype. [NEW SAT download] Nevertheless, those interested in this topic can download a first BETA test version for evaluation. [NEW SAT download] (Unfortunately, due to lack of personal resources, we can only support a small number of users.)



References included here are only examples. A variety of books and course material cover these topics.
  1. Tom Sheldon 1997. The Windows NT Security Handbook. Osborne McGraw-Hill, ISBN 0-07-882240-8
  2. Microsoft 1996. Microsoft Windows NT Server Resource Kit. Microsoft Press, ISBN 1-57231-344-7
  3. Administration tools and WWW-servers for download of evaluation or free versions:
  4. Charles B. Rutstein 1997. Windows NT Security. McGraw-Hill, ISBN 0-07-057833-8
  5. Microsoft 1996. Supporting Windows NT Server. Microsoft Press, 1294 Part No. 097-0001373
  6. Steven B. Thomas 1998. Windows NT 4.0 Registry. McGraw-Hill, ISBN 0-07-913655-9
  7. Novell NetWare Version 3.11 Concepts. Novell Part # 100-000931-001
  8. Microsoft NT 4.0 Server Online Help (\SUPPORT\BOOKS\SERVER.HLP)
  9. Nevin Lambert and Manish Patel 1997. Windows NT Security. Ziff-Davis Press, ISBN 1-562-76-457-8


About the authors

Kurt Hanner (hanner at fim.uni-linz.ac.at) did his diploma thesis at the Institute for Information Processing and Microprocessor Technology and received his MSc from the University of Linz 1998. He worked with McAfee and NAI. At present he is serving in the Austrian army.

Rudolf Hörmanseder (hoermanseder at fim.uni-linz.ac.at) received his MSc from the University of Linz 1983. In 1983 he joined the "Forschungsinstitut für Mikroprozessortechnik". Since 1997 he has been a member of the Institute for Information Processing and Microprocessor Technology (FIM). His fields of interest are operating systems and system-administration.

Maintained by Webmaster, 1999-11-23