Configuring Data Access

and Protection

Glenn Weadock
MDAA, MCAAA, MCT, MCSE, MCSA, MCITP, A+, SECURITY+

gweadock@i-sw.com www.i-sw.com
 Topics in
This Module NTFS permissions
Shared and public folders
Dynamic Access Control conditions
OneDrive sharing
NTFS Permissions
SIDs are like keys; permissions are
like locks
- SIDs go with users and groups
- Permissions go with objects

Permissions control who can do what

with resources:
- Files and folders
- Printers
- Organizational Units
- Group Policy Objects
We focus on NTFS permissions here,
as OU and GPO permissions are
beyond the scope of this course,
but the same basic principles apply
to these other resources.
NTFS (NT File System)

DACL = Discretionary Access Control List

- For controlling access

SACL = System Access Control List

- For controlling auditing

Each list has one or more entries

Principle of implicit denial
- Not on the list? You don’t get in
 Access Control Concepts

Security Access Token Access Control List

Security IDs (SIDs) Access Control Entries

---------------------------- ----------------------------
User: Harry Engineering: Allow Read
Group 1: Engineering Management: Allow Modify
Group 2: Denver Glenn: Deny Modify
(Glenn’s a troublemaker)
NTFS Permission Principles
Creators are owners and control access
Child folders inherit permissions by default
Inheritance can be overridden
(changed to explicit)
“Deny” beats “Allow”
- BUT a child folder Allow can override a
parent folder Deny
ACEs can specify groups or users
Permissions are cumulative
 If you move a file or folder to
another folder on the same volume,
it keeps its permissions.

In all other cases (move/copy), it

inherits permissions from the new
parent folder.
Basic and Advanced Permissions
Basic (“simple”) permissions are common
combinations of special permissions
- 95% of what we need
- Read, Read and Execute, and List Folder
Contents are default permissions
- Full Control means can take ownership,
change permissions (e.g. Documents)
- Modify includes ability to Delete

Advanced (“special”) permissions are more

granular values
Basic Permissions
Advanced Permissions
Effective Access Tab

Tab on Advanced Security page

Specify the user, group(s), device
- Play “What if?”

Calculates inherited + explicit permissions

Resolves conflicting group permissions
Omits share-level permissions
System files
and folders
have special
permissions to
help ensure
their security.
 If you copy a file to a non-NTFS
volume, such as a FAT32 or exFAT
flash drive, you lose the permissions.
Another Kind of ACL for Auditing
Permissions at the Command Line
ICACLS
- /grant
- /deny
- /reset

Get-Acl, e.g.:
- Get-Acl -Path “c:\folder” | FL
- $OldACL = Get-Acl -Path c:\foldername

Set-Acl, e.g.:
- Set-Acl -Path “c:\newfolder” -AclObject
$OldACL
Demo

NTFS permissions and multiple groups

Shared and Public Folders
File and printer sharing:
Ability to share files and printers on
local machine
ON by default for private and
domain networks
OFF by default for public networks
How to Change File and Printer Sharing

Settings > Network & Internet > Ethernet >

Change advanced sharing options
Network and Sharing Center > Change
advanced sharing settings
- Beware inconsistent verbiage

Windows Firewall
netsh advfirewall firewall set rule
group=“File and Printer Sharing” new
enable=yes
Demo

Activating File and Printer Sharing

Sharing Folders (Not Files!) via File Explorer

Method 1: Right-click, “Give access to”

- Specific people (find and select)
- Specify read or read/write access
- File Explorer, Share tab = same options

Method 2: R-click, Properties, Sharing,

Advanced Sharing
- Specify people and access, plus:
- Limit # of simultaneous users
- Caching (offline settings)
Sharing Folders via (Elevated) Command Line

Net share sharedstuff=c:\sharedstuff

Net share
Net share sharedstuff /delete
New-SmbShare –Name sharedstuff –Path
c:\sharedstuff
Get-SmbShare
Remove-SmbShare –Name sharedstuff
Public Folder Sharing

ON to share Public folder over the network

OFF to keep it unshared
Either way, folder is shared for users of
local machine
Demo

Sharing a folder over the network

What Are Share Permissions?

Remnant of a bygone era (pre-NTFS)

Full Control/Change/Read
Only applies to network path accesses
Combined with NTFS permissions: most
restrictive setting applies
Many administrators set these wide open
Dynamic Access Control Conditions
Limitations of NTFS and
share permissions:
Restrict access based only on user/group
identity (SIDs)
Can’t restrict based on other user or
computer attributes
Can’t restrict based on file attributes
A Bigger, Better Security Access Token

Typical Kerberos SAT has user SID and

group SIDs
For user claims and device claims,
need to expand the SAT
Group Policy to the rescue
Don’t need if you’re just using file
classifications
Creating an Access Condition
User Claim Types

Claim types are based on AD attributes

View AD attributes in:
- ADSI Edit
- AD Users and Computers
- AD Administrative Center
- Schema console
Demo

Viewing user attributes in AD

Device Claim Types

As with user claim types…

Claim types are based on AD attributes
Some attributes can apply to users and
computers, so be careful!
- Department
- Location
- etc.
Requirements for Dynamic Access Control

Windows Server 2012 schema

Server 2012+ file server with
FSRM installed
If using device claims:
- At least 1 Server 2012 or R2 DC per site
- Windows 8+ clients
 We can also use custom file
classifications to control access…
…but that’s a bit beyond the
scope of this course.
OneDrive Sharing
Types of online storage
from Microsoft:
OneDrive (for consumers = “personal”)
- Free with Microsoft account

OneDrive for Business

- Paid service (part of
Microsoft 365 or SharePoint)
Microsoft Azure
- Paid service (by subscription)
OneDrive for Consumers

Bits ship with Windows 10/11

Need Microsoft account to use
5 GB for free accounts
100 GB for $2/month
Plans can (and do!) change
Setting up OneDrive for Consumers

Set up a Microsoft account

Set up Windows 10/11 to log on with that
account or provide it when signing in to
OneDrive
Run the setup wizard
(Optionally) Set OneDrive to start with
Windows
OneDrive for Business

Latest sync client is unified

Based on SharePoint
Microsoft 365 (cloud); SharePoint
(on-premises)
Company name appears in File Explorer
File Explorer Integration

OneDrive appears in nav pane

- All folders appear by default
- Sync status, share status
- If not logged in, prompt appears

If multiple accounts, icon labels distinguish

work from personal
 You can make
OneDrive the default
save location for:
Desktop
Documents
Pictures
You can autosave to
OneDrive for:
Captured
screenshots
Captured photos
and videos
Sharing OneDrive Files

OneDrive.com
- Click file or folder, choose “Share”
• “Email” (share w/individual)
• “Get a link” (share w/anyone)
• “More” (social media services)

File Explorer
- Right-click file or folder, choose “Share”
- Enter email, click “Copy link” or
“More apps”
Sharing Options

Read permission by default

“Allow editing” permission
Set link expiration (OneDrive Premium)
How to Un-Share OneDrive Files?

OneDrive.com
- Click “Shared” in navigation pane
- Right-click shared folder or file
- Choose “Details”
- Links appear at right
- Choose “Manage access”
- Click “X” to disable a share link
“Fetch” Discontinued in Mid-2020
Good work! You’ve finished this course on
Windows 10/11 connectivity and storage!
I invite you to explore other courses
in this learning path. Meanwhile,
thanks for watching.