Understanding Windows Permissions

Microsoft Windows is arguably the most widely used server system for small businesses. In terms of file storage, most small business environments use Windows. In this article, we will explore how Windows implements permissions on file systems.

To safeguard against data theft, small business owners need to understand who has access to sensitive data. Most operating systems have complex built-in sets of permission settings that can be applied through group memberships, explicit deny or allow permissions, and inherited permissions. But who actually has access to your sensitive data?

With Microsoft Windows, when a user creates a file or folder, an owner is assigned to the created object. With this assignment, the owner has two permissions: Read and Write. This means that even if someone later assigns an explicit deny rule to that file or folder, the owner still has the Read and Write permissions. This is because the implicit rights granted by the owner attribute have precedence over other permissions. The security implication is that if a user is set as the owner of a folder and their effective permissions allow them to browse, they can grant rights to see items in the folder and below.

To avoid this, it is important to make sure that users are not granted owner permissions to folders containing sensitive data. The owner attribute should be set to an administrative group. That way, only privileged accounts can change file and folder permissions.
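One way to check for this condition is to list every folder under a share whose owner is not an administrative principal. The script below is an added example, not part of the original article; the function name `Get-NonAdminOwnedFolder`, the demo path, and the choice of BUILTIN\Administrators and SYSTEM as the acceptable owners are assumptions to adjust for your environment.

```powershell
# Added example: report folders whose owner is not an administrative principal.
# Assumption: acceptable owners are BUILTIN\Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18). Pass -AllowedOwnerSids to change the list.
function Get-NonAdminOwnedFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $AllowedOwnerSids = @('S-1-5-32-544', 'S-1-5-18')
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Audit the root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Unreadable ACLs are worth knowing about, but should not stop the audit.
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }

        # Compare by SID so localized or renamed group names do not matter.
        $owner = $acl.GetOwner($sidType)
        if ($null -eq $owner) { continue }

        if ($owner.Value -notin $AllowedOwnerSids) {
            [pscustomobject]@{
                Folder   = $folder.FullName
                Owner    = $acl.Owner      # friendly DOMAIN\name form
                OwnerSid = $owner.Value
            }
        }
    }
}

# Constructed demo: a folder created by a standard user is owned by that user,
# so it is reported. Run from an elevated session, the owner may already be
# the Administrators group and the report will be empty.
$demo = Join-Path $env:TEMP 'owner-audit-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'Payroll') -Force | Out-Null
Get-NonAdminOwnedFolder -Path $demo | Format-Table -AutoSize
```

Folders that appear in the report can be reassigned from an elevated prompt with `icacls <folder> /setowner "BUILTIN\Administrators"`.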