Geek School: Learning Windows 7 - Resource Access

Exploring Advanced Windows 7 Features: Folder Virtualization, Security Identifiers, and File Encryption
This installment of Geek School delves into more sophisticated aspects of Windows 7 administration. We will examine Folder Virtualization, the role of Security Identifiers (SIDs) and permissions, and the functionality of the Encrypting File System (EFS).
Reviewing the Geek School Series on Windows 7
For a comprehensive understanding, it’s beneficial to review the preceding articles in this Windows 7 focused Geek School series.
- Introducing How-To Geek School
- Upgrades and Migrations
- Configuring Devices
- Managing Disks
- Managing Applications
- Managing Internet Explorer
- IP Addressing Fundamentals
- Networking
- Wireless Networking
- Windows Firewall
- Remote Administration
- Remote Access
- Monitoring, Performance and Keeping Windows Up To Date
These articles provide a foundational understanding of the concepts we will build upon today.
Understanding Folder Virtualization
Folder Virtualization allows administrators to redirect user profile folders to a network location. This centralizes data storage and simplifies backup procedures.
By virtualizing folders, user data isn’t stored locally, enhancing security and manageability.
The Importance of SIDs and Permissions
Each user account in Windows is assigned a unique Security Identifier (SID). This identifier is crucial for managing access control and permissions.
Permissions determine what actions a user can perform on files and folders. Properly configured permissions are essential for maintaining system security.
Securing Data with the Encrypting File System
The Encrypting File System (EFS) provides a method for encrypting individual files or folders. This protects sensitive data from unauthorized access.
EFS utilizes a user’s login credentials to encrypt and decrypt files, ensuring only authorized individuals can view the contents.
Further articles in this series will continue to explore advanced Windows 7 features throughout the week. Stay tuned for more in-depth coverage.
Folder Virtualization
With the release of Windows 7, a new feature called libraries was introduced. This allowed users to consolidate access to files stored in various locations on their computer into a single, centralized view.
Specifically, the libraries functionality enabled the inclusion of folders from anywhere on the system into one of four pre-defined libraries: Documents, Music, Videos, and Pictures. These libraries are readily accessible through the Windows Explorer navigation pane.

It’s important to understand two key aspects of this library feature:
- Adding a folder to a library doesn’t involve moving the folder itself; instead, a link is created pointing to its original location.
- To incorporate a network share into your libraries, it must first be made available for offline access. Alternatively, symbolic links can be utilized as a workaround.
To begin adding a folder to a library, navigate to the desired library and select the "Locations" link.

Following this, click on the "Add" button.

A window will appear. Locate the folder you wish to include within the library.

Finally, click the "Include folder" button to finalize the process.

The process is now complete.
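Because adding a folder to a library only records a link, the libraries can be inspected on disk. The following is an added PowerShell example (not code from the original article) that lists the locations each library links to; it assumes the user's libraries live in the usual .library-ms XML files under %APPDATA%\Microsoft\Windows\Libraries and that each included folder appears as a simpleLocation/url element, with default members stored as knownfolder:{GUID} references. Network (UNC) entries are marked, since those are the ones that must be made available offline.

```powershell
# Added example, not from the original article: list the folders each
# Windows 7 library links to. Nothing is copied or moved when a folder is
# included in a library; the .library-ms file simply records its path.
function Get-LibraryLocation {
    param(
        # Folder holding the current user's .library-ms definitions (assumed default).
        [string]$LibraryRoot = (Join-Path $env:APPDATA 'Microsoft\Windows\Libraries')
    )

    foreach ($file in Get-ChildItem -Path $LibraryRoot -Filter '*.library-ms') {
        [xml]$xml = Get-Content -Path $file.FullName
        $connectors = $xml.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription
        $urls = @($connectors | ForEach-Object { $_.simpleLocation.url })

        foreach ($url in $urls) {
            if (-not $url) { continue }    # empty library or missing location element

            # Default libraries reference known folders by GUID; user-added folders
            # are plain paths, and UNC paths are network shares.
            if     ($url -like 'knownfolder:*') { $kind = 'KnownFolder' }
            elseif ($url -like '\\*')           { $kind = 'NetworkShare' }
            else                                { $kind = 'LocalFolder' }

            New-Object PSObject -Property @{
                Library  = $file.BaseName
                Location = $url
                Kind     = $kind
                # A network share only works in a library if it is available offline
                # (or is reached through a symbolic link), so flag it for review.
                NeedsOfflineFiles = ($kind -eq 'NetworkShare')
            }
        }
    }
}

Get-LibraryLocation | Format-Table Library, Kind, NeedsOfflineFiles, Location -AutoSize
```

Run it after including a folder with the steps above and the new entry appears under the library's name with Kind set to LocalFolder or NetworkShare; the original folder is untouched.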
Security Identifiers Explained
Within the Windows Operating System, SIDs (Security Identifiers) are employed to uniquely represent every security principal. These SIDs are essentially variable-length strings composed of alphanumeric characters, used to identify machines, users, and groups. Each time permissions are granted to a file or folder for a user or group, the corresponding SID is incorporated into the ACL (Access Control List).
Although SIDs are fundamentally stored in binary format, like all other data objects, they are presented in a more human-readable syntax when displayed within Windows. Typically, SIDs aren't directly visible; a common scenario where they appear is after a user account has been deleted following the granting of permissions to a resource, at which point the SID remains within the ACL.
Understanding the SID Format
The representation of a SID adheres to a specific syntax, comprised of several distinct parts. Let's examine these components:
- A prefix of ‘S’
- A structure revision number
- A 48-bit identifier authority value
- A variable number of 32-bit sub-authority, or relative identifier (RID), values
To illustrate, we will dissect a sample SID, S-1-5-21-1206375286-251249764-2214032401-1000 (the one shown in the original screenshot), to gain a clearer understanding of its structure.
Deconstructing the SID:
‘S’ – Every SID begins with the character ‘S’, serving as an indicator to Windows that the following string is indeed a SID.
‘1’ – The second element of a SID is its revision number, denoting the version of the SID specification. This ensures backward compatibility should the specification undergo changes. Currently, with Windows 7 and Server 2008 R2, the SID specification remains at revision 1.
‘5’ – The third section, known as the Identifier Authority, defines the scope within which the SID was generated. The possible values for this section include:
- 0 – Null Authority
- 1 – World Authority
- 2 – Local Authority
- 3 – Creator Authority
- 4 – Non-unique Authority
- 5 – NT Authority
‘21’ – The fourth component represents sub-authority 1. A value of ‘21’ signifies that the subsequent sub-authorities identify either the Local Machine or a Domain.
‘1206375286-251249764-2214032401’ – These constitute sub-authorities 2, 3, and 4, respectively. In this instance, they identify the local machine, but could alternatively represent a Domain identifier.
‘1000’ – Sub-authority 5, the final component of our SID, is the RID (Relative Identifier). The RID is unique within its security principal; it's important to note that user-defined objects, those not provided by Microsoft, typically have a RID of 1000 or higher.
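The breakdown above can be turned into a small parser. This is an added PowerShell example, not code from the original article: it splits a SID string into the revision, identifier authority, sub-authorities and RID described in the text, names the authority using the table above, and uses the .NET SecurityIdentifier type only as a syntax check. The sample SID is the one dissected above; the second call uses the well-known Everyone SID for contrast.

```powershell
# Added example, not from the original article: break a SID string into the
# components the text describes. The parser is ours, not a Windows API.
$AuthorityNames = @{
    '0' = 'Null Authority';    '1' = 'World Authority';      '2' = 'Local Authority'
    '3' = 'Creator Authority'; '4' = 'Non-unique Authority'; '5' = 'NT Authority'
}

function ConvertFrom-SidString {
    param([Parameter(Mandatory = $true)][string]$Sid)

    # The .NET constructor throws on malformed input, so it serves as the
    # syntax check before we pull the string apart ourselves.
    $null = New-Object System.Security.Principal.SecurityIdentifier $Sid

    $parts     = $Sid.Split('-')      # 'S', revision, authority, sub-authorities...
    $revision  = [int]$parts[1]
    $authority = [int64]$parts[2]     # a 48-bit value, hence int64 rather than int
    $subAuths  = @($parts[3..($parts.Count - 1)] | ForEach-Object { [uint32]$_ })

    # For S-1-5-21-X-Y-Z-RID, the values between 21 and the RID identify the
    # machine or domain and the final sub-authority is the RID.
    $domainId = $null
    if ($subAuths[0] -eq 21 -and $subAuths.Count -ge 3) {
        $domainId = $subAuths[1..($subAuths.Count - 2)] -join '-'
    }
    $rid = $subAuths[$subAuths.Count - 1]

    New-Object PSObject -Property @{
        Sid                 = $Sid
        Revision            = $revision
        IdentifierAuthority = $authority
        AuthorityName       = $AuthorityNames["$authority"]
        DomainIdentifier    = $domainId
        Rid                 = $rid
        # RIDs below 1000 belong to built-in principals; 1000 and up are user-created.
        IsUserDefined       = ($rid -ge 1000)
    }
}

# The SID dissected above, then the well-known 'Everyone' SID (S-1-1-0).
ConvertFrom-SidString -Sid 'S-1-5-21-1206375286-251249764-2214032401-1000'
ConvertFrom-SidString -Sid 'S-1-1-0'
```

For the sample SID the output reports revision 1, NT Authority, the domain identifier 1206375286-251249764-2214032401 and RID 1000 (user-defined); for S-1-1-0 it reports World Authority with RID 0 and no domain identifier.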
Understanding Security Principals
A security principal is defined as any entity possessing a Security Identifier, or SID. This encompasses a range of elements, including users, computers, and groups. Security principals can operate within a local environment or within the broader domain context.
Local security principals are administered via the Local Users and Groups snap-in, accessible through Computer Management. This can be launched by right-clicking the computer shortcut found in the Start menu and selecting "Manage."
Managing Local Security Principals
Adding a new user security principal is accomplished by navigating to the Users folder. From there, a right-click initiates a menu, allowing you to select "New User."
User account properties can be modified by double-clicking on the user's name. The "Member Of" tab within these properties allows you to assign the user to one or more Security Groups.
Creating Security Groups
To establish a new security group, access the Groups folder located on the right-hand side of the Local Users and Groups snap-in. A new group can then be created by right-clicking within the whitespace and choosing "New Group."
Share Permissions and NTFS Permissions
Within Windows operating systems, two distinct types of file and folder permissions are utilized. These are Share Permissions and NTFS Permissions, often referred to as Security Permissions. Effective security for shared folders is typically achieved through a combined application of both Share and NTFS Permissions.
It’s crucial to understand that the more restrictive permission setting will always govern access. For instance, if Share Permissions grant the "Everyone" group read-only access, while NTFS Permissions would normally allow modifications, the Share Permissions will override, preventing users from making changes.
The Local Security Authority (LSASS) manages resource access based on these permissions. Upon logging in, each user receives an access token containing their Security Identifier (SID). When a resource is accessed, LSASS compares this SID against the Access Control List (ACL) to determine whether access should be granted or denied.
Given the inherent differences between these permission types, a clear understanding of their appropriate use is essential. Let's explore each in detail.
Share Permissions:
- Share Permissions are exclusively enforced for users accessing resources across a network. They are not applicable to local access, such as through Terminal Services.
- These permissions are applied universally to all files and folders within the shared resource. For more refined control, supplementing Share Permissions with NTFS Permissions is recommended.
- For volumes formatted with FAT or FAT32, Share Permissions represent the sole available restriction mechanism, as NTFS Permissions are unsupported on these file systems.
NTFS Permissions:
- NTFS Permissions are limited to volumes formatted with the NTFS file system.
- It's important to note that NTFS Permissions are cumulative in nature. A user’s overall effective permissions are determined by combining their directly assigned permissions with those inherited from any groups to which they belong.
Revised Sharing Permissions in Windows 7
With the release of Windows 7, a simplified sharing method was introduced. The traditional permission levels of Read, Change, and Full Control were streamlined to Read and Read/Write. This change aimed to facilitate easier file sharing, particularly for users less familiar with computer systems.
This simplified approach is accessible through the context menu, enabling straightforward sharing within a Homegroup network.
Sharing Beyond the Homegroup
For sharing resources with individuals outside of the Homegroup, the “Specific people…” option remains available. Selecting this option presents a more detailed dialog box.
Within this dialog, users can precisely define which users or groups will have access to the shared resource.
Understanding the Permissions
As noted, only two permission levels are provided. These permissions collectively establish a basic, yet functional, security framework for folders and files.
- Read permission grants users the ability to view files, but prevents them from making any alterations or deletions.
- Read/Write permission provides full access, allowing users to open, modify, and delete files as needed.
Essentially, Read offers view-only access, while Read/Write provides complete control.
Legacy Sharing Permissions
The previous sharing dialog offered a wider range of options, including the ability to share a folder using an alternative name. It also provided control over concurrent connections and caching configurations. This functionality hasn't been removed in Windows 7; instead, it’s accessible through a feature called “Advanced Sharing”.
Accessing a folder’s properties via a right-click menu reveals the “Advanced Sharing” settings located within the sharing tab.

Selecting the “Advanced Sharing” button necessitates local administrator privileges to configure the settings familiar from earlier Windows versions.

Clicking the “Permissions” button presents the three standard permission levels.

Permission Level Details
- Read permission grants the ability to view, open files and subdirectories, and run applications. However, it prevents any modifications.
- Change permission encompasses all the capabilities of Read permission, plus the ability to create files and subdirectories, delete folders, and alter file data.
- Full Control provides unrestricted access, allowing all actions permitted by the previous permissions. Additionally, it enables modification of NTFS permissions, but only for shares on NTFS-formatted volumes.
These permission levels offer granular control over resource access.
NTFS Permissions
NTFS Permissions provide a highly detailed level of control over files and folders within a Windows environment. However, this extensive granularity can initially appear complex for those unfamiliar with the system. Permissions can be configured both on individual files and on entire folders.
To establish NTFS Permissions for a specific file, locate the file, right-click to access its context menu, and select 'Properties'. From there, navigate to the 'Security' tab.

The 'Edit' button facilitates modification of NTFS Permissions for designated Users or Groups.

Given the numerous NTFS Permissions available, a breakdown is helpful. Let's begin by examining the permissions applicable to files.
- Full Control grants the ability to read, write, modify, execute, alter attributes, manage permissions, and assume ownership of the file.
- Modify permits reading, writing, modifying, executing, and changing the file’s attributes.
- Read & Execute allows viewing file data, attributes, owner information, and permissions, as well as running the file if it is an executable program.
- Read enables opening the file, viewing its attributes, owner, and permissions.
- Write allows data to be written to the file, appended to it, and its attributes to be read or altered.
Folder NTFS Permissions offer a slightly different set of options, which we will now explore.

- Full Control provides the ability to read, write, modify, and execute files within the folder, change attributes, manage permissions, and take ownership of the folder and its contents.
- Modify allows reading, writing, modifying, and executing files within the folder, and altering the attributes of the folder and its contents.
- Read & Execute enables displaying the folder’s contents, viewing data, attributes, owner information, and permissions for files within, and running files contained within.
- List Folder Contents permits displaying the folder’s contents and viewing data, attributes, owner information, and permissions for files within, as well as running files within.
- Read allows displaying file data, attributes, owner information, and permissions.
- Write allows writing data to files, appending to them, and reading or changing their attributes.
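The Security tab shows one entry per user or group; the two functions below show the same ACL from PowerShell and make two points from the text concrete: an entry whose identity is still a raw SID belongs to a deleted account (the orphaned SID mentioned in the SID section), and NTFS rights are cumulative across the user's own SID and every group SID in the logon token. This is an added example, not code from the original article. The effective-rights function is an approximation written for this page: it ORs the Allow bits for every SID in the current token and clears any Deny bits, and it ignores ownership and the share permissions that also apply over the network. The folder path is a constructed placeholder.

```powershell
# Added example, not from the original article: list a folder's NTFS ACL entries,
# flag orphaned SIDs, and approximate the current user's cumulative rights.
function Get-NtfsAceReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Get-Acl resolves identities to DOMAIN\Name. An entry that is still a raw
        # SecurityIdentifier could not be resolved, which is what a deleted
        # account's leftover SID looks like.
        $orphaned = $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Orphaned  = $orphaned
        }
    }
}

function Get-ApproxEffectiveRights {
    param([Parameter(Mandatory = $true)][string]$Path)

    # The access token carries the user's own SID plus one SID per group membership.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue    # identity that cannot be mapped to a SID; skip it
        }
        if ($tokenSids -notcontains $sid) { continue }

        # Cumulative: every matching Allow entry contributes its bits...
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # ...and explicitly denied bits are removed from the result (approximation only).
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

$folder = "$env:USERPROFILE\Documents"    # constructed path; any NTFS folder works
Get-NtfsAceReport -Path $folder | Format-Table Identity, Type, Rights, Inherited, Orphaned -AutoSize
Get-ApproxEffectiveRights -Path $folder
```

The first command is a quick hygiene check: any row with Orphaned set to True is an ACE that can no longer be tied to an account and should be reviewed and removed. The second shows why a user who belongs to several groups may end up with Modify even though no single entry grants it.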
Summary
Essentially, user names and groups are represented by a unique alphanumeric string known as a SID (Security Identifier). Both Share and NTFS Permissions are linked to these SIDs.
Share Permissions are only evaluated when access is attempted over a network, while NTFS Permissions, combined with Share Permissions, provide a more refined security layer for resources accessed both across the network and locally.
Gaining Access to a Shared Resource
Having explored the two primary methods for content sharing between PCs, let's examine how to actually access these resources across a network. The process is straightforward. Simply enter the following into your browser's address bar.
\\computername\sharename
Remember to replace 'computername' with the host PC’s name and 'sharename' with the specific share's designation.

While effective for infrequent connections, this method isn't ideal for larger organizations. Requiring users to manually connect using this approach would be impractical. A more efficient solution is to map network drives for each user.
This allows administrators to instruct users to save their files to a designated drive, such as the “H” drive, rather than detailing the connection process for each share.

To map a drive, launch Computer and select the “Map network drive” option.

Subsequently, input the Universal Naming Convention (UNC) path for the desired share.

You might be wondering if this configuration needs to be repeated on every workstation. Fortunately, that is not the case. A batch script can be created to automatically map drives during user logon, and then deployed through Group Policy.

Let's break down the command’s components:
- The net use command is utilized for drive mapping.
- An asterisk (*) is employed to automatically assign the next available drive letter.
- The share to which the drive will be mapped is then specified. Note the use of quotation marks to accommodate spaces within the UNC path.
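The command described above, net use with an asterisk and a quoted UNC path, can be wrapped in a logon script. The following is an added PowerShell example (not the article's own script) that maps fixed drive letters with net use, removes a stale mapping first, quotes the UNC path so spaces survive, and reports failures. The server and share names are constructed placeholders; the asterisk form from the article is shown in a comment.

```powershell
# Added example, not from the original article: logon script that maps drives
# with net use. Server and share names below are constructed placeholders.
$Mappings = @(
    @{ Letter = 'H:'; Path = "\\fileserver01\home\$env:USERNAME" },
    @{ Letter = 'S:'; Path = '\\fileserver01\Shared Documents' }    # space in the share name
)

function Connect-MappedDrive {
    param([string]$Letter, [string]$Path)

    # Remove any existing mapping for this letter so a share that moved gets re-pointed.
    if (Test-Path -Path "$Letter\") {
        net use $Letter /delete /y | Out-Null
    }

    # The UNC path is quoted, as in the article, so spaces in the share name survive.
    # /persistent:no because the script recreates the mapping at every logon, so
    # nothing is left in the profile to go stale. (To let Windows pick the next free
    # letter instead, as the article's command does, use:  net use * "$Path")
    net use $Letter "$Path" /persistent:no | Out-Null

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not map $Letter to $Path (net use exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

foreach ($m in $Mappings) {
    Connect-MappedDrive -Letter $m.Letter -Path $m.Path
}
```

Deploy it through Group Policy under User Configuration, Windows Settings, Scripts (Logon/Logoff), Logon, on the PowerShell Scripts tab; users then save to H: without ever seeing the UNC path.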

Utilizing the Encrypting File System for File Encryption
Within Windows, a feature is incorporated that allows for the encryption of files residing on a volume formatted with NTFS. This functionality ensures that only the authorized user – you – possesses the capability to decrypt and access the file's contents.
To initiate file encryption, locate the desired file and activate the context menu by right-clicking on it. From this menu, select the "Properties" option.

Following this, click on the "Advanced" button to proceed.

Within the Advanced Attributes window, activate the checkbox labeled "Encrypt contents to secure data". Subsequently, confirm your selection by clicking "OK".

The system will then prompt you to apply the newly configured settings.

While the primary intention is to encrypt the selected file, an option is also presented to encrypt the encompassing parent folder, if desired.

Observe that, upon successful encryption, the file icon will change to display a green color.

Consequently, access to the file will be restricted to your user account. Other users on the same computer will be unable to open or view its contents. Encryption keys are utilized in this process, employing public key cryptography.
It is vitally important to safeguard these encryption keys. Losing them results in permanent data loss, as file recovery becomes impossible.
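The same operation from the command line, with the checks a practitioner wants around it: an added PowerShell example, not code from the original article. It verifies the volume is NTFS before encrypting (EFS is NTFS-only), sets the encrypted attribute through the .NET File.Encrypt call (the same thing the "Encrypt contents to secure data" checkbox does), confirms the attribute, then uses cipher.exe to show which certificates can decrypt the file and to back up the EFS certificate and private key. The file path is a constructed placeholder.

```powershell
# Added example, not from the original article: encrypt a file with EFS from
# PowerShell, verify it, and back up the key that the text warns must not be lost.
function Protect-FileWithEfs {
    param([Parameter(Mandatory = $true)][string]$Path)

    # EFS only works on NTFS volumes; refuse early on FAT/FAT32 instead of failing later.
    $drive = New-Object System.IO.DriveInfo "$(Split-Path -Qualifier $Path)\"
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "EFS needs an NTFS volume; $($drive.Name) is $($drive.DriveFormat)"
    }

    # Same operation as ticking "Encrypt contents to secure data" in the file's properties.
    [System.IO.File]::Encrypt($Path)

    # Confirm the Encrypted attribute is now set (the icon turns green in Explorer).
    $attrs = (Get-Item -Path $Path).Attributes
    return (([int]$attrs -band [int][System.IO.FileAttributes]::Encrypted) -ne 0)
}

$file = "$env:USERPROFILE\Documents\payroll.xlsx"    # constructed path
Protect-FileWithEfs -Path $file

# List the user certificates that can decrypt the file. Only the account that
# encrypted it (plus any configured recovery agent) should appear here.
cipher /c $file

# Export this user's EFS certificate and private key to a password-protected .pfx.
# cipher prompts for the password; without this backup a lost key means the data
# cannot be recovered.
cipher /x "$env:USERPROFILE\efs-key-backup"
```

Store the resulting efs-key-backup.pfx somewhere other than the encrypted volume, and note that cipher /c is also the quickest way to confirm that another account on the same machine is not listed as able to decrypt the file.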
Assignments for Study
This outlines the required learning objectives for the current assignment.
Core Concepts to Master
A foundational understanding of permission inheritance and how effective permissions are calculated is essential.
Students should thoroughly investigate these concepts to ensure complete comprehension.
Required Reading
Detailed information regarding these topics can be found within the official Microsoft documentation.
Careful review of this document is a necessary component of the assignment.
BranchCache Technology
Investigation into BranchCache is required.
Students must understand the functionality of BranchCache and the scenarios where its implementation would be beneficial.
Printer Sharing
The principles of printer sharing should be understood.
Furthermore, students should be able to articulate the advantages of enabling printer sharing within a network environment.
Successful completion of this assignment requires a comprehensive grasp of these key areas.
