Need help understanding Windows NTFS permissions


  1. Posts : 10,485
    W7 Pro SP1 64bit
       #11

    Wow. There is a huge amount of info being discussed in this topic. Good questions.

    Kefren said:
    3. Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally?
    You are not the only user of your computer. Every time you allow the Windows operating system to update itself, a "user" named TrustedInstaller goes to work. For your protection, TrustedInstaller is not allowed access to your user generated files. System is another "user". I'll leave it at that for simplicity.


    Do you have the User Account Control set to the default value?


  2. Posts : 15
    Windows 7 Ultimate 64 bit
    Thread Starter
       #12

    UsernameIssues said:
    You are not the only user of your computer. Every time you allow the Windows operating system to update itself, a "user" named TrustedInstaller goes to work. For your protection, TrustedInstaller is not allowed access to your user generated files. System is another "user". I'll leave it at that for simplicity.
    I see. Okay, I'll rephrase as I'm the only human user!

    Presumably "TrustedInstaller" isn't separate, but counts as something under the user "System"? Files have security settings for

    Authenticated Users
    SYSTEM
    Administrators (NA-PC\Administrators)
    Users (NA-PC\Users)

    [Just to confuse things, folders seem to be different:
    SYSTEM
    NA (NA-PC\NA)
    Administrators (NA-PC\Administrators)]

    So the only one of those who isn't "me" is SYSTEM, which I can understand is my Windows 7 OS. The others
    just complicate things for me. Suppose there were different settings/permissions for

    Authenticated Users
    Administrators (NA-PC\Administrators)
    Users (NA-PC\Users)

    - since I am all three, which one would apply when I clicked "delete"? I'm back to not understanding what is actually going on and how the OS works and treats my files... Sorry if I seem dense. In my case surely there is only a need for "Administrator", not the others. And I don't need complicated granular control of files.

    UsernameIssues said:
    Do you have the User Account Control set to the default value?
    Just checked - yes, it is at default, which is defined as "Don't notify me when I make changes to Windows settings."
    (Though it often still does, e.g. renaming a file in some HD locations.)


  3. Posts : 10,485
    W7 Pro SP1 64bit
       #13

    Human user
    That was the reaction that I was hoping for
    But hopefully, the analogy was useful.

    TrustedInstaller is separate. It is not the same as SYSTEM nor is it a subset of SYSTEM. Check most any sub-folder in the Windows folder and you should see that SYSTEM is granted different security rights than TrustedInstaller.


    My knowledge about the TrustedInstaller as a "user" was gained thru observation. It was a somewhat simplistic example and the analogy that the TrustedInstaller is a user might be flawed. I have read a few papers that attempted to explain various security concepts like Security Tokens and Integrity Levels... and yet, I'm none the wiser. Fortunately, it does not bother me to read stuff that I don't fully understand. Sometimes that info comes back to mind and a few things start to fall into place.

    I don't know enough to address your questions/statements about these groups...
    Authenticated Users
    Administrators (NA-PC\Administrators)
    Users (NA-PC\Users)

    ...but that won't stop me from rambling on

    The following info is a guess based on observation, experimentation and my readings.
    This info could easily be wrong:
    I think that Authenticated Users mostly deals with remote connections. That is, if you were to connect Windows Explorer from another computer to your computer, then Authenticated Users would come into play. At first glance, you might think that it would be safer to remove that group from files/folders - thinking that you don't want anyone to get to files/folders remotely. If I fully understood Microsoft's security model, I could say that removing that group did make things more secure. But I don't know enough to say that. Also, there might come a day when you do want to connect one computer to another computer (e.g. when moving things to a new computer). It would be a nightmare to put the Authenticated Users group back on all of the files/folders where Microsoft had it. It is best to leave it as is.

    More specific to your question on deleting a file:
    If you were connected to the computer from another computer, then deleting the file might be allowed if you connected as a member of the Authenticated Users group. If you deleted the file while sitting at the computer, then that might be allowed since you are a member of the User group. If the file being deleted is in a protected area like the Program Files folder, then the deletion might be allowed since you are a member of the Administrators group. You might not be able to delete the file via any of those means if the file is in use by one or more apps.

    More guessing - but I'm pretty sure of this:
    For your day to day operation of the computer, you are seen as a User. When something important (risky) needs to be done, that operation is elevated to the administrator level. Now do you see why you do need this granularity?

    Not guessing:
    For users that turn off the User Account Control - most every operation is done at the risky administrator level.


    Let's say that you surfed to yahoo.com*. It is a somewhat reputable website. People probably would not say that you deserved to get infected because you surfed to a questionable website - and yet, yahoo.com infected lots of computers during the last part of 2014. These infections came in thru Flash based adverts. The yahoo.com servers were not infected, but 3rd party servers that delivered the adverts were compromised (and some still are). Most antivirus apps could not keep up with the quick pace at which variations of the infections were being served up. These infections required no user interaction (the user saw no warning and did not authorize changes to the system). For those that kept the User Account Control turned on, the infection could only do things at the user level. (That is not exactly true, but for simplicity, I'll leave it at that.) For those that turned the User Account Control off, the infection had full admin rights and could do "risky stuff" without any warning or prompts to the user.

    *just one of thousands of websites serving up ransomware infections.


    > Sorry if I seem dense.
    You do not seem dense to me. You are tackling topics that most just ignore - or worse, make drastic changes to without understanding the implications.
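Added example, not part of any post in this thread: a PowerShell sketch for the "I am all three groups, which one applies?" question in #12. It lists the DACL entries on a path that match any SID in the current logon token and walks them in order, which is how the groups combine; `$Path` is an assumed sample location, and the walk ignores owner rights, privileges and the parent folder's delete-child right.

```powershell
# Added example (not from the thread): which permission entries apply to this logon.
$Path = "$env:USERPROFILE\Documents"   # assumption: any file or folder you can read

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# One logon carries many SIDs at once: the user account plus every enabled group.
# Groups omits deny-only groups, which is how Administrators sits in a non-elevated UAC token.
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Request the rules with SIDs as identities so they compare directly with the token.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$applicable = @($rules | Where-Object {
    ($tokenSids -contains $_.IdentityReference.Value) -and
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)   # inherit-only entries affect children only
})

# Walk in DACL order: each right is decided by the first matching entry that mentions it.
$granted = 0; $denied = 0
foreach ($ace in $applicable) {
    $mask = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Allow') {
        $granted = $granted -bor ($mask -band (-bnot $denied))
    } else {
        $denied  = $denied  -bor ($mask -band (-bnot $granted))
    }
}
$rightsType = [System.Security.AccessControl.FileSystemRights]
$effective  = [Enum]::ToObject($rightsType, $granted)
$delete     = [int][System.Security.AccessControl.FileSystemRights]::Delete

"Elevated token  : $elevated"
"Matching entries:"
$applicable | ForEach-Object {
    $name = $_.IdentityReference.Value
    try { $name = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    "  {0,-6} {1,-35} {2}" -f $_.AccessControlType, $name, $_.FileSystemRights
}
"Combined rights : $effective"
"Delete granted  : {0}" -f [bool]($granted -band $delete)
```

Running it once from a normal prompt and once from an elevated prompt against a folder under Program Files shows the Administrators entry matching only in the elevated case.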


  4. Posts : 15
    Windows 7 Ultimate 64 bit
    Thread Starter
       #14

    UsernameIssues said:
    Check most any sub-folder in the Windows folder and you should see that SYSTEM is granted different security rights than TrustedInstaller.
    You're right: those folders don't have "Authenticated Users" or "NA (NA-PC\NA)" but they have two extra ones: "CREATOR OWNER" and "TrustedInstaller".

    So there are even more different types of "Group or user names" than I first thought... And different folders have different combinations of them, with different sets of permissions, different ticks in the "Allow" or "Deny" columns... Yikes.


  5. Posts : 2,497
    Windows 7 Pro 64 bit
       #15

    Malware in all its forms has become very sophisticated in recent years. By default software runs with the same rights and permissions as the user account it is running under. If that software is trusted then all is well, at least for the most part. But if that software is malicious, and it is almost impossible to avoid this, then you have a problem. If your account has full and unrestricted access to all files then that malicious software will as well. You can be sure that it will take full advantage of this for its benefit and your cost.

    At the turn of the century it was acceptable for expert users to have full and immediate access. But with the introduction of XP the NT platform operating systems came into the hands of novice users who knew little of computers and didn't want to learn. And most of them were running under an admin account. That is a dangerous combination, particularly when malware is on the rise. By the time Vista was released this situation was deemed unacceptable as a default state.

    It had always been a best practice to use a limited account for general use, reserving an admin account for when it was really needed. With a limited account you limited the possibility of accidentally making potentially dangerous mistakes. And even experts make mistakes. And when running under a limited account malware is limited in its potential for damage. But many users, particularly those who would have benefited the most, found this too inconvenient. Thus they used an admin account at all times.

    Thus UAC was introduced with the release of Vista. It provides most of the benefits of using a limited account but with fewer inconveniences. When logged in with an admin account you actually had only the rights and privileges of a limited account. Only by request do you attain full access.

    UAC is a good compromise between security and convenience. Even when using an elevated admin account there are still restrictions on particularly sensitive areas. But it is always possible for an admin user to access these areas if necessary.

    Security always has its price and that price is paid in part in loss of convenience. But at a time when malware is becoming an ever greater danger that price is in my view a worthwhile one.

    Wise computer users accept this loss in convenience in the same way they use a seat belt when riding in a car. In the early days of seat belts there was widespread resistance to them. They were considered too inconvenient. Now most people use them, if for no other reason than that it is required by law.


  6. Posts : 15
    Windows 7 Ultimate 64 bit
    Thread Starter
       #16

    LMiller7 said:
    Malware in all its forms has become very sophisticated in recent years.
    Thanks. What you say makes sense. I suppose my problem is that all the security/permissions stuff that seems to be attached to files and folders (but is not, as someone else pointed out) should ideally either be invisible to the end user (which it might have been if I hadn't run into problems with it) or be simple to understand, or explained in some way, so you know what to do when things go wrong, and what the implications of actions are. I'm trying to understand the basics of how it works, and the fact that it's not consistent (e.g. clicking on different files and folders and looking at the security tab shows different headings, in different orders, and have different ticks leading to hundreds of possible combinations per file, and no indication of what "the default" should be, or how to reset it to that if things have changed).

    I used to understand it with the older versions of Windows, where it was just one or two tick boxes on file properties that I needed to pay attention to, but now there are hundreds of combinations of user groups and where the tick boxes are for each one for a single file, and I don't know if they can cause problems when sharing files, or transferring them to a new OS etc. The changes you mention make some sense (though I can't help but feel it has been implemented in a very clunky way, because it seems like I can't understand it easily without going to external sources). Or maybe it's just me! I just want to know that my files are the same as they ever were (i.e. aren't having extra permission gunk added, which looks like it has been when you right click Properties), and they won't ever lock me out from accessing them because of something Windows does to them. I can see it is a very abstract topic, I was hoping I'd be able to visualise things in a more concrete way, probably my incorrect expectation at play there! Many thanks.


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #17

    Kefren said:
    ...I just want to know that my files are the same as they ever were (i.e. aren't having extra permission gunk added, which looks like it has been when you right click Properties),...
    Post #9 states:
    LMiller7 said:
    ~~~
    4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.
    ~~~
    The security info is not added to the files - as far as I know.


  8. Posts : 2,497
    Windows 7 Pro 64 bit
       #18

    Windows security system seems very complex because it is in fact very complex. And it is in fact far more complex than it seems on the surface. All modern operating systems are. Considering what it must do it is hard to imagine it being otherwise.

    The average user isn't expected to understand Windows and NTFS security. In fact I would suggest they shouldn't even try unless they care to take the time to do it properly, and that is going to take time and effort. But this is the day of instant everything and people want to know everything right away without serious effort.

    There is an old saying that is very relevant here:

    "A little knowledge is a dangerous thing".

    I have seen so many cases on forums where someone has learned a little about NTFS security and then tried to apply this limited knowledge, and got themselves into serious trouble. What you don't know can hurt you.

    The security information in the MFT has meaning only while a file remains in the volume. When copied elsewhere it will usually take on the security attributes of the folder it is copied to. This is very much simplified.


  9. Posts : 15
    Windows 7 Ultimate 64 bit
    Thread Starter
       #19

    UsernameIssues said:
    The security info is not added to the files - as far as I know.
    Many thanks, that sets my mind at rest on one point.


  10. Posts : 15
    Windows 7 Ultimate 64 bit
    Thread Starter
       #20

    LMiller7 said:
    The security information in the MFT has meaning only while a file remains in the volume. When copied elsewhere it will usually take on the security attributes of the folder it is copied to. This is very much simplified.
    Many thanks, that's useful. I don't know what caused the original problems which wouldn't let me copy some files, but maybe I'm worrying for no reason.


 