29 Oct 2010 | #1
Windows7 ACLs - How do you deal with it?
I liked what I've seen from this forum so I decided to register and become involved.
My issue has to do with folder/file security.
I've been using Windows 7 x64 for a few weeks now (coming from XP) and I've noticed that all file-level security seems to revolve around a single entity "Authenticated Users" when UAC is turned on. My goal is to make this as easy as possible, but secure; ease of access for admins, but read only access to data files for standard users. I've found this from my observations while running as an admin w/UAC on:
- If a folder/file has the "Authenticated Users" ACL as read-only access or removed completely, then Explorer will no longer prompt for folder/file deletion confirmation when using the right-click menu and will send the item directly to the Recycle Bin. However, it will prompt for administrator permission (not deletion confirmation) when using the Delete key! Another however: it will prompt for both deletion confirmation and administrator permission when using the Shift+Delete key combo.
- I can, of course, add the <created admin username> to the item with full control and be back as usual, but I'm looking for a way to keep my ACLs lean and allow portability from one system to the next (such as the same account not being on that machine and external drives).
What is the best way to secure data without adding the <created admin username> to 1000's of files and folders and without having to give administrator permission every time the admin wants to delete something? Along with keeping "users" as read-only. Should I keep "authenticated users" as modify and just create another group, add user accounts to that, and mark the ACL as deny modify? I see that authenticated users & interactive are now listed in the users group so I can't just deny the users group.
The other issue comes into play when I run my backup scripts... UAC is killing me!
I know what I can do, but I'm looking for ideas to see what you've come up with.
I hope that was clear.
Thanks for your input!
29 Oct 2010 | #3
Hello, Nucleus7, Welcome to Seven Forums.
To answer your question "How would I deal with it?": I'm the only person that uses my PC, but I have two accounts set up. One is my password-protected administrator account, which I keep logged off at all times and rarely use. The other one is my standard user account. This is the one I use all the time. It is not password protected. If anybody wants or needs to use my computer, I activate the built-in Guest account. The Guest account is pretty restrictive, as you can't do much with it. Even at that, I've taken away all privileges of the Guest account to access the C:\users folder completely. I keep nothing in the Public folder.