Windows7 ACLs - How do you deal with it?


  1. Posts : 2
    Windows 7 Pro x64
       #1

    Hey everyone.....
    I liked what I've seen from this forum, so I decided to register and become involved.

    My issue has to do with folder/file security.

    I've been using Win7 x64 for a few weeks now (coming from XP) and I've noticed that all file-level security seems to revolve around a single entity "Authenticated Users" when UAC is turned on. My goal is to make this as easy as possible, but secure; ease of access for admins, but read only access to data files for standard users. I've found this from my observations while running as an admin w/UAC on:

    - If folder/file has "authenticated users" ACL as read-only access or removed completely then explorer will no longer prompt for folder/file deletion confirmation when using the right-click menu and send the item directly to the recycle bin. However, it will prompt for administrator permission (not deletion confirmation) when using the delete key! Another however, it will prompt for both deletion confirmation and administrator permission when using the shift+delete key combo.

    - I can, of course, add the <created admin username> to the item with full control and be back as usual, but I'm looking for a way to keep my ACLs lean and allow portability from one system to the next (such as the same account not being on that machine and external drives).

    So..........
    What is the best way to secure data without adding the <created admin username> to 1000's of files and folders and without having to give administrator permission every time the admin wants to delete something? Along with keeping "users" as read-only. Should I keep "authenticated users" as modify and just create another group, add user accounts to that, and mark the ACL as deny modify? I see that authenticated users & interactive are now listed in the users group so I can't just deny the users group.

    The other issue comes into play when I run my backup scripts...UAC is killing me!

    ....I know what I can do, but I'm looking for ideas to see what you've come up with.
    I hope that was clear.
    Thanks for your input!


  2. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #2

    You should be able to set this in the Group Policy Editor (if you have Professional and up). Not sure how, so you would have to play around with it.

    ~Lordbob


  3. Posts : 330
    Windows 7 Pro/32 Academic. Build 7600
       #3

    Hello, Nucleus7, Welcome to Seven Forums.
    To answer your question "How would I deal with it?": I'm the only person that uses my PC, but I have two accounts set up. One is my password-protected administrator account, which I keep logged off at all times and rarely use. The other one is my standard user account. This is the one I use all the time. It is not password protected. If anybody wants or needs to use my computer, I activate the built-in Guest account. The guest account is pretty restrictive, as you can't do much with it. Even at that, I've taken away all privileges of the guest account to access the C:\users folder completely. I keep nothing in the public folder.


  4. Posts : 2
    Windows 7 Pro x64
    Thread Starter
       #4

    Thanks...I guess I just have to clutter up the ACL list.


 
