Windows7 ACLs - How do you deal with it?
Hey everyone.....
I liked what I've seen from this forum so I decided to register and become involved.
My issue has to do with folder/file security.
I've been using Win7 x64 for a few weeks now (coming from XP) and I've noticed that all file-level security seems to revolve around a single entity "Authenticated Users" when UAC is turned on. My goal is to make this as easy as possible, but secure; ease of access for admins, but read only access to data files for standard users. I've found this from my observations while running as an admin w/UAC on:
-If folder/file has "authenticated users" ACL as read-only access or removed completely then explorer will no longer prompt for folder/file deletion confirmation when using the right-click menu and send the item directly to the recycle bin. However, it will prompt for administrator permission (not deletion confirmation) when using the delete key! Another however, it will prompt for both deletion confirmation and administrator permission when using the shift+delete key combo.
-I can, of course, add the <created admin username> to the item with full control and be back as usual, but I'm looking for a way to keep my ACLs lean and allow portability from one system to the next (such as the same account not being on that machine and external drives).
So..........
What is the best way to secure data without adding the <created admin username> to 1000's of files and folders and without having to give administrator permission every time the admin wants to delete something? Along with keeping "users" as read-only. Should I keep "authenticated users" as modify and just create another group, add user accounts to that, and mark the ACL as deny modify? I see that authenticated users & interactive are now listed in the users group so I can't just deny the users group.
The other issue comes into play when I run my backup scripts...UAC is killing me!
....I know what I can do, but I'm looking for ideas to see what you've come up with.
I hope that was clear.
Thanks for your input!