Need help understanding users and permissions to secure new system
Hello! I am migrating from a Windows XP SP+ system to a new Windows 7 64-bit
system. I have repartitioned my drive to have a new E: partition so that I can
keep my user data separate from the OS. I did this in accordance with this page:
Move Your Data to a Safer, Separate Partition in Windows 7 - PCWorld
Someone noted in the comments to this page:
"One bit of advice I would like to add: Once you've moved your user folders to that new partition, check the ACLs (access control lists) of your user folders to be sure that they have the permissions as you want them to be. After I moved the data folders on my computer to a separate data partition, all users were able to see each others' data. The ACLs appear on the Security tab of the folders' properties."
I am now checking them, and I am confused by what I see. There are
four group or user names listed in the Security tab for each folder:
Authenticated user
SYSTEM
Administrators
Users
Am I correct in assuming that
Authenticated user = Anyone who has successfully logged in with a password
Administrators = Anyone who has an administrator account, including the
built-in Administrator account
Is Users a superset or subset of 'Authenticated users?' Is every authenticated
user also a User, or are Users only those people who have logged in without a
password?
I'm also trying to understand the file permissions that are allowed. There
is a 'Read & execute' permission that is allowed for all groups. Is there any
way to have a file be executable but not readable?
I assume that Administrators should have access to everything (and will
probably get it anyway regardless of what setting I choose), but what
about items in the SYSTEM group?
What does the Read attribute really mean? The help on "Permission
Entry Dialog Box" mentions three types of read permissions: Read Data,
Read Attributes, and Read Extended Attributes. I'm hoping that Read
really means Read Attributes (seeing that the file is there) rather than
Read Data (view the contents of the file).
In any case, it looks like my folders all currently allow Modify,
Read & execute, List folder contents, Read, and Write for every
Authenticated user, which is not what I would want. I'm guessing
that I should turn off Modify and Write (since those are the permissions
for non-Authenticated users), but I'd appreciate some feedback on Read.
While my old machine runs XP, I've never learned too much about Windows'
permissions, since I'm the sole user of the machine. Now that I'm moving
to a laptop and creating several accounts, I know I need to be more
paranoid about security. But I'm really most comfortable in the UNIX
world, where I'm used to the user-group-others paradigm. So any
insights will be appreciated.
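
Added example, not part of the original post: a PowerShell script for the ACL check the quoted comment recommends. It lists what the broad built-in groups (Everyone, Authenticated Users, Users) are allowed to do on each relocated user folder. The path `E:\Users` is an assumed location, and the script sticks to cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
param(
    # Assumed location of the relocated user folders; change to your own path.
    [string]$DataRoot = 'E:\Users'
)

# Well-known SIDs, matched instead of names so the check works on localized systems.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Access-mask bits. Inherit-only entries are often stored with generic rights,
# so those bits are tested alongside the file-specific ones.
# Read:  ReadData/ListDirectory, GENERIC_READ, GENERIC_ALL
$readBits  = 0x00000001 -bor 0x80000000 -bor 0x10000000
# Write: WriteData, AppendData, Delete, ChangePermissions, TakeOwnership,
#        GENERIC_WRITE, GENERIC_ALL (Modify and Full control include these)
$writeBits = 0x00000002 -bor 0x00000004 -bor 0x00010000 -bor 0x00040000 `
             -bor 0x00080000 -bor 0x40000000 -bor 0x10000000

# The root folder itself plus each folder directly beneath it.
$folders = @(Get-Item -LiteralPath $DataRoot) +
           @(Get-ChildItem -LiteralPath $DataRoot | Where-Object { $_.PSIsContainer })

$report = foreach ($dir in $folders) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if (-not $broad.ContainsKey($sid)) { continue }
        $mask = [int]$ace.FileSystemRights
        New-Object PSObject -Property @{
            Folder    = $dir.FullName
            Group     = $broad[$sid]
            CanRead   = (($mask -band $readBits)  -ne 0)
            CanWrite  = (($mask -band $writeBits) -ne 0)
            Inherited = $ace.IsInherited   # True: the entry comes from a parent folder
        }
    }
}

$report | Sort-Object Folder, Group |
    Format-Table Folder, Group, CanRead, CanWrite, Inherited -AutoSize
```

A row with `Inherited` set to True has to be changed on the parent folder (or by disabling inheritance on the child), since editing the child's own entries will not remove it.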