Windows 7: Need help understanding users and permissions to secure new system


10 Feb 2011   #1

Windows 7 Home Premium 64-bit
 
 

Hello! I am migrating from a Windows XP SP+ system to a new Windows 7 64-bit
system. I have repartitioned my drive to have a new E: partition so that I can
keep my user data separate from the OS. I did this in accordance with this page:

Move Your Data to a Safer, Separate Partition in Windows 7 - PCWorld

Someone noted in the comments to this page

"One bit of advice I would like to add: Once you've moved your user folders to that new partition, check the ACLs (access control lists) of your user folders to be sure that they have the permissions as you want them to be. After I moved the data folders on my computer to a separate data partition, all users were able to see each others' data. The ACLs appear on the Security tab of the folders' properties."

I am now checking them, and I am confused by what I see. There are
four group or user names listed in the Security tab for each folder:

Authenticated user
SYSTEM
Administrators
Users

Am I correct in assuming that

Authenticated user = Anyone who has successfully logged in with a password
Administrators = Anyone who has an administrator account, including the
built-in Administrator account

Is Users a superset or subset of 'Authenticated users?' Is every authenticated
user also a User, or are Users only those people who have logged in without a
password?

I'm also trying to understand the file permissions that are allowed. There
is a 'Read & execute' permission that is allowed for all groups. Is there any
way to have a file be executable but not readable?

I assume that Administrators should have access to everything (and will
probably get it anyway regardless of what setting I choose), but what
about items in the SYSTEM group?

What does the Read attribute really mean? The help on "Permission
Entry Dialog Box" mentions three types of read permissions: Read Data,
Read Attributes, and Read Extended Attributes. I'm hoping that Read
really means Read Attributes (seeing that the file is there) rather than
Read Data (view the contents of the file).

In any case, it looks like my folders all currently allow Modify,
Read & execute, List folder contents, Read, and Write for every
Authenticated user, which is not what I would want. I'm guessing
that I should turn off Modify and Write (since those are the permissions
for non-Authenticated users), but I'd appreciate some feedback on Read.

While my old machine runs XP, I've never learned too much about Windows'
permissions, since I'm the sole user of the machine. Now that I'm moving
to a laptop and creating several accounts, I know I need to be more
paranoid about security. But I'm really most comfortable in the UNIX
world, where I'm used to the user-group-others paradigm. So any
insights will be appreciated.



11 Feb 2011   #2

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Hi FluffyBunny, welcome to the Seven Forums.

First, the difference between Users and Authenticated Users is that Users only contain users of that local PC, whereas Authenticated Users also contain the domain or Active Directory users. This Microsoft TechNet article explains more: Appendix D - User and Group Accounts

The read attribute means the user can view the contents of the file.

Personally I find those instructions you linked to be not so good. It's OK if you only want to relocate Documents folder but then it gets very complicated. I would rather use one of these methods:
Kari
11 Feb 2011   #3

Windows 7 Home Premium 64-bit
 
 

Quote: Originally Posted by Kari

> Hi FluffyBunny, welcome to the Seven Forums.
>
> First, the difference between Users and Authenticated Users is that Users only contain users of that local PC, whereas Authenticated Users also contain the domain or Active Directory users. This Microsoft TechNet article explains more: Appendix D - User and Group Accounts
>
> The read attribute means the user can view the contents of the file.
>
> Personally I find those instructions you linked to be not so good. It's OK if you only want to relocate Documents folder but then it gets very complicated. I would rather use one of these methods:
> Kari

I only care about relocating the files under C:\Users\AccountName, so I
hope what I already did will be good enough for now. However, would it
be safe for me to do OPTION TWO of the first link above,

To Change the Default User Profile Location of New User Accounts

It would be nice if all new accounts would create their folders
on the E: drive by default. I already have an E:\Users folder
for them to be stored in.

Finally, can you recommend any good books that discuss
these issues in more depth? I only have O'Reilly's
"Windows 7 Annoyances" so far. It has some good
information, but is not always that well organized,
and doesn't cover every topic. I have read good
reviews of "Windows Inside Out" but when I leafed
through it at the store, I wasn't sure it went into enough
depth. (I don't remember seeing much discussion of
drive partitioning, and I'm pretty sure it had no discussion
of virtualization, another topic I'm interested in, since I'd
like to run Ubuntu in VirtualBox eventually.) Thanks for
your feedback!




11 Feb 2011   #4

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

That option 2 in Brink's tutorial does exactly what you want to, locates all new user profiles to another drive.

About the literature. Windows 7 Inside Out is my favorite Windows 7 book, it goes quite deep (Windows 7 Inside Out). Here's a free eBook: Download details: Windows 7 Product Guide. And, IMO the best Windows 7 learning material: Windows 7 Training | Windows 7 Certification | Windows Vista Training | Training Portal.

Not knowing how familiar you are with Ubuntu and VirtualBox, here's a complete walk-through: Linux - Install on Windows 7 Virtual Machine using VirtualBox

Kari
11 Feb 2011   #5

Windows 7 Home Premium 64-bit
 
 

Kari,

>That option 2 in Brink's tutorial does exactly what you want to, locates all new user profiles to another drive.

Excellent; I'll try that.

>About the literature. Windows 7 Inside Out is my favorite Windows 7 book, it goes quite deep (Windows 7 Inside Out). Here's a free eBook: Download details: Windows 7 Product Guide. And, IMO the best Windows 7 learning material: Windows 7 Training | Windows 7 Certification | Windows Vista Training | Training Portal.

Thanks for the list. I'll take another look at "Windows Inside Out."

>Not knowing how familiar you are with Ubuntu and VirtualBox, here's a complete walk-through: Linux - Install on Windows 7 Virtual Machine using VirtualBox

I have some experience with Ubuntu, but haven't tried VirtualBox yet.
I have bookmarked the walk-through for future reference.

Many thanks for your quick feedback! I should be okay for now.
After getting these issues fixed up, it will be time to take the plunge
and connect to a network. I'll start a new topic if any issues arise
with that. Thanks again.
11 Feb 2011   #6

Windows 7 Home Premium 64-bit
 
 

Alas, it appears that I spoke too soon. First, I changed the
ProfilesDirectory entry in regedit and then tried to create a
new account. When I did so, the new account name did not
appear in EITHER C:\Users or E:\Users (where I wanted it).
I even tried rebooting to make sure the changes in regedit
had taken effect, but even after a reboot, creating a new
account did not create any new folders in either directory.

Then I tried changing the permissions of the folders I had
already moved to E:\Users (for a total of three accounts -
these were existing accounts, not the one I just created).
For each folder, for the authenticated users and ordinary
users, I tried to Deny the Modify, Read & execute, List
folder contents, and Read and Write permissions. But when
I tried to click Apply or OK, I got an "Error Applying Security"
dialog:

An error occurred when applying security information to

E:\Users\admin\Contacts

Access is denied.

(Note: Account admin is an administrative account.)
If I click Continue, it shows the dialog a couple more times
and then it goes away. It comes back again if I try to click
OK on the main Properties window. If I click Cancel a couple
of times, I get the "Windows Security" dialog

Stopping the propagation of permission settings leads to an
inconsistent state, in which some objects have the settings but
others don't. If you made the change by mistake, you should
apply the correct change immediately to achieve a consistent
state.

If I click OK to dismiss the dialog, I can't get out of the Properties
window. If I click Edit, Advanced, or Cancel, nothing happens, so
it appears I can't undo the 'mistake.' I can't close the window with
Alt-F4 either. How can I get out of this mess? (Hopefully without
leaving all my files visible to the world?) I find it very disturbing that
Windows 7 can so easily be put into an unusable state.
11 Feb 2011   #7

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Before panicking, please answer this: Did you log in to that new account you created before checking if the profile / folder existed?

The user folders are not created when you create an account. They are first created when the new user logs in the first time. You simply can not see the new user's folder in \Users before the account has been logged in at least once because the folder does not exist yet. More here.

Kari
11 Feb 2011   #8

Windows 7 Home Premium 64-bit
 
 

Aha! Thank you for that key piece of information. I had
in fact NOT logged into the newly created account. When
I logged into that account and opened up Explorer, I found
that a new set of folders had been created in E:\Users, as
I originally hoped. Yay!! One problem solved! And one
lesson learned.

Now can I get back to panicking about my file permissions? :-)
When I logged back into the admin account, I found I'm
still stuck in the same dialog box. Any suggestions you
can offer will be greatly appreciated.
11 Feb 2011   #9

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Take your time, you are free to panic now. In the meantime, I'll ask some permission gurus to take a look at your issue.

Kari
13 Feb 2011   #10

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Hi! FluffyBunny, welcome to 7F

I am not an expert, by any means, but this should help give you full access.

  • Start Windows 7 in safe mode (turn on/reboot, and tap F8 till the Windows menu comes up).
  • Select safe mode.
  • Once started, open Windows Explorer, right-click the C:/ drive, Properties. Then select the Security tab.

In Group or user names, select each one (one at a time), then Edit. You have to have the SYSTEM group listed.

  • Click each box under Allow so that there is a check mark in each box.
  • Go to Advanced, then the Owner tab, change from Administrators (your user name\Administrators) (whatever it's called) to your login name by using Edit.
  • Then shut down and restart in normal mode.

This should give you full control over your machine, and calm you down to where you can think straight again.



This is where I am not sure how this will turn out because I only have one drive.
PANIC TIME AGAIN!

Now, in order to have permission to access the E:\ drive or whatever drive you would like to access, you would go to the respective drive's Properties > Security tab.

Your users should be listed, then edit each one as you did for the C:\ drive. If they are not, then we will have to create them.

You can always go back to any of your drive's Properties > Security tab > Edit Group or user names, and remove/un-check any Allow boxes to restrict permissions.

Since you have Home Premium this tutorial may only work with method 2 or 3. Drive Access - Restrict or Unrestrict in Vista, and Windows 7- Vista Forums

There are these two also:
http://www.sevenforums.com/tutorials...-accounts.html
User Accounts - Add or Remove from Groups

I did not want to throw too much at you, but we may have to get into sharing these drives.
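
An added example, not part of any post in this thread: a PowerShell script that reports which profile folders under E:\Users grant Allow entries to Everyone, Authenticated Users or Users and, with `-Apply`, replaces the inherited ACL with explicit entries for the owning account, SYSTEM and Administrators rather than adding Deny entries. It assumes an elevated prompt, the E:\Users location from the thread, and that each folder is named after its account; the parameter names are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions: profiles live in E:\Users and each folder is named after its account.
param(
    [string]$ProfileRoot = 'E:\Users',   # hypothetical parameter name
    [switch]$Apply                       # without -Apply the script only reports
)

# Well-known SIDs, so matching does not depend on localized group names.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
$Skip    = 'Public', 'Default', 'Default User', 'All Users'
$SidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    if ($Skip -contains $dir.Name) { return }

    # List explicit and inherited Allow entries held by the broad groups.
    $hits = @((Get-Acl $dir.FullName).GetAccessRules($true, $true, $SidType) |
        Where-Object { $Broad.ContainsKey($_.IdentityReference.Value) -and
                       $_.AccessControlType -eq 'Allow' })
    foreach ($r in $hits) {
        '{0}: {1} -> {2} (inherited: {3})' -f $dir.FullName,
            $Broad[$r.IdentityReference.Value], $r.FileSystemRights, $r.IsInherited
    }
    if (-not $Apply -or $hits.Count -eq 0) { return }

    # 1) Add explicit Full control for the owning account, SYSTEM and
    #    Administrators first, so nobody is locked out by step 2.
    icacls $dir.FullName /grant:r "$($dir.Name):(OI)(CI)F" `
        '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed for $($dir.FullName)"; return }

    # 2) Drop the entries inherited from the drive root and any explicit ones
    #    for the broad groups. No Deny entries are used: a Deny on Users or
    #    Authenticated Users would also apply to the owner and administrators.
    icacls $dir.FullName /inheritance:r
    icacls $dir.FullName /remove:g '*S-1-1-0' '*S-1-5-11' '*S-1-5-32-545'
}
```

Run it once without `-Apply` to review the report before changing anything.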