Chapter 5 notes

Metadata is any part of a file that’s information about the file, rather than the file data itself. For example, the time the file was created, the file permissions, the file attributes, etc.

Attributes are flags Windows allows you to set on a file to change how it’s treated.

Read-only
Hidden
Archive
Index
Compress
Encrypt

Basic file/folder permissions table:

Full control: Modify + can take ownership of other people’s files and can change permissions on files
Modify: Read + Write + can delete files, cannot change permissions or seize ownership of files
Read and execute: Read + List folder contents
List folder contents: Can traverse the folder (list files in it), can open subfolders, can view attributes/permissions, can execute files, cannot read files
Read: Can read files, can view attributes/permissions, cannot traverse folders or execute files
Write: Can create files, can write to files, can create folders, can modify attributes, cannot delete files

Encrypting File System (EFS) lets you encrypt individual files and folders. It’s entirely different from BitLocker, another Microsoft product that’s designed to encrypt entire drives.

An Access Control List (ACL) is a list of users/groups and the permissions assigned to those identities or “security principals”. Each folder and file has its own ACL.

In Windows, setting the Deny permission usually overrides anything else, including explicitly granted Allow permissions. Using it is generally frowned on in production networks because of the hard-to-debug problems this can cause.

Allow permissions generally stack. If one of your groups gives you read and another gives you full control, you’ll have full control.

The exception to this is file sharing. When you’re accessing a file share like \\hvserver100\ISOs, the most restrictive set of permissions between NTFS and SMB applies. So if you only give Everyone read permissions in the SMB advanced sharing window for the ISOs share, but give yourself Full Control in the C:\ISOs NTFS permissions, you’ll only have read permissions when you access the file share. If you log in to HVServer100 and go to C:\ISOs in the file browser, you’ll be able to use your full NTFS permissions.

NTFS permissions will still stack on each other when you access an SMB share. 

Because of this, standard procedure is to grant the Everyone group Full Control in the Advanced Sharing window and then tighten permissions in the NTFS permissions window.

Explicit permissions (permissions set directly on a file or folder) override implicit permissions (permissions inherited from the folder above). An explicit Allow overrides an implicit Deny.
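The share-vs-NTFS rule and the explicit-vs-inherited rule above, as an added example that is not from the original notes. It is a toy model written here, not Windows code: it orders entries the way NTFS does (explicit Deny, explicit Allow, inherited Deny, inherited Allow), lets Allows stack, and intersects the result with the share permissions when the file is reached over SMB. The ISOs share, the user alice and her group memberships are constructed sample data.

```python
from dataclasses import dataclass

# Rights contained in each basic NTFS permission (simplified to the names in these notes).
NTFS = {
    "Read": {"read"},
    "Write": {"write"},
    "List folder contents": {"traverse", "execute"},
    "Read and execute": {"read", "traverse", "execute"},
    "Modify": {"read", "write", "traverse", "execute", "delete"},
    "Full control": {"read", "write", "traverse", "execute", "delete",
                     "change_permissions", "take_ownership"},
}
# Share (SMB) permissions are coarser: Read, Change, Full control.
SHARE = {
    "Read": {"read", "traverse", "execute"},
    "Change": {"read", "traverse", "execute", "write", "delete"},
    "Full control": NTFS["Full control"],
}

@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    kind: str                # "Allow" or "Deny"
    permission: str          # key of NTFS or SHARE
    inherited: bool = False  # True = implicit, inherited from the parent folder

def evaluate(acl, principals, table=NTFS):
    """Walk the ACL in canonical order: explicit Deny, explicit Allow, inherited
    Deny, inherited Allow. The first entry that decides a right wins, so Allows
    stack (union), an explicit Deny beats any Allow, and an explicit Allow beats
    an inherited Deny."""
    granted, denied = set(), set()
    for ace in sorted(acl, key=lambda a: (a.inherited, a.kind == "Allow")):
        if ace.principal in principals:
            bits = table[ace.permission]
            if ace.kind == "Deny":
                denied |= bits - granted
            else:
                granted |= bits - denied
    return granted

def effective_access(ntfs_acl, principals, share_acl=None):
    """Local access uses NTFS alone; through a share the more restrictive of
    NTFS and share permissions applies, i.e. the intersection of the two."""
    rights = evaluate(ntfs_acl, principals)
    return rights if share_acl is None else rights & evaluate(share_acl, principals, SHARE)

# Constructed sample: C:\ISOs on HVServer100, shared as \\hvserver100\ISOs (Everyone: Read).
ISOS_NTFS = [Ace("alice", "Allow", "Full control"),
             Ace("Domain Users", "Allow", "Read", inherited=True),
             Ace("Everyone", "Deny", "Write", inherited=True)]
ISOS_SHARE = [Ace("Everyone", "Allow", "Read")]
ALICE = {"alice", "Domain Users", "Everyone"}
```

`effective_access(ISOS_NTFS, ALICE, ISOS_SHARE)` yields only read, traverse and execute, while `effective_access(ISOS_NTFS, ALICE)` (logged on to the server, browsing C:\ISOs) yields full control, and alice’s explicit Full control beats the inherited Deny on Write.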

When you create a folder/file, it inherits the permissions of the folder it’s created in. When you copy a folder/file to a different place on the same drive, or when you copy or move a folder/file to another drive, it forgets its permissions and inherits the permissions of the folder it’s copied into.

The only time a folder/file keeps its permissions is when you move it to a different place on the same drive.

“Auditing” in the Windows world usually means logging.

Domain
Private
Public

When you enable File and Printer Sharing on a PC, it starts responding to SMB requests.

\\ paths (for example, \\DC01\appdeploy) are called UNC paths. The \\ tells Windows that you’re pointing it at an SMB share.

You can substitute an IP address for a server name in UNC paths, for example \\10.1.1.10\appdeploy.

Any shares with a name that ends in $ are hidden. They won’t show up if you browse to \\DC01\, but you can access them if you have Admin permissions and type the full path (\\DC01\C$, for example). You can see hidden shares, including the ones created by default, in the Shared Folders MMC snap-in and in PowerShell with the Get-SmbShare cmdlet.

NFS is the open-source equivalent of SMB. Linux and Mac generally still support SMB, and Windows generally supports NFS, but configuration is more difficult.

Access-based Enumeration is a setting that hides folders in shares from people who don’t have access to them.

User and folder quotas limit the amount of space one user or one folder can occupy on a file server. A hard quota blocks writing more files after the limit is reached, while a soft quota just warns the user and sends alerts to an admin.

File screens block certain file types from being uploaded to a share. For example, you could block video files from being uploaded to your file server.

FAT32 and exFAT don’t let you set NTFS-style per-user permissions, since they’re meant for portable drives.