Windows file permissions: more is less
Too complex by half
I have a funny story. A while back I was showing my son the cool speech recognition features in Microsoft Word. I got out my laptop, went through the configuration and training process by dictating into the microphone.
My son, twelve, could barely hold back the laughter as he listened to me read to my computer various excerpts from books such as the Wizard of Oz and Aesop's fables. He was just waiting for the chance to make fun of me. What I didn't realize was that the cheap microphone in my laptop is hardly sufficient for speech recognition purposes and the results were disastrous.
This is what happened: I opened up a blank word document, and spoke into the microphone. Microsoft Word did start entering text into the document but it was nothing like what I spoke. For example I said "Testing speech recognition" and MS Word typed "Resting white house Santa Ana."
Of course my son who had been already struggling to hold back suddenly burst in laughter at the nonsense it produced. The microphone picked up his laugh and interpreted it as the phrase "and the redneck score that many job I can eat the body to be."
Naturally, this made us both laugh, which resulted in the phrase "Barter dismay as boleslav bigoted and it might be what the public into." We laughed more and then Word gave us even more to laugh at.
Microsoft is really good at producing software with amazing features that no one ever uses. Microsoft Word is loaded with powerful editing tools and robust customization features, yet I still use just the default toolbars, and I still send faxes with "Elegant Fax" cover sheets. I write as part of my profession yet I rarely use any features that aren't already available in WordPad.
Windows permissions are kind of like that. The core security model certainly is sufficient to comply with even the most demanding security policies. The permissions are so flexible you are really only limited by your creativity. The problem is that not enough people take advantage of these features.
Consider for example, some of the things you could potentially do:
- You could remove certain file extension mappings for specific users by denying them read access to the registry keys that contain the mappings;
- With some applications that don't provide per user settings you can sometimes accomplish the same thing with granular user permissions on the registry keys themselves;
- You can set access permissions on programs such as the command prompt so that they are only available to certain users, and only if they are logged in interactively at the console;
- You can set permissions on much more than files and registry keys - you can also set permissions on named and anonymous pipes, directory objects, processes and threads, services, printers, network shares, and kernel objects;
- You can set one access control list for a folder, another for its subfolders (even if they don't exist yet), and yet another for the files in the folder (again even if they don't exist). That means you could have a directory that allows executables but any new file in the directory is by default denied execution.
You never really see people doing stuff like this, but the users aren't all to blame.
Back when I was a software developer a friend told me that if my users make common mistakes with my software then my software is probably broken. He explained that software design greatly contributes to user mistakes. Some designs set users up to make the same mistakes over and over. For example, how many times have you sent an email and forgot to send the attachment?
Windows permissions are powerful but they set up users to make the same mistakes over and over. The complexity and terminology alone are enough to trip up even experienced users. Sure, once you master terms like ACLs, ACEs, DACLs, SACLs, SIDs, RIDs, and SDDL, it gets a lot easier, but then you have to think about things like inheritance, protected ACL's, trust, and impersonation.
So it really should be no surprise how often I see systems with nothing more than the default permission settings.
I'm not saying the complexity is bad. The complexity is the power. But you have to ask yourself that if so many users fail to take advantage of these features, maybe something broken.
Humans actually deal quite well with complexity. Usually all it takes is a good metaphor, visualization, or object model. Look at Window Explorer - a file system can be complex but few users have problems getting used to Explorer's folder and document model. But once you start using terms like Discretionary Access Control List most of us tend to tune out.
You see, for most purposes people simply don't need added complexity. Many systems have two roles - users and admins. Therefore, most files will either be user files or admin files. Most often, you will want users to have limited access to files and admins to have full access. Windows tries to simplify things with generic access permissions such as Read and Write, but this obviously isn't enough.
The file permissions user interface in Explorer does little to hide the complexity or to make it more understandable for users. Despite all of Microsoft's research into user interface design, over the years little has changed with the permissions dialog box. This is what bugs me the most about that box:
- It takes too many mouse clicks to do any advanced permissions editing on a file or directory.
- It is way too much work to do any significant permissions editing in Explorer.
- In the basic permission settings box, they tried to simplify things, but checking one box sometimes automatically checks others. However, unchecking it doesn't uncheck the others.
- I always have to read twice the sentence, "Apply these permissions to objects and/or containers within this container only."
- The "This folder, subfolders and files" drop-down list takes way too much thought.
- There is a Clear All button, but how about a Select All button? Oh wait, all you have to do is check the Full Control permission. Of course, unchecking that box doesn't uncheck the others, hence the need for a Clear All button.
- In an attempt to make things consistent, they combined both file and folder settings on the same box, but it's hard to see the relationship between Traverse Folder and Execute File.
- Microsoft added an Effective Permissions tab, but this may not always be accurate. It does not take into account how the user logs in. It also does not take into account when you deny Delete permissions on a file but its parent allows Delete Subfolders and Files.
- And finally, my favorite of them all is that there are check boxes for both allow and deny permissions. You cannot check both boxes, but you can uncheck them both, it means that you neither allow nor deny them those permissions, which really means that you deny them.
Many admins don't even bother with Explorer and go straight to the command prompt to adjust file permissions. Windows has the built-in Cacls.exe tool to accomplish this but it has some significant limitations. Microsoft's Xcacls.exe and Xcacls.vbs tools are much more robust, but hardly intuitive. With so many command-line options and non-standard abbreviations, it's hard to use the tools without referring to the help reference at least once. Third-party tools such as FileACL and SetACL are much better, but still suffer from complexity. These tools are definitely not for average users. All of the command-line tools get very difficult to use when trying to set complex inherited ACL's.
For the ultimate in control, Microsoft provides the Security Descriptor Definition Language (SDDL). This language is sparsely documented and far from intuitive, but is actually quite powerful for specifying permissions. If you aren't intimidated by the permission string "D:(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;PU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)" well then, SDDL is just right for you.
There's no doubt that Windows permissions are complex. Microsoft has at least improved things by using better default permissions so we don't have to bother with it as much. But considering how powerful these capabilities are if customized by users, it might be worth it for them to spend some time rethinking the metaphors and the user interface.
Back to the complexity of Microsoft Word for a moment, however. I did find a better microphone headset and retrained MS Word's speech recognition feature. Just like Windows permissions, it turned to be pretty good and quite capable once you know how to use it.
Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.