Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Why not simply itemize all of the permission interpretations and allow users to individually grant or deny these? The NT and UNIX designers alike were making a tradeoff for simplicity over granularity. Rather than explicitly creating a permission for more than a dozen different access rights, grouping and overloading were allowed to simplify the administrator’s task.

You can also assign the permission Special Access for a file, which gives the designated user the ability to explicitly specify individual special permissions (R, W, X, D, and P) for the object.

The Windows NT interface for viewing or changing permissions can be confusing to read. When you view the permissions for an object, the permissions are itemized for each subject (user or group). Each line in the lower portion of the display shows the subject and the access permissions. The access permissions include the standard permission name and two sets of special permissions. The first set itemizes special permissions allowed on subfolders (subdirectories), and the second set lists the special permissions for files within the current folder. These sets are not always equal, as Tables 3.4 and 3.5 show.

A user can gain access either through permissions granted individually to the user or with permissions defined for any groups to which the user belongs. Access permissions are interpreted with the least privilege principle. Any expressly denied permission overrides any granted permissions. For example, if a user belongs to a group that has read access, but the user is explicitly entered in an ACE with No Access, the user will not be allowed to access the object. No Access overrides any other permissions.
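
The following is an added example, not code from the book: a small Python model of the rule as stated above, in which grants from the user's own entries and group entries are combined and any explicit denial (No Access) overrides them. The account names, group names, and the ACL itself are constructed for illustration.

```python
from dataclasses import dataclass

ALL_RIGHTS = frozenset("RWXDP")  # the individual permissions named in the text

@dataclass(frozen=True)
class Ace:
    trustee: str                 # user or group the entry applies to
    rights: frozenset            # subset of ALL_RIGHTS
    deny: bool = False           # True models a "No Access" entry

def no_access(trustee):
    """No Access denies every right to the named user or group."""
    return Ace(trustee, ALL_RIGHTS, deny=True)

def effective_rights(acl, user, groups):
    """Union the grants from the user's own and group ACEs, then subtract
    every explicitly denied right (deny overrides grant)."""
    subjects = {user, *groups}
    granted, denied = set(), set()
    for ace in acl:
        if ace.trustee in subjects:
            (denied if ace.deny else granted).update(ace.rights)
    return frozenset(granted - denied)

def is_allowed(acl, user, groups, requested):
    """True only if every requested right survives the deny-overrides rule."""
    return set(requested) <= effective_rights(acl, user, groups)

# Constructed sample ACL and accounts (hypothetical names).
ACL = [
    Ace("Engineering", frozenset("RX")),  # group grant
    Ace("alice", frozenset("W")),         # individual grant
    no_access("bob"),                     # explicit denial for one member
]
MEMBERSHIP = {"alice": ["Engineering"], "bob": ["Engineering"], "carol": []}

if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        rights = "".join(sorted(effective_rights(ACL, user, groups)))
        print(user, rights or "(none)")
```

A subject with no matching entry at all, like carol here, ends up with no rights, which is the same outcome as an explicit denial but for a different reason.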

You should know that access control can be specified for other objects in the NT environment including printers. Not all of the access control options identified are available for all objects, however.

NT Registry Permissions

The NT Registry is the main repository for storing system configuration information. As applications are added to the system, additional Registry entries are created. It is safe to say that the Registry is mysterious to even experienced systems administrators. Microsoft has responded to some security advisories by creating new Registry entries or by recommending changes to default values stored in the Registry.

Because the Registry is so critical to the operation of NT itself, a set of access control permissions is defined for Registry entries. Each entry in the Registry consists of a key and a value. Technically, the value can be a complex expression such as a string of characters. Entries are arranged hierarchically, much like a file system. Unfortunately, many parts of the Registry must be readable by all users. Not all users should be allowed to change Registry entries. Just as the NTFS supports standard and special permissions, the Registry has three standard access permissions and 10 special access permissions. Table 3.6 summarizes the standard Registry permissions, and Table 3.7 describes the special permissions.

Table 3.6 Standard Registry Permissions

Permission        Interpretation

Full Control      Edit, create, delete, or take ownership of Registry entries
Read              Read any key value
Special Access    Any combination of the 10 special permissions

Table 3.7 Special Registry Permissions

Permission           Interpretation

Query Value          Read a value for a key or subkey
Create Subkey        Set the value of a subkey
Enumerate Subkeys    List all subkeys within a key or subkey
Notify               Receive notifications generated by this key or subkey
Create Link          Create symbolic links to subkeys
Delete               Delete keys or subkeys
Write DAC            Modify the DAC for this key
Write Owner          Take ownership of key or subkey
Read Control         Read security information for a subkey

Just as file access permissions are set by default for NT, Registry permissions are also configured when NT is installed.

How Hackers Get around Access Control

Postings in cyberspace as well as recent books have detailed some of the attacks and recommended configurations for NT systems (Sheldon, 1997; Anonymous, 1997; Klander, 1997). Chapter 10, “Intrusion Detection for NT,” is devoted exclusively to describing what can go wrong on NT systems and why intrusion detection is needed despite NT’s C2 rating. The literature on problems with UNIX systems is immense, with Garfinkel and Spafford (1996) on most recommended reading lists.

In Part 2 of this book, some specific hack attacks will be detailed. For the purposes of this chapter, it is sufficient to state that access control problems can be narrowed down to one of two cases:

  Access control rules defined for an object are too permissive, and the hacker exploits a weakness introduced by this configuration. This situation can be the result of a configuration problem by the vendor, by the administrator, or by a program when it creates the object.
  A user can increase rights or privileges, with the goal of gaining Administrative or root access. Remember, this is usually the result of a software bug.
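
As an added example (not from the book), the first case can be checked mechanically for Registry keys: decode each ACE's access mask into the special permissions and flag broad groups that hold any right that modifies a key. The bit values are the Windows SDK constants from winnt.h; the key paths, the sample ACEs, and the choice of which trustees count as broad are assumptions made for illustration.

```python
# Access-mask bits behind the Registry special permissions (values from winnt.h).
KEY_RIGHTS = {
    0x00000001: "Query Value",
    0x00000002: "Set Value",
    0x00000004: "Create Subkey",
    0x00000008: "Enumerate Subkeys",
    0x00000010: "Notify",
    0x00000020: "Create Link",
    0x00010000: "Delete",
    0x00020000: "Read Control",
    0x00040000: "Write DAC",
    0x00080000: "Write Owner",
}
KEY_READ = 0x00020019        # the standard Read permission
KEY_ALL_ACCESS = 0x000F003F  # the standard Full Control permission

# Rights that let the holder change a key, its ACL, or its owner.
MODIFY_RIGHTS = {"Set Value", "Create Subkey", "Create Link",
                 "Delete", "Write DAC", "Write Owner"}
# Assumption: trustees treated as "all users" for this audit.
BROAD_TRUSTEES = {"Everyone", "Users"}

def decode(mask):
    """Translate an access mask into the special-permission names it contains."""
    return [name for bit, name in KEY_RIGHTS.items() if mask & bit]

def audit(aces):
    """Return (key, trustee, modify rights) for each broad trustee able to change a key."""
    findings = []
    for key, trustee, mask in aces:
        risky = [r for r in decode(mask) if r in MODIFY_RIGHTS]
        if trustee in BROAD_TRUSTEES and risky:
            findings.append((key, trustee, risky))
    return findings

# Constructed sample ACEs; the key paths are placeholders, not real entries.
SAMPLE_ACES = [
    (r"HKLM\SOFTWARE\ExampleApp", "Everyone", KEY_ALL_ACCESS),
    (r"HKLM\SOFTWARE\ExampleApp", "Administrators", KEY_ALL_ACCESS),
    (r"HKLM\SOFTWARE\ExampleApp\Settings", "Everyone", KEY_READ),
    (r"HKLM\SOFTWARE\ExampleApp\Startup", "Users", KEY_READ | 0x00000002),
]

if __name__ == "__main__":
    for key, trustee, risky in audit(SAMPLE_ACES):
        print(f"{key}: {trustee} can {', '.join(risky)}")
```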

