Introducing access control in Windows
The Windows approach to security is discretionary: each securable system resource-each file or printer, for example-has an owner who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who creates it. If you create a file, for example, you are the file's owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn't create.)
Note:
To exercise full discretionary control over individual files, you must store those files on an NTFS volume. For the sake of compatibility, Windows 10 supports the FAT and FAT32 file systems used by early Windows versions and many USB flash drives, as well as the exFAT file system used on some removable drives. However, none of the FAT-based file systems support file permissions. To enjoy the full benefits of Windows security, you must use NTFS.
What are security identifiers?
Windows security relies on the use of a security identifier (SID) to identify a user. When you create a user account on your computer (local account or Microsoft account), Windows assigns a unique SID to that account. The SID remains uniquely associated with that user account until the account is deleted, whereupon the SID is never used again-for that user or any other user. Even if you re-create an account with identical information, a new SID is created.
A SID is a variable-length value that contains a revision level, a 48-bit identifier authority value, and a number of 32-bit subauthority values. The SID takes the form S-1-x-y1-y2- . . . . S-1 identifies it as a revision 1 SID; x is the value for the identifier authority; and y1, y2, and so on are values for subauthorities.
You'll sometimes see a SID in a security dialog box (for example, on the Security tab of a file's properties dialog box) before Windows has had time to look up the user account name. You'll also spot SIDs in the hidden and protected $RECYCLE.BIN folder (each SID you see in this folder represents the Recycle Bin for a particular user) and in the registry (the HKEY_USERS hive contains a key, identified by SID, for each user account on the computer), among other places. The easiest way to determine your own SID is with the Whoami command-line utility. For details, see the following tip.
Not all SIDs are unique (although the SID assigned to your user account is always unique). A number of commonly used SIDs are constant among all Windows installations. For example, S-1-5-18 is the SID for the built-in Local System account, a hidden member of the Administrators group that is used by the operating system and by services that sign in using the Local System account.
To determine which users have access to a resource, Windows assigns a security identifier (SID) to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you sign in, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. Any program you start gets a copy of your security access token.
Learn about your own account with Whoami
Windows includes a command-line utility called Whoami (Who Am I?). You can use Whoami to find out the name of the account that's currently signed in, its SID, the names of the security groups of which it's a member, and its privileges. To use Whoami, open a Command Prompt window. (You don't need elevated privileges.)
Then, to learn the name of the signed-in user, type whoami. (This is particularly useful if you're signed in as a standard user but running an elevated Command Prompt window-when it might not be obvious which account is currently "you.") If you're curious about your SID, type whoami /user. For a complete list of Whoami parameters, type whoami /?.
With User Account Control (UAC) turned on, administrators who sign in get two security access tokens-one that has the privileges of a standard user and one that has the full privileges of an administrator.
Whenever you attempt to walk through a controlled "door" in Windows (for example, when you connect to a shared printer), or any time a program attempts to do so on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you get to hear a beep and read a refusal message.
In determining whom to let pass and whom to block, Windows consults the resource's access control list (ACL). This is simply a list of SIDs and the access privileges associated with each one. Every resource subject to access control has an ACL. This manner of allowing and blocking access to resources such as files and printers is essentially unchanged since Windows NT.
What are ACLs?
Each folder and each file on an NTFS-formatted volume has an ACL (also known as DACL, for discretionary access control list, and commonly called NTFS permissions). An ACL comprises an access control entry (ACE) for each user who is allowed access to the folder or file. With NTFS permissions, you can control access to any file or folder, allowing different types of access for different users or groups of users.
To view and edit NTFS permissions for a file or folder, right-click its icon and choose Properties. The Security tab lists all the groups and users with permissions set for the selected object. Different permissions can be set for each user, as you can see by selecting each one.
To make changes to the settings for any user or group in the list, or to add or remove a user or group in the list, click Edit. (Use caution. Setting NTFS permissions without understanding the full consequences can lead to unexpected and unwelcome results, including a complete loss of access to files and folders. Before you delve into the inner workings of NTFS permissions on the Security tab, be sure to try the safer and less complicated homegroup sharing or the Share With command.
The access granted by each permission type is as follows:
- Full Control Users with Full Control can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.
- Modify Allows the user to read, change, create, and delete files but not to change permissions or take ownership of files.
- Read & Execute Allows the user to view files and execute programs.
- List Folder Contents Provides the same permissions as Read & Execute but can be applied only to folders.
- Read Allows the user to list the contents of a folder, read file attributes, read permissions, and synchronize files.
- Write Allows the user to create files, write data, read attributes and permissions, and synchronize files.
- Special Permissions The assigned permissions don't match any of the preceding permission descriptions. To see precisely which permissions are granted, click Advanced.
UAC, which was introduced in Windows Vista, adds another layer of restrictions based on user accounts. With UAC turned on, applications are normally launched using an administrator's standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you're signed in as an administrator) or the credentials of an administrator (if you're signed in as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as pre-Windows Vista versions: administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don't have the privileges needed to run many older programs.
Permissions and rights
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner-for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular system-wide action, such as signing in or resetting the clock.
The owner of a resource (or an administrator) assigns permissions to the resource via its properties dialog box. For example, if you are the printer owner or have administrative privileges, you can restrict someone from using a particular printer by visiting the properties dialog box for that printer. Administrators set rights via the Local Security Policy console. For example, an administrator could grant someone the right to install a device driver. (The Local Security Policy console is available only in the Pro and Enterprise editions of Windows 10. In the Home edition, rights for various security groups are predefined and unchangeable.)
User accounts and security groups
The backbone of Windows security is the ability to uniquely identify each user. While setting up a computer-or at any later time-an administrator creates a user account for each user. The user account is identified by a user name and is normally secured by a password, which the user provides when signing in to the system. Windows then controls, monitors, and restricts access to system resources on the basis of the permissions and rights associated with each user account by the resource owners and the system administrator.
Account type is a simplified way of describing membership in a security group, a collection of user accounts. Windows classifies each user account as one of two account types:
- Administrator Members of the Administrators group are classified as administrator accounts. By default, the Administrators group includes the
first account you create when you set up the computer and an account named Administrator that is disabled and hidden by default. Unlike other account types,
administrators have full control over the system. Among the tasks that only administrators can perform are the following:
- Create, change, and delete user accounts and groups
- Install and uninstall desktop programs
- Configure automatic updating with Windows Update
- Install an ActiveX control
- Install or remove hardware device drivers
- Share folders
- Set permissions
- Access all files, including those in another user's folder
- Take ownership of files
- Copy or move files into the %ProgramFiles% or %SystemRoot% folders
- Restore backed-up system files
- Grant rights to other user accounts and to themselves
- Configure Windows Firewall
- Standard user Members of the Users group are classified as standard user accounts. A partial list of tasks available to standard user accounts includes
- Change the password and picture for their own user account
- Use desktop programs that have been installed on the computer
- Install system and driver updates using Windows Update
- Install and run modern apps from the Windows Store
- Install approved ActiveX controls
- Configure a secure Wi-Fi connection
- Refresh a network adapter and the system's IP address
- View permissions
- Create, change, and delete files in their document folders and in shared document folders
- Restore their own backed-up files
- View the system clock and calendar, and change the time zone
- Set personalization options, such as themes, desktop background, and so on
- Select a display dots-per-inch (DPI) setting to adjust text size
- Configure power options
- Sign in in Safe Mode
- View Windows Firewall settings
Assigning an appropriate account type to the people who use your computer is straightforward. At least one user must be an administrator; naturally, that should be the person who administers the computer. All other regular users should each have a standard user account.
What happened to the Administrator account?
Every computer running Windows has a special account named Administrator. In versions of Windows before Windows 7, Administrator was the primary account for managing the computer. Like other administrator accounts, the Administrator account has full rights over the entire computer. But in Windows 10, the Administrator account is disabled by default.
In Windows 10, there's seldom a need to use the Administrator account instead of another administrator account. With default settings in Windows, the Administrator account does have one unique capability: it's not subject to UAC, even when UAC is turned on for all other users. All other administrator accounts (which are sometimes called Protected Administrator accounts) run with standard-user privileges unless the user consents to elevation. The Administrator account runs with full administrative privileges at all times and never needs your consent for elevation. (For this reason, of course, it's rather risky. Any application that runs as Administrator has full control of the computer-which means applications written by malicious or incompetent programmers can do significant damage to your system.)
And the Guest account?
Historically, the built-in Guest account has provided a way to offer limited access to occasional users. Not so in Windows 10. Although this account still exists, it is disabled by default, and the supported tools for enabling it (the Local Users And Groups console, for example) do not work as expected. In our experience, trying to trick Windows 10 into enabling this capability is almost certain to end in frustration. In the cloud-centric world of Windows 10, the Guest account no longer works as it used to and enabling it can cause a variety of problems. A better solution (if your guests don't have their own device that can connect to your wireless network) is to set up a standard account for guest use.
Security groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.
In large networks based on Active Directory domains, groups can be a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. We don't recommend creating or using groups other than the built-in Administrators and Users groups on standalone and workgroup-based computers, however.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all of the privileges accorded to all groups of which the user account is a member.