Default permissions for the MachineKeys folders
This article describes default permissions for the MachineKeys folders.
Original product version: Windows Server 2003
Original KB number: 278381
Summary
The MachineKeys folder stores the key pairs behind certificates issued to both the computer and users. Both Certificate Services and Internet Explorer use this folder. The default permissions on the folder can be misleading when you try to determine the minimum permissions needed to install and access certificates.
Default permissions for MachineKeys folder
The MachineKeys folder is located under the All Users Profile\Application Data\Microsoft\Crypto\RSA folder. If the folder's permissions are below the minimum level described here, a user may receive the following errors when generating a server certificate by using Internet Information Server (IIS):
- Failed to Generate Certificate Request
- Internal Server Error (The Private Key that you are importing might require a cryptographic service provider that is not installed on your system)
The following settings are the default permissions for the MachineKeys folder:
- Administrators (Full Control) This folder only
- Everyone (Special) This folder only
Permissions for Everyone group
To view the special permissions for the Everyone group, right-click the MachineKeys folder, select Advanced on the Security tab, and then select View/Edit. The special permissions are:
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Read Permissions
Select the Reset Permissions on all Child objects and enable propagation of inheritable permissions check box. The administrator doesn't have Full Control on child objects; this protects the private half of each user's key pair. The administrator can still delete a user's certificates.
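The following PowerShell script is an added example, not part of KB 278381: it reads the live MachineKeys ACL and reports any ACE that deviates from the defaults listed above (Administrators: Full Control; Everyone: the eight special rights; both "This folder only"). It assumes the folder is at %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, where the All Users profile's Application Data resolves on Windows Vista and later; pass -Path explicitly on Windows Server 2003.

```powershell
# Added example (not from KB 278381): audit the MachineKeys ACL against the documented defaults.
# Assumption: All Users Profile\Application Data resolves to %ProgramData% on Vista and later.
param(
    [string]$Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$FSR = [System.Security.AccessControl.FileSystemRights]
function Show($mask) { [System.Security.AccessControl.FileSystemRights]$mask }

# The eight GUI entries for Everyone, by their FileSystemRights names:
# List Folder/Read Data = ReadData, Create Files/Write Data = CreateFiles,
# Create Folders/Append Data = AppendData; the others share the GUI name.
$everyoneExpected = [int]([System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, ReadPermissions')
# Every Allow ACE carries Synchronize, which the GUI list does not show; mask it out before comparing.
$ignore = [int]$FSR::Synchronize

$findings = @()
foreach ($ace in (Get-Acl -Path $Path).Access) {
    $who    = $ace.IdentityReference.Value
    $rights = [int]$ace.FileSystemRights -band (-bnot $ignore)
    if ($ace.AccessControlType -ne 'Allow') {
        $findings += "${who}: Deny ACE present; the default ACL has only Allow entries"
        continue
    }
    # "This folder only" means the ACE carries no inheritance flags.
    if ($ace.InheritanceFlags -ne 'None') {
        $findings += "${who}: ACE propagates to child objects ($($ace.InheritanceFlags))"
    }
    switch -Wildcard ($who) {
        '*\Administrators' {
            if ($rights -ne [int]$FSR::FullControl) {
                $findings += "Administrators: expected FullControl, found $(Show $rights)"
            }
        }
        'Everyone' {
            # Any bit outside the documented eight (Delete, Change Permissions, ...) is excess.
            $excess = $rights -band (-bnot $everyoneExpected)
            if ($excess) { $findings += "Everyone: rights beyond the documented default: $(Show $excess)" }
        }
        default { $findings += "Unexpected principal on MachineKeys: $who ($(Show $rights))" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'MachineKeys ACL matches the documented defaults.' }
```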
For more information, see the following article:
Windows 2003 NTFS and Share Permissions
The concept of permissions in a Microsoft environment is one of the more confusing subjects that certification candidates face, but a very necessary topic to know, as many of Microsoft's certification exams test on it. This guide aims to help you understand the various types of permissions and how to use them in a Windows 2003 environment.
NTFS file permissions are used to control the access that a user, group, or application has to folders and files. They are referred to as NTFS permissions because a drive must be formatted with NTFS in order to utilize these permissions.
NTFS File Permissions:
NTFS file permissions are used to control the access that a user, group, or application has to files. This first table displays the available permissions for files.
| Permission | Allows |
|---|---|
| Full Control | Read, write, modify, execute, change attributes, permissions, and take ownership of the file. |
| Modify | Read, write, modify, execute, and change the file's attributes. |
| Read & Execute | Display the file's data, attributes, owner, and permissions, and run the file (if it's a program or has a program associated with it for which you have the necessary permissions). |
| Read | Display the file's data, attributes, owner, and permissions. |
| Write | Write to the file, append to the file, and read or change its attributes. |
Windows 2000 & 2003 have the option of denying a user or users a particular permission. For example, if you wanted to make sure that Bob is unable to read any file, then simply deny him Read permissions. Permissions are cumulative, except for Deny, which overrides everything. By cumulative, we mean that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups that the user is a member of. For example, if Bob is assigned Read access to a file, and the "sales" group that Bob is a member of has Write permissions assigned, Bob's effective permissions are Read and Write for that file.
NTFS Folder Permissions:
NTFS Folder permissions determine the access that is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. The following table displays the different permissions for folders.
| Permission | Allows |
|---|---|
| Full Control | Read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within. |
| Modify | Read, write, modify, and execute files in the folder, and change attributes of the folder or files within. |
| Read & Execute | Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions). |
| List Folder Contents | Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions). |
| Read | Display the file's data, attributes, owner, and permissions. |
| Write | Write to the file, append to the file, and read or change its attributes. |
The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and are thus different permissions. Files can inherit the Read & Execute permission but can't inherit the List Folder Contents permission. Folders can inherit both.
File permissions override folder permissions. For example, let's say that Bob has Read access to a file called file.txt which is located in a folder that he has no access to. In this case, the file will be invisible to Bob, and since he cannot list the folder contents, he would have to access the file using the UNC path or the logical file path.
Copying, Moving, and Inheritance:
The next table shows what happens to files when they are copied or moved within or across NTFS partitions.
| Operation | Result |
|---|---|
| Moving within a partition | Does not create a new file; the directory entry is simply updated. The file keeps its original permissions. |
| Moving across a partition | Creates a new file and deletes the old one. The new file inherits the target folder's permissions. |
| Copying within a partition | Creates a new file which inherits the permissions of the target folder. |
Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but will retain their long filenames.
Special Access File Permissions:
Windows 2000 & 2003 also support special access permissions which are made by combining other permissions. The following tables will show special access permissions and the recipes to make them.
| File Special Permissions | Full Control | Modify | Read & Execute | Read | Write |
|---|---|---|---|---|---|
| Traverse Folder/Execute File | X | X | X | | |
| List Folder/Read Data | X | X | X | X | |
| Read Attributes | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | |
| Create Files/Write Data | X | X | | | X |
| Create Folders/Append Data | X | X | | | X |
| Write Attributes | X | X | | | X |
| Write Extended Attributes | X | X | | | X |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |
| Synchronize | X | X | X | X | X |
Special Access Folder Permissions:
Below are the special access permissions for folders.
| Folder Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read |
|---|---|---|---|---|---|
| Traverse Folder/Execute File | X | X | X | X | |
| List Folder/Read Data | X | X | X | X | X |
| Read Attributes | X | X | X | X | X |
| Read Extended Attributes | X | X | X | X | X |
| Create Files/Write Data | X | X | | | |
| Create Folders/Append Data | X | X | | | |
| Write Attributes | X | X | | | |
| Write Extended Attributes | X | X | | | |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |
| Synchronize | X | X | X | X | X |
Remember that file permissions override the permissions of the parent folder. Any time a new file is created, the file will inherit permissions from the target folder.
Share Permissions:
Shares are administered through the MMC, My Computer or through Explorer, and permissions can be set on a share in the "Share Permissions" tab. Share level permissions only apply when a file or folder is being accessed via the network and do not apply to a user logged into the machine locally. The following are the different share-level permissions:
| Share permission | Allows |
|---|---|
| Read | View files and subdirectories. Execute applications. No changes can be made. |
| Change | Includes Read permissions and the ability to add, delete or change files or subdirectories. |
| Full Control | Can perform any and all functions on all files and folders within the share. |
The Deny permission can also be applied to shares. The Deny permission overrides all others. When folders on FAT and FAT32 volumes are shared, only the share level permissions apply as these systems do not support file and directory (NTFS) permissions. When folders on NTFS volumes are shared, the effective permission of the user will be the most restrictive of the NTFS and share permissions. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of read and file permissions of full control, his effective permissions would be read. Conversely, if his share permissions are full control and his file permissions are read, he will still only have read permissions to mystuff.
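As an added example (not part of the original guide), the two rules above modelled in PowerShell: NTFS permissions accumulate across the user and the groups the user belongs to, a Deny removes what it names regardless of any Allow, and over a share the effective access is the NTFS rights intersected with the share permission. The ACEs, the principals Bob and sales, and the mapping of Read/Change/Full Control share permissions onto NTFS right masks are constructed for this example.

```powershell
# Added example (not from the guide): effective-permission arithmetic using the
# FileSystemRights flags that back the basic permissions in the tables above.
$FSR = [System.Security.AccessControl.FileSystemRights]
function Show($mask) { [System.Security.AccessControl.FileSystemRights]$mask }

# Rule 1: union of every Allow ACE that applies to the user or its groups,
# then subtract every applicable Deny ACE bit by bit (Deny overrides).
function Get-EffectiveNtfsRights {
    param([string[]]$Principals, [object[]]$Aces)
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Allow') { $allow = $allow -bor [int]$ace.Rights }
        else                       { $deny  = $deny  -bor [int]$ace.Rights }
    }
    return $allow -band (-bnot $deny)
}

# Rule 2: share permissions expressed as NTFS masks (assumed mapping), then
# ANDed with the NTFS result so the most restrictive of the two wins.
$shareLevel = @{ 'Read' = [int]$FSR::ReadAndExecute; 'Change' = [int]$FSR::Modify; 'Full Control' = [int]$FSR::FullControl }
function Get-EffectiveShareAccess {
    param([int]$NtfsRights, [ValidateSet('Read','Change','Full Control')][string]$SharePermission)
    return $NtfsRights -band $shareLevel[$SharePermission]
}

# Constructed ACL on file.txt: Bob is allowed Read, the "sales" group is allowed Write.
$aces = @(
    @{ Identity = 'Bob';   Type = 'Allow'; Rights = $FSR::Read  },
    @{ Identity = 'sales'; Type = 'Allow'; Rights = $FSR::Write }
)
$bob = Get-EffectiveNtfsRights -Principals 'Bob','sales' -Aces $aces
"Bob locally (Read + sales Write):        {0}" -f (Show $bob)          # Write, Read

# A Deny Write on sales takes the write bits away again, despite the Allow.
$aces += @{ Identity = 'sales'; Type = 'Deny'; Rights = $FSR::Write }
$bob = Get-EffectiveNtfsRights -Principals 'Bob','sales' -Aces $aces
"Bob after Deny Write on sales:           {0}" -f (Show $bob)          # Read

# Over the share: Full Control on NTFS but Read on the share yields Read-level access.
$overShare = Get-EffectiveShareAccess -NtfsRights ([int]$FSR::FullControl) -SharePermission 'Read'
"Bob via share (NTFS Full Control, share Read): {0}" -f (Show $overShare)   # ReadAndExecute
```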
Effective Permissions Tool in Windows 2003:
Determining effective permissions can get confusing, especially on enterprise networks. In Windows 2003, Microsoft included a new feature that helps sort this mess out. If you go to the Advanced properties of the Security tab for NTFS resources, there is a tab titled "Effective Permissions" which allows you to calculate the permissions that apply to users or groups. This tool does not take share permissions into account.
Best Practices:
The way companies manage their permissions will vary based on their needs. In any event, a lot of planning should be done before implementing permissions systems in order to avoid a lot of headaches later. Below are some best practices for using permissions.
When setting permissions, you want to minimize the amount of administration required. Imagine if you had to manage the permissions on every file on your network for every user. It would be an administrative nightmare. For this reason, unless absolutely necessary, assign permissions to groups and place users in the relevant group. The same should be done for share permissions as well.
Avoid using Deny permissions except in the following types of cases:
- Use Deny permissions to exclude a subset of a group which has Allowed permissions.
- Use Deny to exclude one special permission when you have already granted full control to a user or group.
You definitely should not ever use Deny permissions for the Everyone group, because that group includes administrators.
Keep in mind that privileges (rights) can sometimes override permissions.
Note: While the permissions systems in Windows 2000 and 2003 are nearly identical, there are a few differences. One of the biggest permissions differences between Windows 2000 and 2003 was the default security settings. Windows 2000 shipped with Full Control for the Everyone group (NTFS and share permissions), the Guest account was enabled, etc. Windows 2003 was locked down better in its default state. For more information on this, read Changes to Default Settings Make Windows Server 2003 More Secure (Part 1).
What are the Windows 2003 permissions
Question
I have an issue, but I am not sure if this is the design of the file server permissions. I have one user who has the Modify rights to modify/read and create folders in a shared folder. In the shared folder, she created a subfolder, so she should be the owner of the subfolder, and her security permission is Modify. By right, Modify does not have the rights to assign permissions to other users, but as owner, she does. Does this mean that the folder owner supersedes the security? And is it possible to avoid this? E.g. folder owner but without the rights to assign permissions to other users to access. Thanks a lot.
Answers
>>Does this mean that the folder owner supersedes the security?
If the user is the Owner of the folder, he or she should have Full Control permissions to the folder, which means the user can do anything to the folder.
>>And is it possible to avoid this? E.g. folder owner but without the rights to assign permissions to other users to access.
As far as I know, unless we deprive the user of the ownership, we can’t achieve this.
Regarding file and folder permissions, the following article can be referred to for more information.