Simple File Permissions

[GreenLED]

I'm looking to simplify the fire permission matrix in Windows. As I see it, there should only be 3 listed users/groups with access to a file/folder. Root (a.k.a. the admin), the user (a.k.a. let's clal him John) and the system (I don't even like having this extra one, but it seems necessary). Has someone come up with some sort of simplified approach to the file permission system in Windows, there are WAY too many users/groups with access, that can lead (and I'm sure has) to utter confusion and a administration nightmare. Please be constructive in your response. If you haven't tried it, and think it's a waste of time, I'd rather you not respond. Hopefully some others can benefit from the responses to this post.

Also, if someone could clarify the difference and the point of having the modify AND write permission, it seems very -- extra, although i'm sure it has some tangible benefits.

[GrofLuigi]

Shameless plug...

I've done it, but I'm still in doubt is it worth it. Mostly because I haven't found out anything about the actual format the permissions are stored in (mostly, whether "Inherit..." means less permissions stored. I think it does not.).

Otherwise, only two security principals: Administrators and System (anywhere on the system partition, with some exceptions). My username (even in registry) is not owning anything.

Other partitions: Everyone full access.

When the services configured to run under "weak" accounts (Local Service, Network Service) are disabled or their owner changed to Local System, the two "weak" accounts aren't started on boot. No problems, except for Distributed transaction coordinator gruntling, but who uses that anyway.

I still don't advise doing it, mostly because you "weaken" security (in Microsoft's sense of the word).

GL

[Andromeda43]

There are two programs, floating around on the internet, , , "Take Ownership" and "Grant Administrator Privileged" that can make you the owner of any file or folder in Windows XP, Vista or Win-7.

The latter is an extended version of the former.

They both add themselves to the Right Click Context Menu. Find a file you want to 'deal with', right click it and "Take Ownership" of that file and it's YOURS.

I do that often when Windows tells me I don't have permission to delete or rename a file.

Good Luck,

B)

Edited June 6, 2011 by Andromeda43

[GreenLED]

Well, I like the first solution, but what I'm really looking fo here is maybe a unix clone as far as file permissinos go. YES, I know it's not going to operate the same, obviously, but I think maybe some more research could be done on this, as far as testing and development. Those programs sound interesting (and scary). There MUST BE (and I'm sure there is) a way to simplify this hodgepodge of mess. The fact that the system is overly-complicated is not an issue of debate for me. And as you say, the speed increase and performance aspect is there as well. Maybe we can start by looking at the linux system and see if it's doable. I'm glad someone has researched this a bit, looks promising coming up with a solution.

[GrofLuigi]

You can't change the system of permissions in Windows (its structure and the way it works) because every bit of Windows enforces it. You'd have to rewrite the entire operating system. You can only play with users and groups. But even if you 'play nice' Windows has many undocumented traps which you have no way of knowing they exist. And that's even before Vista/7...

GL

[Joseph_sw]

thanks for accessenum references, especialy useful to kill tons deny policies on registries.

[GrofLuigi]

Another interesting program of that nature is DumpSec.

GL