Basic Data Protection in Windows

For all intents and purposes, we’ll be taking a look at three different types of data protection. They can be used independently or in conjunction to reach the desired level of protection.

The most basic of all data protection methods uses a file or folder’s attributes flags to hide the file from display. This does not provide a very good level of protection. Common system settings can be used to reveal these files. Due to the inherent inefficiencies in this method, I feel it warrants nothing more than a mention.

The next layer of protection occurs at the file system level. The NTFS file system that ships with Windows 2000 and newer provides protection that was not available in earlier FAT file systems.

This method of protection makes use of Access Control Lists (ACLs) that are attached to files or folders to determine who is allowed access. Since it is written directly to the disk, this method provides security even when a drive is removed from a machine.

There are two types of ACL protection. Traditional ACLs list individual users who have access. More recent versions use a role-based access control that serves permissions to groups instead. Windows is capable of using both.

Each accessible object, either a file or a folder, has an identifier assigned to its ACL that grants a combination of Read, Write, or Execute permissions to the assigned users or groups. In other words, not only can you restrict access completely, but you also have the ability to limit what actions can be performed on a specific file or folder. The identifier is then written as an attribute for the file or folder.

Implementing ACL securities in Windows is extremely quick and efficient. This provides a moderate level of security. While data access is controlled under the operating system, the file’s contents are still intact and unaltered. This means that a dedicated threat could still extract the data. However, for most security settings, this is a negligible risk.

In Windows, these permissions can be changed from a file's or folder’s Properties dialog. To begin, you’ll need to make sure that you are not using Simple File Sharing as these settings will not be available to you if Windows is managing your file security. Use the following steps to disable Simple File Sharing.

1. Click the Start button and open My Computer from the Start menu.
2. Select Folder Options… from the Tools menu to open the Folder Options dialog box.
3. On the View tab, locate the Advanced settings list and scroll to the last entry.
4. Deselect the option labeled Use simple file sharing (Recommended).
5. Select Apply and OK to close all open dialogs.

File and folder security settings will be available immediately. You can open any File or Folder Properties dialog to see a newly available Security tab.

From this tab, you will be able to allow or deny specified actions for each user or group on your computer. Let’s take a look at the more advanced settings.

Clicking the Advanced button will open a dialog that reveals more advanced settings to help you customize your data protection. There are several tabs that contain settings for specific areas of ACL protection.

The first tab allows you to customize the Special Permissions. This set of permissions defines what security settings are inherited from the parent object and which are passed down to child objects. This ensures that settings permissions for a folder will allow settings to propagate to the files and folder it contains.

Special Permissions are used to selectively override permission settings for an object.

The next tab allows you to set the Auditing procedures for the specified object. Auditing is a method of tracking access attempts on the object. It is controlled by Local Policy Settings (Group Policies), Domain Security Policies, or both depending upon the environment. If auditing policies are in place, an event will be written to the event log for each matching access attempt.

Your computer must be a member of a domain or have Local Security Policies enabled in order to utilize the Auditing feature. Auditing must also be enabled globally prior to creating Audit policies in order to prevent errors.

You can enable local auditing from within the Group Policy Editor in the following steps. You may need to install the Group Policy snap-in first.

1. Select the Start button and choose Control Panel from the Start menu.
2. Select Performance and Maintenance and then select Administrative Tools.
3. Double-click Local Security Policy to open the Local Security Settings.
4. In the left pane, expand Local Policies and select Audit Policy.
5. Double-click items in the right pane to enable Audit events.

Once you have enabled audit objects events you can then select which events to monitor for your files and folders.

The remaining two tabs, Owner and Effective Permissions respectively, allow you to further control more advanced permission settings by defining a file's or folder’s owner and allowing you to determine what specific actions may or may not be performed on the object.

From the Owner tab, you can select an object’s owner. By default, the owner has full control over the object. He or she may perform any action on the object and change any of its security settings. Other users or groups have either inherited or assigned permissions based on these settings.

Within the Effective Permissions tab, you can further customize which specific actions are granted to specific users or user groups for an object and its children. With these settings you can form very specific security policies to fit your exact needs. You may grant or restrict any action that can be performed on or with your object.

By taking advantage of the NTFS file system and making use of ACLs and security policies, you can effectively create a moderate level of security for controlling access to your data. While this is far from foolproof, it will keep your files and folders out of the wrong hands and keep your data from prying eyes.

Need a better security solution without paying an arm and a leg? Stayed tuned for my next article when I will show you the more advanced security methods provided by Windows.