How does Windows Security Work?

A while back, I wrote a bit about securing access to your Windows server or workstation.  Today I will look at that in a bit more depth.

On Windows servers, or workstations that have file sharing enabled, the idea is to allow users on other computers to have access to files on the server or workstation.  This allows the use of databases, shared spreadsheets and other files, and so on.

While this is desirable, it also raises the issue of denying access to those same files and directories to people who should not have access to them.  This is where access control comes in.

In Windows, you have the ability to set the permissions for folders, and individual files, to control who can read and/or write them.  There may be different permissions for different users, or groups.  So, you may set a directory, for example, so that your IT department can do anything in it, and other users may only read what is in there.

Before getting into how this is done, I want to say a little about part of the terminology used.  In setting up access control there is an option for "Everyone".  In this case, "Everyone" does not really mean everyone.  What it means is all authenticated users, in other words, users who have a login account on the machine or server.  The group "Guest" is what truly means anyone at all, whether they can authenticate or not.

To set access control, right-click on the folder or file, select Properties, and go to the Security tab.  In the Security tab, the upper part shows the list of who has been granted access.  The lower part shows what access has been granted to the user or group that is highlighted in the upper part.

In our example, then, the users in the IT department would be added in the top part.  Each of them would then be given the "Full Control" permissions.  Then, the "Everyone" group would be added, and only the "Read" access would be given to them.

Those are the basics of setting up access control.  There is more that can be done, such as creating an IT Department group and adding the appropriate members to it.  Then you only have to add the IT Department group with Full Control and the Everyone group as read-only.  Different files in a folder may also have different permissions.  Each requirement is different, and each needs to be evaluated and set up to meet the requirements.
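The same IT Department / Everyone layout can be applied from PowerShell instead of the Properties dialog, and then audited to confirm that "Everyone" ended up with read access only. This is an added example, not code from the original post; it assumes a folder `C:\Shares\Projects` and a local group named `IT Department`, both made up for the illustration.

```powershell
# Added example (not from the original post). Assumed names: the shared
# folder C:\Shares\Projects and the local group "IT Department".
$Folder  = 'C:\Shares\Projects'
$ItGroup = 'IT Department'

function Set-ProjectFolderAcl {
    param([string]$Path, [string]$AdminGroup)

    $acl = Get-Acl -Path $Path

    # Stop inheriting the parent's entries and discard the inherited copies,
    # so only the entries added below apply (the GUI's "Disable inheritance").
    $acl.SetAccessRuleProtection($true, $false)

    # Entries apply to this folder, its subfolders and the files in them.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # IT Department group: Full Control. Everyone: Read only, as in the post.
    $itRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AdminGroup, 'FullControl', $inherit, $propagate, 'Allow')
    $everyoneRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Read', $inherit, $propagate, 'Allow')

    $acl.AddAccessRule($itRule)
    $acl.AddAccessRule($everyoneRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EveryoneWriteEntries {
    # Audit check: return any Allow entry that lets "Everyone" change files.
    param([string]$Path)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
}

Set-ProjectFolderAcl -Path $Folder -AdminGroup $ItGroup

# Show the resulting entries, then flag the misconfiguration the post warns about.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
if (Get-EveryoneWriteEntries -Path $Folder) {
    Write-Warning "Everyone has write access to $Folder; expected read only."
}
```

Run it from an elevated prompt as the folder's owner or an administrator; `Set-Acl` fails otherwise.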

