"Common sense is the metaphysics of savages" — Bertrand Russell

The other day I had a weird customer support issue on windows vista, where a guy couldn't launch xplorer² from its shortcut icon. Instead of starting the program windows complained that Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item. I have heard of a lot of weird things in my life on the support desk but this was one of the most baffling. How can you be effective administrator and have denied access to any resource or file? Welcome to the weird and wonderful world of windows file and folder access permissions.

In the old days file permissions were controlled with simple concepts like read-only and system attributes. These access control methods weren't designed with multiple users and computer networks in mind. Nowadays file attributes are all but ignored at the filesystem level. Their modern replacement is an over-engineered mind-boggling system with strange terms like DACLs and ACEs. What on earth is a Discretionary Access Control List and how can I use it to manage my file security?

The file sharing idea in windows was probably inspired by UNIX permissions. There you can have a file that only the owner can modify, whereas everybody else can only read. Except if you are administrator/super-user and you can take ownership of anybody else's file. Thus in windows you can have many different user groups (the owner, the local administrators, plain local users, users from other computers/domains etc) and assign different access permissions to each one. By default you can't read My Documents folder of other users on a PC (you will get access is denied error messages) unless you are logged as the administrator, but you have full control over your own documents.

What if you want to allow a fellow user to read or even modify your files? The simplest system offered is simple file sharing where to share a file you just place it under this special C:\Documents and Settings\All Users\Documents folder where everyone on your computer has full access. The down side is that first the real file storage location now has changed, and second it is all-or-nothing sharing.

For better control, disable the (usually on by default) simple sharing mode from Folder options (clear the checkbox on the right picture). Then the property page of files and folders will include a Security tab where you can fine-tune access permissions. The file owner can change these permissions and so can local administrators. But you can do special tricks like enable a single user to have read only access to some of your files, something that simple file sharing can do. Remember that in windows vista and windows 7 you are almost never running as true administrator even from an administrative logon, unless you use "run as administrator" to launch explorer or xplorer². So make sure you have the right permissions if you get any more access is denied errors when trying to modify file security. In extremely dodgy situations you can add the Everyone group — which represents local and network users,

and their wives — and assign full access to it.

Closing the security subject here are some relevant topics we have discussed before:

• If you want to disable access to some of your files to everyone including administrators use file encryption
   
• To share folders with other computers on the network use sharing and security context menu command to assign a network share with the desired permissions. Then other users from remote computers will get network access.
   
• Limited authority users cannot write and thus cannot harm system folders and DLLs, because they don't have the necessary security clearance. So if you have a normal user account and use it daily you will limit the harm from viruses and worms that may intrude your computer through internet or email.

Post a comment on this topic