Windows NT/2000/XP/2003/Vista/7/2008/8/2012 systems offer security features that are not available on older Windows systems. Windows NT/2000/XP/2003/Vista/7/2008/8/2012 supports user and group names, domains, file attributes, and file access control lists. The MKS Toolkit on Windows NT/2000/XP/2003/Vista/7/2008/8/2012 now provides facilities for displaying and using this kind of information.
On each Windows NT/2000/XP/2003/Vista/7/2008/8/2012 system, the Security Account Manager (SAM) maintains a security account database. This database contains information about all user and group accounts on the machine. On networked systems, both individual workstations and collections of workstations can be grouped together to share a common user account database (SAM database). These workstations are considered to be members of a domain (which has a specific domain name), and their common account database is administered by a Windows NT/2000/XP/2003/Vista/7/2008/8/2012 Domain Server. This configuration allows a user to log into any of these workstations using a single account. The SAM database accessed at login time depends on whether the user wants to log into the workstation or into the domain. The user can select the database in the login dialog window.
User and group accounts have a name and a number. The user and group names have the format "DomainName\Username"; the numbers are known as security identifiers (SIDs). A standard notation for SIDs makes it easy to visualize the components in the SID. This format is:

S-r-i-s-s...

where:

S is the letter S and identifies that this string is a SID
r is the revision level
i is the value known as "identifier-authority"
s is a subauthority value (a SID may carry several)
There are several SID values that have built-in or well-known values, including the following:

S-1-5-32-500 Administrator user
S-1-5-32-544 Administrators group
S-1-5-32-545 Users group
S-1-1 Everyone
On Windows NT/2000/XP/2003/Vista/7/2008/8/2012, SID values are used in all security operations including file access and ownership. Files on the NTFS file system have an owner, a group and usually a Discretionary Access Control List (DACL). The DACL contains a list of Access Control Entries where each entry specifies accessibility of a specific user or group account.
- User and Group Identifiers
Since SID numeric values are so large that they do not fit into the MKS Toolkit's implemented range of numeric user and group IDs (that is, 0 to 64K), an internal mapping table is used to store the SIDs, and the index into this table is used as the numeric value of the user or group ID. Thus, if an MKS Toolkit utility displays or uses a numeric user or group ID, this value is the table index. This value is not very useful to the user, since every utility builds its own table every time it is executed.
- User and Group Names
Files on networked file systems may have ownership, group or DACL information containing SIDs that are not recognized by security manager in the user's current domain. In this case, the user and/or group name corresponding to the SID cannot be obtained so the SID value is used instead in the format of the standard SID notation defined above.
Since SID values are usually very large, the TK_NTSECURITYINFO_SID_TERSE environment variable can be set, causing the SID values to be shortened. In this case all the subauthority values, except the last one, are replaced by the string "-...-".
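The two behaviours described above, the per-run mapping table that stands in for numeric user and group IDs and the TK_NTSECURITYINFO_SID_TERSE shortening, are illustrated by the following example. It is added here and is not MKS Toolkit code; the SID values and the SidTable class are constructed for the example.

```python
"""Parse SIDs written in the S-r-i-s... notation, render the terse form that
TK_NTSECURITYINFO_SID_TERSE selects, and model the per-process SID-to-index
table that the toolkit uses for numeric IDs.  Example code for this page."""
import re
from typing import Dict, List, Tuple

# S, revision, identifier authority, then zero or more "-subauthority" parts.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-r-i-s-s...' into (revision, identifier authority, [subauthorities]).
    Raises ValueError for text that is not a well-formed SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    rev, auth, subs = m.groups()
    subauths = [int(s) for s in subs.split("-") if s]
    return int(rev), int(auth), subauths


def terse_sid(sid: str) -> str:
    """Shorten a SID as TK_NTSECURITYINFO_SID_TERSE does: all subauthorities
    except the last are replaced by '-...-'.  A SID with fewer than two
    subauthorities has nothing to drop and is returned unchanged."""
    rev, auth, subauths = parse_sid(sid)
    if len(subauths) < 2:
        return sid
    return f"S-{rev}-{auth}-...-{subauths[-1]}"


class SidTable:
    """Hypothetical model of the internal mapping table: SIDs do not fit the
    0..64K uid/gid range, so each utility run hands out the table index instead.
    A fresh table per run is why the numbers are not stable across commands."""

    MAX_IDS = 64 * 1024

    def __init__(self) -> None:
        self._index: Dict[str, int] = {}

    def numeric_id(self, sid: str) -> int:
        parse_sid(sid)  # reject malformed input before it enters the table
        if sid not in self._index:
            if len(self._index) >= self.MAX_IDS:
                raise OverflowError("numeric ID range exhausted")
            self._index[sid] = len(self._index)
        return self._index[sid]
```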
- The /etc/passwd File
Older versions of the MKS Toolkit obtained user and group information from the password file $ROOTDIR/etc/passwd and the group file $ROOTDIR/etc/group. Newer MKS Toolkit versions running on Windows NT/2000/XP/2003/Vista/7/2008/8/2012 now use the native system security information instead of these password and group files. For example, typing
on the shell command line is replaced by the home directory of user testusr. (This directory was initialized when the user account was created using Windows NT/2000/XP/2003/Vista/7/2008/8/2012's UserManager Administrative Tool.) This security information is stored in the Windows NT/2000/XP/2003/Vista/7/2008/8/2012 SAM database on the primary domain server.
These security features can be disabled (See NOTES).
- The chacl command
The chacl command changes Access Control Entries (ACEs) in the Access Control Lists (ACLs) on files or directories, and on various other Windows NT/2000/XP/2003/Vista/7/2008/8/2012 objects.
- The lsacl command
The lsacl command lists object access control lists for a specified object. Most objects under Windows NT/2000/XP/2003/Vista/7/2008/8/2012 have ACLs controlling permissions to operate on that object.
- The ls command
The Windows NT/2000/XP/2003/Vista/7/2008/8/2012 version of the ls command has been enhanced to display the owner and group names of files if the file's SIDs can be obtained and if these SIDs have an associated name in the SAM database. If the file has an SID associated with it, but the name of the SID cannot be determined, the value of the SID is displayed. This can happen when the current user is not in the domain that was used when the file was created. If the file does not have an SID (for example, on non-NTFS file systems), or if the file security information cannot be accessed because the file is locked by another process, then the user and/or group names appear as <unavail>.
The ls command also has an additional option (-X) which allows you to display the file's DACL and the file's attributes. By specifying ls -X a or ls -X A, the file's attributes are displayed. By specifying ls -X d or ls -X D, the entries in the file's DACL are displayed. The lowercase letters specify the terse format and the uppercase letters specify the verbose format.
- The find command
The find command now supports user and group names specified in the -user, -group, -nouser, or -nogroup options. Thus, to find all files owned by the user name testusr in the current directory tree, you can use:
find . -user testusr -print
The find command also supports a -acl option. This option specifies a pattern and an optional access mask, and matches if the file has a name in its Access Control List which matches the pattern and the access mask information also matches.
By default, the MKS Toolkit tries to use the Windows NT/2000/XP/2003/Vista/7/2008/8/2012 security information whenever possible. Obtaining this information requires additional overhead and may significantly decrease performance especially on network drives. You can turn off the Windows NT/2000/XP/2003/Vista/7/2008/8/2012 security enhancements by setting the TK_NTSECURITYINFO_OFF environment variable to any value.
MKS Toolkit for Power Users
MKS Toolkit for System Administrators
MKS Toolkit for Developers
MKS Toolkit for Interoperability
MKS Toolkit for Professional Developers
MKS Toolkit for Enterprise Developers
MKS Toolkit for Enterprise Developers 64-Bit Edition
MKS Toolkit 9.5 Documentation Build 3.