At the file system level, security for Windows 7 is most often handled by assigning permissions
to a file or folder. Permissions specify whether a user or group is
allowed to access a file or folder and, if access is allowed, they also
specify what the user or group is allowed to do with the file or
folder. For example, a user may be allowed only to read the contents of
a file or folder, while another may be allowed to make changes to the
file or folder.
Windows 7 offers a basic set of six permissions for folders, and five permissions for files:
Full Control— A user or group can perform any of the actions listed. A user or group can also change permissions.
Modify—
A user or group can view the file or folder contents, open files, edit
files, create new files and subfolders, delete files, and run programs.
Read and Execute— A user or group can view the file or folder contents, open files, and run programs.
List Folder Contents (folders only)— A user or group can view the folder contents.
Read— A user or group can open files, but cannot edit them.
Write— A user or group can create new files and subfolders, and open and edit existing files.
There is also a long list of so-called special permissions
that offers more fine-grained control over file and folder security.
(I’ll run through these special permissions a bit later; see “Assigning Special Permissions.”)
Permissions
are often handled most easily by using the built-in security groups.
Each security group is defined with a specific set of permissions and
rights, and any user added to a group is automatically granted that
group’s permissions and rights. There are two main security groups:
Administrators—
Members of this group have complete control over the computer, meaning
they can access all folders and files; install and uninstall programs
(including legacy programs) and devices; create, modify, and remove
user accounts; install Windows updates, service packs, and fixes; use
Safe mode; repair Windows; take ownership of objects; and more.
Users—
Members of this group (also known as standard users) can access files
only in their own folders and in the computer’s shared folders, change
their account’s password and picture, and run programs and install
programs that don’t require administrative-level rights.
In
addition to those groups, Windows 7 also defines up to a dozen others
that you’ll use less often. Note that the permissions assigned to these
groups are automatically assigned to members of the Administrators
group. This means that if you have an Administrator account, you don’t
also have to be a member of any other group to perform the task’s
specific to that group. Here’s the list of groups:
Backup Operators—
Members of this group can access the Backup program and use it to back
up and restore folders and files, no matter what permissions are set on
those objects.
Cryptographic Operators— Members of this group can perform cryptographic tasks.
Distributed COM Users— Members of this group can start, activate, and use Distributed COM (DCOM) objects.
Event Log Readers— Members of this group can access and read Windows 7’s event logs.
Guests—
Members of this group have the same privileges as those of the Users
group. The exception is the default Guest account, which is not allowed
to change its account password.
HomeUsers— Members of this group have access to resources shared using Windows 7’s new Homegroup networking feature.
IIS_IUSRS— Members of this group can access an Internet Information Server website installed on the Windows 7 computer.
Network Configuration Operators—
Members of this group have a subset of the administrator-level rights
that enables them to install and configure networking features.
Performance Log Users—
Members of this group can use the Windows Performance Diagnostic
Console snap-in to monitor performance counters, logs, and alerts, both
locally and remotely.
Performance Monitor Users—
Members of this group can use the Windows Performance Diagnostic
Console snap-in to monitor performance counters only, both locally and
remotely.
Power Users—
Members of this group have a subset of the Administrators group
privileges. Power users can’t back up or restore files, replace system
files, take ownership of files, or install or remove device drivers. In
addition, power users can’t install applications that explicitly
require the user to be a member of the Administrators group.
Remote Desktop Users— Members of this group can log on to the computer from a remote location using the Remote Desktop feature.
Replicator— Members of this group can replicate files across a domain.