Contents
Overview 1
Lesson: Overview of Securing Files 2
Lesson: Windows Access Control 6
Lesson: Creating ACLs Programmatically 19
Lesson: Protecting ASP.NET Web
Application Files 27
Review 38
Lab 6: Securing Files with ACLs 39

Module 6: Securing File
System Data




Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or

transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail,
JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and
Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.



Module 6: Securing File System Data iii


Instructor Notes
This module provides students with an explanation of how to manage user input
in a secure way. The methods for checking user input, and a discussion of the
consequences of not performing those checks, are the focus of this module.
After completing this module, students will be able to secure their Web
applications by validating user input.
After completing this module, students will be able to:

!
Identify the reasons for securing the Web application implementation files.
!
Describe how Microsoft
®
Windows
®
access control mechanisms are used to
protect file system data.
!
Set ACLs on files and folders by using a script.
!
Use Microsoft ASP.NET Web.config files to restrict access to files in an
ASP.NET Web application.

To teach this module, you need the following materials:
!
Microsoft
®
PowerPoint
®
file 2300A_06.ppt
!
HTML and Flash animation files: 2300A_06_A05_1664.htm,
2300A_06_A05_1664.swf

To prepare for this module:
!
Read all of the materials for this module.
!

Complete the lab.
!
Practice the steps for the demonstrations.
!
Read Chapter 3, “Windows 2000 Security Overview,” in Designing Secure
Web-Based Applications for Microsoft Windows 2000 by Michael Howard
(Redmond, Microsoft Press
®
), 2000.
!
Read the article, “Access Control Model,” which is available at

dsce_ctl_mfxc.htm.
!
Read the Microsoft MSDN
®
article, “HOWTO: Control Access to a
Windows NT, Windows 2000, and Windows XP Service,” which is
available at
article.asp?ID=KB;EN-US;Q180116&.
!
Read the MSDN article, “Setting User Security,” which is available at

wmisdk/us_sec_8ozd.asp.
!
Read the TechNet article, “Default Access Control Settings in Windows
2000,” which is available at
default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/security/
secdefs.asp.
!

Read the TechNet article, “Working with Access Control Lists,” which is
available at
TechNet/prodtechnol/winxppro/reskit/prdd_sec_jynl.asp.

Presentation:
90 minutes

Lab:
30 minutes
Required materials
Preparation tasks
iv Module 6: Securing File System Data


How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Overview of Securing Files
This section describes the instructional methods for teaching each topic in this
lesson.
Discuss the weaknesses in a system that lead to attacks on Web application
implementation files.


This topic briefly covers security settings that are configured in the Microsoft
Windows
®
operating system, in Internet Information Services (IIS), and within
a Web application in the Web.config file. Do not go into the details of security
settings with this topic.
Lesson: Windows Access Control

This section describes the instructional methods for teaching each topic in this
lesson.
While explaining the elements of security descriptors, such as security
identifiers (SIDs) and Access Control Entries (ACEs), tell students that each
element has a structure and Application Programming Interfaces (APIs)
associated with it. Open Microsoft Visual Studio
®
.NET Help and look for the
“Access Control” topic. Step through each element and show the structure and
APIs associated with each element.
This multimedia presentation describes the elements of security descriptor.

Windows operating system protects securable resources from unauthorized
access by employing discretionary access control, which is implemented
through discretionary access control lists (DACLs). Tell students that the terms
DACLs and access control lists (ACLs) are usually used interchangeably.
This topic covers the best practices that can be used for securing Web
application files.
Some parts of this practice are performed only by the instructor, and some parts
are performed by students along with the instructor. Make sure that your pace is
slow when students are performing the steps along with you so that they are
able to understand the procedure and perform the steps.
Why Are Web
Application
Implementation Files
Attacked?
How to Protect Web
Application
Implementation Files
Overview of a Security

Descriptor
Multimedia: Security
Descriptors
Setting File ACLs
Best Practices
Instructor-Led Practice:
Viewing and Setting
ACLs on a File
Module 6: Securing File System Data v


Lesson: Creating ACLs Programmatically
This section describes the instructional methods for teaching each topic in this
lesson.
This lesson can be introduced by asking students how to move an ACL-secured
Web application from one computer (for example, from a development
computer to a test or production computer). Try to move the discussion toward
using automated methods for setting ACLs.
When explaining the syntax of calcs.exe, open the command prompt window,
type the command c:\Cacls ManualAcl.htm, and show the output to the class.
Windows Management Instrumentation (WMI) is a management infrastructure
in Microsoft Windows 2000 that supports monitoring and controlling system
resources through a common set of interfaces. WMI provides a logically
organized, consistent model of Windows operation, configuration, and status.
WMI is a common programmatic interface that can be used for managing the
configuration of and the querying of computers, devices, and subsystems. WMI
can also be used to configure many different software components, including
IIS settings, file system settings and attributes, security settings, and the Active
Directory
®

directory service.
Open Visual Studio .NET Help. Search for “Win32_Account” and show the
students the WMI structures for all of the relevant security descriptor elements.
Read Chapter 3, “Windows 2000 Security Overview,” in Designing Secure
Web-Based Applications for Microsoft Windows 2000 by Michael Howard
(Redmond, Microsoft Press
®
), 2000.
For more information about WMI, read Chapter 5, “WMI Security,” in
Windows Management Instrumentation by Matthew Levy and Ashley Meggitt
(Indianapolis, New Riders press), 2002.
Use this demonstration to show the students how to create a Microsoft
Visual Basic
®
, Scripting Edition (VBScript) file that can be used to add ACLs
to a file.
Lesson: Protecting ASP.NET Web Application Files
This section describes the instructional methods for teaching each topic in this
lesson.
Use Windows Explorer and browse to the Machine.config file to show students
where the file is located.
Also, open Visual Studio .NET Help and show the students the Help
information available for the System.Configuration namespace.
Open the Machine.config file and step through the entries in the HttpHandlers
and HttpModules sections.
Open the Machine.config file and step through the HttpForbiddenHandler
entries. Using Microsoft .NET Framework IL Disassembler (ILDASM), show
the students the implementation for the HttpForbiddenHandler class.
Perform the steps for IIS configuration for the students.
Using Cacls.exe to Set

ACLs
Overview of WMI
Using WMI to Set ACLs
Demonstration: Setting
ACLs Using WMI
Overview of the .config
Files
ASP.NET Request
Processin
g

The
HttpForbiddenHandler
Class
vi Module 6: Securing File System Data


Use this demonstration to show students how to create a VBScript file that can
be used to add ACLs to a file.

Lab 6: Securing Files with ACLs
In this lab, students will secure ASP Web application files by using ACLs.
Students will also configure and secure Microsoft ASP.NET Web applications
by using the <authorization> configuration element in a Web.config file.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Lab Setup

To complete this lab, students can either continue working in the Tailspin Toys
Visual Studio .NET projects that they have already created, or they can start
with new files. Students must also create a local Windows 2000 user account
named WebUser.
!
Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\
Lab06\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at
C:\Inetpub\wwwroot\TailspinToys.
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\
Lab06\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS
virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.

!
Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\
Lab06\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS
virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
2. Copy all of the contents of the ASP.NET folder, install_folder\Labfiles\
Lab06\ASPXVB\Starter\TailspinToysAdmin.NET, to the
TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\
TailspinToysAdmin.NET.

Demonstration:
Using the
HttpForbiddenHandler
Class
Module 6: Securing File System Data vii



!
Configure IIS authentication
1. Run the IIS administrative tool.
2. Expand the computer node and the Default Web Site node in the tree.
3. Right-click the TailspinToysAdmin virtual directory, and click Properties.
4. Click Directory Security.
5. In the Anonymous access and authentication control group, click Edit.
6. Clear the Anonymous access check box.
7. Click OK twice to save your changes.
8. Right-click the TailspinToysAdmin.NET virtual directory, and click
Properties.
9. Click Directory Security.
10. In the Anonymous access and authentication control group, click Edit.
11. Clear the Anonymous access check box.
12. Click OK twice to save your changes.

Lab Results
Performing the lab in this module introduces the following configuration
changes:
!
Adds a new local system user named WebUser
!
Modifies the DACL on the TailspinToysAdmin\Private folder
!
Adds a <location path="Private"> section to the TailspinToysAdmin.NET
project


Module 6: Securing File System Data 1



Overview
!
Overview of Securing Files
!
Windows Access Control
!
Creating ACLs Programmatically
!
Protecting ASP.NET Web Application Files

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
A Web application consists of files and folders that contain two types of data:
Web application data and data that is related to the implementation details of
the Web application. The Web application data includes files and folders that
are used to display information to users and to process user requests. The
implementation files and folders contain source code and other configuration
details about the Web application. It is important to secure both the Web
application data and the implementation data.
In this module, you will learn how to protect file system data that is a part of a
Web application. The two important security mechanisms that are covered in
this module are using access control lists (ACLs) and using configuration files.
After completing this module, you will be able to:
!
Identify the reasons for securing the Web application implementation files.
!

Describe how Microsoft
®
Windows
®
access control mechanisms are used to
protect file system data.
!
Set ACLs on files and folders by using a script.
!
Use Microsoft ASP.NET Web.config files to restrict access to files in an
ASP.NET Web application.

Introduction
2 Module 6: Securing File System Data


Lesson: Overview of Securing Files
!
Why Are Web Application Implementation Files
Attacked?
!
How to Protect Web Application Implementation Files

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Web application implementation files contain useful information about the Web
application, and therefore, it is important to secure these files from any type of

attack. One of the techniques that can be used for securing these
implementation files is to restrict access to them.
In this lesson, you will learn about the types of attacks that can occur on
implementation files.
After completing this lesson, you will be able to:
!
Describe the types of attacks that occur on Web application implementation
files.
!
Describe the types of file security that are available for Web application
implementation files.

Introduction
Lesson objectives
Module 6: Securing File System Data 3


Why Are Web Application Implementation Files Attacked?
!
Reasons for an attack on implementation files
"
Server scripts contain implementation code
"
Source code contains information about database
structure and contains connection strings, trusted user
names, and passwords
!
Weaknesses that might lead to attack
"
IIS server is not current with patches

"
Implementation files can be accessed through alternate
route
"
Configuration files are unprotected

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Web application implementation files contain useful information for attackers.
Server script files, such as .asp and .aspx files, contain implementation source
code that can be useful for determining a Web site’s architecture. This
implementation source code may also describe database structures. Source code
may also contain database connection strings, trusted user names and
passwords, and other configuration data that can be useful to an attacker.
Introduction
4 Module 6: Securing File System Data


Web application implementation files can become available to an attacker
through a variety of mechanisms. Some of these mechanisms are the results of a
weakness in the system. You can prevent most of the attacks on the Web
application implementation files by eliminating certain weaknesses that are
described in the following table.
Weakness Use

Internet Information
Services (IIS) server not

current with patches
Staying current with IIS patches helps to ensure a secure
server. Historically, there have been IIS holes that permit
access to implementation file source. For example,
appending ::$DATA to an .asp file Uniform Resource
Locator (URL) allows an attacker to access the .asp file
source code.
Alternate routes to the file Running more applications on the Web server than
required makes the Web application vulnerable to attack.
Running more applications provides alternate routes to
attackers to access the Web application data. For
example, Web application implementation files can also
be accessed through applications, such as File Transfer
Protocol (FTP) and Web Distributed Authoring and
Versioning (WebDAV). If a Web server is running these
applications and the applications have a weakness or
security hole, Web application implementation files can
be accessed by external users. You should disable all of
the applications that are not required on the server.
Unprotected configuration
files
File types that are not explicitly disallowed are
accessible through IIS by default. If you add any new file
types (for example, .inc files) to your Web application,
you must ensure that those file types are configured to be
secured in IIS.

Accessing
implementation files
Module 6: Securing File System Data 5



How to Protect Web Application Implementation Files
!
File and folder ACLs
"
Use Windows file security to set ACLs on the pages
and folders within a Web application
!
IIS security
"
IIS contains general permission settings that apply to all
users of the Web application
!
Web.config in ASP.NET
"
In an ASP.NET Web application, authentication and
authorization settings can be configured within the
Web.config configuration file

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
You can secure the Web application implementation files from attacks by
restricting user access on these files. Implementation files are the files that are
within a Web application.
You can restrict user access to the implementation files by using the following
file security measures:

!
File and folder ACLs
Windows file security is used to set ACLs on files and folders, thereby
controlling which users and groups can access the files and folders. IIS uses
the ACL settings when fulfilling a user request. Files and folders within a
Web application can be secured by using Windows operating system
features.
!
IIS security
IIS contains security settings for the files and folders that are located within
a Web application. These are general permission settings that apply to all of
the users of the Web application.
!
Web.config in ASP.NET
In an ASP.NET Web application, authentication and authorization settings
can be configured within the Web.config configuration file to secure folders
and individual pages.

Introduction
Restrict user access
6 Module 6: Securing File System Data


Lesson: Windows Access Control
!
Overview of a Security Descriptor
!
Multimedia: Security Descriptors
!
Setting File ACLs

!
Best Practices
!
Instructor-Led Practice: Viewing and Setting ACLs on
a File

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Microsoft Windows NT
®
, Microsoft Windows 2000, and Microsoft
Windows XP provide security features for controlling and monitoring who can
access resources that are in the operating system. An important security feature
that is provided by Windows is access control. Windows access control is used
to control access to Windows resources, including files and folders. The
security features that are covered in this lesson apply only to disk partitions that
are formatted with the NTFS file system. Other disk formats, including file
allocation table (FAT)16 and FAT32, do not support the security features that
are covered in this lesson.
After completing this lesson, you will be able to:
!
Describe the Windows access control mechanism.
!
Set ACLs on a file.
!
Define best practices for the security settings for common Web application
file types.


Introduction
Lesson ob
j
ectives
Module 6: Securing File System Data 7


Overview of a Security Descriptor
Securable
Object
Security Descriptor
Owner SID
Domain
Controller
Domain
Controller
Group SID
Domain
Controller
Domain
Controller
DACL SACL
ACE – ACCESS_DENIED_ACE
ACE – ACCESS_ALLOWED_ACE
ACE – ACCESS_DENIED_ACE
ACE – ACCESS_ALLOWED_ACE
ACE – SYSTEM_AUDIT_ACE
ACE – SYSTEM_AUDIT_ACE


*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Windows 2000 protects securable resources from unauthorized access by using
ACLs. An ACL is an access control structure that determines access rights to
secured resources. ACLs are a series of Access Control Entries (ACEs). Each
ACE lists a principal and contains the corresponding information about that
principal. An ACE also defines the operations that the principal can perform on
the secured resource. For example, some users might be granted read access,
while other users might be granted full access.
A securable object is a Windows object that has a security descriptor. A
security descriptor contains the security information for that securable object.
Securable objects include all of the named Windows objects. Some unnamed
Windows objects, such as processes and threads, can also have security
descriptors, and therefore, these objects also qualify as securable objects.
Securable objects include the following Windows objects:
!
Files and folders
!
Processes and threads
!
Registry keys
!
Windows services
!
Local or remote printers
!
Network shares

!
Directory service objects
!
Named pipes
!
Interprocess synchronization objects (events, mutexes, semaphores, and
waitable timers)

Introduction
Securable ob
j
ects
8 Module 6: Securing File System Data


Overview of a Security Descriptor (continued)
!
Security Identifier (SID)
"
Is a unique identifier that identifies a trustee
"
Each account has a SID, issued by a Windows domain
controller or computer
!
Access Control Entry (ACE)
"
Controls or monitors access to a securable object
!
Access Control List (ACL)
"

Is a list of ACEs associated with a securable object
!
Security Descriptor
"
Contains the security information for securable objects

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
A security identifier (SID) is a unique identifier that identifies a trustee. A
trustee is a user account, a group account, or a logon session.
Every user account has a SID that is issued by a Windows domain controller.
Each time a user logs on to a domain, a logon session is created. A logon
session contains an access token. An access token is assigned a user’s SID at
logon time. The user’s access token is then used to identify the user for
Windows security.
An ACE controls or monitors access to a securable object. An ACE consists of
a SID that is used to identify a trustee, the access rights of the ACE, the type of
ACE, and inheritance flags. ACEs can be inherited from parent objects to child
objects, such as from a folder to a subfolder. How or even whether an ACE is
inherited is controlled with the inheritance flags.
An access right is a bit flag that controls a particular set of operations that can
be performed on a securable object. Access rights are specific for each
securable object type. For example, a generic access right is GENERIC_READ
and a registry key has a specific KEY_SET_VALUE access right.
There are three types of ACEs, as described in the following table.
Type Purpose


Access-denied Denies access to the object for a trustee.
Access-allowed Allows access to the object for a trustee.
System-audit Generates an audit record when the object is accessed by the
trustee.

ACEs can be inherited from parent objects to child objects. For example, a
registry key can inherit ACEs from its parent key, and a file can inherit ACEs
from its parent folder.
Security identifier
Access Control Entry
Module 6: Securing File System Data 9


An ACE’s inheritance flags control how the ACE should be propagated to child
objects. ACE inheritance can be configured to propagate an ACE, but only to
child objects, only to child containers, to both child objects and containers, or to
not propagate at all.
An ACL is a list of ACEs that are associated with a securable object. There are
two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL).
A DACL contains ACEs that are used for allowing and denying a trustee
access, and DACLs may contain only access-allowed and access-denied ACEs.
A SACL contains ACEs that can be used for auditing object access by trustees,
and SACLs may contain only system-audit ACEs.
All securable objects have a security descriptor that contains the security
information for that object. A security descriptor consists of an owner SID, a
primary group SID, at most one DACL, and at most one SACL. The owner SID
is a user or group that has permission to read and control the DACL for the
security descriptor. The primary group SID is a requirement for

Portable

Operating System Interface for computing environments (POSIX)
compatibility, and it has no relevance for Windows security.
Access control list
Security descriptor
10 Module 6: Securing File System Data


Multimedia: Security Descriptors
Windows
Domain
Domain
Controller
SID
SID
Access
Token
Logon

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
This multimedia presentation describes the elements of security descriptor.
Introduction
Module 6: Securing File System Data 11


Setting File ACLs
!

Properties dialog box for files
and folders
!
Security tab
"
Is always displayed and
illustrates the security
descriptor for the object
"
Top portion displays the DACL
for the object and permits
adding and removing ACEs
"
Bottom portion displays an
abbreviated list of the access
rights for the currently selected
ACE
DACL
DACL
Access rights for
selected ACE
Access rights for
selected ACE

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
To view or modify the ACL for a file or folder, you can use the Properties

dialog box. The Properties dialog box displays a basic and an advanced
version of the ACL. The basic information of the ACL displays just the DACL.
The Properties dialog box for a file or folder is accessed from the shortcut
menu for the object, from within Windows Explorer. The Properties dialog
box displays the different property tabs based on the file type. The Security tab
is always displayed, and it illustrates the security descriptor for the selected
object.
Introduction
12 Module 6: Securing File System Data


The top portion of the Security tab displays the DACL for the selected object.
You can add and remove ACEs from the DACL by clicking on the Add or
Remove buttons. The bottom of the Security tab displays an abbreviated list of
the access rights for the currently selected ACE. For example, in the following
illustration, Everyone has Read and Execute permissions on the Module06.htm
file.

The Security tab
Module 6: Securing File System Data 13


Setting File ACLs (continued)
!
Advanced dialog box displays all of the security
descriptor details
!
Permissions tab
"
Displays the full DACL for the object and can be used

for adding, editing, or removing ACEs
"
Displays all of the possible access rights for the object
!
Auditing tab
"
Displays the SACL for the object and can be used for
adding, removing, and editing of the ACEs
!
Owner tab
"
Displays the owner SID for the object and can be used
for changing the owner

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
The Advanced button on the Security tab opens the Advanced dialog box. The
Advanced dialog box displays the complete security descriptor details, as
shown in the following illustration, whereas the Properties dialog box displays
a summary of the DACL.

Advanced dialog box
14 Module 6: Securing File System Data


The Permissions tab displays the full DACL for the object and can be used for
adding, editing, or removing ACEs. The Allow inheritable permissions from

parent to propagate to this object check box, located on the bottom of the
page, controls whether or not the object inherits its DACL from its parent.
Adding or editing an ACE through the Advanced dialog box also displays all
of the possible access rights for that object. The following table lists the
complete access rights that can be assigned to ACEs for a file or folder object.
Access right Description

Full Control All access rights.
Traverse Folder / Execute File The right to execute a file. For a folder, the right to
browse through a folder hierarchy.
List Folder / Read Data The right to read data from the file. For a folder, the
right to list the contents of the folder.
Read Attributes The right to read the attributes of the file or folder.
Attributes include read-only and hidden.
Read Extended Attributes The right to read the extended attributes of the file
or folder. Extended attributes vary by file type.
Create Files / Write Data The right to write data to the file. For a folder, the
right to add files and subfolders to the folder.
Create Folders / Append Data The right to append data to the file. For a folder, the
right to add subfolders.
Write Attributes The right to modify the attributes of the file or
folder. Attributes include read-only and hidden.
Write Extended Attributes The right to modify the extended attributes of the
file or folder. Extended attributes vary by file type.
Delete Subfolders and Files The right to delete subfolders and files, even if the
Delete right has not been granted on those
subfolders and files. (This right applies to folders
only.)
Delete The right to delete the file or folder.
Read Permissions Generic read rights.

Change Permissions The right to change the DACL for the file or folder.
Take Ownership The right to take ownership of the file or folder.

The Permissions tab
Module 6: Securing File System Data 15


The Auditing tab displays the SACL for the object and permits adding,
removing, and editing of the ACEs. The Allow inheritable auditing entries
from parent to propagate to this object check box, as shown in the following
illustration, controls whether or not the object inherits its SACL from its parent.
The Property dialog box for an individual ACE permits the setting of the
auditing flags, in addition to the setting of the inheritance flag.

The Owner tab, as shown in the following illustration, displays the owner SID
for the object. You can use the Owner tab to change the owner of the object.

The Auditing tab
The Owner tab
16 Module 6: Securing File System Data


Best Practices
# Everyone (R)
# Administrators (Full Control)
# System (Full Control)
Static content
(.htm, .txt, .gif, .jpg)
# Everyone (RX)
# Administrators (Full Control)

# System (Full Control)
Include files
(.inc, .shtm, .shtml)
# Everyone (RX)
# Administrators (Full Control)
# System (Full Control)
Scripts
(.asp, .aspx)
ACLs
ACLs
settings
settings
File type
File type
!
For ASP Web applications, use folder ACLs to secure Web
pages
!
For ASP.NET Web applications, use the <authorization> and
<location> sections to secure Web pages

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
You can secure Web application files by implementing best practices.
The following table includes best practices for configuring ACLs for common
Web application file types.
File type ACLs settings


Scripts (.asp, .aspx) Everyone (RX)
Administrators (Full Control)
System (Full Control)
Include files (.inc, .shtm, .shtml) Everyone (RX)
Administrators (Full Control)
System (Full Control)
Static content (.htm, .txt. gif, .jpg) Everyone (R)
Administrators (Full Control)
System (Full Control)

Active Server Pages (ASP) Web applications are best secured by setting ACLs
on the folders that are within the virtual directory. Web pages can then be
placed within those secured folders. Securing folders is less error prone than
securing individual Web pages. Any file that is added to a folder inherits that
folder’s security settings, whereas if a folder is not secured, each individual file
must be properly secured.
ASP.NET Web applications are best secured by using the <authorization>
section of a Web.config file. Security settings that are stored in a Web.config
file can be easily copied from computer to computer. The <location> element
can also be used within a Web.config file to secure all of the folders that are
within an ASP.NET Web application.
Introduction
Configure security
settings
ASP Web applications
ASP.NET Web
applications
Module 6: Securing File System Data 17



Instructor-Led Practice: Viewing and Setting ACLs on a File
Instructor will:
"
View the ManualAcl.htm file's ACL
"
Create a new computer user
"
Modify the ACL for the ManualAcl.htm
file
Student will:
"
View the ManualAcl.htm file in Internet
Explorer
Time: 10 minutes

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
In this practice, you will see how to view and modify the ACLs for a file by
using Windows Explorer. The Properties dialog box pages will be associated
with ACEs and DACLs.
!
View the ManualAcl.htm file’s ACL (instructor only)
1. In Windows Explorer, browse to the C:\Inetpub\wwwroot\
2300Demos\Mod06 folder.
2. Right-click the ManualAcl.htm file, and then click Properties.
3. Click the Security tab.

The Security tab displays the security descriptor for the file. The Security
tab initially displays the abbreviated DACL portion of the security
descriptor.
4. Click Advanced to display the complete security descriptor.
5. Click the Everyone user, and then click View/Edit to see all of the
permissions for that user.
6. Click Cancel three times to close all of the dialog boxes.

!
View the ManualAcl.htm file in Internet Explorer
• Open Microsoft Internet Explorer and browse to the
http://London/2300Demos/Mod06/ManualAcl.htm page.
The default access permissions for the file permit you to view the page.

Introduction