# GOOGLE IT SUPPORT PROFESSIONAL CERTIFICATE from [Google](https://www.coursera.org/google-certificates/it-support-certificate)

# <b>C3 [Operating Systems and You: Becoming a Power User](https://www.coursera.org/learn/os-power-user)</b>

[Bash kernel](https://github.com/takluyver/bash_kernel/tree/master) for Jupyter:

```bash
pip install --upgrade pip
pip install bash_kernel
python3 -m bash_kernel.install
```

[Powershell kernel](https://github.com/vors/jupyter-powershell) for Jupyter:

```bash
pip3 install powershell_kernel
python3 -m powershell_kernel.install
python3 -m powershell_kernel.install --powershell-command pwsh
```

```
Using powershell_command='pwsh'
Installing IPython kernel spec
```


# <b>3.1 Basic commands</b>

<center>
    <h2><b>Table 3.1 Basic Commands</b></h2>

|Purpose|PowerShell|Bash|
|-|-|-|
|<b>Escape character</b>|backtick \`|backslash \\|
|<b>Clear the screen</b>|||
||clear|clear|
||ctrl + L|ctrl + L|
||cls||
|<b>Help</b>|||
||Get-Help \<command>|\<command> --help|
||Get-Help \<command> -Full|man \<command>|
|<b>List Directories</b>|||
||ls|ls|
|list all|ls -Force|ls -a|
|list more details||ls -l|
|<b>Changing Directories</b>|||
|print working directory|pwd|pwd|
|change directory|cd \<path>|cd \<path>|
|move a dir above|cd ..|cd ..|
|move to a home dir|cd ~|cd ~|
|<b>Make Directories</b>|||
||mkdir new_folder|mkdir new_folder|
|a name of a dir with spaces|mkdir 'new dir'|mkdir 'new dir'|
||mkdir new\` dir|mkdir new\\ dir|
|<b>Command History</b>|||
||history|history|
||arrows up and down|arrows up and down|
||ctrl + R|ctrl + R|
||#\<text> + tab (completes from history)||
|<b>Wildcards</b>|||
|any number of characters|*|*|
|<b>Copying Files & Directories</b>|||
||cp \<src> \<dst>|cp \<src> \<dst>|
|copy multiple files at once|use * in \<source>|the same|
|copy a dir with the contents|cp \<src> \<dst> -Recurse|cp -r \<src> \<dst>|
|output info on the screen|-Verbose||
|<b>Moving and Renaming Files, Directories</b>|||
|move|mv \<src> \<dst>|mv \<src> \<dst>|
|rename (same directory)|mv \<old_name> \<new_name>|mv \<old_name> \<new_name>|
|<b>Removing Files & Directories</b>|||
|remove a file|rm \<path>|rm \<path>|
|remove a file forcibly|rm \<path> -Force|rm -f \<path>|
|remove a dir|rm \<path> -Recurse|rm -r \<path>|

## Supplemental Reading for Windows CLI & Unix Bash

For more detailed information on the modern Windows CLI, PowerShell, see the 
[official PowerShell documentation](https://docs.microsoft.com/powershell/) and the [PowerShell 101 guide](https://docs.microsoft.com/powershell/scripting/learn/ps101/00-introduction). For more on the older Windows "Command Prompt" CLI (cmd.exe) please see the link [here](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands).

If you want to check out more information on Bash, then click the link [here](https://www.gnu.org/software/bash/manual/bash.html).

## List Directories

### Windows

CLI - Command Line Interface

- Command Prompt: cmd.exe
- **PowerShell**: powershell.exe

The top of a drive (e.g. `C:\`) is a **parent directory**; the directories inside it are its **child directories**.

```powershell
ls C:\

# show all files including hidden ones
ls -Force C:\

# get help on the command
Get-Help ls

# get help in more detail
Get-Help ls -Full
```

### Linux

The top of the file system is the **root directory** `/`; user home directories live below it, for example:

```
/home/commi/Downloads
```

```bash
# list the files from root directory
ls /

# list more info
ls -l /

# list all files, including hidden ones
ls -a /

# you can combine flags
ls -la /

# help information
ls --help

# manual
man ls
```

## Changing Directories

**Absolute path** - one that starts from the root of the file system (`/` on Linux, a drive such as `C:\` on Windows).

**Relative path** - one that starts from your current directory.

**Tab completion** - pressing the `Tab` key to complete what you have typed so far.
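The Bash column of Table 3.1 run end to end, as an added example that is not part of the course notes: the script works in a throwaway directory created with `mktemp`, so it can be run anywhere without touching anything else. The helper names (`visible_entries`, `all_entries`, `demo_basic_commands`) are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the course notes: runs the Bash column of
# Table 3.1 inside a throwaway directory so nothing else on the system is touched.
set -eu

# Number of names `ls` prints for a directory, without and with -a.
visible_entries() { ls "$1" | wc -l | tr -d ' '; }
all_entries()     { ls -a "$1" | wc -l | tr -d ' '; }   # -a also lists ., .. and dot-files

demo_basic_commands() {
    local sandbox
    sandbox=$(mktemp -d)          # scratch directory, removed at the end
    (
        cd "$sandbox"

        # directory names with spaces: quote them, or escape the space with a backslash
        mkdir 'new dir'
        mkdir new\ folder

        # a dot-file is hidden from plain `ls` but not from `ls -a`
        printf 'secret\n' > .hidden
        printf 'hello\n'  > note.txt

        cp -r 'new dir' backup    # copying a directory needs -r to take its contents
        mv note.txt renamed.txt   # a rename is a move within the same directory

        # an absolute path (from /) and a relative path (..) can name the same place
        here=$(pwd)
        parent=$(cd 'new dir' && cd .. && pwd)
        same=no
        [ "$here" = "$parent" ] && same=yes

        rm -f does_not_exist.txt  # -f: no complaint about a missing file
        rm -r backup              # -r: required to remove a directory
        gone=no
        [ ! -e backup ] && gone=yes

        echo "visible=$(visible_entries .) all=$(all_entries .) same=$same backup_gone=$gone"
    )
    rm -rf "$sandbox"
}

demo_basic_commands
```

The one-line summary the function prints shows the three visible names left at the end, the six names `ls -a` sees (the three plus `.`, `..` and `.hidden`), and that the absolute and relative routes resolved to the same directory.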

## Supplemental Reading for 'Size' vs 'Size of Disk' in Windows

**Windows Confidential: Just What Is ‘Size on Disk’?**

[Article](https://learn.microsoft.com/en-us/previous-versions/technet-magazine/hh148159(v=msdn.10)) 08/31/2016 Raymond Chen

_When you get the stats for the size of a folder, where, exactly, do those measurements come from?_

When you right-click to view the properties of a folder, the property sheet includes two values: Size and Size on disk. What exactly do these values mean? What are they measuring?

The property sheet performs a naïve recursive directory search for all files. It doesn’t try to filter out file names referring to the same underlying file by means of a hard link. If you don’t have access to a subdirectory, the recursive directory search will skip that subdirectory, and those files won’t be counted in the total folder size.

As it turns out, the recursive directory search has some smarts. Part of it is being smart on purpose: It detects reparse points and doesn’t recurse into them. Another part is being smart by accident: Symbolic links to files count as zero size. This isn’t because the directory search code is clever about the files. It’s because the directory entry for symbolic links reports them as having zero size. Now you know what files are counted, but where do those numbers come from?

**Size Matters**

The Size measurement is easy: It’s a running tally of the file sizes as reported by the FindFirstFile function in the WIN32_FIND_DATA.nFileSizeLow and nFileSizeHigh. Mind you, those values aren’t necessarily accurate either because of the way the NTFS file system updates directory entries. That’s a topic for another day, but the short version is that files still being written to may not report an accurate file size until the file handle is closed. Even then, it will only update the directory entry used to open the file.

The Size on disk measurement is more complicated. If the drive supports compression (as reported by the FILE_FILE_COMPRESSION flag returned by the GetVolumeInformation function) and the file is compressed or sparse (FILE_ATTRIBUTE_COMPRESSED, FILE_ATTRIBUTE_SPARSE_FILE), then the Size on disk for a file is the value reported by the GetCompressedFileSize function. This reports the compressed size of the file (if compressed) or the size of the file minus the parts that were de-committed and logically treated as zero (if sparse). If the file is neither compressed nor sparse, then the Size on disk is the file size reported by the FindFirstFile function rounded up to the nearest cluster.

The Windows 95 team originally developed the Size on disk algorithm. Their view of the file system world was biased by their MS-DOS background. There the only disk file system was FAT. There was no such thing as a hard link or alternate data stream. File contents were stored in units of clusters.

Those assumptions don't hold true for NTFS—not even the “file contents are stored in units of clusters” part. In NTFS, a file can actually consume zero clusters for its data by stashing itself into slack space in the master file table (MFT). (For more details on this, see “[The Four Stages of NTFS File Growth](https://blogs.technet.com/b/askcore/archive/2009/10/16/the-four-stages-of-ntfs-file-growth.aspx)”).

Naturally, the Size on disk algorithm doesn’t take into account other file system overhead, like the disk space occupied by the file name itself, directory entry information, file metadata and alternate data streams.

The values reported by Size and Size on disk aren’t meant to be a byte-for-byte accounting of the total impact of a directory on your disk free space. They’re just a rough estimate based on the assumption that most files are of the boring variety. By that, I mean no hard links and negligible use of alternate data streams. If you have a directory with numerous hard links—such as the Windows directory itself, for example—the values will be way off.

You can use Size on disk as a sniff-test to get a rough idea of the size of a directory, but remember that it’s a naïve calculation. If you need to keep careful tabs on disk consumption, you’d be better off using a feature like Disk Quotas, whose purpose is to more intelligently track disk consumption.

# <b>3.2 File and Text Manipulation</b>

<center>
    <h2><b>Table 3.2 File and Text Manipulation</b></h2>

|Purpose|PowerShell|Bash|
|-|-|-|
|**Display File Contents**|||
|show the whole file at once|cat \<filename>|cat \<filename>|
|show the first 10 lines of the doc|cat \<filename> -Head 10|head \<filename>|
|show the last 10 lines of the doc|cat \<filename> -Tail 10|tail \<filename>|
|show page by page|more \<filename> + space|more \<filename> + space/arrows|
|show line by line|more \<filename> + Enter|more \<filename> + Enter|
|||less \<filename> + arrow keys|
|go to the beginning of the file||less \<filename> + g key|
|go to the end of the file||less \<filename> + G key|
|search for a word||less \<filename> + /word_search|
|quit|q|q|
|**Find in Files**|||
|searching within files|`sls` (string ls) or `Select-String`|`grep`|
|searching within directories|`ls 'path' -Recurse -Filter *.file_ext`|`find path -name '*.file_ext'`|
|searching in a file|`cat fname \| sls word`|`cat fname \| grep word`|
|**Input, Output, and the Pipeline**|||
|**stdin**|||
|||`cat < fname`|
|**stdout**|||
|write to a new file|`echo 'text' > fname`|`echo 'text' > fname`|
|append to the file|`echo 'text' >> fname`|`echo 'text' >> fname`|
|combine ops|`cat fname \| sls word > fname2`|`ls -la /etc \| grep bluetooth > test.txt`|
|**stderr**|||
|save error msg to a file|`rm secure_file 2> fname`|`rm secure_file 2> fname`|
|ignore error message|`rm secure_file 2> $null`|`rm secure_file 2> /dev/null`|

`1`: stdout - the output  
`2`: stderr - the error  
`$null`: nowhere in PS  
`/dev/null`: nowhere in Bash
    
See: `Get-Help about_redirection` in PowerShell
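The stdin, stdout and stderr rows of Table 3.2 exercised in one Bash function, as an added example that is not from the course notes. It runs in a scratch directory, deliberately removes a file that does not exist so that an error message is produced, and goes one step beyond the table by also showing `2>&1`, which merges stderr into stdout so a single pipe sees both streams. The function name and file names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes: the stdin/stdout/stderr rows of
# Table 3.2, run in a scratch directory, with the results summarised on one line.
set -u

demo_redirection() {
    local sandbox
    sandbox=$(mktemp -d)
    (
        cd "$sandbox"

        # stdout: > creates or overwrites the file, >> appends to it
        echo 'first line'   > notes.txt
        echo 'second line'  >> notes.txt
        echo 'bluetooth on' >> notes.txt

        # stdin: < feeds the file to grep directly, no cat needed
        hits=$(grep -c 'line' < notes.txt)

        # pipeline: stdout of ls becomes stdin of grep, and the result is saved
        ls -la . | grep 'notes' > found.txt

        # stderr: 2> captures the error message, 2> /dev/null discards it
        # (secure_file does not exist, so rm is expected to fail here)
        rm secure_file 2> errors.txt  || true
        rm secure_file 2> /dev/null   || true
        errlines=$(wc -l < errors.txt | tr -d ' ')

        # 2>&1 sends stderr to wherever stdout goes, so one pipe sees both
        merged=$(rm secure_file 2>&1 | grep -c 'secure_file')

        echo "lines=$(wc -l < notes.txt | tr -d ' ') hits=$hits found=$(wc -l < found.txt | tr -d ' ') errlines=$errlines merged=$merged"
    )
    rm -rf "$sandbox"
}

demo_redirection
```

Note the `|| true` after the failing `rm` calls: the error message is what the example wants, and the guard keeps the function usable from a script that runs with `set -e`.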

## Text editors

- Windows:
    - [notepad++](https://notepad-plus-plus.org/)
- Linux:
    - [nano](https://www.nano-editor.org/)
    - [vim](https://www.vim.org/)
    - [emacs](https://www.gnu.org/software/emacs/tour/)

# <b>3.3 Users, Administrators, and Groups</b>

|Purpose|PowerShell|Bash|
|-|-|-|
|check users|`Get-LocalUser`|`cat /etc/passwd`|
|check groups|`Get-LocalGroup`|`cat /etc/group`|
|check users with administrative rights|`Get-LocalGroupMember Administrators`|`sudo cat /etc/sudoers`|
|work as a root user||`su -` substitute user (`exit`)|
|**Passwords**|||
|change user password|`net user <name> 'password'`|`passwd <username>` (stored in `/etc/shadow`)|
||`net user <name> *` will hide password from screen||
|change pwd on the next logon|`net user <name> * /logonpasswordchg:yes`|`sudo passwd -e <uname>` (expire flag)|
|**Adding/removing users**|||
|add a new user|`net user <uname> * /add /logonpasswordchg:yes`|`sudo useradd <name>`|
|delete a user's account|`net user <name> /del`|`sudo userdel <name>`|
||`Remove-LocalUser <name>`||

## Windows GUI

- Computer Management: Control Panel -> Administrative Tools -> Local Users and Groups

- Add a new user: select `Users`, right-click, and choose `New User`

## Linux

```bash
cat /etc/passwd | grep root
```

```
root:x:0:0:root:/root:/bin/bash
```

User `root`; the `x` in the password field means the password hash is stored in another file (`/etc/shadow`); `0:0` are the user ID and group ID.

```bash
cat /etc/group | grep sudo
```

```
sudo:x:27:
```

- `x` is the group password field (the password itself, if any, is kept in another file),
- `27` is the group ID,
- the empty last field is the list of members.
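How an administrator reads these two files when auditing access, as an added example that is not part of the course: the script parses constructed copies of `/etc/passwd` and `/etc/group` (sample data embedded below, with a second UID 0 account planted on purpose) with `awk`, listing who is root-equivalent, who can log in interactively, and who belongs to `sudo`. The function names and the sample accounts are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the course: audit constructed /etc/passwd and
# /etc/group samples the way an administrator checks who has root-level access.
set -u

# Constructed sample data (not from a real host). "backup2" has UID 0 on purpose.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
commi:x:1000:1000:Commi:/home/commi:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/sh
svc:x:1001:1001::/var/lib/svc:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:commi
users:x:100:'

# Accounts whose UID (field 3) is 0: every one of them is effectively root.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }' | paste -s -d , -
}

# Accounts with an interactive login shell (field 7 not nologin/false).
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' | paste -s -d , -
}

# Members of one group: field 4 of the matching /etc/group line.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# Warn when more than one account carries UID 0.
extra_root_check() {
    local n
    n=$(printf '%s\n' "$1" | awk -F: '$3 == 0' | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "WARN: $n accounts with UID 0"
    else
        echo "OK"
    fi
}

uid0_accounts "$SAMPLE_PASSWD"       # root,backup2
login_accounts "$SAMPLE_PASSWD"      # root,commi,backup2
group_members "$SAMPLE_GROUP" sudo   # commi
extra_root_check "$SAMPLE_PASSWD"    # WARN: 2 accounts with UID 0
```

Point the same functions at the real files with `"$(cat /etc/passwd)"` and `"$(cat /etc/group)"`; on a healthy system `uid0_accounts` should return only `root`.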

## Supplemental Reading: [Selecting Secure Passwords](https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc875839(v=technet.10)?redirectedfrom=MSDN)

### Introduction

Although many alternatives for user authentication are available today, most users log on to their computer and remote computers using a combination of their user name and a password typed at their keyboard. There are products that use more secure technologies such as biometrics, smart cards, and one-time passwords available for all popular operating systems; but the reality is that many organizations still rely on passwords and they will continue to do so for years to come. Users often have many different computer accounts at work, for their cell phone, at their bank, with insurance companies, and so on. To make it easier to remember their passwords, users often use the same or similar passwords on each system; and given a choice, most users will select a very simple and easy-to-remember password such as their birthday, their mother's maiden name, or the name of a relative. Short and simple passwords are relatively easy for attackers to determine. Some common methods that attackers use for discovering a victim's password include:

- Guessing: The attacker attempts to log on using the user's account by repeatedly guessing likely words and phrases such as their children's names, their city of birth, and local sports teams.

- Online Dictionary Attack: The attacker uses an automated program that includes a text file of words. The program repeatedly attempts to log on to the target system using a different word from the text file on each try.

- Offline Dictionary Attack: Similar to the online dictionary attack, the attacker gets a copy of the file where the hashed or encrypted copy of user accounts and passwords are stored and uses an automated program to determine what the password is for each account. This type of attack can be completed very quickly once the attacker has managed to get a copy of the password file.

- Offline Brute Force Attack: This is a variation of the dictionary attacks, but it is designed to determine passwords that may not be included in the text file used in those attacks. Although a brute force attack can be attempted online, due to network bandwidth and latency they are usually undertaken offline using a copy of the target system's password file. In a brute force attack the attacker uses an automated program that generates hashes or encrypted values for all possible passwords and compares them to the values in the password file.

Each of these attack methods can be slowed down significantly or even defeated through the use of strong passwords. Therefore, whenever possible, computer users should use strong passwords for all of their computer accounts. Computers running versions of Windows based on Microsoft Windows NT, including Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, support strong passwords. In Windows, a strong password is a password that includes characters from at least three of the five groups in the following Character Classes table.

<center>
<b>Character Classes</b>

<div class="has-inner-focus"><table aria-label="Table 1" class="table table-sm">
<colgroup>
<col>
<col>
</colgroup>
<thead>
<tr class="header">
<th><p>Group</p></th>
<th><p>Example</p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Lowercase letters</p></td>
<td><p>a, b, c, ...</p></td>
</tr>
<tr class="even">
<td><p>Uppercase letters</p></td>
<td><p>A, B, C, ...</p></td>
</tr>
<tr class="odd">
<td><p>Numerals</p></td>
<td><p>0, 1, 2, 3, 4, 5, 6, 7, 8, 9</p></td>
</tr>
<tr class="even">
<td><p>Non-alphanumeric (symbols)</p></td>
<td><p>( ) ` ~ ! @ # $ % ^ &amp; * - + = | \ { } [ ] : ; " ' &lt; &gt; , . ? /</p></td>
</tr>
<tr class="odd">
<td><p>Unicode characters</p></td>
<td><p>€, Γ, ƒ, and λ</p></td>
</tr>
</tbody>
</table></div>

**Note**: Space characters do not fall under any of these five groups and do not count towards the password complexity requirements.

The passwords of particularly sensitive accounts such as those used by administrators or senior executives or for running critical network services should be composed from four or even all five of these groups. On the other hand, passwords that must be used by human beings must be easily remembered; the loss of an executive or critical administrator account password could be devastating. This document describes how passwords are stored in the Windows family of operating systems and gives guidance to Administrators on how to maximize the security of their passwords.

These contradictory requirements can be overcome by thinking about pass phrases rather than passwords. Every version of Windows that supports strong passwords supports the use of spaces and punctuation symbols in account passwords. For example, "I re@lly want to buy 11 Dogs!" is a valid pass phrase. With more than twenty characters it is a very long pass phrase, and it includes characters from 4 of the 5 possible groups. It is also easy to remember! Most password cracking tools assume the password will never exceed 14 characters, which is the limit that DOS network boot disks, Microsoft Remote Installation Services (RIS) Pre eXecutable Environment (PXE) boot disks, and older LAN Manager clients (Win9x) must utilize. Even without complexity, a very long password (>14 characters, up to 128 characters) can be the best possible protection against having an especially sensitive password broken.

Note: Do not use the example passwords within this document. Although the password discussed above, "I re@lly want to buy 11 Dogs!", is very long and complex, attackers may add it and other sample passwords in this document to their attack tools.

If administrators have legacy systems, RIS, or similar requirements to adhere to, or if they simply dislike dealing with an especially lengthy password, using a shorter password with complex characters offers good protection. However, keep in mind the longer the password the more difficult it is to break, and adding both complexity and length makes it the most difficult of all to break.
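The character-class rule and the length advice above, turned into a check, as an added example that is not part of the Microsoft article: the Bash functions below count how many of the five classes a password draws from (spaces never count, as the note states) and then apply the "more than 14 characters" guidance. The passwords in the usage lines are constructed for illustration, and treating any byte outside ASCII as the Unicode class is this script's own assumption, since the real check runs inside Windows.

```bash
#!/usr/bin/env bash
# Added example, not from the article: score a password against the five
# Windows character classes and the length advice. Spaces are ignored.
set -u

# Number of bytes of $1 that fall in the tr character set $2 (byte-wise, C locale).
count_in_set() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | LC_ALL=C wc -c | tr -d ' '
}

# How many of the five classes (lower, upper, digit, symbol, Unicode) appear.
password_classes() {
    local pw="$1" n=0
    [ "$(count_in_set "$pw" 'a-z')" -gt 0 ] && n=$((n + 1))
    [ "$(count_in_set "$pw" 'A-Z')" -gt 0 ] && n=$((n + 1))
    [ "$(count_in_set "$pw" '0-9')" -gt 0 ] && n=$((n + 1))
    # printable ASCII (0x21-0x7E) that is not a letter or digit: the symbol class
    [ "$(count_in_set "$pw" '\041-\057\072-\100\133-\140\173-\176')" -gt 0 ] && n=$((n + 1))
    # any byte above 0x7F: characters outside ASCII, e.g. ones typed with ALT codes
    [ "$(count_in_set "$pw" '\200-\377')" -gt 0 ] && n=$((n + 1))
    echo "$n"
}

# Length in characters (bytes in the C locale; identical for ASCII input).
password_length() { printf '%s' "$1" | wc -m | tr -d ' '; }

# Verdict: at least 3 classes is "strong" in Windows terms; the article adds
# that more than 14 characters is the better protection for sensitive accounts.
password_verdict() {
    local pw="$1" classes len
    classes=$(password_classes "$pw")
    len=$(password_length "$pw")
    if [ "$classes" -lt 3 ]; then
        echo "weak: $classes of 5 classes (need at least 3)"
    elif [ "$len" -le 14 ]; then
        echo "complex: $classes classes, but only $len characters (more than 14 recommended)"
    else
        echo "strong: $classes classes, $len characters"
    fi
}

# Constructed sample passwords, for illustration only.
password_verdict 'password'                   # weak: 1 of 5 classes (need at least 3)
password_verdict 'caf3 latte'                 # weak: 2 of 5 classes (need at least 3)
password_verdict 'Pa55w0rd!'                  # complex: 4 classes, but only 9 characters (more than 14 recommended)
password_verdict 'Blue c0ffee & 3 pancakes?'  # strong: 4 classes, 25 characters
```

The second sample shows why the note about spaces matters: `caf3 latte` looks like three kinds of characters but only the lowercase and digit classes count.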

Establishing password policies for your organization will help to protect your users from attackers who try to impersonate them, thereby protecting your organization from the loss, exposure, or corruption of sensitive information.

This document explains how passwords are stored in the Windows family of operating systems, gives guidance to administrators on how to maximize the security of their passwords, and explains to users how to create new passwords that meet the complexity requirements and are still easy to remember.

The document includes information and guidance on the following topics:

- Additional details about password cracking.

- How Windows stores passwords including information about LAN Manager (LM) hashes and NTLM hashes.

- Description of Unicode characters and using Unicode characters by entering ALT key combinations.

- Requirements for legacy systems such as Windows 98.

- Establishing a password policy for your organization.

- Communicating password complexity to end users, which includes text that is ready for you to customize and forward to the people who work in your organization.

- Resources for additional information including links to Web sites with related information that may help you to establish strong password policies in your organization.

### Before You Begin

Before proceeding with the discussion of password policy creation it is important that you have a solid understanding of how password hashes are created and stored by the Windows operating system family. It will also be helpful for you to fully understand other concepts related to password complexity such as entropy, Unicode characters, and ALT characters.

### Password Storage in Windows

By default, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 never store user passwords in plaintext. Instead, passwords are stored using two different password representations, commonly called "**hashes**." The first, the **LAN Manager (LM) hash**, is much less secure than the second, the **NTLM hash**. The reason for storing both representations is for backward compatibility with older applications and operating systems such as Windows 98.

#### The LAN Manager (LM) Hash

The LM hash is technically speaking not a hash at all. It is computed as follows:

- Convert all lowercase characters in the password to uppercase

- Pad the password with NULL characters until it is exactly 14 characters long

- Split the password into two 7 character chunks

- Use each chunk separately as a DES key to encrypt a specific string

- Concatenate the two cipher texts into a 128-bit string and store the result

As a result of the algorithm used to generate the LM hash, the hash is very easy to break. First, even a password longer than 8 characters can be attacked in two discrete chunks. Second, the entire lowercase character set can be ignored. This means that most password cracking tools will start by cracking the LM hashes and then simply vary the alpha characters in the cracked password to generate the case-sensitive passwords. Note that in order to log on to a computer running Windows 2000, whether remotely or locally, you will need to use the case-preserved password.
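The first three LM steps carried out on constructed sample passwords, as an added example that is not from the article: the Bash script uppercases, NUL-pads or truncates to 14 bytes and splits into two 7-byte halves, printing both halves in hex, and then uses `awk` to put a number on how much search space those steps remove. The DES step is deliberately not reproduced; the alphabet sizes used (69 distinct characters once lowercase has been folded into uppercase, 95 printable ASCII characters otherwise) are this script's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the article: LM preprocessing (steps 1-3) on sample
# input, plus a search-space comparison. No DES step is performed here.
set -u

# Print the two 7-byte halves LM would hand to DES, as hex, NUL padding included.
lm_halves_hex() {
    local up hex
    up=$(printf '%s' "$1" | LC_ALL=C tr 'a-z' 'A-Z')   # step 1: fold to uppercase
    up=${up:0:14}                                      # step 2a: anything past 14 is dropped
    hex=$(printf '%s' "$up" | od -An -v -tx1 | tr -d ' \n')
    while [ ${#hex} -lt 28 ]; do hex="${hex}00"; done  # step 2b: NUL-pad to 14 bytes
    printf '%s %s\n' "${hex:0:14}" "${hex:14:14}"      # step 3: two independent halves
}

# Bits of search space per LM half: 7 positions over a 69-character alphabet
# (26 uppercase + 10 digits + 33 symbols). The halves are attacked separately,
# so this, not its double, is the work for a 14-character password.
lm_search_bits() { awk 'BEGIN { printf "%.1f\n", log(69^7) / log(2) }'; }

# Bits of search space for the same 14 characters kept case-sensitive
# (95 printable ASCII characters per position).
full_search_bits() { awk 'BEGIN { printf "%.1f\n", log(95^14) / log(2) }'; }

# Constructed sample passwords, for illustration only.
lm_halves_hex 'Password123456'   # 50415353574f52 44313233343536
lm_halves_hex 'secret'           # 53454352455400 00000000000000
lm_search_bits                   # 42.8
full_search_bits                 # 92.0
```

The second sample makes the weakness concrete: a password of seven characters or fewer leaves the second half entirely NUL, so its ciphertext is the same constant for every such password, and the attacker has only one 7-byte half to work on.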

#### The NTLM Hash

The NTLM hash is also known as the **Unicode hash** because it supports the full Unicode character set. The NTLM hash is calculated by taking the plain text password and generating a **Message Digest 4 (MD4) hash** of it. The MD4 hash is what is actually stored in either the **Active Directory database** or the local **Security Accounts Manager (SAM) database**. The NTLM hash is much more resistant to brute force attacks than the LM hash. Brute forcing an NTLM hash takes several orders of magnitude longer than brute forcing the LM hash of the same password.

### Entropy

Entropy is a measure of disorder in a system. The level of entropy in a password is determined by how random it is in terms of the range and order of characters in it. When selecting a password that is resistant to cracking, it is important that you carefully pick your entropy and where it appears in the password. Most brute force password cracking tools start out by searching for alphanumeric characters and symbols present on most keyboards such as ` ~ ! @ # $ % ^ & * ( ) _ - + = (sometimes called the "upper row symbols" because they appear on the top row of most U.S. keyboards). With that knowledge you can make a password more resistant to cracking by using different symbols such as these: [ ] { } < >. You increase their resistance to cracking even further by using ALT key combinations.

> Note that due to the way LM hashes are created, putting a symbol as the only entropy in the eighth position of an eight character password only has a small impact on password complexity. For maximum entropy and complexity, non-alphanumeric characters need to be present throughout the password.

### Using Unicode Characters in ALT Key Combinations

Most users should have no problem finding pass phrases that they can easily remember, but for particularly sensitive accounts such as those with domain administrator privileges it is highly recommended that Unicode characters are included in the passwords using ALT key combinations. These are characters that do not appear on standard U.S. keyboards. You enter them by holding down the `ALT` key (or the `FN` and the `ALT` key on most laptop computers) and typing a three- or four-digit number on the numeric keypad (the numeric overlay keypad on a laptop computer).

The use of these types of characters greatly strengthens passwords in two ways: 

- First, password cracking tools are often unable to test the vast majority of these types of characters. 
- Second, the use of these characters greatly increases the range of characters that may appear in your password, which strengthens the potential complexity of the password by many orders of magnitude. 

When using ALT key combinations it is very important that you remember the leading zero, if present, because leaving the zero off results in a different character. For example, `ALT+128` is `Ç`, while `ALT+0128` is `€`. The rest of this section focuses on four digit codes, which access the entire Unicode character set, and ignore the three digit codes, which only access the extended ASCII character set.

The following table lists the numerical values that can be used as ALT key combinations. Recommended values are between 0128 and 1024. Each cell in the table below shows either a single value or a range of values. For example, the first cell shows "0128-0159." This means that you could use any value between 0128 and 0159, such as ALT+0135, which corresponds to the Unicode character "‡".

<center>
<b>Recommended ALT Code to Use for ALT Key Combinations</b>

<div class="has-inner-focus"><table aria-label="Table 2" class="table table-sm">
<colgroup>
<col>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr class="odd">
<td><p>0128-0159</p></td>
<td><p>0306-0307</p></td>
<td><p>0312</p></td>
<td><p>0319-0320</p></td>
</tr>
<tr class="even">
<td><p>0329-0331</p></td>
<td><p>0383</p></td>
<td><p>0385-0406</p></td>
<td><p>0408-0409</p></td>
</tr>
<tr class="odd">
<td><p>0411-0414</p></td>
<td><p>0418-0424</p></td>
<td><p>0426</p></td>
<td><p>0428-0429</p></td>
</tr>
<tr class="even">
<td><p>0433-0437</p></td>
<td><p>0439-0447</p></td>
<td><p>0449-0450</p></td>
<td><p>0452-0460</p></td>
</tr>
<tr class="odd">
<td><p>0477</p></td>
<td><p>0480-0483</p></td>
<td><p>0494-0495</p></td>
<td><p>0497-0608</p></td>
</tr>
<tr class="even">
<td><p>0610-0631</p></td>
<td><p>0633-0696</p></td>
<td><p>0699</p></td>
<td><p>0701-0707</p></td>
</tr>
<tr class="odd">
<td><p>0709</p></td>
<td><p>0711</p></td>
<td><p>0716</p></td>
<td><p>0718-0729</p></td>
</tr>
<tr class="even">
<td><p>0731</p></td>
<td><p>0733-0767</p></td>
<td><p>0773-0775</p></td>
<td><p>0777</p></td>
</tr>
<tr class="odd">
<td><p>0779-0781</p></td>
<td><p>0783-0806</p></td>
<td><p>0808-0816</p></td>
<td><p>0819-0893</p></td>
</tr>
<tr class="even">
<td><p>0895-0912</p></td>
<td><p>0914</p></td>
<td><p>0918-0919</p></td>
<td><p>0921-0927</p></td>
</tr>
<tr class="odd">
<td><p>0929-0930</p></td>
<td><p>0933</p></td>
<td><p>0935-0936</p></td>
<td><p>0938-0944</p></td>
</tr>
<tr class="even">
<td><p>0947</p></td>
<td><p>0950-0955</p></td>
<td><p>0957-0959</p></td>
<td><p>0961-0962</p></td>
</tr>
<tr class="odd">
<td><p>0965</p></td>
<td><p>0967-1024</p></td>
<td><p>&nbsp;</p></td>
<td><p>&nbsp;</p></td>
</tr>
</tbody>
</table></div> 

Not all Unicode characters increase password complexity because they are automatically converted to ASCII characters, resulting in a weakened password instead. The following table shows character codes that should not be used in a password and the ASCII character to which they are converted.

<center>
<b>ALT Code Not to Use for ALT Key Combinations</b>

<div class="has-inner-focus"><table aria-label="Table 3" class="table table-sm">
<colgroup>
<col>
<col>
<col>
</colgroup>
<thead>
<tr class="header">
<th><p>ALT Code</p></th>
<th><p>Unicode Character</p></th>
<th><p>Resulting Character</p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0175</p></td>
<td><p>¯</p></td>
<td><p>_</p></td>
</tr>
<tr class="even">
<td><p>0190</p></td>
<td><p>¾</p></td>
<td><p>_</p></td>
</tr>
<tr class="odd">
<td><p>0222</p></td>
<td><p>Þ</p></td>
<td><p>_</p></td>
</tr>
<tr class="even">
<td><p>0254</p></td>
<td><p>þ</p></td>
<td><p>_</p></td>
</tr>
<tr class="odd">
<td><p>0101</p></td>
<td><p>e</p></td>
<td><p>E</p></td>
</tr>
<tr class="even">
<td><p>0200</p></td>
<td><p>È</p></td>
<td><p>E</p></td>
</tr>
<tr class="odd">
<td><p>0202</p></td>
<td><p>Ê</p></td>
<td><p>E</p></td>
</tr>
<tr class="even">
<td><p>0203</p></td>
<td><p>Ë</p></td>
<td><p>E</p></td>
</tr>
<tr class="odd">
<td><p>0232</p></td>
<td><p>è</p></td>
<td><p>E</p></td>
</tr>
<tr class="even">
<td><p>0234</p></td>
<td><p>ê</p></td>
<td><p>E</p></td>
</tr>
<tr class="odd">
<td><p>0235</p></td>
<td><p>ë</p></td>
<td><p>E</p></td>
</tr>
<tr class="even">
<td><p>0100</p></td>
<td><p>d</p></td>
<td><p>D</p></td>
</tr>
<tr class="odd">
<td><p>0208</p></td>
<td><p>Ð</p></td>
<td><p>D</p></td>
</tr>
<tr class="even">
<td><p>0240</p></td>
<td><p>ð</p></td>
<td><p>D</p></td>
</tr>
<tr class="odd">
<td><p>0117</p></td>
<td><p>u</p></td>
<td><p>U</p></td>
</tr>
<tr class="even">
<td><p>0217</p></td>
<td><p>Ù</p></td>
<td><p>U</p></td>
</tr>
<tr class="odd">
<td><p>0218</p></td>
<td><p>Ú</p></td>
<td><p>U</p></td>
</tr>
<tr class="even">
<td><p>0219</p></td>
<td><p>Û</p></td>
<td><p>U</p></td>
</tr>
<tr class="odd">
<td><p>0249</p></td>
<td><p>ù</p></td>
<td><p>U</p></td>
</tr>
<tr class="even">
<td><p>0250</p></td>
<td><p>ú</p></td>
<td><p>U</p></td>
</tr>
<tr class="odd">
<td><p>0251</p></td>
<td><p>û</p></td>
<td><p>U</p></td>
</tr>
<tr class="even">
<td><p>0192</p></td>
<td><p>À</p></td>
<td><p>A</p></td>
</tr>
<tr class="odd">
<td><p>0193</p></td>
<td><p>Á</p></td>
<td><p>A</p></td>
</tr>
<tr class="even">
<td><p>0194</p></td>
<td><p>Â</p></td>
<td><p>A</p></td>
</tr>
<tr class="odd">
<td><p>0195</p></td>
<td><p>Ã</p></td>
<td><p>A</p></td>
</tr>
<tr class="even">
<td><p>0224</p></td>
<td><p>à</p></td>
<td><p>A</p></td>
</tr>
<tr class="odd">
<td><p>0225</p></td>
<td><p>á</p></td>
<td><p>A</p></td>
</tr>
<tr class="even">
<td><p>0226</p></td>
<td><p>â</p></td>
<td><p>A</p></td>
</tr>
<tr class="odd">
<td><p>0227</p></td>
<td><p>ã</p></td>
<td><p>A</p></td>
</tr>
<tr class="even">
<td><p>0065</p></td>
<td><p>A</p></td>
<td><p>A</p></td>
</tr>
<tr class="odd">
<td><p>0114</p></td>
<td><p>r</p></td>
<td><p>R</p></td>
</tr>
<tr class="even">
<td><p>0174</p></td>
<td><p>®</p></td>
<td><p>R</p></td>
</tr>
<tr class="odd">
<td><p>0121</p></td>
<td><p>y</p></td>
<td><p>Y</p></td>
</tr>
<tr class="even">
<td><p>0221</p></td>
<td><p>Ý</p></td>
<td><p>Y</p></td>
</tr>
<tr class="odd">
<td><p>0253</p></td>
<td><p>ý</p></td>
<td><p>Y</p></td>
</tr>
<tr class="even">
<td><p>0255</p></td>
<td><p>ÿ</p></td>
<td><p>Y</p></td>
</tr>
<tr class="odd">
<td><p>0120</p></td>
<td><p>x</p></td>
<td><p>X</p></td>
</tr>
<tr class="even">
<td><p>0215</p></td>
<td><p>×</p></td>
<td><p>X</p></td>
</tr>
<tr class="odd">
<td><p>0111</p></td>
<td><p>o</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0210</p></td>
<td><p>Ò</p></td>
<td><p>O</p></td>
</tr>
<tr class="odd">
<td><p>0211</p></td>
<td><p>Ó</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0212</p></td>
<td><p>Ô</p></td>
<td><p>O</p></td>
</tr>
<tr class="odd">
<td><p>0213</p></td>
<td><p>Õ</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0216</p></td>
<td><p>Ø</p></td>
<td><p>O</p></td>
</tr>
<tr class="odd">
<td><p>0242</p></td>
<td><p>ò</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0243</p></td>
<td><p>ó</p></td>
<td><p>O</p></td>
</tr>
<tr class="odd">
<td><p>0244</p></td>
<td><p>ô</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0245</p></td>
<td><p>õ</p></td>
<td><p>O</p></td>
</tr>
<tr class="odd">
<td><p>0248</p></td>
<td><p>ø</p></td>
<td><p>O</p></td>
</tr>
<tr class="even">
<td><p>0105</p></td>
<td><p>i</p></td>
<td><p>I</p></td>
</tr>
<tr class="odd">
<td><p>0204</p></td>
<td><p>Ì</p></td>
<td><p>I</p></td>
</tr>
<tr class="even">
<td><p>0205</p></td>
<td><p>Í</p></td>
<td><p>I</p></td>
</tr>
<tr class="odd">
<td><p>0206</p></td>
<td><p>Î</p></td>
<td><p>I</p></td>
</tr>
<tr class="even">
<td><p>0207</p></td>
<td><p>Ï</p></td>
<td><p>I</p></td>
</tr>
<tr class="odd">
<td><p>0236</p></td>
<td><p>ì</p></td>
<td><p>I</p></td>
</tr>
<tr class="even">
<td><p>0237</p></td>
<td><p>í</p></td>
<td><p>I</p></td>
</tr>
<tr class="odd">
<td><p>0238</p></td>
<td><p>î</p></td>
<td><p>I</p></td>
</tr>
<tr class="even">
<td><p>0239</p></td>
<td><p>ï</p></td>
<td><p>I</p></td>
</tr>
<tr class="odd">
<td><p>0169</p></td>
<td><p>©</p></td>
<td><p>C</p></td>
</tr>
<tr class="even">
<td><p>0099</p></td>
<td><p>c</p></td>
<td><p>C</p></td>
</tr>
</tbody>
</table></div>

### Password Age and Reuse

Users should also change their passwords frequently. Even though long and strong passwords are much more difficult to break than short and simple ones, they can still be cracked. An attacker who has enough time and computing power at his disposal can eventually break any password. In general, passwords should be changed within 42 days, and old passwords should never be reused.

### Developing a Password Policy for Your Organization

This section provides the following step-by-step instructions for enhancing security by creating and communicating a password policy for your organization.

- Identifying what computer operating systems are present on your organization's network

- Understanding what the limitations are for those operating systems

- Defining what the technical requirements for passwords will be on your organization's network.

- Determining how much formality is appropriate regarding the documentation and communication of the password policy for your organization

- Documenting the password policy in writing

- Communicating the password policy to the users before implementing it on your systems

- Implementing the password policy on your organization's computer systems

- Reminding users on an ongoing basis about the importance of observing the password policy and other corporate security policies.

#### Identifying Existing Operating Systems

In order to specify password policies that will not cause problems for any users logging on to computers in your organization, you need to know what operating systems they are using. It is possible that you already know exactly what operating systems are in use on your network. If you don't, then you need to find out. You do not need to know how many of each, and you do not need to create a precise inventory of all the systems on your network at this time. To be able to design a suitable password policy, you only need to know if there are any legacy systems present. Computers running Windows 95, Windows 98, or Windows Millennium Edition are the legacy operating systems that you are most likely to encounter on your network.

To identify what computer operating systems are in use on your organization's network you can ask your users to check which version they are running for you, or you can walk up to each computer and check yourself. Regardless of who does the checking, this is the process:

- Click `Start`, and then click `Run`.

- In Open, type `winver.exe`, and then click `OK`. The version number is displayed in the `About` Windows dialog box.

#### Understanding the Limitations of Some Operating Systems

As explained earlier, computers running Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 all support long and strong passwords. Computers running Windows 95, Windows 98, and Windows Millennium Edition do not. If any of the computers on your network are running any of these versions of Windows, then your password policy will have to accommodate these computers.

For organizations that include computers running Windows 95, Windows 98, or Windows Millennium Edition, user passwords cannot be longer than 14 characters and cannot include characters generated through ALT key combinations.

If all computers in your organization are running Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003, then user passwords can be up to 128 characters long and those passwords can include characters generated through ALT key combinations.

#### Defining Technical Requirements for Passwords

For computers running Windows 2000, Windows XP, and Windows Server 2003, you can enforce up to five settings related to password characteristics.

In this step, we provide you with the setting definitions and our recommendation for these settings. You will decide what values your organization will enforce.

<center>
    <b>Technical Requirements for Passwords</b>

<div class="has-inner-focus"><table aria-label="Table 4" class="table table-sm">
<colgroup>
<col>
<col>
<col>
</colgroup>
<thead>
<tr class="header">
<th><p>Setting</p></th>
<th><p>Description</p></th>
<th><p>Recommendation</p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Enforce password history</strong></p></td>
<td><p>Determines the number of unique new passwords a user must use before an old password can be reused. It can be set between 0 and 24; if set to 0, then enforce password history is disabled.</p></td>
<td><p>For most organizations, set to 24 passwords remembered.</p></td>
</tr>
<tr class="even">
<td><p><strong>Maximum password age</strong></p></td>
<td><p>Determines how many days a password can be used before the user is required to change it. It can be set between 0 and 999; if set to 0, then passwords never expire. Setting this too low may cause a great deal of frustration for your users, setting it too high or disabling it will give potential attackers more time to try to break users' passwords.</p></td>
<td><p>For most organizations, set to 42 days.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Minimum password age</strong></p></td>
<td><p>Determines how many days a user must keep their new password before they can change it. This setting is designed to work with the <strong>Enforce password history</strong> setting so that users cannot quickly reset their password 24 times and then change their password back to the old password. It can be set between 0 and 999; if set to 0, then users will be able to immediately change their password right after changing it.</p></td>
<td><p>For most organizations, set to 2 days.</p></td>
</tr>
<tr class="even">
<td><p><strong>Minimum password length</strong></p></td>
<td><p>Determines how short passwords can be. Although computers running Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 128 characters, this setting can only be set between 0 and 14 characters. If it is set to 0, then users are allowed to have blank passwords; this value should never be used.</p></td>
<td><p>Set to 8 characters.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Passwords must meet complexity requirements</strong></p></td>
<td><p>Determines whether or not password complexity is enforced.<br>
When this setting is enabled user passwords will have the following requirements:<br>
</p>
<ul>
<li><p>The password is at least six characters long.</p></li>
<li><p>The password contains characters from three of the following five categories: English uppercase characters (A-Z); English lowercase characters (a-z); base 10 digits (0-9); non-alphanumeric characters (for example: !, $, #, or %); Unicode characters.</p></li>
<li><p>The password does not contain three or more characters from the user's account name. If the account name is less than three characters long then this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user's full name several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present, the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin," "M," and "Hagens." Since the second token is only one character long it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case insensitive.</p></li>
</ul></td>
<td><p>Enable this setting.</p></td>
</tr>
</tbody>
</table></div>
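The complexity, length and history rules in the table above, as an added Python model (not Microsoft's implementation; `PolicySettings`, `check_password` and the sample accounts are constructed for this example):

```python
"""Added example, not Microsoft code: a model of the 'Passwords must meet
complexity requirements' check and the length/history settings above.
PolicySettings, check_password and the sample accounts are constructed."""
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Set

# Characters that split a full name into tokens (from the table above).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


@dataclass
class PolicySettings:
    """Constructed mirror of the Group Policy settings in the table."""
    min_length: int = 8        # Minimum password length (recommended 8)
    history: int = 24          # Enforce password history (0 disables it)
    complexity: bool = True    # Passwords must meet complexity requirements


def character_categories(password: str) -> Set[str]:
    """Which of the five categories the password draws characters from."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        elif ord(ch) > 127:
            cats.add("unicode")
        else:
            cats.add("symbol")          # non-alphanumeric such as ! $ # %
    return cats


def name_tokens(full_name: str) -> List[str]:
    """Tokens of three or more characters; shorter ones are ignored."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def complexity_violations(password: str, account_name: str,
                          full_name: str = "") -> List[str]:
    """The three complexity rules; all substring checks are case insensitive."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if len(character_categories(password)) < 3:
        problems.append("fewer than three character categories")
    lowered = password.lower()
    # The account-name check is skipped for names shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains name token '{token}'")
    return problems


def check_password(password: str, account_name: str, full_name: str,
                   previous: List[str],
                   settings: Optional[PolicySettings] = None) -> List[str]:
    """Everything that would make a password change be rejected."""
    settings = settings or PolicySettings()
    problems = []
    if len(password) < settings.min_length:
        problems.append(f"shorter than the {settings.min_length}-character minimum")
    if settings.complexity:
        problems.extend(complexity_violations(password, account_name, full_name))
    # history == 0 means the setting is disabled, so nothing is remembered.
    remembered = previous[-settings.history:] if settings.history else []
    if password in remembered:
        problems.append(f"reuses one of the last {settings.history} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: the "Erin M. Hagens" account from the table.
    for candidate in ("Erin2024!", "hagens#77", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, "ehagens", "Erin M. Hagens", []))
```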

#### Documenting Your Organization's Password Policy

Next, you need to decide how formal you want to be when documenting your organization's password policy.

At a minimum, write down the settings that will be enforced on the computers in your organization's network.

Some organizations may want to record the policy in a formal policy statement. If you feel that this level of formality is suitable for your organization, you may want to take a look at the links to sample policies that appear in "Related Information" later in this document.

Some organizations may have regulatory requirements for documenting these sorts of corporate policies. If you believe that your organization has regulatory requirements, you ought to have the policy reviewed by your organization's legal counsel before implementing it and communicating it to your users.

### Communicating the Password Policy to Users

Any important policy change needs to be clearly communicated to the people who work at your organization. When changing or implementing password policies, it is extremely important that you clearly explain to the people impacted what you are doing and why.

#### Sample Password Policy for Your Use

The following text is designed for you to copy and distribute to the people you work with. Although it is ready for use as is, you may want to change specific terms to better match your own needs and specific password policy requirements.

You will notice that this sample text does not discuss or recommend the use of ALT key combinations; this is because their use may be too demanding for many users. ALT key combination use is recommended for technically savvy users who have powerful or sensitive accounts, such as administrators.

To organization members:

Weak and blank passwords are one of the easiest ways for attackers to break into your computer and our organization's network. Passwords that are used for years at a time, or passwords that are reused frequently, are also much more likely to be discovered by an attacker.

To increase the protection of your account on the network, you are required to use strong passwords when accessing corporate computer systems. You will be required to change your password periodically, and you will be required to use passwords that do not match your previous passwords.

A strong password is a password that is at least eight characters long and uses characters from three of the five following groups:

- Lowercase letters
- Uppercase letters
- Numbers (for instance, 1, 2, 3)
- Symbols (for instance, @, =, -, and so on)
- Unicode characters

Your passwords will also not be able to contain three or more consecutive letters from your user account name. You will be required to change your password every 42 days, and you will not be able to reuse passwords.

When you change your password, your new password will automatically be checked for complexity and it will be compared to your previous passwords. This may sound like a frustrating situation and you may be tempted to write down your password and paste it to your desk, computer monitor, or some other easily accessed location. However, the moment you do that you are exposing your computer and our entire organization to tremendous risk as anyone could walk up to your computer and log on to the network using your credentials. Therefore, never write down your passwords. Instead, create passwords that are easy to remember.

Below you'll find some more background information about password security as well as specific advice on how to create strong passwords that are easy to remember.

**Using Pass Phrases**

Perhaps it might be easier to think in terms "pass phrases" rather than "passwords." If your computer is running Windows NT 4.0 or earlier, Windows 2000, Windows XP, and Windows Server 2003, passwords up to fifteen or more characters are supported, including spaces. Therefore, "You can try to break this until the cows come home!" is a perfectly valid pass phrase that will be extremely difficult for an attacker to break even using the best password cracking tool around. If your computer is running one of the operating systems mentioned above, try to use a very long pass phrase that includes a mix of uppercase letters, lowercase letters, numbers, and symbols.

Note that you should not actually use the example passwords within this document. Although the pass phrase discussed above, "You can try to break this until the cows come home!", is very long, attackers may add it and other sample passwords in this document to their attack tools. These are examples; you should always create your own unique passwords.

**More Password Tips**

The following information provides tips and do's and don'ts for creating and remembering passwords and password phrases.

- **Use more than one word**
Instead of only using the name of someone you know, such as "Allison", choose something about that person no one else knows about, for instance, "AllisonsBear" or "AlliesBear".

- **Use symbols instead of characters**
Many people tend to put the required symbols and numbers at the end of a word they know, for instance, "Allison1234". Unfortunately, this is relatively easy to break. The word "Allison" is in a lot of dictionaries that include common names; once the name is discovered, the attacker has only four more relatively easy characters to guess. Instead, replace one or more of the letters within the word with symbols that you'll easily recall. Many people have their own creative interpretations of what letter some symbols and numbers resemble. For example, try substituting "@" for "A", "!" for "l", a zero (0) for an "O", a `$` for an "S", and a "3" for an "E". With substitutions such as these, "@llis0nbe@r", "A!!isonB3ar", and "A//i$onBear" are all recognizable to you, but they would be extremely difficult to guess or break. Look at the symbols on your keyboard and think of the first character that comes to mind; it might not be what someone else would think of, but you will remember it. Use some of those symbols as substitutions for your passwords from now on.

- **Choose events or people that are on your mind**
To remember a strong password that will have to change in several months, try selecting an upcoming personal or public event. Use this as an opportunity to remind yourself about something pleasant that is going on in your life, or a person whom you admire or love. You won't be likely to forget the password if it is funny or endearing. Make it unique to you. Be sure to make it a phrase of two or more words, and continue to slip in your symbols. For example: "J0hn$Gr@du@tion".

- **Use phonetics in the words**
In general, password dictionaries used by attackers search for words embedded inside your password. As mentioned before, don't hesitate to use the words, but make sure you liberally sprinkle those words with embedded symbols. Another way to trump the attacker is to avoid spelling the words properly, or use funny phonetics that you can remember. For instance, "Run for the hills" could become "R0n4dHiLLs!" or "R0n 4 d Hills!" If your manager's name happens to be Ron, you might even get a chuckle each morning typing this in. If you are a lousy speller, you are ahead of the game already.

- **Don't be afraid to make the password long**
If you remember it better as a full phrase, go ahead and type it in. Longer passwords are much harder to break. And even though it is long, if it is easy for you to remember, you will probably have a lot less trouble getting into your system, even if you aren't the best typist in the world.

- **Use first letters of a phrase**
To create an easy-to-remember and strong password, begin with a properly capitalized and punctuated sentence that is easy for you to remember. For example: "My daughter Kay goes to the International School." Next, take the first letter of each word in your sentence, preserving the capitalization used in the sentence. In the example above "MdKgttIS" would be the result. Finally, substitute some non-alphanumeric characters for some of the letters in the password. You might use an "@" to replace an "a" or use an "!" to replace an "L". After one such substitution the example password above would be "MdKgtt!S": a very difficult password to break, yet a password that is easy for you to remember, as long as you can recall the sentence on which the password is based.

**Do's:**

- Combine letters, symbols, and numbers that are easy for you to remember and hard for someone else to guess.

- Create pronounceable passwords (even if they are not words) that are easier to remember, reducing the temptation to write down your password.

- Try out using the initial letters of a phrase you love, especially if a number or special character is included.

- Take two familiar things, and then wrap them around a number or special character. Alternatively, change the spelling to include a special character. In this manner, you get one unfamiliar thing (which makes a good password because it is easy for you and you alone to remember, but hard for anyone else to discover). Here are a few examples:

    "Phone + 4 + you" = "Phone4you" or "Fone4y0u"

    "cat + * + Mouse" = "cat*Mouse" or "cat*Mou$e"

    "attack + 3 + book" = "attack3booK" or "@tack3booK"

**Don'ts:**

- Don't use personal information such as derivatives of your user ID, names of family members, maiden names, cars, license tags, telephone numbers, pets, birthdays, social security numbers, addresses, or hobbies.

- Don't use any word in any language spelled forward or backward.

- Don't tie passwords to the month, for example, don't use "Mayday" in May.

- Don't create new passwords that are substantially similar to ones you've previously used.

### Implementing the Password Policy in Your Organization

Now that you have specified, documented, and communicated the new password policy, it is time to implement the password policies on your network. For information about enforcing password usage, see ["Password must meet complexity requirements"](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994562(v=ws.10)?redirectedfrom=MSDN).

### Related Information

For more information about developing a password policy, see the following:

- ["Password Policy"](https://go.microsoft.com/fwlink/?linkid=22205) on the SANS (SysAdmin, Audit, Network, Security) Web site. SANS has advice on creating formal corporate security policies and sample policies.

- ["Sample Generic Policy and High Level Procedures for Passwords and Access Forms"](https://go.microsoft.com/fwlink/?linkid=22206) on the National Institute of Standards (NIST) Web site. NIST has a sample password policy that many government agencies have used as the foundation for developing their own policies.

For more information about password policies, see the following:

- ["Account Passwords and Policies"](https://go.microsoft.com/fwlink/?linkid=22208) on the Microsoft TechNet Web site.

# <b>3.4 File Permissions</b>

|Purpose|PowerShell|Bash|
|-|-|-|
|check ACLs|`icacls <path to folder>`||
||`icacls /?` help on `icacls`||
|check permissions|`icacls 'C:\FolderName'`|`ls -l`|
|**Modifying Permissions**|||
|give permissions|`icacls 'C:\FolderName' /grant 'Everyone:(OI)(CI)(R)'`|`sudo chmod ugo+rwx fname` (change mode)|
|||`sudo chmod 777 fname`|
|withdraw permission|`icacls 'C:\FolderName' /remove 'Everyone:(OI)(CI)(R)'`|`sudo chmod ugo-rwx fname`|
|||`sudo chmod 000 fname`|
|change owner||`sudo chown uname fname`|
|change group||`sudo chgrp gname fname`|

## Windows

**Access Control Lists (ACLs)**
- **Discretionary Access Control Lists (DACLs)** - who can use a file and what they're allowed to do with it,
- **System Access Control Lists (SACLs)** - are used to tell Windows that it should use an event log to make a note of every time someone accesses a file or folder.

- `Read` - lets you see that a file exists and allows you to read its contents. It also lets you read the files and directories in a directory. 
- `Read and execute` - lets you read files and if the file is an executable, you can run the file. `Read and Execute` includes read, so if you select `Read and Execute`, read will automatically be selected. 
- `List folder contents` is an alias for `Read and Execute` on a directory. Checking one will check the other. It means that you can read and execute files in that directory. 
- `Write` lets you make changes to a file. It might be surprising to you, but you can have write access to a file without having read permission to that file. The `Write` permission also lets you create subdirectories and write to files in the directory. 
- `Modify` permission is an umbrella permission that includes `read`, `execute`, and `write`. 
- `Full control` - a user or group with full control can do anything they want to the file. It includes all the permissions of `Modify` and adds the ability to take ownership of a file and change its ACLs. 

Now, when we click on my username, we can see the permissions for Cindy, which show that I'm allowed all of these access permissions. If we want to see which ACLs are assigned to a file, we can use a utility designed to view and change ACLs called icacls, or improved change ACLs. Let's take a look at my desktop first: `icacls desktop`. Well, that looks useful, but what does it mean? I can see the user accounts that have access to my desktop and I can see that my account is one of them. But what about the rest of this stuff? These letters represent each of the permissions that we talked about before. Let's take a look at the help for icacls. I bet that'll explain things: `icacls /?`. There's a description of what each one of these letters means.

The F shows that I have full control of my Desktop folder. icacls calls this full access. We saw this in the GUI earlier as full control. These are the same permission. What do these other letters mean? NTFS permissions can be inherited, as we saw from the icacls help. OI means object inherit, and CI means container inherit. If I create new files or objects inside my desktop folder, they'll inherit this DACL. If I create new directories or containers in my desktop, they'll also inherit this DACL.

### Guest Users

- users who can use the computer without a password; they are in the "Everyone" group
- all the users except for the guests are in the "Authenticated Users" group

### Supplemental Reading for [Windows ACL](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists?redirectedfrom=MSDN)

An [access control list](https://learn.microsoft.com/en-us/windows/desktop/SecGloss/a-gly) (ACL) is a list of [access control entries](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-entries) (ACE). Each ACE in an ACL identifies a trustee and specifies the [access rights](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks) allowed, denied, or audited for that trustee. The [security descriptor](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptors) for a [securable object](https://learn.microsoft.com/en-us/windows/win32/secauthz/securable-objects) can contain two types of ACLs: a DACL and an SACL.

A [discretionary access control list](https://learn.microsoft.com/en-us/windows/desktop/SecGloss/d-gly) (DACL) identifies the trustees that are allowed or denied access to a securable object. When a [process](https://learn.microsoft.com/en-us/windows/desktop/SecGloss/p-gly) tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object doesn't have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL doesn't allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see [How DACLs control access to an object](https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object). For information about how to properly create a DACL, see [Creating a DACL](https://learn.microsoft.com/en-us/windows/desktop/SecBP/creating-a-dacl).

A [system access control list](https://learn.microsoft.com/en-us/windows/desktop/SecGloss/s-gly) (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in an SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see [Audit generation](https://learn.microsoft.com/en-us/windows/win32/secauthz/audit-generation) and [SACL access right](https://learn.microsoft.com/en-us/windows/win32/secauthz/sacl-access-right).

Don't try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs. For more information, see [Getting information from an ACL](https://learn.microsoft.com/en-us/windows/win32/secauthz/getting-information-from-an-acl) and [Creating or modifying an ACL](https://learn.microsoft.com/en-us/windows/win32/secauthz/creating-or-modifying-an-acl).

ACLs also provide access control to Microsoft Active Directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see [Controlling object access in Active Directory Domain Services](https://learn.microsoft.com/en-us/windows/desktop/AD/controlling-access-to-objects-in-active-directory-domain-services).
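The DACL evaluation rules described above (no DACL grants everything, an empty DACL denies everything, ACEs are checked in order and a matching deny stops the check), plus the SACL audit decision, as an added Python model; it is not Win32 code, and the right flags, `ACE`/`AuditACE` types and trustee names are constructed for this example:

```python
"""Added example, not Win32 code: a model of the DACL access check and the
SACL audit decision described above. The right flags, ACE/AuditACE types
and trustee names are constructed for this demonstration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed access-right flags (not the real Win32 access-mask values).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class ACE:
    trustee: str   # user or group the entry applies to
    allow: bool    # True: access-allowed ACE, False: access-denied ACE
    mask: int      # rights allowed or denied by this entry


@dataclass(frozen=True)
class AuditACE:
    trustee: str
    mask: int
    on_success: bool
    on_failure: bool


def access_check(dacl: Optional[List[ACE]], principals: Set[str],
                 requested: int) -> bool:
    """Grant or deny `requested` rights for a token holding `principals`.

    dacl is None when the object has no DACL, [] when it has an empty one,
    otherwise an ordered list of ACEs (canonical order puts denies first).
    """
    if dacl is None:
        return True                     # no DACL: full access for everyone
    if not dacl:
        return False                    # empty DACL: no rights at all
    remaining = requested
    for ace in dacl:
        if ace.trustee not in principals:
            continue                    # entry is for someone else
        if not ace.allow:
            if ace.mask & requested:    # any requested right denied: stop
                return False
        else:
            remaining &= ~ace.mask      # these rights are now granted
            if remaining == 0:
                return True             # every requested right is allowed
    return False                        # ACEs exhausted with rights still unmet


def audit_records(sacl: List[AuditACE], principals: Set[str],
                  requested: int, granted: bool) -> List[Tuple[str, str]]:
    """Which SACL entries would write a security-log record for this attempt."""
    outcome = "success" if granted else "failure"
    records = []
    for ace in sacl:
        if ace.trustee not in principals or not (ace.mask & requested):
            continue
        if (granted and ace.on_success) or (not granted and ace.on_failure):
            records.append((ace.trustee, outcome))
    return records


# Constructed sample object: guests may never write or delete, users may
# read/execute, administrators get everything; writes and deletes are audited.
SAMPLE_DACL = [
    ACE("Guests", allow=False, mask=WRITE | DELETE),
    ACE("Users", allow=True, mask=READ | EXECUTE),
    ACE("Administrators", allow=True, mask=FULL),
]
SAMPLE_SACL = [AuditACE("Everyone", WRITE | DELETE, on_success=True, on_failure=True)]


def attempt(principals: Set[str], requested: int) -> Tuple[bool, List[Tuple[str, str]]]:
    """Run the access check and return the decision with its audit records."""
    granted = access_check(SAMPLE_DACL, principals, requested)
    return granted, audit_records(SAMPLE_SACL, principals, requested, granted)


if __name__ == "__main__":
    print(attempt({"cindy", "Users", "Everyone"}, READ | EXECUTE))
    print(attempt({"guest", "Guests", "Users", "Everyone"}, WRITE))
```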

### Supplemental Reading: File and Folder Permissions

Applies To: Windows 7, Windows Server 2008 R2

The following table lists the access limitations for each set of special NTFS permissions.

<div class="has-inner-focus"><table aria-label="Table 1" class="table table-sm">
<colgroup>
<col>
<col>
<col>
<col>
<col>
<col>
<col>
</colgroup>
<thead>
<tr class="header">
<th>Special permissions</th>
<th>Full Control</th>
<th>Modify</th>
<th>Read &amp; Execute</th>
<th>List Folder Contents (folders only)</th>
<th>Read</th>
<th>Write</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Traverse Folder/Execute File</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>List Folder/Read Data</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Read Attributes</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Read Extended Attributes</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Create Files/Write Data</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p>x</p></td>
</tr>
<tr class="even">
<td><p>Create Folders/Append Data</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p>x</p></td>
</tr>
<tr class="odd">
<td><p>Write Attributes</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p>x</p></td>
</tr>
<tr class="even">
<td><p>Write Extended Attributes</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p>x</p></td>
</tr>
<tr class="odd">
<td><p>Delete Subfolders and Files</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Delete</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Read Permissions</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
</tr>
<tr class="even">
<td><p>Change Permissions</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Take Ownership</p></td>
<td><p>x</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Synchronize</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
<td><p>x</p></td>
</tr>
</tbody>
</table></div>

> Important: Groups or users granted Full Control permission on a folder can delete any files in that folder regardless of the permissions protecting the file.

**Additional considerations**

Although List Folder Contents and Read & Execute appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it should only appear when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

In this version of Windows, the Everyone group does not include the Anonymous Logon group by default, so permissions applied to the Everyone group do not affect the Anonymous Logon group.

Additional references: [Managing Permissions](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732880(v=ws.11)?redirectedfrom=MSDN)

## Linux

### `chmod`

`chmod ugo+rwx fname`:
- `u`ser 
- `g`roup
- `o`ther users<br>
<br>
- `r`ead or `4`
- `w`rite or `2`
- e`x`ecute or `1`
- `-` disabled
- `s`etUID or `4` (a leading fourth digit, as in `4755`)

You can also write it numerically:

`chmod 754 fname`:
- 7 is 4+2+1 (read, write, execute) for the user
- 5 is 4+1 (read, execute) for the group
- 4 is 4 (read only) for other users

### View permissions

In [3]:
ls -l

total 524
-rw-r--r-- 1 commi commi      0 Aug 26 02:27 Administrative
-rw-r--r-- 1 commi commi 423827 Aug 26 13:38 C2_The_Bits_and_Bytes_of_Computer_Networking.ipynb
-rw-r--r-- 1 commi commi 100600 Aug 30 00:59 C3_Operating_Systems_and_You.ipynb
drwxr-xr-x 3 commi commi   4096 Aug 26 02:27 data
drwxr-xr-x 2 commi commi   4096 Aug 26 14:39 materials


`-rw-r--r-- 1 commi commi      0 Aug 26 02:27 Administrative`

- `-` means "a regular file"
- `d` means "directory"

Then groups by three:

- `rw-` permission of the USER (`commi`)
- `r--` permission of the GROUP (`commi`)
- `r--` permission of all OTHER users

### SetUID, SetGID, Sticky Bit

#### SetUID

Letting users run a program with the privileges of the file's owner (often root) without giving them sudo rights.

```bash
sudo useradd example
sudo passwd example
ls -l /etc/shadow
```

`-rw-r----- 1 root shadow 1180 Aug 31 21:05 /etc/shadow`

So this file with the password is owned by root.

SetUID enables a file to be run with the permissions of its owner. In this case, when you run the `passwd` command, it is being run as root:

```bash
ls -l /usr/bin/passwd
```

`-rwsr-xr-x 1 root root 68248 Mar 23 17:40 /usr/bin/passwd`

Here `s` stands for `SetUID`. When the `s` is substituted where the execute bit would normally be shown, it allows us to run the file with the permissions of the owner of the file. To enable the setuid bit, you can do it symbolically (`s`) or numerically (`4` as the leading digit):

```bash
cd /tmp/
touch file1.txt
sudo chmod u+s file1.txt
# or (4755 also sets the rwx bits to rwxr-xr-x; the listing below is after u+s alone)
sudo chmod 4755 file1.txt
ls -l file1.txt
```

`-rwsrw-r-- 1 commi commi    0 Aug 31 17:27 file1.txt`
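A conversion between the mode string `ls -l` prints and the octal form `chmod` takes, covering the `chmod 754` breakdown, the `-rw-r--r--` listing and the setuid `s` shown above, as an added Python example (hypothetical helper names, not course code):

```python
"""Added example, not course code: convert between the mode string ls -l
prints (e.g. -rwsr-xr-x) and the octal form chmod takes (4755), and apply
symbolic chmod clauses such as u+s or ugo-rwx. Helper names are hypothetical."""
import re

# Special bits; they are the leading digit of a four-digit octal mode.
SETUID, SETGID, STICKY = 0o4000, 0o2000, 0o1000
# Bit offsets of the user, group and other rwx triples.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxst]*)$")


def mode_from_ls(listing: str) -> int:
    """Parse the 10-character mode field of `ls -l` into a mode integer."""
    if len(listing) != 10:
        raise ValueError("expected a 10-character mode such as -rwsr-xr-x")
    mode = 0
    for shift, triple in ((6, listing[1:4]), (3, listing[4:7]), (0, listing[7:10])):
        bits = (4 if triple[0] == "r" else 0) | (2 if triple[1] == "w" else 0)
        x = triple[2]
        if x in "xst":            # lowercase letter: the execute bit is set
            bits |= 1
        if x in "sS":             # setuid in the user slot, setgid in the group slot
            mode |= SETUID if shift == 6 else SETGID
        elif x in "tT":           # sticky bit is shown in the other slot
            mode |= STICKY
        mode |= bits << shift
    return mode


def mode_to_ls(mode: int, file_type: str = "-") -> str:
    """Render a mode integer the way `ls -l` would (capital S/T: bit set, no x)."""
    out = file_type
    for shift, special, letter in ((6, SETUID, "s"), (3, SETGID, "s"), (0, STICKY, "t")):
        bits = (mode >> shift) & 7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += letter if bits & 1 else letter.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out


def octal(mode: int) -> str:
    """Four-digit octal string, e.g. 0o4755 -> '4755'."""
    return f"{mode:04o}"


def apply_symbolic(mode: int, clause: str) -> int:
    """Apply one chmod clause (u+s, ugo+rwx, go-w, a=r) to a mode integer."""
    match = CLAUSE.match(clause)
    if not match:
        raise ValueError(f"unsupported chmod clause: {clause}")
    who, op, perms = match.groups()
    who = "ugo" if (not who or "a" in who) else who
    change = 0
    for w in who:
        shift = WHO_SHIFT[w]
        if "r" in perms:
            change |= 4 << shift
        if "w" in perms:
            change |= 2 << shift
        if "x" in perms:
            change |= 1 << shift
        if "s" in perms and w == "u":
            change |= SETUID
        if "s" in perms and w == "g":
            change |= SETGID
        if "t" in perms and w == "o":
            change |= STICKY
    if op == "+":
        return mode | change
    if op == "-":
        return mode & ~change
    # "=": clear the rwx bits of the named classes, then set the requested ones.
    cleared = 0
    for w in who:
        cleared |= 7 << WHO_SHIFT[w]
    return (mode & ~cleared) | change


if __name__ == "__main__":
    print(octal(mode_from_ls("-rw-r--r--")), mode_to_ls(0o754))        # 0644 -rwxr-xr--
    print(octal(apply_symbolic(mode_from_ls("-rw-rw-r--"), "u+s")))  # 4764
```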
