Which Windows file system has strong security features?

Video Management Systems

Vlado Damjanovski, in CCTV (Third Edition), 2014

NTFS (New Technology File System)

NTFS or New Technology File System is the standard file system of Microsoft Windows NT and its descendants, Windows 2000, Windows XP, Windows 7 and Windows Server. NTFS is a descendant of HPFS, the file system designed by Microsoft and IBM for OS/2 as a replacement for the older FAT file system of MS-DOS. The improvements over FAT were support for meta-data and the use of advanced data structures in order to improve performance, reliability, and disk space utilization. NTFS incorporates these plus additional extensions such as security access control lists and file system journaling. In NTFS everything that has anything to do with a file (name, creation date, access permissions, and even contents) is written down as meta-data. Internally, NTFS uses binary trees in order to store the file system data; although complex to implement, this allows fast access times and decreases fragmentation. A file system journal is used in order to guarantee the integrity of the file system itself (but not of each individual file). Systems using NTFS are known to have improved reliability, a particularly important requirement considering the unstable nature of the older versions of Windows NT.

NTFS has gone through an evolution of versions, starting from v.1.0 in mid-1993 with Windows NT 3.1, then v.1.1 in 1994 for NT 3.5, then v.1.2 for NT4 in 1996 (sometimes referred to as NTFS 4.0), v.3.0 for Windows 2000 in 2000 (sometimes referred to as NTFS 5.0), up to v.3.1 for Windows XP in 2001 (sometimes referred to as NTFS 5.1).

The central system structure of the NTFS file system is the master file table (MFT). NTFS keeps multiple copies of the critical portion of the MFT to protect against corruption and data loss. Like FAT and FAT32, NTFS uses clusters to store data files. However, the size of the clusters is not dependent on the size of the disk or partition. A cluster size as small as 512 bytes can be specified, regardless of whether a partition is 6 GB or 60 GB. Using small clusters not only reduces the amount of wasted disk space, but also reduces file fragmentation, a condition where files are broken up over many non-contiguous clusters, resulting in slower file access. Because of its ability to use small clusters, NTFS provides good performance on large drives. Finally, the NTFS file system supports hot fixing, a process through which bad sectors are automatically detected and marked so that they will not be used.

In theory, the maximum NTFS volume size is 2^64 − 1 clusters. However, the maximum NTFS volume size as implemented in Windows XP Professional is 2^32 − 1 clusters, partly due to partition table limitations. For example, using 64 kB clusters, the maximum Windows XP NTFS volume size is 256 TB. Using the default cluster size of 4 kB, the maximum NTFS volume size is 16 TB. Because partition tables on master boot record (MBR) disks only support partition sizes up to 2 TB, dynamic volumes must be used to create NTFS volumes over 2 TB. As designed, the maximum NTFS file size is 16 EB (16 × 1024^6 or 2^64 bytes). As implemented, the maximum NTFS file size is 16 TB. With Windows 8, the maximum NTFS file size is 256 TB.


URL: https://www.sciencedirect.com/science/article/pii/B9780124045576500094

Understanding the Technology

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

NTFS Compressed Files

NTFS allows files to be compressed to save space either by compressing an entire NTFS volume, or on a file-by-file basis. Using NTFS compression, you can compress individual folders or files, or everything on a particular drive using the NTFS file system. In doing so, a file is decompressed automatically when it is read, and compressed when it is saved or closed. Compressing data allows you to save disk space and archive folders, without having to rely on additional software to compress and decompress files.

When data is compressed on an NTFS drive, only the file system can read it. When a program attempts to open a file that's been compressed, the file system's compression driver must first decompress the file before making it available.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000042

Cyber Forensics

Scott R. Ellis, in Computer and Information Security Handbook (Third Edition), 2013

New Technology File System

NTFS is a significant advancement in terms of data storage. It allows for long filenames, almost unlimited storage, and a more efficient method of accessing information. It also provides for much greater latency in deleted files: that is, deleted files stick around a lot longer in NTFS than they do in FAT. Instead of keeping the filenames in folder files, the entire file structure of NTFS is retained in a flat file database called the MFT. The following items are unique to NTFS:

improved support for metadata

advanced data structuring improves performance and reliability

improved disk space use with a maximum disk size of 7.8 TB, or 2^64 sectors; sector sizes can vary in NTFS and are most easily controlled using a third-party partitioning tool such as Partition Magic.

greater security


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000405

Data Hiding Under Windows® OS File Structure

Nihad Ahmad Hassan, Rami Hijazi, in Data Hiding Techniques in Windows OS, 2017

What Is the New Technology File System?

NTFS is a proprietary file system developed by Microsoft Corporation for its newer Windows® operating systems, starting with Windows® NT 3.1 and Windows® 2000, including Windows® XP, Server 2003, Vista, 7, Server 2008, 8, 8.1, 10, and all their successors to date.

Formatting a volume with NTFS results in the creation of several metadata files such as the master file table ($MFT), $Bitmap, $LogFile, and others, which contain information about all the files and folders on the NTFS volume (Fig. 4.1).


Figure 4.1. Sample formatted new technology file system volume structure.

NTFS supersedes the file allocation table (FAT) file system as the preferred file system for Microsoft Windows® operating systems. NTFS has several improvements over FAT and the High Performance File System, such as its support for metadata, compression, auditing, and the use of advanced data structures to improve performance and reliability. NTFS supports a large volume size (256 TB vs. 2 TB for FAT32) and an increased file size (16 TB vs. 4 GB for FAT32), in addition to powerful storage solutions such as RAID. In addition to this, additional extensions were developed, such as security access control lists and file system journaling. NTFS has the capability to encrypt or decrypt data, files, or folders and is considered the only file system on Windows® NT that allows you to assign permissions to individual files. NTFS uses a 16-bit Unicode character set to name files and folders, allowing users from all over the world to use their native language to name files and folders. The main purpose for creating this new file system was to maintain compatibility with the Macintosh hierarchical file system and to store additional data for each file, called the metadata, which is what we are going to use to hide our confidential data [1,2].


URL: https://www.sciencedirect.com/science/article/pii/B978012804449000004X

Servers

Jeremy Faircloth, in Enterprise Applications Administration, 2014

File System

Windows supports a number of file systems including two Windows-specific file systems: NTFS and ReFS (in Windows Server 2012 and later). These file systems are improvements over the FAT file system previously used by MS-DOS. With the use of improved file systems, Windows increases its abilities to manage data at the file level and apply file system-specific functions.

NTFS is a file system that uses a database called a master file table (MFT) to store information about every file and directory stored in the file system. This replaces the file allocation table used by the FAT file system. NTFS does perform a little slower than FAT, but provides recoverability options and extended features such as compression, encryption, long file names, and the ability to apply permissions that make the speed reduction worthwhile.

Tips & Tricks

Encryption and Compression

NTFS supports both encryption and compression capabilities. The encryption function encrypts all or part of the files on the disk in order to apply additional security. Compression allows you to shrink the amount of space that the files take up on the disk and therefore store more data. However, it’s important to note that these two functions absolutely do not work together. You cannot apply both NTFS-based encryption and NTFS-based compression to the same files.

ReFS is a new file system introduced with Windows Server 2012. For the most part, ReFS and NTFS are fairly similar, but there are some important differences that you need to be aware of. ReFS does not support the following NTFS functions:

Ability to boot from a ReFS partition

Compression

Disk quotas

Encryption

Extended attributes

Hard links

Object identifiers

Removable media

Short file names

Streams

ReFS supports very large file systems, scales very well, and supports Microsoft’s new Storage Spaces concept (a storage virtualization system). In addition, it supports some new mechanisms to help prevent file system corruption such as automatic detection of errors in file metadata and autocorrection using redundant copies. This level of error detection and correction can also be applied to the files themselves as well as the metadata making ReFS a file system that supports very large file systems with a high level of integrity.

Permissions

A critical feature of NTFS and ReFS is their ability to support file-based permissions. This is done through the application of ACLs and allows you to restrict access to individual files or directories to specific security principals, as well as control what operations they can perform with the files. These permissions are applied at the file system level and therefore control access to the files beyond what can be done with a network share pointed at the file system location. The combination of the share permissions and the file system permissions creates the effective permissions for any security principal accessing the files.

Every file or directory in NTFS and ReFS has an assigned owner. This may or may not be the person who created the file, but is always the person who is assigned as having the most control over the file. The file owner can assign ownership of the file to someone else, change file permissions, or do anything they’d like with the file. The permissions assigned by the file owner modify the ACL associated with the file and provide the mechanism to set the access rights at a very granular level.

Within the ACL, various permissions can be set for any security principal to allow or deny specific operations. These include:

Full control

Modify

Read and execute

List folder contents

Read

Write

Special permissions

These vary a little bit depending on whether you are working with a file or a directory. The “special permissions” operation allows even more granular control over what the security principal can do with the file or directory. These additional permissions include items such as reading/writing attributes, changing permissions, and traversing a folder (without the ability to read its contents).

From an enterprise applications perspective, it’s very important to understand file permissions as they can have a tremendous impact on the application and its ability to function correctly. If, for example, the user account that the enterprise application runs under doesn’t have access to critical files, the application may fail to run correctly or may generate errors. This is also critical as you cross system boundaries and read/write to files on remote systems. The user context within which the application runs will either need access to these remote resources or be able to authenticate as a user who does have the appropriate level of access.
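The effective-permission rule described above (file-system ACL combined with share permissions), worked through as an added example that is not code from the book. It models NTFS evaluation with the standard rules that an explicit Deny entry overrides any Allow entry and that access over a share is the more restrictive of the share and NTFS rights; the rights vocabulary, the ACL, the share and the accounts (svc-erp, j.doe, admin1) are constructed for illustration.

```python
"""Effective-access check: NTFS ACL entries combined with share permissions.

Added example, not code from the book. Rules applied: an explicit Deny ACE
overrides any Allow ACE, and effective rights over a share are the
intersection of NTFS rights and share rights (the more restrictive wins).
"""
from dataclasses import dataclass, field

# Constructed rights vocabulary (a subset of the NTFS basic permissions).
READ, WRITE, EXECUTE, MODIFY, DELETE, CHANGE_PERMS = (
    "read", "write", "execute", "modify", "delete", "change_permissions")
FULL_CONTROL = frozenset({READ, WRITE, EXECUTE, MODIFY, DELETE, CHANGE_PERMS})

@dataclass(frozen=True)
class Ace:
    principal: str       # user or group the entry applies to
    rights: frozenset    # rights this entry allows or denies
    deny: bool = False   # True for a Deny ACE

@dataclass
class Principal:
    name: str
    groups: frozenset = field(default_factory=frozenset)

    def matches(self, ace: Ace) -> bool:
        return ace.principal == self.name or ace.principal in self.groups

def ntfs_effective(acl, who):
    """Rights granted by the file-system ACL: union of allows minus denies."""
    allowed, denied = set(), set()
    for ace in acl:
        if not who.matches(ace):
            continue
        (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)

def effective_access(acl, share_rights, who):
    """Effective rights through a share: NTFS rights restricted by the share."""
    return ntfs_effective(acl, who) & frozenset(share_rights)

def missing_rights(acl, share_rights, who, needed):
    """Rights an application account needs but would not get (empty = OK)."""
    return frozenset(needed) - effective_access(acl, share_rights, who)

# Constructed sample: an application data folder exposed over a share.
APP_DATA_ACL = [
    Ace("Administrators", FULL_CONTROL),
    Ace("AppService", frozenset({READ, EXECUTE, WRITE, MODIFY})),
    Ace("Domain Users", frozenset({READ, EXECUTE})),
    Ace("Contractors", frozenset({WRITE, MODIFY, DELETE}), deny=True),
]
APP_SHARE = frozenset({READ, EXECUTE, WRITE, MODIFY})  # share grants Change, not Full

SVC = Principal("svc-erp", frozenset({"AppService", "Domain Users"}))
TEMP = Principal("j.doe", frozenset({"Contractors", "Domain Users", "AppService"}))
ADMIN = Principal("admin1", frozenset({"Administrators"}))

if __name__ == "__main__":
    for p in (SVC, TEMP, ADMIN):
        print(p.name, sorted(effective_access(APP_DATA_ACL, APP_SHARE, p)))
    # The service account cannot delete through the share even though NTFS
    # would not stop it from deleting if it held that right locally.
    print("svc-erp lacks:", sorted(missing_rights(APP_DATA_ACL, APP_SHARE, SVC, {WRITE, DELETE})))
```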


URL: https://www.sciencedirect.com/science/article/pii/B978012407773700003X

Cyber Forensics and Incidence Response

Cem Gurkok, in Computer and Information Security Handbook (Third Edition), 2017

Alternate Data Streams (ADS)

NTFS supports multiple data streams for files and folders. A file consists of an unnamed stream that holds the actual file data, plus any additional named streams (mainfile.txt:one-stream). All streams within a file share the file's metadata, including file size. Because the file size does not change when ADSs are added, their existence is difficult to detect. Open source forensics tools such as The Sleuth Kit (TSK) can be used to parse MFT entries and reveal the existence of ADSs. Specifically, the TSK command fls can be used to list the files and their associated ADSs.
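Detection logic over fls output, as an added example that is not code from the book or from The Sleuth Kit. It assumes fls prints one entry per line as `type/type [*] inode-attrtype-id:<TAB>name[:stream]` (attribute type 128 being $DATA, `*` marking a deleted entry); the listing below is constructed, not a real capture, and the benign-stream list is an assumption.

```python
"""Flag NTFS alternate data streams in TSK `fls` output.

Added example, not code from the book or from TSK. A name that carries a
second colon-separated component after the MFT address is a named stream;
the unnamed $DATA attribute appears once without a stream suffix.
"""
import re
from collections import defaultdict

# Assumed fls line shape: "r/r 64-128-2:<TAB>mainfile.txt:one-stream".
FLS_LINE = re.compile(
    r"^(?P<ftype>[a-z-]/[a-z-])\s+(?P<deleted>\*\s+)?"
    r"(?P<inode>\d+)-(?P<attr>\d+)-(?P<id>\d+):\s+(?P<name>.+)$")

DATA_ATTR = 128  # NTFS $DATA attribute type
# Streams Windows itself writes (Mark of the Web); expected, not suspicious.
BENIGN_STREAMS = {"Zone.Identifier"}

def parse_fls_line(line):
    """Return a dict for one fls line, or None if the line does not match."""
    m = FLS_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    base, _, stream = m["name"].partition(":")   # split off the stream name
    return {"inode": int(m["inode"]), "attr": int(m["attr"]),
            "deleted": m["deleted"] is not None,
            "name": base, "stream": stream or None}

def find_ads(lines):
    """Map filename -> list of named $DATA streams, skipping $-metadata files."""
    streams = defaultdict(list)
    for line in lines:
        rec = parse_fls_line(line)
        if not rec or not rec["stream"] or rec["attr"] != DATA_ATTR:
            continue
        if rec["name"].startswith("$"):          # $MFT, $Secure:$SDS, etc.
            continue
        streams[rec["name"]].append(rec["stream"])
    return dict(streams)

def unexpected_ads(lines):
    """Sorted (file, stream) pairs that are not on the benign list."""
    return sorted((f, s) for f, ss in find_ads(lines).items()
                  for s in ss if s not in BENIGN_STREAMS)

# Constructed sample listing (not real fls output).
SAMPLE_FLS = [
    "r/r 0-128-1:\t$MFT",
    "d/d 36-144-1:\tUsers",
    "r/r 64-128-1:\tmainfile.txt",
    "r/r 64-128-2:\tmainfile.txt:one-stream",
    "r/r 70-128-1:\treport.docx",
    "r/r 70-128-3:\treport.docx:Zone.Identifier",
    "r/r * 81-128-1:\tdeleted.txt",
    "r/r * 81-128-4:\tdeleted.txt:extra",
]

if __name__ == "__main__":
    for f, s in unexpected_ads(SAMPLE_FLS):
        print(f"ADS worth a look: {f}:{s}")
```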


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000417

Managing File Systems and Disks

In How to Cheat at Microsoft Vista Administration, 2007

Short Filenames

On NTFS volumes, each time a user creates a file with a long filename, Windows Vista creates a second file entry that has a similar 8.3 short filename. Remember the old 8.3 limitation of FAT12 and FAT16? No? Well, filenames back then could only have a maximum of eight characters for the filename itself, plus a three-character extension. An example would have been genedocl.doc. With restrictions like that, it was very difficult to know what file contained what without a decent description in the filename. This all changed in the Windows world when NTFS came along. Now we have a maximum of 256 characters for our filenames.

On systems with a large number of files with long filenames that contain the same initial characters, the time required to create the files increases, thus file system performance is hurt. This is because NTFS bases the 8.3 filename on the first six characters of the long name. When you have a large number of files with similar long names under the same folder, this can cause problems. To reduce the time required to create files, use the FSUTIL command, as shown next, to disable the 8.3 short filename service. After disabling 8.3, don’t forget to restart the system.

fsutil behavior set disable8dot3 1


URL: https://www.sciencedirect.com/science/article/pii/B9781597491747500057

Windows Forensic Analysis

Ryan D. Pittman, Dave Shaver, in Handbook of Digital Forensics and Investigation, 2010

Data Compression

The NTFS file system provides Windows users with the ability to compress data on the disk, thereby saving space. When files, folders, or even whole NTFS volumes are compressed, Windows applies an industry standard algorithm to replace redundant data with a placeholder that takes up less room. Decompression is then handled on-the-fly by the OS when a particular piece of data is accessed by the user. Data objects that are compressed carry an attribute of “C” (and are often seen as blue) when viewed in Windows Explorer.

NTFS can also take advantage of something Macintosh users have enjoyed for years to save space—sparse files. Sparse files are files whose useful data area is given allocated space on the disk, whereas the portion of the file's data that is not required by the application to which the file belongs in essence is discarded by being placed in unallocated space. When the file is read, the specified portions of the file's code are read by an application, and the nonspecified portions are simply replaced with zeros in memory. This process allows for much larger files to be allocated much less space on disk, thereby conserving storage resources. Sparse files will be identified as such by most forensic tools, when tracking file cluster usage as shown in Figure 5.11.


Figure 5.11. A sparse file viewed in EnCase.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000057

Windows Storage

Pierre Bijaoui, Juergen Hasslauer, in Designing Storage for Exchange 2007 SP1, 2008

Partition allocation size

Using the correct NTFS allocation unit size is a method to optimize the performance of the NTFS file system. If you store a new file on the file system, then a so-called cluster is allocated to store this file. If the file is large, then multiple clusters are allocated, and if the file is very small, NTFS has another option that does not require allocating a new cluster. We can ignore the details of how tiny files are stored for now. It is only important to remember that usually at least one cluster has to be allocated if you want to store a new file.

The cluster size influences the performance of the NTFS file system. Bigger clusters often have better performance but they waste disk space. A cluster is not shared by multiple files. If the cluster size is 4 KB and your file is only 1 KB, then you waste 3 KB of disk capacity—to use a very simplified example.

If you format a new NTFS file system, then the size of the partition determines the default cluster size. The default cluster size is documented in Microsoft Knowledge Base Article 140365. All disk partitions larger than 2 GB have a default cluster size of 4 KB. You can override this setting and use one of the larger cluster sizes: 8 KB, 16 KB, 32 KB, or 64 KB.

In the “Partition Design” section on TechNet, Microsoft recommends using an NTFS allocation size unit of 64 KB for the file system with the Exchange databases. This provides performance benefits for the large sequential read operations of Exchange backups. The streaming online backup and the checksum verification of the database after a VSS backup tries to read the database file with an I/O size larger than the default 4 KB.

You do not have to change the default NTFS allocation unit size for the file system with the transaction log files. Performance tests have not indicated that using a larger allocation unit size for the log file volume provides benefits.


URL: https://www.sciencedirect.com/science/article/pii/B9781555583088000041

Domain 6

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Users and file permissions

File permissions, such as read, write, and execute, control access to files. The types of permissions available depend on the file system being used.

Linux and UNIX permissions

Most Linux and UNIX file systems support the following file permissions:

Read (“r”)

Write (“w”)

Execute (“x”)

Each of these permissions may be set separately for the owner, group, or world. Figure 7.6 shows the output of a Linux “ls -la /etc” (list all files in the /etc directory, long output) command.


Figure 7.6. Linux “ls -la” Command.

The output in Figure 7.6 shows permissions, owner, group, size, date, and filename. Permissions beginning with “d” (such as “acpi”) are directories. Permissions beginning with “-” (such as at.deny) describe files. Figure 7.7 zooms in on files in /etc, highlighting the owner, group, and world permissions.


Figure 7.7. Linux /etc Permissions, Highlighting Owner, Group, and World.

The adduser.conf file in Figure 7.7 is owned by root and has “-rw-r--r--” permissions. This means adduser.conf is a file (permissions begin with “-”), has read and write (“rw-”) permissions for the owner (root), read (“r--”) permissions for the group (also root), and read (“r--”) permissions for the world.

Microsoft NTFS permissions

Microsoft NTFS (New Technology File System) has the following basic file permissions:

Read

Write

Read and execute

Modify

Full control (read, write, execute, modify, and delete)

NTFS has more types of permissions than most UNIX or Linux file systems. The NTFS file is controlled by the owner, who may grant permissions to other users. Figure 7.8 shows the permissions of a sample photo at C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.


Figure 7.8. NTFS Permissions.

To see these permissions, right-click an NTFS file, choose “properties,” and then “security.”

Privileged programs

On UNIX and Linux systems, a regular user cannot edit the password file (/etc/passwd) and shadow file (/etc/shadow), which store account information and encrypted passwords, respectively. But users need to be able to change their passwords (and thus those files), so how can they change their passwords if they cannot (directly) change those files?

The answer is setuid (set user ID) programs. Setuid is a Linux and UNIX file permission that makes an executable run with the permissions of the file's owner, and not as the running user. Setgid (set group ID) programs run with the permissions of the file's group.

Figure 7.9 shows the permissions of the Linux command /usr/bin/passwd, used to set and change passwords. It is setuid root (the file is owned by the root user, and the owner's execute bit is set to “s,” for setuid), meaning it runs with root (super user) permissions, regardless of the running user.


Figure 7.9. Linux setuid Root Program /usr/bin/passwd.

The passwd program runs as root, allowing users to change their passwords and thus the contents of /etc/passwd and /etc/shadow. Setuid programs must be carefully scrutinized for security holes, as attackers may attempt to trick the passwd command to alter other files. The integrity of all setuid and setgid programs on a system should be closely monitored.
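The permission strings from the Linux section (adduser.conf's “-rw-r--r--”) and the setuid “s” bit on /usr/bin/passwd, decoded in one added example that is not code from the book. It parses “ls -la” lines into owner/group/world triplets, flags setuid and setgid entries, and compares the set of privileged programs against a saved baseline, which is the monitoring the text calls for; the ls lines and the baseline are constructed samples, not the book's figures.

```python
"""Parse `ls -la` permission strings and monitor setuid/setgid programs.

Added example, not code from the book. Sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Assumed `ls -la` layout: mode links owner group size month day time name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$")

@dataclass
class Entry:
    path: str
    mode: str
    owner: str
    group: str
    ftype: str
    perms: dict     # {"owner": "rw-", "group": "r--", "world": "r--"}
    setuid: bool
    setgid: bool

def parse_mode(mode):
    """Split a 10-character mode string into type, triplets and the s-bits."""
    ftype = {"-": "file", "d": "directory", "l": "symlink"}.get(mode[0], "other")
    perms = {"owner": mode[1:4], "group": mode[4:7], "world": mode[7:10]}
    setuid = mode[3] in "sS"   # 's' = execute + setuid, 'S' = setuid without execute
    setgid = mode[6] in "sS"
    return ftype, perms, setuid, setgid

def parse_ls_line(line):
    m = LS_LINE.match(line)
    if not m:
        return None
    ftype, perms, setuid, setgid = parse_mode(m["mode"])
    return Entry(m["path"], m["mode"], m["owner"], m["group"], ftype, perms, setuid, setgid)

def privileged_programs(lines):
    """{path: 'owner:group mode'} for every setuid or setgid entry."""
    out = {}
    for line in lines:
        e = parse_ls_line(line)
        if e and (e.setuid or e.setgid):
            out[e.path] = f"{e.owner}:{e.group} {e.mode}"
    return out

def diff_baseline(baseline, current):
    """Privileged programs that appeared, vanished, or changed owner/mode."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

# Constructed sample lines (not the book's figures).
SAMPLE_LS = [
    "drwxr-xr-x 120 root root 12288 Mar  1 10:02 acpi",
    "-rw-r--r--   1 root root   144 Mar  1 10:02 at.deny",
    "-rw-r--r--   1 root root  3028 Mar  1 10:02 adduser.conf",
    "-rwsr-xr-x   1 root root 59976 Mar  1 10:02 /usr/bin/passwd",
    "-rwxr-sr-x   1 root tty  14656 Mar  1 10:02 /usr/bin/wall",
    "-rwsr-xr-x   1 root root 18744 Mar  1 10:02 /opt/vendor/helper",
]
# Constructed baseline recorded on a known-good system.
BASELINE = {"/usr/bin/passwd": "root:root -rwsr-xr-x", "/usr/bin/wall": "root:tty -rwxr-sr-x"}

if __name__ == "__main__":
    print(diff_baseline(BASELINE, privileged_programs(SAMPLE_LS)))
```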


URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000078

What is the most secure Windows file system?

NTFS (New Technology File System) is the best file system to date when it comes to performance and security. But since it is proprietary to Microsoft, it is not compatible with all operating systems. Mac OS X and Linux can read NTFS partitions but can't modify or write any data on the system.

Which file system offers the best security?

NTFS, short for NT File System, is the most secure and robust file system for Windows 7, Vista, and XP. It provides security by supporting access control and ownership privileges, meaning you can set permission for groups or individual users to access certain files.

What security features does Windows have?

Windows Security is your home to manage the tools that protect your device and your data: Virus & threat protection - Monitor threats to your device, run scans, and get updates to help detect the latest threats. (Some of these options are unavailable if you're running Windows 10 in S mode.)

Why is Windows 11 more secure?

Credential Guard by default: Windows 11 makes use of hardware-backed, virtualization-based security capabilities to help protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket.