CHAPTER 9

                   SECURING NETWORK RESOURCES            

 

 

Lesson 1:  Understanding NTFS Permissions

 

NTFS permissions are rules associated with objects that regulate which users can gain access

to an object and in what manner.

 

 

NTFS Permissions

 

Use NTFS permissions to specify which users and groups can gain access to files and folders,

and what they can do with the contents of the file or folder.  NTFS permissions are only available

on NTFS volumes.  NTFS permissions are not available on volumes that are formatted with the file

 allocation table (FAT) or FAT32 file systems.

 

NTFS security is effective whether a user gains access to the file or folder at the computer or over

the network.

 

 

**** See the permissions lists on page 264 and 256 ****

 

 

Access Control List

 

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume.  The ACL

contains a list of all user accounts and groups that have been granted access for the file or folder,

s well as the type of access that they have been granted.

 

Then a user attempts to gain access to a resource, the ACL must contain an entry, called an access

control entry (ACE), for the user account or a group to which the user belongs.  The entry must

allow the type of access that is request (for example, Read access) for the user to gain access.  If no

ACE exists in the ACL, the user cannot gain access to the resource.

 

 

Multiple NTFS Permissions

 

You can assign multiple permissions to a user by assigning permissions for a resource to an individual

user account and to each group of which the user is a member.  You need to understand the rules and

priorities that are associated with how NTFS assigns and combines multiple permissions.

 

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 2                                                    2002/02/22

 

 

 

 

Permissions are Cumulative

 

A users effective permissions for a resource are the sum of the NTFS permissions that you assign to

the individual user account and to all of the groups to which the user belongs.

 

 

File Permissions Override Folder Permissions

 

NTFS file permissions take priority over NTFS folder permissions.    A user can gain access to the

files for which he or she has permissions by using the full Universal Naming Convention (UNC) or

local path to open the file from its respective application, even though the folder in which it resides

will be invisible if the user has no corresponding folder permissions.

 

 

NOTE:  The Traverse Folder/Execute File special permission allows or denies moving through folders

to reach other files or folders, even if the user has no permissions for the traversed folders.

 

 

Deny Overrides Other Permissions

 

You can deny permissions to a user account or group for a specific file, although this is not the

recommended way to control access to resources. 

 

 

NTFS Permissions Inheritance

 

By default, permissions that you assign to the parent folder are inherited by and propagated to the

subfolders and files that are contained in the parent folder.

 

 

Understanding Permissions Inheritance

 

When you assign NTFS permissions to give access to a folder, you assign permissions for the folder

and for any existing files and subfolders, as well as any news files and subfolders that are created in

the folder.

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 3                                                    2002/02/22

 

 

 

 

Preventing Permissions Inheritance

 

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders

and files that are contained within the folder by setting an inheritance option set for a given object.

 

 

Lesson Summary:

 

•   NTFS permissions are only available on NTFS volumes.
•   The ACL contains a list of all user accounts and groups that have been granted access

for the file or folder, as well as the type of access that they have been granted.

•   NTFS file permissions take priority over NTFS folder permissions.
•   You can disallow the inherited box, if you do not want permissions to be inherited.

 

 

Lesson 2:  Assigning NTFS Permissions

 

 There are certain guidelines you should follow for assigning NTFS permissions.  Assign permissions

according to group and user needs; this includes allowing or preventing permissions inheritance from

parent folders to subfolders and files that are contained in the parent folder.

 

 

Planning NTFS Permissions

 

If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that

NTFS permissions are easy to manage.  Using the following guidelines when you assign NTFS

permissions:

 

To simplify administration, group files into application, data and home folders.

 

•   You assign permissions only to folders, not to individual files.
•   Backup is less complex because there is no need to backup application files, and all

home and public folders are in one location.

 

 

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 4                                                    2002/02/22

 

 

 

 

•   Allow users only the level of access that they require.
•   Create groups according to the access that they require for resources, and then assign

the appropriate permissions to the group.  Assign permissions to individual user accounts

only when necessary.

•   When you assign permissions for working with data or application folders, assign the Read

& Execute to the Users group and the Administrators group.

•   Turn off the permissions inheritance option at the home directory level.
•   When you assign permissions for public data folders, assign the Read & Execute permission

and the Write permission to the Users group, and the Full Control permission to CREATOR

OWNER identity group.

•   Deny permissions only when it is essential use very cautiously
•   Encourage users to assign permissions to the files and folders that they create and educate

them about how to do so.

 

 

Setting NTFS Permissions

 

By default, when you format a volume with NTFS, the Full Control permission is assigned to the

Everyone group.  You should change this default permission and assign other appropriate NTFS

permissions to control the access that users have to resources.

 

 

Preventing Permissions Inheritance

 

By default, subfolders and files inherit permissions that you assign to their parent folder.  This is

indicated in the Security tab in the Properties dialog box by a check in the Allow Inheritable

Permissions From Parent To Propagate To This Object check box.

 

 

Lesson Summary:

 

•   By default, when you format a volume with NTFS, the Full Control permission is

assigned to the Everyone group.

•   Administrators, the owners of files or folders, and users with Full Control permission can

assign NTFS permissions to users and groups to control access to files and folders.

•   By default, subfolders and files inherit permissions that you assign to their parent folders,

and you learned how to disable this feature so that subfolders and files do not inherit

the permissions assigned to their parents.

 

 

=====================================================================

 

winads9.html                                                   PAGE 5                                                    2002/02/22

 

 

 

 

Lesson 3:  Assigning Special Permissions

 

The standard NTFS permissions generally provide all of the access control that you need to

secure your resources.  To create a specific level of access, you can assign NTFS special

permissions.

 

 

When you assign special permissions to folders, you can choose where to apply the permissions

down the tree to subfolders and files.

 

The Change Permissions and Take Ownership special permissions are particularly useful for

controlling access to resources.

 

 

Change Permissions

 

Using the Change Permissions special permission, you can give other administrators and users the

ability to change permissions for a file or folder without giving them the Full Control permission

over the file or folder.  In this way, the administrator or user cannot delete or write to the file or

folder but can assign permissions to the file or folder.

 

 

Take Ownership

 

Using the Take Ownership special permission, you can give users or groups the ability to take

ownership of files or folders.  As an administrator, you can take ownership of a file or folder.

 

The following rules apply for taking ownership of a file or folder:

 

•   The current owner or any user with Full Control permission can assign the Full Control

standard permission or the Take Ownership special permission to another user account

or group, allowing the user account or a member of the group to take ownership.

•   An administrator can take ownership of a file or folder, regardless of assigned permissions.

If an administrator takes ownership, the Administrators group becomes the owner and

any member of the Administrators group can change the permissions for the file or folder

and assign the Take Ownership permission to another user account or group.

 

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 6                                                    2002/02/22

 

 

 

IMPORTANT  You cannot assign anyone ownership of a file or folder.  The owner of a file,

an administrator, or anyone with Full Control permission can assign Take Ownership permission

to a user account or group, allowing that user to take ownership.  To become the owner of a file

or folder, a user or group member with Take Ownership permission must explicitly take ownership

of the file or folder, as explained later in this chapter.

 

 

Lesson Summary:

 

 

•   There are special permissions:  Change Permissions and Take Ownership.  You can give

administrators and other users the ability to change permissions for a file or folder without

giving them the Full Control permission over the file or folder.

•   The Take Ownership special permission to give users or groups the ability to take ownership

of files or folders.  The current owner or any user with Full Control permission can assign the

Full Control standard permission or the Take Ownership special permission to another user

account or group, allowing the user account or a member of the group to take ownership.

•   When an administrator takes ownership of a file or folder, the Administrators group becomes

the owner and any member of the Administrators group can change the permissions for the file

or folder and assign the Take Ownership permission to another user account or group.

 

 

Lesson 4:  Copying and Moving Files and Folders

 

When you copy and move files and folders, the permissions you set on the files or folders might change. 

There are rules that control how and when permissions change.  It is important that you understand

how and when permissions change during a copy or move.

 

 

Copying Files and Folders

 

When you copy files or folders from one folder to another folder, or from one volume to another

volume, permissions change.

 

When you copy a file within a single NTFS volume or between NTFS volumes

 

•   Windows 2000 treats it as a new file.  As a new file, it takes on the permissions of the

destination folder or volume.

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 7                                                    2002/02/22

 

 

 

•   You must have the Write permission for the destination folder to copy files and folders.
•   You become the Creator Owner.

 

 

NOTE:  When you copy files or folders to non-NTFS volumes, the folders and files lose their

NTFS permissions because FAT volumes do not support NTFS permissions.

 

 

Moving Files and Folders

 

When you move a file or folder, permissions might or might not change, depending on where you

move the file or folder.

 

Moving Within a Single NTFS Volume:

 

•   The folder or file retains the original permissions.
•   You must have the Write permission for the destination folder to move files and folders

into it.

•   You must have the Modify permission for the source folder or file.  The Modify

 permission is required to move a folder or file because Windows 2000 deletes the

 folder or file from the source folder after it is copied  to the destination folder.

•   You become the Creator Owner.

 

 

Moving Between NTFS Volumes

 

When you move a file or folder between NTFS volumes

 

• The folder or file inherits the permissions of the destination folder.
• You must have the Write permission for the destination folder or move files and folders into it.
• You must have the Modify permission for the source folder or file.  The Modify permission is
• required to move a folder or file because Windows 2000 deletes the folder or file from the
• source folder after it is copied to the destination folder.
• You become the Creator Owner.

 

 

NOTE:  When you move files or folders to FAT volumes, the folders and files lose their NTFS

permissions because FAT volumes do not support NTFS permissions.

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 8                                                    2002/02/22

 

 

 

 

Lesson Summary:

 

•   When you copy or move files or folders to another volume or the same volume of an NTFS

Volume, the permissions change.

•   When you move or copy to a FAT location you will also have changes in the permissions.

 

 

 

Lesson 5:   Troubleshooting Permissions Problems

 

When you assign or modify NTFS permissions to files and folders, problems might arise. 

Troubleshooting these problems is important to keep resources available to users.

 

 

If a user cannot gain access to a file or folder, you may want to check if the folder was

moved or copied from another location, the permissions may have changed.

 

 

***** See the chart on troubleshooting page 293 ***

 

 

NOTE:  Windows 2000 supports Portable Operating System Interface for UNIX (POSIX)

applications that are designed to run on UNIX.  On UNIX systems, Full Control permissions

allows you to delete files in a folder.  In Windows 2000, the Full Control permission includes

the Delete Subfolders and Files special permission, allowing you the same ability to delete

files in that folder regardless of the permissions that you have for the files in the folder.

 

 

Avoiding Permissions Problems

 

The following list provides best practices for implementing NTFS permissions.  These guidelines

will help you avoid permission problems.

 

•   Assign the most restrictive NTFS permissions that still enable users and groups to

accomplish necessary tasks.  Assign all permissions at the folder level, not at the file

level. 

•   For all application executable files, assign Read & Execute and Change

Permissions to the Administrators group, and assign Read & Execute to the Users group.

 

 

 

=====================================================================

 

winads9.html                                                   PAGE 9                                                    2002/02/22

 

 

 

•   Assign Full Control to Creator Owner for public data folders so that users can delete and modify

files and folders that they create.  For public folders, assign Full Control to Creator Owner and

•   Read and Write to the Everyone group.  Use long, descriptive names if the resource will be

accessed only at the computer.  Allow permissions rather than deny permissions.

 

 

 

Lesson Summary:

 

• When you assign or modify NTFS permissions for files and folders, problems might arise. 
• Troubleshooting these problems is important to keep resources available to users.