CHAPTER 14
SECURING RESOURCES WITH NTFS PERMISSIONS
Lesson 1: Understanding NTFS Permissions
You use NTFS permissions to specify which users and groups can gain access to files and folders
and what they can do with the contents of the file or folder.
NTFS permissions are available only on NTFS volumes. NTFS permissions are not available on
volumes that are formatted with FAT or FAT32 file systems.
NTFS security is effective whether a user gains access to the file or folder at the computer or
over the network. The permissions you assign for folders are different from the permissions
you assign for files.
NTFS Folder Permissions
You can assign folder permissions to control the access that users have to folders and to the
files and subfolders that are contained within the folder.
NTFS Folder Permissions ** IMPORTANT **
===================================================================
NTFS Folder Permission       Allows the user to
===================================================================
Read                         See files and subfolders, and view folder ownership,
                             permissions and attributes.
Write                        Create new files and subfolders within the folder,
                             change folder attributes, and view folder
                             ownership and permissions.
List Folder Contents         See the names of files and subfolders in the folder.
Read & Execute               Move through folders to reach other files and
                             folders, even if the user doesn't have permission
                             for those folders.
Modify                       Delete the folder, plus perform actions permitted
(was Change in Windows NT)   by the Write permission and the Read & Execute
                             permission.
Full Control                 Change permissions, take ownership and delete
                             subfolders and files, plus perform actions
                             permitted by all other NTFS folder permissions.
=====================================================================
winpro14.html PAGE
2
2001/12/08
You can deny permissions to a user account or group. To deny all access to a user account
or group for a folder, deny the Full Control permission. DENY takes precedence over
ALLOW. DENY always overrides.
NTFS File Permissions
You assign file permissions to control the access that users have to files.
NTFS File Permissions ** IMPORTANT **
=====================================================================
NTFS File Permission     Allows the user to
=====================================================================
Read                     Read the file, and view its attributes, ownership and permissions.
Write                    Overwrite the file, change file attributes, and view file
                         ownership and permissions.
Read & Execute           Run applications, plus perform the actions permitted by
                         the Read permission.
Modify                   Modify and delete the file, plus perform the actions
                         permitted by Write and Read & Execute.
Full Control             Change permissions and take ownership, plus perform
                         the actions permitted by all other NTFS file permissions.
======================================================================
Lesson Summary:
NTFS permissions specify which users and groups can gain access to files and folders
and what these permissions allow users to do with the contents of the files and folders.
NTFS security is effective whether a user gains access to the file or folder at the computer
or over the network.
The NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute,
Modify and Full Control; the NTFS file permissions are Read, Write, Read & Execute,
Modify and Full Control.
Lesson 2: Applying NTFS Permissions
Administrators, the owners of files or folders, and users with Full Control permissions can
assign NTFS permissions to users and groups to control access to files and folders.
Access Control List
NTFS stores an access control list (ACL) with every file and folder on an NTFS
volume. The ACL contains a list of all user accounts and groups that have been granted
access for the file or folder, as well as the type of access that they have been granted.
When a user attempts to gain access to a resource, the ACL must contain an entry,
called an access control entry (ACE), for the user account or a group to which
the user belongs. The entry must allow the type of access that is requested
(for example, Read access) for the user to gain access. If no ACE exists in the ACL,
the user can't gain access to the resource.
Multiple NTFS Permissions
You can assign multiple permissions to a user account and to each group in which the user
is a member. To assign permissions, you must understand the rules and priorities regarding
how NTFS assigns and combines multiple permissions, and NTFS permission inheritance.
Cumulative Permissions
A user’s effective permissions for a resource are the sum of the NTFS permissions that you
assign to the individual user account and to all of the groups to which the user belongs. If a
user has Read permissions for a folder and is a member of a group with Write permissions
for the same folder, the user has both Read and Write permissions for that folder, unless
one of them is DENY.
Overriding Folder Permissions with File Permissions
NTFS file permissions take priority over NTFS folder permissions. A user with access to a
file will be able to gain access to the file even if he or she doesn't have access to the folder
containing the file. A user can gain access to the files for which he or she has permissions by
using the full Universal Naming Convention (UNC) or local path to open the file from its respective
application, even though the folder in which it resides will be invisible if the user has no
corresponding folder permissions.
In other words, if you don't have permissions to access the folder containing the file you want
to access, you will have to know the full path to the file to access it. Without permission to
access the folder, you can't see the folder, so you can't browse for the file you want to access.
Overriding Other Permissions with Deny
You can deny permissions to a user account or group for a specific file, although this is not the
recommended way to control access to resources. Denying a permission overrides all instances
where that permission is allowed.
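The following is an added example, not part of the chapter, that reads the ACL (the ACEs) of a folder the way Lesson 2 describes and combines the entries that apply to the user running it: the user's own SID plus every group SID in the logon token, with Allow rights accumulated and any Deny of a right overriding an Allow of that right. The folder path is an assumed example.

```powershell
# Added example (not from the chapter): show which ACEs on a folder apply to the
# current logon token and combine them: Allow is cumulative, Deny overrides Allow.
$Path = 'C:\Data\Public'   # assumed example folder

$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Every SID the token carries: the user account itself and all of its groups
$tokenSids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

$allow = 0; $deny = 0
foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    try {
        # Get-Acl reports names; translate each to a SID so it can be matched to the token
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # orphaned account name that no longer resolves: cannot apply to us
    if ($tokenSids -notcontains $sid) { continue }

    '{0,-5} {1,-30} {2} (inherited: {3})' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
    else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
}

# Rights that some ACE allows and no ACE denies are the ones this token actually has
$effective = $allow -band (-bnot $deny)
"Cumulative Allow : $([System.Security.AccessControl.FileSystemRights]$allow)"
"Denied           : $([System.Security.AccessControl.FileSystemRights]$deny)"
"Effective        : $([System.Security.AccessControl.FileSystemRights]$effective)"
```

This applies the lesson's rule that Deny overrides Allow; the real access check also walks the ACEs in order (explicit before inherited), so treat the output as a reading of the ACL rather than a substitute for testing access.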
NTFS Permissions Inheritance
By default, permissions that you assign to the parent folder are inherited by and propagated to
the subfolders and files that are contained in the parent folder.
Understanding Permissions Inheritance
Whatever permissions you assign to the parent folder also apply to subfolders and files that are
contained within the parent folder. When you assign NTFS permissions to give access to a folder,
you assign permissions for the folder and for any existing files and subfolders, as well as for any
new files and subfolders that are created in the folder.
Preventing Permissions Inheritance
You can prevent permissions that are assigned to a parent folder from being inherited by the subfolders
and files that are contained within a folder.
The folder for which you prevent permissions inheritance becomes the new parent folder, and
permissions that are assigned to this folder will be inherited by the subfolders and files that are
contained within it. To do so, right-click the folder and click Properties.
Lesson Summary:
Administrators, the owners of files or folders, and users with Full Control permission can assign
permissions to users and groups to control access to files and folders.
The ACL contains a list of all user accounts and groups that have been granted access
to the file or folder, as well as the type of access that they have been granted.
Some permissions override others; for example, NTFS file permissions take priority over NTFS folder permissions.
A user's effective permissions for a resource are the sum of the NTFS permissions that
you assign to the individual user account and to all of the groups to which the user belongs.
Lesson 3: Assigning NTFS Permissions
Assign permissions according to group and user needs, which include allowing or preventing
permissions inheritance from parent folders to subfolders and files that are contained in the
parent folder.
Planning NTFS Permissions
Use the following guidelines to manage NTFS permissions:
Keep home and public folders on a volume that is separate from applications and the operating
system.
Assign permissions only to folders, not to individual files.
Backup is less complex; there is no need to back up the application folders.
Put users into groups and assign permissions to the group.
For application folders, assign the Read & Execute permission to the Users group and the
Administrators group. This prevents the application files from being accidentally deleted.
For public data folders, assign the Read & Execute and Write permissions to the Users group
and the FC permission to CREATOR OWNER.
THE BOOK IS WRONG! DOES NOT WORK. FIX: you must go into the Advanced tab for the group
you are changing, and fine-tune the properties by selecting Create Files/Write Data. This
stops you from being able to delete other users' files too.
This gives users the ability to read and modify documents that other users create and the
ability to read, modify, and delete the files and folders that they create.
Educate users about how to do so.
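As an added example (not the book's or the author's), here is the public data folder recipe from the guidelines above scripted with the author's fix applied: the Users group gets Read & Execute on the whole tree but only Create Files/Write Data and Create Folders/Append Data on the folder itself (not inherited to files), so users cannot overwrite or delete each other's files, and CREATOR OWNER gets Full Control of whatever a user creates. The folder path is an assumed example; principals are given by their well-known SIDs.

```powershell
# Added example (not from the chapter): a public data folder with Read & Execute for
# Users, create-only rights on the folder itself, and Full Control for CREATOR OWNER.
$Path = 'C:\Data\Public'   # assumed example folder
if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

$Users        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'   # BUILTIN\Users
$Admins       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators
$System       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'        # CREATOR OWNER

function New-AllowRule($Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -LiteralPath $Path
# Break inheritance from the parent and discard the inherited ACEs (the "Remove" option),
# so the volume's default Everyone: Full Control does not flow into this folder
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-AllowRule $System 'FullControl'    'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-AllowRule $Admins 'FullControl'    'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-AllowRule $Users  'ReadAndExecute' 'ContainerInherit, ObjectInherit' 'None'))
# This folder only: users may create new files and subfolders, but existing files get no write bit
$acl.AddAccessRule((New-AllowRule $Users  'CreateFiles, CreateDirectories' 'None' 'None'))
# Inherit-only: becomes Full Control for the creating user on each file or subfolder created here
$acl.AddAccessRule((New-AllowRule $CreatorOwner 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -LiteralPath $Path -AclObject $acl

(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags -AutoSize
```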
Setting NTFS Permissions
By default, when you format a volume with NTFS, the Full Control (FC) permission is assigned to the
Everyone group. You should change this default permission and assign other appropriate NTFS permissions.
Assigning or Modifying Permissions
Administrators have Full Control (FC), and the owners of files and folders (CREATOR OWNER)
can assign permissions to user accounts and groups.
Use the Security tab of the Properties dialog box for the file or folder to configure the options required.
Preventing Permissions Inheritance
By default, subfolders and files inherit permissions that you assign to their parent folder. This is
indicated on the Security tab in Properties. To prevent a subfolder or file from inheriting permissions
from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This
Object check box.
Preventing Permissions Inheritance Options
======================================================================
Option     Description
======================================================================
Copy       Copy the permissions from the parent folder to the current folder and
           then deny subsequent permissions inheritance from the parent
           folder.
Remove     Remove the permissions that are inherited from the parent folder and
           retain only the permissions that you explicitly assign to the file or
           folder.
Cancel     Cancel the dialog box and restore the check mark in the Allow
           Inheritable Permissions From Parent To Propagate To This Object
           check box.
======================================================================
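The three choices in the table above, and the "Preventing Permissions Inheritance" procedure of Lesson 2, map onto one call on the FileSecurity object behind Get-Acl and Set-Acl. The function below is an added example, not from the chapter: Copy keeps the inherited ACEs as explicit ones, Remove keeps only the ACEs explicitly assigned to the object, and Inherit is the scripted equivalent of Cancel (inheritance stays on, or is turned back on). The path in the usage line is an assumed example.

```powershell
# Added example (not from the chapter): Copy / Remove / re-enable inheritance on a folder
function Set-InheritanceOption {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][ValidateSet('Copy', 'Remove', 'Inherit')][string]$Option
    )
    $acl = Get-Acl -LiteralPath $Path
    switch ($Option) {
        'Copy'    { $acl.SetAccessRuleProtection($true,  $true)  }  # stop inheriting, keep copies as explicit ACEs
        'Remove'  { $acl.SetAccessRuleProtection($true,  $false) }  # stop inheriting, drop the inherited ACEs
        'Inherit' { $acl.SetAccessRuleProtection($false, $false) }  # inherit from the parent again
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Report the result: AreAccessRulesProtected is the cleared/checked state of the
    # "Allow Inheritable Permissions From Parent To Propagate To This Object" box
    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Protected = $after.AreAccessRulesProtected
        Explicit  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($after.Access | Where-Object { $_.IsInherited }).Count
    }
}

Set-InheritanceOption -Path 'C:\Data\Projects' -Option Copy   # assumed example folder
```

Remove on a folder that has no explicit ACEs leaves an empty DACL that grants nobody access; only the owner, or an administrator who takes ownership, can repair it.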
Lesson Summary:
By default, when you format a volume with NTFS, the Full Control permission is assigned to the
Everyone group. You should change this default permission and assign other appropriate NTFS
permissions to control the access that users have to resources.
Administrators and the owners of files and folders assign permissions on the Security tab of the Properties
of the file or folder. By default, subfolders and files inherit permissions that you assign to their
parent folder. You can disable this feature so that subfolders and files don't inherit the permissions
assigned to their parents.
Lesson 4: Assigning Special Access Permissions
The standard NTFS permissions generally provide all of the access control that you need
to secure your resources.
Using Special Access Permissions
There are 13 special access permissions. Two of them are Change Permissions and Take
Ownership.
Changing Permissions
You can give other administrators and users the ability to change permissions for a file or folder
without giving them Full Control permission over the file or folder. In this way, the administrator
or user can't delete or write to the file or folder but can assign permissions to the file or folder.
To give administrators the ability to change permissions, assign Change Permissions to the
Administrators group for the file or folder.
Taking Ownership
You can transfer ownership of files and folders from one user account or group to another
user account or group. You can give someone the ability to take ownership and, as an
administrator, you can take ownership of a file or folder.
The current owner, or any user with Full Control permission, can assign the Full Control standard
permission or the Take Ownership special access permission to another user account
or group, allowing the user account or a member of the group to take ownership.
An administrator can take ownership of a file or folder regardless of the assigned
permissions. For example, if an employee leaves the company, an administrator can
take ownership of the employee's files, assign the Take Ownership permission to another
employee, and then that employee can take ownership of the former employee's files.
NOTE: You cannot assign anyone ownership of a file or folder. The owner of a file, an
administrator, or anyone with Full Control permission can assign the Take Ownership permission
to a user account or group, allowing them to take ownership. To become the owner of a file
or folder, a user or group member with Take Ownership permission must explicitly take
ownership of the file or folder.
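The two special access permissions this lesson names, scripted as an added example that is not from the chapter: Grant-SpecialRight adds a single special permission (Change Permissions or Take Ownership) instead of Full Control, and the second part runs the departing-employee scenario, where an administrator takes ownership of the folder, grants Take Ownership to the successor, and the successor must then explicitly take ownership. All account names and paths are assumed examples.

```powershell
# Added example (not from the chapter): Change Permissions and Take Ownership via Get-Acl/Set-Acl
function Grant-SpecialRight {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Right   # e.g. ChangePermissions, TakeOwnership
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Right,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-Owner([string]$Path, [string]$Account) {
    # Run by the new owner or by an administrator: rewrites the Owner of the security descriptor
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Account)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Changing Permissions: administrators may edit the ACL of the HR folder, but this entry
# gives them no read, write or delete access to its contents
Grant-SpecialRight -Path 'C:\Data\HR' -Account 'BUILTIN\Administrators' -Right ChangePermissions

# Taking Ownership: an administrator takes ownership of the departed user's folder ...
$folder = 'C:\Data\Home\jdoe'                     # assumed example folder
Set-Owner -Path $folder -Account 'BUILTIN\Administrators'
# ... grants Take Ownership to the successor ...
Grant-SpecialRight -Path $folder -Account 'CONTOSO\asmith' -Right TakeOwnership
# ... and the successor, logged on as CONTOSO\asmith, explicitly becomes the owner:
# Set-Owner -Path $folder -Account 'CONTOSO\asmith'
```

Run the administrator's ownership step from an elevated session that is a member of Administrators; Set-Owner changes the folder itself only, not the files and subfolders inside it.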
Setting Special Access Permissions
Open the Access Control Settings dialog box, on the Permissions tab select the user account or group,
and click View/Edit to open the Permission Entry dialog box.
Taking Ownership of a File or Folder
To take ownership, the user or group member with Take Ownership permission must
explicitly take ownership of the file or folder as follows: open the Access Control Settings dialog
box, select the Owner tab, and select the new owner. To also take ownership of the
subfolders and files that are contained within the folder, select the
Replace Owner On Subcontainers And Objects check box.
Lesson Summary:
There are 13 special access permissions; two of them are Change Permissions and Take Ownership.
You can give other administrators and users the ability to change permissions for a file
or folder without giving them FC permission over the file or folder. Change Permissions does not
let them delete or write to the file or folder, but it allows them to assign permissions to the file or folder.
The owner or a user with Full Control can assign the Full Control standard permission or the
Take Ownership special access permission to another user account or group, allowing the
user account or a member of the group to take ownership.
An administrator can take ownership of a file or folder regardless of its permissions, then
change the permission for the file or folder and assign the Take Ownership permission
to another user account or group.
Lesson 5: Copying and Moving Files and Folders
When you copy a file or folder within a single NTFS volume or between NTFS volumes:
Windows 2000 treats it as a new file. As a new file, it takes on the permissions of the
destination folder.
You must have Write permission for the destination folder to copy files and folders.
You become the CREATOR OWNER.
NOTE: When you copy files or folders to FAT volumes, the folders and files lose their
NTFS permissions because FAT volumes don't support NTFS permissions.
Moving Files and Folders
When you move a file or folder within a single NTFS volume:
The file or folder retains its original permissions. You must have Write permission for the
destination folder, and the Modify permission for the source file or folder is
required to move a file or folder because Windows 2000 deletes the file or folder from the source
folder after it is copied to the destination folder.
Moving Between NTFS Volumes
When you move a file or folder between NTFS volumes:
The file or folder inherits the permissions of the destination folder. You must have Write
permission for the destination folder, and the Modify permission for the source file or folder
is required to move a file or folder because Windows 2000 deletes the file or folder from
the source folder after it is copied to the destination folder.
Lesson Summary:
Rules control how and when permissions change when you copy or move files and folders.
When you move a file or folder within a single NTFS volume, the file or folder retains its
original permissions.
When you copy a file or folder, or move it between NTFS volumes, it inherits the permissions
of the destination folder.
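A practical check of the copy and move rules in this lesson, added here as an example that is not part of the chapter: it creates a source folder and two destination folders, one on the same volume and one on another, gives them different marker ACEs, then copies and moves a file and prints the ACEs each resulting file carries. It assumes C: and D: are both NTFS and that the script runs with rights to create the test folders; all paths are constructed examples.

```powershell
# Added example (not from the chapter): observe which ACEs a copied or moved file ends up with
$src = 'C:\AclTest\Source'; $dstSame = 'C:\AclTest\Dest'; $dstOther = 'D:\AclTest\Dest'
foreach ($d in $src, $dstSame, $dstOther) { New-Item -ItemType Directory -Force -Path $d | Out-Null }

function Add-MarkerAce([string]$Path, [string]$Account, [string]$Rights) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path; $acl.AddAccessRule($rule); Set-Acl -LiteralPath $Path -AclObject $acl
}
function Show-Access([string]$Path) {
    $Path
    (Get-Acl -LiteralPath $Path).Access |
        ForEach-Object { '   {0,-26} {1,-18} inherited={2}' -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited }
}

Add-MarkerAce $src      'BUILTIN\Users'            'Read'     # only the source folder carries Users: Read
Add-MarkerAce $dstSame  'BUILTIN\Backup Operators' 'Modify'   # only the destinations carry this entry
Add-MarkerAce $dstOther 'BUILTIN\Backup Operators' 'Modify'
'test' | Set-Content -LiteralPath "$src\a.txt"
'test' | Set-Content -LiteralPath "$src\b.txt"
'test' | Set-Content -LiteralPath "$src\c.txt"

Copy-Item -LiteralPath "$src\a.txt" -Destination "$dstSame\a.txt"    # copy: a new file takes the destination's ACEs
Move-Item -LiteralPath "$src\b.txt" -Destination "$dstSame\b.txt"    # move, same volume: the file keeps its ACEs
Move-Item -LiteralPath "$src\c.txt" -Destination "$dstOther\c.txt"   # move, other volume: copy then delete
Show-Access "$dstSame\a.txt"
Show-Access "$dstSame\b.txt"
Show-Access "$dstOther\c.txt"
```

Compare the three listings against the lesson's rules: the Users: Read marker should survive only on the file moved within the same volume.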
Lesson 6: Solving Permissions Problems
When you assign or modify NTFS permissions for files and folders, problems might arise.
Troubleshooting these problems is important to keep resources available to users.
NOTE: Windows 2000 supports POSIX applications that are designed to run on UNIX.
On UNIX systems, Full Control permission on a folder allows you to delete files in the folder. In Windows
2000, the Full Control permission includes the Delete Subfolders and Files special access
permission, giving you the same ability to delete files in that folder regardless of the
permissions that you have for the files in the folder. If the folder is FC and a file within this
folder is NO ACCESS or DENY, there is a kind of loophole: you can still delete the file
within the folder. One way around this is to give the folder Modify instead of Full Control,
and then apply the Deny to the particular file or folder inside that Modify folder.
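A defender's check for the loophole in the NOTE above, added here as an example that is not from the chapter: it walks a folder tree and reports every Allow ACE that gives a principal outside a trusted list the Delete Subfolders and Files right (part of Full Control), since such a principal can delete files in the folder regardless of Deny entries on the files; Convert-FullControlToModify applies the lesson's workaround for one folder and account. The root path and the trusted list are assumed examples.

```powershell
# Added example (not from the chapter): find Delete Subfolders and Files grants, and swap
# an explicit Full Control entry for Modify so per-file Deny entries are honoured
$Root    = 'D:\Data'   # assumed example root
$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$dsf     = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Find-DeleteSubfolderGrants([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band [int]$dsf) -eq [int]$dsf -and
            $Trusted -notcontains $_.IdentityReference.Value
        } | ForEach-Object {
            [pscustomobject]@{ Folder = $folder; Identity = $_.IdentityReference.Value
                               Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
        }
    }
}

function Convert-FullControlToModify([string]$Folder, [string]$Account) {
    # Lesson's workaround: Modify has everything in Full Control except Delete Subfolders
    # and Files, Change Permissions and Take Ownership
    $acl  = Get-Acl -LiteralPath $Folder
    $full = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and $_.FileSystemRights -eq 'FullControl'
    }
    foreach ($rule in $full) { [void]$acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

Find-DeleteSubfolderGrants -Path $Root | Format-Table -AutoSize
# Convert-FullControlToModify -Folder 'D:\Data\Projects' -Account 'CONTOSO\Project Users'   # assumed names
```

Inherited entries that Get-Acl reports with generic rights (a bare number instead of FullControl) are not matched by the bit test; re-run the check after fixing the explicit entry on the parent.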
Avoiding Permissions Problems:
Assign users only the permissions they need to accomplish necessary tasks. Assign all permissions
at the folder level, not at the file level.
Group files in a separate folder for which you want to restrict user access, and then
assign that folder restricted access.
For application folders, assign Read & Execute to the Administrators group and to the Users group.
Assign FC to CREATOR OWNER so that users have full control of the files and folders
that they create.
Remove the default Full Control permission from the Everyone group.
Lesson Summary: