CHAPTER 6

                               SECURING NETWORK RESOURCES

                                          WITH NTFS PERMISSIONS

 

Lesson 1:  Introduction to NTFS Permissions ………………………                    211

Lesson 2:  Combining Share Permissions and NTFS Permissions …                    217

Lesson 3:  Guildelines for assigning NTFS Permissions ……………                    223

Lesson 4:  Assigning NTFS Permissions ……………………………                     230

Lesson 5:  Taking Ownership of Folders and Files …………………                     240

Lesson 6:  Copying or Moving Folders and Files …………………..                     245

Lesson 7:  Troubleshooting Permission Problems ………………….                     251

 

 

NTFS permissions secure folders and files on the local computer.  NTFS permissions can be

combined with shared permissions, can secure resources from users who connect to resources

over the network.

 

Lesson 1:  Introduction to NTFS Permissions

 

On NTFS volumes, you can set NTFS permissions on folders and files.  NTFS permissions secure

resources on the local computer and when users connect to resources over the network. 

 

 

What are NTFS Permissions?:

 

NTFS Permissions are permissions that are only available on a volume that has been formatted

with the Windows NT file system (NTFS).  So in my case Drive F: at school is my NTFS drive. 

NTFS permissions provide a greater degree of security because they can be assigned to folders

and to individual files.  NTFS folder and file permissions apply both to users working at the

computer where the folder or file is stored and to users accessing the folder or file over the

network by connecting to a shared folder.

 

 

Why Use NTFS Permissions?

 

You use NTFS permissions to protect resources from users who can access the computer in

the following ways:

 

• Locally, by sitting at the computer where the resource is stored.
• Remotely, by connecting to a shared folder, RAS.

 

You can set file permissions to a fine degree of granularity.  For example, you can set different

permissions for each file in a folder.  You can let on user read the contents of a file and change

it, let another user only read the file, and prevent all other users form any access to the file.

 

 

======================================================================

 

wntadm6.html                                                PAGE 2                                                        2001/10/28

 

 

 

NOTE:  When a volume is formatted with NTFS, the Everyone group is automatically assigned

Full Control permission to the volume.  Folders and files created on the volume or hard drive,

inherit this default permission.

 

 

Individual NTFS Permissions

 

Windows NT provides six individual NTFS permissions.  Each permission specifies the access

that a user or group can have to the folder or file.

 

 

======================================================================

NTFS

Individual

Permissions                For a folder, a user can                    For a file, a user can

======================================================================

Read (R)                     Display folder names,                Displays file data, attributes,     

                                    Attributes, owner and               owner and permissions.

                                    Permissions.

 

Write (W)                   Add files and folders,                Display owner and permissions,

                                    Change a folders attrib.,           change file attrib. Create data,

                                    Display owner and                   in, and append data to a file.

                                    Permissions.

 

Execute (X)                Display folder attributes            Display file attributes, owner,

                                    Make changes to folders           and permissions.  Run a file if

                                    Within a folder, and display       it is an executable.

                                    Owner and permissions.

 

Delete (D)                  Delete a folder.                         Delete a file.

 

Change                       Change a folder’s                     Change a file’s permissions.

Permissions (P)          permissions

                                   

Take Ownership         Take ownership of a                 Take ownership of file.

(O)                               Folder.

 

 

=====================================================================

 

NOTE:  On a NTFS Volume, the user who creates a folder or file becomes the owner.  If the

user is a member of the Administrators group, the Administrators group becomes the owner. 

The owner can always assign and change permissions on a folder or file.

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 3                                                    2001/10/27

 

 

 

Standard Permissions

 

In most situations, you will use the NTFS standard permissions.  Standard permissions are

combinations of individual NTFS permissions and allow you to assign multiple NTFS

permissions at one time.

 

You can simplify administrative tasks, by assigning individual permissions at one time.  Each file

has the abbreviated standard beside the file.  For example, for Read on a file, the RX appears

beside the file.

 

=====================================================================

                                                Individual Permissions           Individual permissions

Standard Permission              on folders                                on files in the folder

=====================================================================

No Access                              None                                        None

 

List                                          RX                                          Not specified

 

Read                                       RX                                           RX

 

Add                                         WX                                          Not specified

 

Add & Read                           RWX                                       RX

 

Change                                   RWXD                                    RWXD

 

Full Control                            All                                            All

 

 

======================================================================

 

NOTE:   No Access means that the user cannot access the folder or file in any way, even if the

user is a member of a group that has been granted access to the folder.  “Not Specified” means

that the standard permission does not apply to files.

 

 

Standard File Permissions

 

The following table lists the standard file permissions and the individual NTFS permissions that

each standard file permission represents.

 

Standard permission                          Individual Permissions

 

No Access                                           None

Read                                                    RX

Change                                                 RWXD

Full Control                                          All

 

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 4                                                    2001/10/27

 

 

 

 

NOTE:  The difference between the Full Control permission and the Change permission is that

Change does not include the ability to modify permissions or to take ownership of folders and files.

 

 

How NTFS Permissions are Applied

 

NTFS permissions are assigned to user and group accounts in the same way that share permissions

are assigned, a user can be assigned NTFS permissions directly or as a member of one or more

groups.

 

NTFS folder permissions are applied as Follows:

 

•  Like share permissions, NTFS permissions provide effective permissions for users that are the

combination of the user and group permissions, with the exceptions of No Access.  The No Access

overrides all other permissions.

•  Unlike share permissions, NTFS Permissions protect local resources and can be assigned to other

folders and files in the same folder hierarchy.

 

 

NTFS file permissions take precedence over the permissions assigned for the folder that the file is

contained in.  For example, if a user has Read permissions to a folder and Write permission to a file

in that folder, then the user will be able to write to the file, but will be unable to create a new file in the

folder.

 

 

Example of NTFS Folder Permissions

 

If User 1 is assigned the Write permissions to the folder named Data.  User1 is also a member of the

Everyone group to which the Read permission is assigned.  Therefore, User1’s effective permissions

are both Read and Write to the Data folder only.

 

Unlike share permissions, NTFS permissions do not automatically allow User1 to gain access to the

other folders within the Hierarchy.

 

 

Example of NTFS File Permissions (page 215)

 

In the following User1  is assigned the Read and Write permissions to File1 in the folder named Data. 

User1 is also a member of the Sales group to which a different permission, Read, is assigned for the

Data folder.  User1’s effective permission to the Data folder is Read, but it Read and Write to File1

because NTFS file permissions override NTFS Folder permissions.

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 5                                                    2001/10/27

 

 

 

Lesson 2:  Combining Share Permissions and NTFS Permissions

 

Share permissions for NTFS volumes work in combination with file and folder permissions.

 

To provide users with network access to disk resources, the folders containing those resources must be

shared.  Once the folder is shared, you can protect it by assigning share permissions to user and groups. 

However, share permissions offer limited security because they:

 

•  Give the user the same level of access to all folders and files within the shared folder.
•  Have no effect when a user gains access to the resource locally by sitting at the computer where the

resource is located.Cannot be used to secure individual files.

 

If the shared folder is on an NTFS Volume, you can use NTFS permissions to effectively block or

change a user’s access to other folders or files in the shared folder hierarchy.  You gain the greatest

degree of security by combining NTFS permissions with Share permissions.

 

NOTE:  The easiest way to combine share permissions and NTFS permissions is to leave the default

share permission Full Control assigned to the Everyone group, and then to assign NTFS permissions to

specific user and group accounts for the folders and files within the shared folder hierarchy.

 

When combining share permissions with NTFS permissions, the most restrictive permission always

becomes the effective permission.  For example, if the share permission for a folder is Full Control,

and the NTFS permission for the same folder is Read, the effective permission is Read because it is

the most restrictive.

 

The following shows that User2 has the share permission Read for the shared folder named Public on

Computer 1, and NTFS FC Permission to FileA.  User2’s effective permission for FileA is Read

because Read  is the most restrictive permission.  User2’s effective permission for FileB is Read

because the NTFS Read permission has the same restrictions as the share permission Read. 

(see page 218, and review, it makes sense from the diagram.)

 

 

Example of Combined NTFS Permissions 

 

When share permissions are combined with NTFS Permissions the most restrictive permission

becomes the effective permissions.

 

The easiest way to combine share and NTFS permissions is to leave the default share permission

Full Control assigned to the Everyone group, and then assign NTFS permissions to specify user and

group accounts for the folders and files within the shared folder hierarchy.

 

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 6                                                    2001/10/27

 

 

Lesson 3:  Guidelines for assigning NTFS Permissions

 

 

Guidelines for Planning Program Folders:

 

The following are general guidelines for assigning NTFS permissions to program folders:

 

Remove the default NTFS permission Full Control from the Everyone group and assign it to the

Administrators group.

Assign groups that are responsible for upgrading and troubleshooting software the Full Control or

Change permission for the appropriate folders.

If network programs are contained in shared folders, assign the Users group the Read permissions.

 

 

Guidelines for Planning Data Folders:

 

The following are general guidelines for assigning NTFS permissions to data folders:

 

•  Remove the default permission Full Control from the everyone group and assign it to the

Administrators group.

•  Assign the User group and Add & Read permission and the Creator Owner group the Full
•  Control permission.  This gives users who log on locally the ability to delete and modify only the

folders and files that they copy or create on the computer.

 

 

Guidelines for Planning Home Folders:

 

The following are general guidelines for assigning NTFS permissions to home folders:

 

•  Centralize home folders on an NTFS volume (on a network server) that is separate from

programs and the operating system to streamline administration and the backing up of data.

•  Use %Username% to automatically assign a user’s account to the folder and to automatically

assign the NTFS permission Full Control to the respective user.

 

 

 

 

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 7                                                    2001/10/27

 

 

 

Creating Home Folders on an NTFS volume:

 

A big advantage to storing home folders on an NTFS volume is that you can organize them in one

hierarchy and restrict access to the respective users without sharing each folder.

 

Follow these steps to create home folders on NTFS volumes:

 

 

•  Create a folder named Users on a volume that is separate from the operating systems and

programs.  By doing so, the home folders will remain intact if the operating system volume

requires reformatting.

•  Share the Users folder to provide a single access point for network users and a single

administration point for administrators.

•  Remove the default permission Full Control from the Everyone group and assign the share

permission Full Control to the Users group.

•  User the %Username% variable to automatically name home folders using users’ user account

names.  The %Username% variable also automatically assigns the NTFS permission Full

Control to the respective user.  (on FAT volumes, home folders can only be restricted by

share permissions.)

         

             A:    In User Manager for Domains, create a new user account or double-

                    Click an existing account.

             B:    In the New User or User Properties dialog box, click Profile, and then

                    In the Home Directory To box, type        \\server_name\Users\%Username%

 

TIP  Educate users to store their personal and work data in their home folders.  If users’ home folders

are stored on a network server and are moved to a different server, only the home folder path

will require modification.

 

 

Lesson 4:  Assigning NTFS Permissions

 

To assign NTFS permissions, you need to be the owner of the folder or file, or have one of the

following permissions:

 

•  Standard permission:  Full Control
•  Special access (or individual) permissions:  Change Permissions
•  Special access (or individual permission:  Take Ownership (With this permission a user

can take ownership of a folder or file, and then change permissions on the resource.)

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 8                                                    2001/10/27

 

 

 

Default NTFS Permissions:

 

•  When a volume is formatted with NTFS, the permission Full Control is automatically assigned

to the Everyone group.  This give all users with the Log on locally user right complete access

to the volume.

•  When a new folder or file is created on an NTFS volume, the folder or file inherits the

permissions of the folder that contains it.

 

 

CAUTION:  When Windows NT is installed on an NTFS volume, NTFS permissions are automatically

assigned to some system folders.  Do not modify the permissions on system file. 

 

 

Assigning NTFS Folder and File Permissions

 

You modify permissions by right-clicking the folder or file in Windows NT Explorer, clicking Properties,

clicking the Security tab, and then clicking Permissions.

 

Try some of the next exercises in class.

 

 

Assigning Special Access Permissions

 

In most situations, standard permissions are all you need to secure folders and files.  However, in a

few situations, you will need to assign special access permissions, which give you the ability to assign

individual permissions to user and group accounts.  For example, you need to assign special access

permissions to do the following:

 

•  Allow another user to manage permissions for files that you own, assign the user the

permission Change Permissions (P). 

•  To protect program  files from being delete accidentally or infected by viruses, assign all

users accounts, including administrative accounts, the permission Read (R) for executable files. 

•  To allow administrators to modify executable files, assign the Administrators group the

permission Change Permission (P).  This permission give administrators the ability to

change the permissions on Read only files if necessary.

 

 

NOTE:   the Special access permissions are identical for both files and folders.

 

=====================================================================

 

wntadm6.html                                                 PAGE 9                                                    2001/10/27

 

 

 

Lesson 5:  Taking Ownership

 

The user who creates the file is the owner and creator of the file or a folder, they are the only one

 that has full control of the file or folder.  This is by default.

 

Therefore, the user who creates the file can share it out and take ownership permission (O) to

other users and groups.  The owner can set the permissions for the file or folder.

 

The only way the Administrator could take control of a users information, say if they left the

company, is to go into permissions and tick off the Take Ownership box.  Then the Administrator

would have Full control over the users folders.

 

 

SUMMARY:

 

•  By default, the person who creates a folder or file is the owner
•  By default, members of the Administrators group always have the ability to take ownership of a

folder or file.  

•  The owner can assign another group or user the ability to take ownership of a folder

or file by assigning the Full Control permission, or by assigning the special access

permissions Change Permissions or Take Ownership.

 

 

 

Lesson 6:  Copying or Moving Folders and Files

 

Copying a Folder or File  (inherits)

 

When you copy a folder or file within the same NTFS volume or to a different NTFS volume, the

folder or file inherits the permissions of the destination folder location.  The user who copies a folder

or file becomes the owner.

 

You need to have Add permissions to do the Copy.

 

 

Moving a Folder or File (retains), but if different NTFS Volume (inherits)

 

To move a folder or file within the same NTFS volume, the folder or file retains its original permissions

and owner.

 

However, if you move a folder or file to a different NTFS volume, the folder or file inherits the

permissions of the destination folder and the new owner is the user who moved it, just like when a

user copies a folder or file.

 

You need to have Add and Delete permissions.  When you move the folder to another NTFS

volume, it deletes the source location.

 

 

 

 

=====================================================================

 

wntadm6.html                                                 PAGE 10                                                 2001/10/27

 

 

 

NOTE:  Folders or files that are copies or moved to FAT volumes lose their permissions because

FAT volumes do not support NTFS permissions.

 

 

 

SUMMARY:

 

•  When a folder or file is copied from one folder to another, it inherits the permissions of the

destination folder and the user who performed the copy becomes the owner of the folder or

file in its new destination.

•  When a folder or file is moved within the same volume, the permissions and owner are

retained.  If a folder or file is moved to a different volume, the same rules apply as when a

folder or file is copied.

•  To copy a folder or file, a user needs the Add permission for the destination folder.  To move

a folder or file, a user needs the Add permission for the destination folder and the Delete

permission for the source folder.

 

 

Lesson 7:  Troubleshooting Permission Problems:

 

1.  Trouble-shooting problems:

 

If a user cannot access a file:  It could be that the file was copied or moved to another location, and

with NTFS and the way copies and moves work, this is why the user cannot access the file, because

the permissions, and owner may have changed.

 

 

2. Trouble-shooting problems:

 

A user deletes a file, even though they were assigned the no access permissions for  the file:    You

must be careful with NTFS, because if a user has FC for a folder, but has No Access to a file within

the folder, they will still be able to delete the file.

A little loop-hole.

 

Solution:  Remove the NTFS FC from the folder. Assign special permissions for the folder.

 

 

3.Trouble-shooting problem:

 

You add a user to a group to give that user permission for a resource, but the user still cannot gain

access to the resource.

 

Solution:  Have the user log of and then log back on.  This will update the Access token.  An object

call the access token is created for a user every time the user logs on and is authenticated by a

computer running Windows NT.

 

Since the new user was added, it in a way did not resync.

 

=====================================================================

 

wntadm6.html                                                 PAGE 11                                                  2001/10/27

 

 

 

 

 

Lesson Summary:

 

•  If a user has a problem gaining access to a resource, check the permissions on the user account

and on any groups to which the user is a member. 

•  The NTFS folder permissions Full Control allows users to delete files in the folder, even if they

have the No Access permission for the file.  To avoid this, remove the Full Control permission

and, instead, assign the user all of the special directory access permissions for the folder. 

•  If a user cannot gain access to a resource after being added to a group that has permissions

to the resource, have the user log off and then log back on,

or have the user disconnect from the resource and then reconnect.  Must update the Access

Token.

 

 

BEST PRACTICES:

 

•  Assign NTFP permissions before sharing a folder.  In this way, you avoid the issue of users

connecting to a gaining access to folders and files before you fully secure them. 

•  Assign permissions to groups rather than to individual users.  If the user is a member of a group

that has access to certain files, you can end the user’s access by removing the user from the

group rather than by changing the permissions on each of the files. 

•  Assign the Read permission to the Users and Administrators group for all program

executable files. 

•  Educate users that share a computer to assign NTFS permissions to the folders and

files that they own. 

•  Damage to program files is usually a result of accidents and viruses.  To prevent

this type of file damage, assign the Read permission to all user accounts, including

Administrator, for program files.  By doing so, you prevent users and viruses from

modifying or deleting files.

•  Use the %Username% variable to create home folders, this simplifies administration

by automatically assigning each user the NTFS permission Full Control for his or her home

folder. 

•  Assign the Creator Owner group the Full Control permission for Data folders.  This gives

users the Full Control permission for only the folders or files that they create in the Data

folder. 

•  Use long, descriptive names if the resource will only be accessed locally.  If a

folder will eventually be shared, then use folder and file names that are accessible by all

client computers.