Managing NTFS Permissions summary


       Chapter 4, Managing NTFS Permissions
|1|        Chapter Overview

                  A.      Understanding NTFS Permissions

                  B.      Assigning NTFS Permissions

                  C.      Assigning Special Permissions

       Chapter 4, Lesson 1
|2|     Understanding NTFS Permissions

       1.    Introduction

                  A.      NTFS permissions are rules associated with file system objects (such as files and folders) that specify which users can access an object and in what manner.

|3|     2.    Understanding NTFS Permissions

                  A.      After sharing the drives on a computer running Windows 2000 Server, administrators can use NTFS permissions to control access to files and folders on NTFS volumes.

                  B.      NTFS permissions are available only on NTFS volumes—they are not available on volumes formatted with the file allocation table (FAT) or FAT32 file systems.

                  C.      Unlike share permissions, NTFS permissions are effective whether a user accesses a file or folder locally or over the network.

                           1.       Share permissions only control access to resources over the network.

                  D.      NTFS permissions you assign for folders are different from the NTFS permissions you assign for files.

|4|               E.      Controlling access to NTFS folders

                           1.       NTFS folder permissions control the access that users have to folders and to the files and subfolders in the folder.

                           2.       Administrators typically assign NTFS permissions to folders rather than files because it is easier to assign permissions to one folder than to the multiple individual files within the folder.

                           3.       Standard NTFS folder permissions

|5|     

                                     a.       Full Control: change folder permissions, take ownership of folders, and delete subfolders and files, plus perform the actions permitted by all of the other NTFS folder permissions

                                     b.       Modify: delete the folder, plus perform all actions permitted by the Write permission and the Read & Execute permission

                                     c.       Read & Execute: browse through folders to reach other files and folders, even if the user does not have permission to access those folders, and perform all actions permitted by the Read permission and the List Folder Contents permission

                                     d.       List Folder Contents: see the names of files and subfolders in the folder

                                     e.       Read: see the files and subfolders in the folder and view the folder ownership, permissions, and file system attributes (such as Read-Only, Hidden, Archive, and System)

                                     f.       Write: create new files and subfolders within the folder, change the folder attributes, and view the folder ownership and permissions

                           4.       In addition to assigning NTFS permissions, you can also explicitly deny NTFS folder permissions to a user or group.

                                     a.       Denying permissions overrides the permission assignments a user or group has inherited from a parent folder.

                                     b.       When you deny a user or group Full Control, the user or group is denied all access to the folder.

                  F.      Controlling access to NTFS files

|6|     

                           1.       NTFS file permissions enable you to control access to specific files.

                           2.       Standard NTFS file permissions

                                     a.       Full Control: change file permissions and take ownership of files, plus perform the actions permitted by all of the other NTFS file permissions

                                     b.       Modify: modify and delete the file, plus perform all of the actions permitted by the Write permission and the Read & Execute permission

                                     c.       Read & Execute: run applications, plus perform all of the actions permitted by the Read permission

                                     d.       Read: read the file and view the file’s attributes, ownership, and permissions

                                     e.       Write: overwrite the file, change the file’s attributes, and view the file’s ownership and permissions

|7|     3.    What Is an Access Control List?

                  A.      NTFS stores an access control list (ACL) with every file and folder on an NTFS volume.

                  B.      The ACL lists all user accounts and groups that have been granted or denied access to the file or folder and the type of access that they have been granted or denied.

                  C.      When a user attempts to access a resource, the ACL must contain an entry (called an access control entry, or ACE) for the user account or a group the user belongs to.

                           1.       The ACE must permit the type of access that is requested by the user.

                           2.       If no such ACE exists in the ACL, the user cannot access the resource.

|8|     4.    Managing Multiple NTFS Permissions

                  A.      A user account can receive NTFS permissions to a file or folder from more than one source at the same time.

                           1.       For example, a user can receive permissions to a file or folder by having them assigned to the individual user account and to each group the user is a member of.

                  B.      Special rules and priorities determine how NTFS combines multiple permissions.

|9|               C.      Permissions are cumulative.

                           1.       A user’s effective permissions for a file or folder are the sum of the NTFS permissions assigned to the individual user account for that resource and to all of the groups the user belongs to.

                           2.       For example, if a user has the Read permission for a folder and is a member of a group with the Write permission for the same folder, the user has both Read and Write access to that folder.

|10|              D.      File permissions override folder permissions.

                           1.       NTFS file permissions take priority over NTFS folder permissions.

                           2.       It is possible for a user to have permission to a file, but not to the folder that contains the file.

                                     a.       In this case, the user can access the file even though he or she cannot access the folder.

                                     b.       The user cannot browse for the folder, so the user needs to specify the file’s full Universal Naming Convention (UNC) or local path to open the file.

|11|              E.      Deny overrides other permissions.

                           1.       You can explicitly deny a user or group permission to access a specific file or folder, but this is not a recommended method for controlling access to resources.

                           2.       The deny permission takes precedence over and overrides all other permissions.

                           3.       Even if the user has permission to access a resource, if the user is a member of any group that is denied access to the resource, access is denied.
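The rules in sections 3 and 4 can be checked with a small model of the ACL walk. This is an added example, not part of the original outline: the four rights, the account names and the group names are constructed, and it assumes deny entries are ordered ahead of allow entries, which is what produces the deny-overrides rule stated above.

```python
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    # Constructed, simplified rights; these are not the real NTFS mask values.
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8


@dataclass(frozen=True)
class Ace:
    trustee: str    # user account or group named in the entry
    allow: bool     # True = Allow check box, False = Deny check box
    rights: Right


def canonical(acl):
    """Order the entries so that deny ACEs are evaluated before allow ACEs."""
    return sorted(acl, key=lambda ace: ace.allow)  # False sorts first, stable


def access_check(acl, user, groups, desired):
    """Walk the ACL for one request; True only if every desired right is allowed."""
    identities = {user, *groups}
    remaining = desired
    for ace in canonical(acl):
        if ace.trustee not in identities:
            continue                      # entry is for someone else
        if not ace.allow:
            if ace.rights & remaining:
                return False              # a deny entry covers a requested right
        else:
            remaining &= ~ace.rights      # allows accumulate across user and groups
            if not remaining:
                return True
    return False                          # no ACE granted the request


def effective_rights(acl, user, groups):
    """Every right the caller would be granted if it were requested on its own."""
    result = Right(0)
    for right in Right:
        if access_check(acl, user, groups, right):
            result |= right
    return result


# Constructed sample ACLs. The folder and the file each carry their own ACL.
FOLDER_ACL = [
    Ace("Sales", True, Right.READ),
    Ace("alice", True, Right.WRITE),
    Ace("Editors", True, Right.WRITE),
    Ace("Contractors", False, Right.WRITE),
]
FILE_ACL = [Ace("dave", True, Right.READ)]   # dave is not listed on the folder

if __name__ == "__main__":
    # Cumulative: alice's own Write plus the Sales group's Read.
    print(effective_rights(FOLDER_ACL, "alice", {"Sales"}))
    # Deny overrides: Editors allows Write, Contractors denies it.
    print(effective_rights(FOLDER_ACL, "bob", {"Sales", "Editors", "Contractors"}))
    # No matching ACE: no access at all.
    print(effective_rights(FOLDER_ACL, "carol", set()))
    # File permission without folder permission: the file's own ACL decides.
    print(access_check(FILE_ACL, "dave", set(), Right.READ),
          access_check(FOLDER_ACL, "dave", set(), Right.READ))
```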

|12|   

|13|    5.    NTFS Permissions Inheritance

                  A.      By default, NTFS permissions assigned to a parent folder are inherited by (and propagated to) the subfolders and files contained in the parent folder.

                  B.      It is possible to prevent permissions inheritance.

|14|   

|15|              C.      Understanding permissions inheritance

                           1.       Files and subfolders can inherit permissions from their parent folder.

                           2.       By default, when you assign NTFS permissions to grant a user or group access to a folder, because of inheritance rules you are also assigning that user or group the same access to any existing files and subfolders in that folder, as well as to any new files and subfolders created in the folder.

|16|              D.      Preventing permissions inheritance

                           1.       You can set an option that prevents a file or folder from inheriting any permissions from its parent folder.

                           2.       If you block the permissions inheritance for a folder, that folder becomes the top parent folder, and permissions that you assign to that folder are still inherited by the subfolders and files that it contains.

       6.    Lesson Review

                  A.      The lesson review questions are located on pages 106–7 of the textbook.

|17|    7.    Lesson Summary

                  A.      NTFS permissions control access to files and folders on NTFS volumes.

                  B.      NTFS permissions are cumulative.

                  C.      You can deny permissions as well as allow them; denied permissions always take precedence over allowed permissions.

                  D.      Files and subfolders can inherit permissions from their parent folder.

 

       Chapter 4, Lesson 2
|18|    Assigning NTFS Permissions

       1.    Introduction

                  A.      Assess the needs of your users and groups.

                  B.      Devise a permission strategy to provide for those needs.

|19|    2.    Planning NTFS Permissions

                  A.      Develop a method for assigning permissions and use it consistently throughout your enterprise.

                  B.      Make sure all administrators understand and use the same method.

|20|              C.      Guidelines for assigning NTFS permissions

                           1.       Turn off the permissions inheritance for users’ home folders so that users can set their own permissions for files and folders in their home folders.

                           2.       When assigning permissions for public data folders, assign the Read & Execute permission and the Write permission to the groups containing users, and assign the Full Control permission to the CREATOR OWNER identity group.

                           3.       Deny permissions only when absolutely necessary.

|21|    3.    Setting NTFS Permissions

                  A.      When you format a volume with NTFS, Windows 2000 assigns the Full Control permission to the Everyone group by default.

                  B.      You should consider changing this default permission and assigning other appropriate NTFS permissions to control access to file system resources.

                  C.      Be careful in assigning permissions to the Everyone group and enabling the Guest account.

                           1.       Windows 2000 authenticates as Guest any user who does not have a valid user account; the user receives all of the rights and permissions assigned to the Everyone group.

                           2.       If you decide to remove permissions from the Everyone group, first ensure that other users have Full Control permission over the resources you are modifying.

|22|              D.      Assigning or modifying permissions

                           1.       Administrators, users with the Full Control permission, and owners of the file or folder can assign or modify NTFS permissions for the file or folder by using Windows Explorer.

                                     a.       In Windows Explorer, right-click the file or folder that you want to assign permissions for, and then select Properties from the menu that is displayed.

                                     b.       Click the Security tab, configure the options, and then click OK.

|23|   

                           2.       Security tab options

                                     a.       Name: contains the user accounts, groups, and special entities that have been assigned permissions to the folder. Select the entry that you want to change permissions for or remove from the list.

                                     b.       Permissions: displays the currently configured permissions for the entry selected in the Name list. To allow a permission, select the Allow check box. To deny a permission, select the Deny check box. Check boxes that are selected but shaded represent inherited permissions.

                                     c.       Add: opens the Select Users, Computers, Or Groups dialog box, which you use to select user accounts and groups to add to the Name list

                                     d.       Remove: removes from the Name list the selected user account, group, or special entity and its associated permissions for the file or folder

                                     e.       Advanced: opens the Access Control Settings dialog box, which you use to add, remove, view, or edit special permissions for selected user accounts and groups

                                     f.       Allow Inheritable Permissions From Parent To Propagate To This Object: specifies whether permissions for this object are affected by inheritance from parent objects

|24|              E.      Preventing permissions inheritance

                           1.       By default, subfolders and files inherit the permissions that are assigned to their parent folder.

                           2.       This inheritance is indicated by a check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the Security tab of the Properties dialog box.

                                     a.       If any of the Allow or Deny check boxes on this tab are selected and shaded (grayed out), the permissions for the file or folder are inherited from the parent folder.

                                     b.       To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the Security tab of the Properties dialog box for the subfolder or file, and then select one of the following options:

|25|   

                                              (1)     Copy: copies the permissions from the parent folder to the current folder but prevents all subsequent permissions inheritance

                                              (2)     Remove: removes the permissions that are assigned to the parent folder and retains only the permissions that you explicitly assign to the file or folder

                                              (3)     Cancel: cancels the dialog box, restoring normal permissions inheritance for the file or folder
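The difference between Copy and Remove, and the rule that a blocked folder becomes the new top parent, shown as an added example that is not part of the original outline. It is a simplified model in which every ACE is inheritable; the folder, user and group names are constructed.

```python
class Folder:
    """A folder with explicit ACEs and an inheritance switch (simplified model)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.explicit = []      # ACEs assigned directly: (trustee, type, permission)
        self.inherits = True    # the "Allow Inheritable Permissions..." check box

    def inherited(self):
        """ACEs that flow down from the chain of parents, nearest parent first."""
        if not self.inherits or self.parent is None:
            return []
        return self.parent.explicit + self.parent.inherited()

    def acl(self):
        return self.explicit + self.inherited()

    def block_inheritance(self, choice):
        """Clear the check box and answer the Copy / Remove / Cancel prompt."""
        if choice == "cancel":
            return                                  # check box stays selected
        if choice == "copy":
            # Inherited ACEs become explicit ACEs on this folder.
            self.explicit = self.explicit + self.inherited()
        elif choice != "remove":
            raise ValueError(f"unknown choice: {choice}")
        self.inherits = False


def lockout_risk(folder):
    """True when no allow ACE is left, so no user or group is granted access."""
    return not any(kind == "allow" for _, kind, _ in folder.acl())


def demo():
    # Constructed tree: Data > Home > Docs, and Data > Scratch.
    data = Folder("Data")
    data.explicit.append(("Users", "allow", "Read"))
    home = Folder("Home", data)
    home.explicit.append(("alice", "allow", "Full Control"))
    docs = Folder("Docs", home)
    scratch = Folder("Scratch", data)

    before = docs.acl()                  # Docs inherits from Home and from Data
    home.block_inheritance("copy")       # keeps a snapshot of the inherited ACEs
    scratch.block_inheritance("remove")  # keeps only explicit ACEs (there are none)
    data.explicit.append(("Guests", "allow", "Read"))   # later change on Data
    return before, home, docs, scratch


if __name__ == "__main__":
    before, home, docs, scratch = demo()
    print("Docs before:", before)
    print("Home after Copy:", home.acl())
    print("Docs after Copy on Home:", docs.acl())
    print("Scratch after Remove:", scratch.acl(), "lockout:", lockout_risk(scratch))
```

After Remove, check that the object still has at least one allow entry for whoever is meant to administer it.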

       4.    Lesson Review

                  A.      The lesson review questions are located on page 116 of the textbook.

|26|    5.    Lesson Summary

                  A.      When planning NTFS permissions, create a strategy and apply it throughout your enterprise.

                  B.      Assign NTFS permissions to a file or folder by using the Security tab in the file or folder’s Properties dialog box in Windows Explorer.

                  C.      To block permissions inheritance, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

 

       Chapter 4, Lesson 3
|27|    Assigning Special Permissions

       1.    Introduction

                  A.      The standard NTFS permissions generally provide all of the access control that you need to secure your file system resources.

                  B.      If you need a more specific level of access, you can assign NTFS special permissions.

|28|    2.    Understanding Special Permissions

                  A.      Standard permissions are preconfigured combinations of more granular permissions, called special permissions.

                  B.      Special permissions give the administrator an additional level of access control.

|29|              C.      NTFS special permissions for files and folders

                           1.       Traverse Folder/Execute File: Traverse Folder grants or denies users or groups the ability to move through folders that the user does not have permission to access and to reach files or folders that the user does have permission to access (applies only to folders). Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. Execute File allows or denies users or groups the ability to run program files (applies only to files).

                           2.       List Folder/Read Data: List Folder grants or denies users or groups the ability to view the filenames and subfolder names within the folder (applies only to folders). Read Data grants or denies users or groups the ability to view data in files (applies only to files).

                           3.       Read Attributes: grants or denies users or groups the ability to view the file system attributes of a file or folder, such as read-only and hidden.

                           4.       Read Extended Attributes: grants or denies users or groups the ability to view the extended attributes of a file or folder. Extended attributes are defined by programs and can vary.

                           5.       Create Files/Write Data: Create Files grants or denies users or groups the ability to create files within the folder (applies only to folders). Write Data grants or denies users or groups the ability to make changes to the file and overwrite existing content (applies only to files).

                           6.       Create Folders/Append Data: Create Folders grants or denies users or groups the ability to create folders within a folder (applies only to folders). Append Data grants or denies users or groups the ability to make changes to the end of the file but not to change, delete, or overwrite existing data (applies only to files).

                           7.       Write Attributes: grants or denies users or groups the ability to change the file system attributes of a file or folder, such as read-only or hidden.

                           8.       Write Extended Attributes: grants or denies users or groups the ability to change the extended attributes of a file or folder. Extended attributes are defined by programs and can vary.

                           9.       Delete Subfolders And Files: grants or denies users or groups the ability to delete subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

|30|                       10.     Delete: grants or denies users or groups the ability to delete the file or folder. A user or group can still delete a file or folder, despite not having the Delete permission, if the user or group has been granted the Delete Subfolders And Files permission for the parent folder.

                           11.     Read Permissions: grants or denies users or groups the ability to read the permissions for the file or folder, such as Full Control, Read, and Write.

                           12.     Change Permissions: grants or denies users or groups the ability to change the permissions for the file or folder, such as Full Control, Read, and Write.

                           13.     Take Ownership: grants or denies users or groups the ability to take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions protecting the file or folder.

                           14.     Synchronize: grants or denies different threads the ability to use a file or folder and synchronize with another thread that might request it. This permission applies only to multithreaded, multiprocess programs.

|31|              D.      To assign special permissions, use the Permission Entry dialog box for the file or folder.

                           1.       To access this dialog box, in Windows Explorer, open the Properties dialog box for the file or folder, click the Security tab, and then click Advanced. Then select an entry in the Permission Entries list and click View/Edit to display the special permissions for the user or group.

                  E.      You control the special permissions assigned to a user or group by selecting the Allow or Deny check boxes for each permission, the same as for standard permissions.

                  F.      Table 4.8 on page 120 of the textbook lists the combinations of NTFS special permissions that make up each of the standard NTFS file and folder permissions.

|32|              G.     Assigning Change Permissions

                           1.       When this special permission is assigned to a user for a file or folder, the user can modify the permissions for the file or folder but cannot delete or write to the file or folder.

                           2.       This permission is often assigned to other administrators because it lets them control access to the file or folder.
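Each special permission listed above corresponds to one bit of the access mask stored in an ACE, so a raw mask from an ACL dump can be decoded back into these names. This is an added example, not part of the original outline: the bit values are the standard Windows file access-mask constants, which this outline does not list, and the helper function names are hypothetical.

```python
# Access-mask bit for each special permission (Windows file access rights).
SPECIAL = {
    0x000001: "List Folder/Read Data",
    0x000002: "Create Files/Write Data",
    0x000004: "Create Folders/Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder/Execute File",
    0x000040: "Delete Subfolders And Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
    0x100000: "Synchronize",
}

# Masks of four standard permissions, as combinations of the bits above.
FULL_CONTROL = 0x1F01FF
MODIFY = 0x1301BF
READ_AND_EXECUTE = 0x1200A9
READ = 0x120089

DELETE = 0x010000
DELETE_CHILD = 0x000040          # Delete Subfolders And Files
READ_PERMISSIONS = 0x020000
CHANGE_PERMISSIONS = 0x040000


def decode(mask):
    """Names of the special permissions set in an access mask."""
    names = [name for bit, name in SPECIAL.items() if mask & bit]
    unknown = mask & ~sum(SPECIAL)       # bits outside the 14 special permissions
    if unknown:
        names.append(f"unknown bits 0x{unknown:X}")
    return names


def can_delete(object_mask, parent_mask):
    """Delete on the object, or Delete Subfolders And Files on its parent folder."""
    return bool(object_mask & DELETE or parent_mask & DELETE_CHILD)


def can_change_permissions(mask, is_owner=False):
    """The owner can always change permissions; others need Change Permissions."""
    return is_owner or bool(mask & CHANGE_PERMISSIONS)


if __name__ == "__main__":
    # What Full Control adds on top of Modify.
    print(decode(FULL_CONTROL & ~MODIFY))
    # A user with only Read on a file can still delete it if the parent
    # folder grants Delete Subfolders And Files (here via Full Control).
    print(can_delete(READ, FULL_CONTROL), can_delete(READ, MODIFY))
    # A delegated grant of Change Permissions alone: no write, no delete.
    delegated = CHANGE_PERMISSIONS | READ_PERMISSIONS
    print(decode(delegated), can_delete(delegated, READ))
```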

|33|              H.      Using the Take Ownership permission

                           1.       This special permission allows users or groups to take over the ownership of files or folders.

                           2.       Those who can take ownership of a file or folder include

                                     a.       The current owner of the file or folder

                                     b.       Any user with the Full Control permission for the file or folder

                                     c.       Any user who is assigned the Take Ownership special permission for the file or folder

                                     d.       Administrators can always take ownership of any file or folder, regardless of assigned permissions.

                           3.       Taking ownership of a file or folder might be necessary if a user leaves the company and no one else has permissions to the file or folder.

                                     a.       An administrator can take ownership of the file or folder and then assign permissions to the user’s replacement.

                           4.       You cannot assign anyone ownership of a file or folder. The Take Ownership permission does not give a user ownership; the user must explicitly take ownership of the file or folder.

|34|                       5.       To take ownership of a file or folder:

                                     a.       Open Windows Explorer and browse to the file or folder that you want to take ownership of.

                                     b.       Right-click the file or folder, and then click Properties.

                                     c.       Click the Security tab, and then click Advanced to open the Access Control Settings dialog box for the file or folder.

                                     d.       Click the Owner tab.

                                     e.       Select your name in the Change Owner To list. If you also want to take ownership of all subcontainers and objects, select the Replace Owner On Subcontainers And Objects check box.

                                     f.       Click OK, and then click OK again to close the Properties dialog box.

|35|                       6.       Assigning special permissions

                                     a.       Open Windows Explorer and browse to the file or folder that you want to assign special permissions to.

                                     b.       Right-click the file or folder, and then click Properties.

                                     c.       Click the Security tab, and then click Advanced to open the Access Control Settings dialog box for the file or folder. In this dialog box, you can view the permissions assigned to the file or folder.

                                     d.       Using the check box, specify whether you want inheritable permissions from parent folders to be inherited by the folder you are configuring.

                                     e.       Using the check box, specify whether you want to reset the permissions on all child objects so that they can inherit permissions from the folder you are configuring.

                                     f.       In the Permission Entries list, select the user or group you want to assign special permissions to, and then click View/Edit to open the Permission Entry dialog box.

                                              (1)     To assign permissions to a user or group not listed in the Permission Entries list, click Add, select a user or group, and then click OK.

                                     g.       In the Apply Onto drop-down list, specify the combination of folders, subfolders, and files you want to receive the special permissions you are assigning.

                                     h.       Select the Allow or Deny check boxes for the special permissions you want to assign to the file or folder for the user or group you selected.

                                     i.       Click OK to assign the permissions and return to the Access Control Settings dialog box.

       3.    Lesson Review

                  A.      The lesson review questions are located on page 126 of the textbook.

|36|    4.    Lesson Summary

                  A.      Special permissions provide more granular control than standard NTFS permissions do.

                  B.      Standard permissions are preconfigured combinations of special permissions.

                  C.      Two important special permissions are the Change Permissions and Take Ownership special permissions.

                  D.      You assign special permissions and take ownership of a file or folder by using the Access Control Settings dialog box.

Source: http://highered.mheducation.com/sites/dl/free/0074567890/60794/Ch04.doc

Web site to visit: http://highered.mheducation.com

Author of the text: not indicated on the source document of the above text
