1

Chapter Overview

Understanding and Applying NTFS Permissions

Assigning NTFS Permissions and Special Permissions

Solving Permissions Problems

2

Introduction to NTFS Permissions

NT file system (NTFS) permissions specify Who can access folders and files What they can do with the contents

NTFS permissions are available only on NTFS volumes.

NTFS permissions provide security for Local access Over the network access

3

Managing NTFS Permissions

The following can assign NTFS permissions: Administrators Owners of files and folders Users with the Full Control permission

4

NTFS Folder Permissions

Read Write List Folder Contents Read & Execute Modify Full Control

5

NTFS File Permissions

Read Write Read & Execute Modify Full Control

6

Access Control List

NTFS stores an access control list (ACL) with every file and folder.

Each ACL contains A list of all user accounts and groups

granted access The type of access each user and group has

been granted An access control entry (ACE) for a user

account or a group

7

Effective Permissions You can assign multiple permissions to a

user account and to each group the user is a member of.

A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign To a user account To all groups the user belongs to

A user’s permissions are said to be cumulative because they are the sum of the user’s permissions.

8

Overriding Folder Permissions with File Permissions NTFS file permissions take priority over NTFS folder

permissions. A user with the appropriate permissions can access a file

even if that user does not have permission to access the folder containing the file.

The Bypass Traverse Checking security permission allows a user to access a file even if the user does not have corresponding folder permissions.

The folder that contains the file is invisible if the user does not have corresponding folder permissions.

To gain access to the file, a user can do one of the following:

Use the full Universal Naming Convention (UNC). Use the local path to open the file from its respective

application.

9

Overriding Permissions with Deny

You can deny permissions to a user account or group for a specific file or folder.

Deny overrides all instances in which that permission is allowed.

Denying permissions is not the recommended way to control access to resources.

10

NTFS Permissions Inheritance By default, the parent folder’s permissions

are propagated to Any existing subfolders and files in the parent

folder Any files or folders created in the parent folder

You can prevent permissions inheritance. The folder for which you prevent permissions

inheritance becomes the new parent folder. The subfolders and files in the new parent

folder inherit the permissions from the new parent folder.

11

Simplify Administration of Permissions Group files into application, data, and home

folders. Centralize home and public folders on one

separate volume. Assign permissions only to folders, not to files. Isolate applications and the operating system

on a different volume. Back up only home and public folders. Do not back up applications or the operating

system. Deny permissions only when it is essential.

12

Minimize NTFS Permission Assignments Allow only the required level of access. Create groups according to the access

required for resources. Assign the appropriate permissions to

the group. Avoid assigning permissions to

individual user accounts. Encourage users to assign permissions

to the folders they create.

13

Assign Permissions for Data or Application Folders

Assign the Read & Execute permission to The Users group The Administrators group

14

Assign Permissions for Public Data Folders

Assign the Read & Execute and the Write permissions to the Users group.

Assign the Full Control permission to the CREATOR OWNER user.

15

Setting NTFS Permissions

16

Granting or Denying Special Permissions

1. In the folder Properties dialog box, click Advanced to display the Advanced Security Settings dialog box.

2. Select the user or group for which you want to modify the Special Permission settings, and then click Edit.

3. In the Permission Entry For dialog box, select Allow or Deny for each of the special permissions you want to modify.

17

Taking Ownership The current owner or a user with the Full

Control permission can assign a user The Full Control standard permission The Take Ownership permission

That user can now take ownership of the assigned file or folder.

An administrator can take ownership of the file or folder regardless of the assigned permission.

No one, not even the owner or the administrator, can assign ownership of a file or folder to anyone else.

18

Preventing Permissions Inheritance By default, subfolders and files inherit

permissions from parent folders. Clear the Allow Inheritable Permissions

From Parent To Propagate To This Object check box.

Select one of the following options: Copy Remove Cancel

19

Introduction to Solving Permissions Problems When you copy or move files and folders, the

permission you set on the files or folders might change.

Specific rules control how and when permissions change.

Understanding these rules helps you solve permissions problems.

Troubleshooting these permission problems is important to keep resources available for the appropriate users and protect them from unauthorized users.

20

Copying Files and Folders

21

Moving Files or Folders Within a Single NTFS Volume

The file or folder retains the original permissions.

You must have the Write permission for the destination folder.

You must have the Modify permission for the source file or folder.

The owner of the file or folder does not change.

22

Moving Files or Folders Between NTFS Volumes

23

Troubleshooting Permissions Problems

A user cannot gain access to a file or folder.

You add a user account to a group to give the user access to a file or folder, but the user still cannot gain access.

A user with the Full Control permission to a folder deletes a file in the folder and you want to prevent the user from deleting more files.

24

Avoiding NTFS Permissions Problems Assign the most restrictive NTFS permissions. Assign all permissions at the folder level. For all application-executable files, assign

The Read & Execute and Change permissions to the Administrators group

The Read & Execute permission to the Users group Assign the Full Control permission to

CREATOR OWNER for public data folders. Allow permissions rather than deny

permissions.

25

Chapter Summary NTFS permissions specify what type of access

users and groups have to files and folders. NTFS file permissions take priority over NTFS

folder permissions. Use the Security tab of the Properties dialog

box of a file or folder to assign or modify NTFS permissions.

By default, subfolders and files inherit permissions from their parent folders.

When you copy or move files and folders, the permissions you set on them might change.