Chapter Overview
- Understanding and Applying NTFS Permissions
- Assigning NTFS Permissions and Special Permissions
- Solving Permissions Problems

Introduction to NTFS Permissions
- NT file system (NTFS) permissions specify
  - Who can access folders and files
  - What they can do with the contents
- NTFS permissions are available only on NTFS volumes.
- NTFS permissions provide security for
  - Local access
  - Over the network access

Managing NTFS Permissions
- The following can assign NTFS permissions:
  - Administrators
  - Owners of files and folders
  - Users with the Full Control permission

NTFS Folder Permissions
- Read
- Write
- List Folder Contents
- Read & Execute
- Modify
- Full Control

NTFS File Permissions
- Read
- Write
- Read & Execute
- Modify
- Full Control

Access Control List
- NTFS stores an access control list (ACL) with every file and folder.
- Each ACL contains
  - A list of all user accounts and groups granted access
  - The type of access each user and group has been granted
  - An access control entry (ACE) for a user account or a group

Effective Permissions
- You can assign multiple permissions to a user account and to each group the user is a member of.
- A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign
  - To a user account
  - To all groups the user belongs to
- A user’s permissions are said to be cumulative because they are the sum of the user’s permissions.

Overriding Folder Permissions with File Permissions
- NTFS file permissions take priority over NTFS folder permissions.
- A user with the appropriate permissions can access a file even if that user does not have permission to access the folder containing the file.
- The Bypass Traverse Checking security permission allows a user to access a file even if the user does not have corresponding folder permissions.
- The folder that contains the file is invisible if the user does not have corresponding folder permissions.
- To gain access to the file, a user can do one of the following:
  - Use the full Universal Naming Convention (UNC).
  - Use the local path to open the file from its respective application.

Overriding Permissions with Deny
- You can deny permissions to a user account or group for a specific file or folder.
- Deny overrides all instances in which that permission is allowed.
- Denying permissions is not the recommended way to control access to resources.
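
The cumulative rule and the Deny override described above, as an added PowerShell example that is not part of the original slides. The CONTOSO account and group names are constructed, and the model is simplified: it ignores ACE ordering and inheritance and applies Deny exactly as the slides state it.

```powershell
# Simplified model of NTFS effective permissions: Allow ACEs accumulate across
# the user account and its groups, then any matching Deny ACE removes rights.
# All CONTOSO\* names below are hypothetical sample data.

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    # Building the rule object does not touch the file system or resolve the name.
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, $Type)
}

function Get-EffectiveRights {
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]]$Acl,
        [string]$User,
        [string[]]$Groups
    )
    $principals = @($User) + $Groups
    $allow = 0
    $deny  = 0
    foreach ($ace in $Acl) {
        # Skip ACEs for accounts or groups that do not apply to this user.
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny  = $deny  -bor [int]$ace.FileSystemRights }
        else                                   { $allow = $allow -bor [int]$ace.FileSystemRights }
    }
    # Deny overrides every Allow of the same right.
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

# Constructed ACL for one folder.
$acl = @(
    New-Ace 'CONTOSO\alice'   Read        Allow
    New-Ace 'CONTOSO\Sales'   Modify      Allow
    New-Ace 'CONTOSO\Interns' Write       Deny
    New-Ace 'CONTOSO\Finance' FullControl Allow   # alice is not a member
)

# The Allow ACEs for the user and for the Sales group accumulate.
Get-EffectiveRights -Acl $acl -User 'CONTOSO\alice' -Groups 'CONTOSO\Sales'

# Membership in Interns brings in the Deny ACE, which removes the write rights
# even though Sales still allows Modify.
Get-EffectiveRights -Acl $acl -User 'CONTOSO\alice' -Groups 'CONTOSO\Sales', 'CONTOSO\Interns'
```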

NTFS Permissions Inheritance
- By default, the parent folder’s permissions are propagated to
  - Any existing subfolders and files in the parent folder
  - Any files or folders created in the parent folder
- You can prevent permissions inheritance.
  - The folder for which you prevent permissions inheritance becomes the new parent folder.
  - The subfolders and files in the new parent folder inherit the permissions from the new parent folder.

Simplify Administration of Permissions
- Group files into application, data, and home folders.
- Centralize home and public folders on one separate volume.
- Assign permissions only to folders, not to files.
- Isolate applications and the operating system on a different volume.
- Back up only home and public folders.
- Do not back up applications or the operating system.
- Deny permissions only when it is essential.

Minimize NTFS Permission Assignments
- Allow only the required level of access.
- Create groups according to the access required for resources.
- Assign the appropriate permissions to the group.
- Avoid assigning permissions to individual user accounts.
- Encourage users to assign permissions to the folders they create.

Assign Permissions for Data or Application Folders
- Assign the Read & Execute permission to
  - The Users group
  - The Administrators group

Assign Permissions for Public Data Folders
- Assign the Read & Execute and the Write permissions to the Users group.
- Assign the Full Control permission to the CREATOR OWNER user.

Setting NTFS Permissions

Granting or Denying Special Permissions
1. In the folder Properties dialog box, click Advanced to display the Advanced Security Settings dialog box.
2. Select the user or group for which you want to modify the Special Permission settings, and then click Edit.
3. In the Permission Entry For dialog box, select Allow or Deny for each of the special permissions you want to modify.

Taking Ownership
- The current owner or a user with the Full Control permission can assign a user
  - The Full Control standard permission
  - The Take Ownership permission
- That user can now take ownership of the assigned file or folder.
- An administrator can take ownership of the file or folder regardless of the assigned permission.
- No one, not even the owner or the administrator, can assign ownership of a file or folder to anyone else.

Preventing Permissions Inheritance
- By default, subfolders and files inherit permissions from parent folders.
- Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
- Select one of the following options:
  - Copy
  - Remove
  - Cancel

Introduction to Solving Permissions Problems
- When you copy or move files and folders, the permissions you set on the files or folders might change.
- Specific rules control how and when permissions change.
- Understanding these rules helps you solve permissions problems.
- Troubleshooting these permission problems is important to keep resources available for the appropriate users and protect them from unauthorized users.

Copying Files and Folders

Moving Files or Folders Within a Single NTFS Volume
- The file or folder retains the original permissions.
- You must have the Write permission for the destination folder.
- You must have the Modify permission for the source file or folder.
- The owner of the file or folder does not change.

Moving Files or Folders Between NTFS Volumes

Troubleshooting Permissions Problems
- A user cannot gain access to a file or folder.
- You add a user account to a group to give the user access to a file or folder, but the user still cannot gain access.
- A user with the Full Control permission to a folder deletes a file in the folder and you want to prevent the user from deleting more files.

Avoiding NTFS Permissions Problems
- Assign the most restrictive NTFS permissions.
- Assign all permissions at the folder level.
- For all application-executable files, assign
  - The Read & Execute and Change permissions to the Administrators group
  - The Read & Execute permission to the Users group
- Assign the Full Control permission to CREATOR OWNER for public data folders.
- Allow permissions rather than deny permissions.
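
One way to check an existing folder tree against the guidance in these slides (assign permissions at the folder level, allow rather than deny, know where inheritance is blocked). This is an added PowerShell example, not part of the original slides; the function name Find-NtfsPermissionException and the demo folder are constructed for illustration.

```powershell
# Report objects under a folder tree whose ACLs go against the guidance above.
function Find-NtfsPermissionException {
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $sd = Get-Acl -LiteralPath $item.FullName

        # Inheritance blocked: this object acts as a new parent with its own ACL.
        if ($sd.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'Inheritance blocked'
                               Identity = $null; Rights = $null }
        }
        foreach ($ace in $sd.Access) {
            if ($ace.IsInherited) { continue }   # only ACEs assigned on this object
            $finding = if ($ace.AccessControlType -eq 'Deny') { 'Explicit Deny' }
                       elseif (-not $item.PSIsContainer)      { 'Permission assigned on a file' }
                       else                                   { $null }
            if ($finding) {
                [pscustomobject]@{ Path = $item.FullName; Finding = $finding
                                   Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Constructed demo tree under the temp folder (removed at the end).
$root = Join-Path $env:TEMP 'ntfs-audit-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$file = New-Item -ItemType File -Path (Join-Path $root 'report.txt') -Force

# Put an explicit Deny on the file for the current account so there is
# something for the audit to find.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -LiteralPath $file.FullName
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'Write', 'Deny')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $file.FullName -AclObject $acl

Find-NtfsPermissionException -Path $root | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```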

Chapter Summary
- NTFS permissions specify what type of access users and groups have to files and folders.
- NTFS file permissions take priority over NTFS folder permissions.
- Use the Security tab of the Properties dialog box of a file or folder to assign or modify NTFS permissions.
- By default, subfolders and files inherit permissions from their parent folders.
- When you copy or move files and folders, the permissions you set on them might change.