
NTFS Permissions Intro

Posted On 2007-04-03 by FortyPoundHead
Tags: Security Tutorial Windows


NTFS Permissions
Use NTFS permissions to specify which users and groups can gain access to files and folders, and what they can do with the contents of the file or folder. NTFS permissions are only available on NTFS volumes. The permissions you assign for folders are different from the permissions you assign for files.

You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folder.

The table below lists the standard NTFS folder and file permissions that you can assign and the type of access that each provides.

NTFS Folder Permissions

Permission              Allows the user to
----------------------  ---------------------------------------------------------------
Full Control            Change permissions, take ownership, and delete subfolders and files, plus perform the actions permitted by all other NTFS folder permissions
Modify                  Delete the folder, plus perform the actions permitted by the Write and Read & Execute permissions
Read & Execute          Move through folders to reach other files and folders, even if the user has no permission on those folders, plus perform the actions permitted by the Read and List Folder Contents permissions
List Folder Contents    See the names of files and subfolders in the folder
Read                    See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-only, Hidden, Archive, and System)
Write                   Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

Two practical notes on this table. The traverse behaviour listed under Read & Execute is only enforced for accounts that lack the "Bypass traverse checking" user right, which Windows grants to Everyone by default, so in practice a user who knows the full path can reach an object inside a folder they cannot list. List Folder Contents grants the same rights as Read & Execute; the difference is that it is inherited only by subfolders, not by files.

NTFS File Permissions

Permission              Allows the user to
----------------------  ---------------------------------------------------------------
Full Control            Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
Modify                  Modify and delete the file, plus perform the actions permitted by the Write and Read & Execute permissions
Read & Execute          Run applications, plus perform the actions permitted by the Read permission
Read                    Read the file, and view file attributes, ownership, and permissions
Write                   Overwrite the file, change file attributes, and view file ownership and permissions


Multiple NTFS Permissions

A user account ends up with multiple permissions on a resource when permissions are assigned both to the individual user account and to one or more groups of which the user is a member.

Permissions Are Cumulative

A user's effective permissions for a resource are the sum of the NTFS permissions assigned to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder. The one exception is an explicit Deny entry: a Deny assigned to the user, or to any group the user belongs to, removes those rights no matter what the Allow entries grant.
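The cumulative rule is easy to apply by hand for one user and one group, but real ACLs carry a dozen entries. The PowerShell function below is an added example, not code from the original article: it reads an object's ACL, keeps only the entries that name the user or one of the user's groups, ORs the Allow bits together, subtracts any explicit Deny bits, and then reports which of the standard permissions from the tables above the result covers. The path and principal names in the usage call are assumptions.

```powershell
# Added example (not from the original article): compute a user's effective
# NTFS permissions on one object by combining every ACE that names the user
# or one of the user's groups. Allow entries are OR'd together and explicit
# Deny entries are then subtracted, because a Deny wins over an Allow.
# Assumptions: the path and the principal names below are illustrative.

function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # The user account and every group the user belongs to, written as
        # they appear in the ACL (DOMAIN\Name, BUILTIN\Users, Everyone ...).
        # "whoami /groups", run as that user, lists them.
        [Parameter(Mandatory)] [string[]] $Identities
    )

    $acl = Get-Acl -LiteralPath $Path
    [int]$allowed = 0
    [int]$denied  = 0

    foreach ($ace in $acl.Access) {
        # Skip entries for principals the user is not (match is case-insensitive).
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }

        # Inherit-only entries apply to children, not to this object itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }

        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } else {
            $denied = $denied -bor [int]$ace.FileSystemRights
        }
    }

    # Cumulative rule: union of all Allow bits, minus anything explicitly denied.
    [int]$effective = $allowed -band (-bnot $denied)

    # Map the bitmask back onto the standard permissions shown on the Security
    # tab. List Folder Contents has the same mask as Read & Execute; the GUI
    # tells them apart only by the ACE's inheritance flags, so it is omitted.
    $standard = [ordered]@{
        'Full Control'   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
        'Modify'         = [int][System.Security.AccessControl.FileSystemRights]::Modify
        'Read & Execute' = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        'Read'           = [int][System.Security.AccessControl.FileSystemRights]::Read
        'Write'          = [int][System.Security.AccessControl.FileSystemRights]::Write
    }
    $covered = foreach ($name in $standard.Keys) {
        if (($effective -band $standard[$name]) -eq $standard[$name]) { $name }
    }

    [pscustomobject]@{
        Path      = $Path
        Allowed   = [System.Security.AccessControl.FileSystemRights]$allowed
        Denied    = [System.Security.AccessControl.FileSystemRights]$denied
        Effective = [System.Security.AccessControl.FileSystemRights]$effective
        Standard  = if ($covered) { $covered -join ', ' } else { 'Special permissions only' }
    }
}

# Usage (hypothetical path and principals). If bangdm holds Read directly and
# Write through JLAB\CCC, the Standard column reads "Read, Write".
Get-EffectiveNtfsRights -Path 'D:\Shares\cctest' -Identities @(
    'JLAB\bangdm', 'JLAB\CCC', 'BUILTIN\Users', 'Everyone'
)
```

This is the same calculation the Effective Permissions tab performs on Windows XP and later. It covers NTFS only: access over a share is further limited by the share permissions, and the owner of an object always holds Read Permissions and Change Permissions on it even when no ACE grants them.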

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder.

Understanding Permissions Inheritance

Files and subfolders can inherit permissions from their parent folder. Whatever permissions you assign to the parent folder also apply to the subfolders and files it contains, as long as inheritance is enabled on those objects. When you assign NTFS permissions to a folder, you therefore assign them to the folder itself, to any existing files and subfolders, and to any new files and subfolders created in it later.

Preventing Permissions Inheritance

You can stop the permissions assigned to a parent folder from being inherited by the subfolders and files within it by disabling inheritance on those objects. Those subfolders and files then no longer receive permissions assigned to the parent folder that contains them.

If you prevent permissions inheritance for a folder, that folder becomes the top parent folder. Permissions assigned to it are inherited by the subfolders and files it contains.



Examples

When users request an NT style group area, it is created on FS1. You can reach that machine by browsing through Network Neighborhood, or by choosing Start, Run and typing \\fs1

When the Computer Center creates an NT style group area, the only person who can access that directory at first is the person who requested it. For instance, if user BANGDM requested an NT style area called cctest, then initially BANGDM is the only person who can access that area. You can view the permission settings from Windows 2000/XP, but not from Windows NT. The following example was done on FS2 instead of FS1, but the concept is the same.

Figure: the folder's Security properties as shown by NT 4.0, and as shown by Windows 2000/XP.

As expected, user 'bangdm' is the only one who can access this directory. If another user tries to access it, access is denied.

The owner of this directory, bangdm, needs to add the other group members to the access control list (ACL). We added the JLAB\CCC group and granted it access. Then click the Advanced... button and check 'Reset permissions on all child objects and enable propagation of inheritable permissions.' (WARNING: without this check box, members of CCC cannot read the subdirectories of \\fs2\cctest.)

The permissions you created in the previous step are called root or parent permissions. From now on, every directory or file you create under cctest gets the same permissions that were set on the parent. Directory "f1", for example, inherited its permissions from its parent, cctest.

You can, however, change a child's permissions manually so that it becomes a new parent for everything under it. Uncheck 'Allow inheritable permissions from parent to propagate to this object'. Windows then asks whether to Copy the inherited permissions onto the object or Remove them; click Remove if you want to set a different set of permissions.

The directory is now a new parent. Permissions you set on it propagate to its child objects.

IMPORTANT!!

In the step above, only the CCC group or users who are in CCC will actually gain access, because on the root directory only the CCC group and user bangdm are listed. If you want a different user to be able to access the directory f2, you also need to list that user on the root directory with a minimum of Read. For example, if you want user myung (who is not in the CCC group) to read files in \\fs2\cctest\f4\t1 only, myung must be listed with at least Read on cctest and on f4, so the path can be browsed, and with Read on t1 and the files it contains.
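The inheritance rules from the previous section and the group-area walkthrough above can be done without the Explorer dialogs. The script below is an added example, not part of the original article: it grants the group an inheritable permission on the root, resets existing children (the "Reset permissions on all child objects" checkbox), breaks inheritance on f2 with the equivalent of the Remove choice, and then lists myung on each folder down to f4\t1. It assumes D:\Shares\cctest is the local folder behind \\fs2\cctest, that the subfolders f2 and f4\t1 already exist, and that JLAB\CCC, JLAB\bangdm and JLAB\myung exist in the domain; the exact layout used for myung is one arrangement consistent with the text, since the drawing the text refers to is not reproduced here.

```powershell
# Added example (not from the original article): the group-area walkthrough
# done with PowerShell and the .NET ACL classes instead of the Security tab.
#   1. grant the group Modify on the root with inheritable flags ("parent permission"),
#   2. reset existing children so they inherit again ("Reset permissions on all
#      child objects and enable propagation of inheritable permissions"),
#   3. break inheritance on f2 with the "Remove" choice and give it its own ACL,
#   4. let a user outside the group read f4\t1 only.
# Assumptions: D:\Shares\cctest is the local folder behind \\fs2\cctest, the
# subfolders f2 and f4\t1 already exist, and JLAB\CCC, JLAB\bangdm and
# JLAB\myung resolve in your domain. Run it as an administrator or as bangdm.

$Root  = 'D:\Shares\cctest'
$Group = 'JLAB\CCC'
$Owner = 'JLAB\bangdm'
$User  = 'JLAB\myung'

# Inheritance settings used below: "This folder only" versus
# "This folder, subfolders and files" in the Advanced dialog.
$ThisFolderOnly  = [System.Security.AccessControl.InheritanceFlags]::None
$FoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $ctorArgs = @(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# Step 1: the root ("parent") permission. Because the rule carries ContainerInherit
# and ObjectInherit, every subfolder and file created later inherits it.
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule((New-AllowRule $Group 'Modify' $FoldersAndFiles))
Set-Acl -LiteralPath $Root -AclObject $acl

# Step 2: existing children. Re-enable inheritance and drop their explicit
# entries so they carry only what the root propagates. Skipping this is the
# WARNING in the text: a child that kept an old ACL stays unreadable to CCC.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$childAcl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}

# Step 3: make f2 a new parent. SetAccessRuleProtection($true, $false) is the
# "Remove" answer to the security prompt: inherited entries are discarded rather
# than copied, so f2 and everything under it get only the rules added here.
# ($true, $true) would be the "Copy" answer.
$f2  = Join-Path $Root 'f2'
$acl = Get-Acl -LiteralPath $f2
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-AllowRule $Owner 'FullControl' $FoldersAndFiles))
$acl.AddAccessRule((New-AllowRule $Group 'ReadAndExecute' $FoldersAndFiles))
# Not in the text, but keep administrators listed when you discard inherited
# entries, or the folder can only be managed again by taking ownership.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $FoldersAndFiles))
Set-Acl -LiteralPath $f2 -AclObject $acl

# Step 4: myung is not in CCC and should read files under f4\t1 only. Following
# the IMPORTANT note, myung is listed with Read on each folder along the path.
# "This folder only" on cctest and f4 keeps f1, f2 and the rest of f4 closed;
# on t1 the entry is inheritable so the files inside are readable.
foreach ($step in @(
        @{ Path = $Root;                     Inherit = $ThisFolderOnly  },
        @{ Path = (Join-Path $Root 'f4');    Inherit = $ThisFolderOnly  },
        @{ Path = (Join-Path $Root 'f4\t1'); Inherit = $FoldersAndFiles })) {
    $acl = Get-Acl -LiteralPath $step.Path
    $acl.AddAccessRule((New-AllowRule $User 'Read' $step.Inherit))
    Set-Acl -LiteralPath $step.Path -AclObject $acl
}

# Verify: entries on f1 show IsInherited = True; the entries on f2 do not.
Get-Acl -LiteralPath (Join-Path $Root 'f1') | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

The verification at the end is the quickest way to tell a real parent from an inheriting child: an ACE with IsInherited set to False on a subfolder means somebody broke inheritance there, which is exactly the situation the IMPORTANT note warns about when access stops matching what the root directory says.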




