Windows and NTFS Permissions

Windows servers also provide a second level of security related to shared files and folders on server drives that have been formatted with NTFS. Folders and files on NTFS volumes can also be assigned NTFS permissions. This differs from share permissions, which can only be applied to drives and folders. The NTFS permission levels for folders are listed in Table 9.1.

Table 9.1. NTFS Folder Permissions

| Folder Permission | Access Level |
| --- | --- |
| Full Control | Allows the user or group to change permissions; delete the folder, subfolders and files; take ownership of the folder; and permits all other permission levels (read, write, list folders, and so on). |
| Modify | Allows modification of the folder, such as deletion of subfolders and files, and permissions related to all other lower-level permissions (read and execute, list contents, write and read). |
| Read and Execute | Navigate the folder contents (subfolders and files), execute contained executables and actions related to the list folder, and read and write permissions. |
| List Folder Contents | View the contents of the folder, such as subfolders and files in the folders. |
| Write | Create new contents in the folder, such as subfolders and files. Change the folder attributes and view the folder ownership and permissions information for the folder. |
| Read | View the files and subfolders in the folder and view other information related to the folder such as ownership, permissions, and file attributes. |

NTFS permissions can also be applied at the file level. Table 9.2 lists the NTFS file permissions available.

Table 9.2. NTFS File Permissions

| File Permission | Access Level |
| --- | --- |
| Full Control | Allows the user or group to change permissions, take ownership of the file, and exercise all other actions permitted by the other file permission levels. |
| Modify | Allows modification and deletion of the file and provides permissions related to all other lower-level permissions (read and execute, and write). |
| Read and Execute | Navigate the folder contents (subfolders and files), execute contained executables, and list folder and read and write permissions. |
| Write | Create new contents in the folder such as subfolders and files. Change the folder attributes and view the folder ownership and permissions information for the folder. |
| Read | View the files and subfolders in the folder and view other information related to the folder such as ownership, permissions, and file attributes. |

Setting NTFS permissions for a folder or a file requires two major steps. First you add the groups or users that you wish to create permissions for; then you assign the user or group the permissions.

NTFS permissions are assigned using the Security tab on the folder's or file's Properties dialog box. Figure 9.8 shows the Security tab for a shared folder on the network.

Figure 9.8. Set the NTFS permission level for a user or a group.

Notice that in Figure 9.8, Administrators are provided Full Control over a network share. On first inspection, NTFS permissions may seem as straightforward as share permissions, but they are more complex because they can be assigned to files, so a file can have different NTFS permissions than its parent folder.

NTFS permissions can also become confusing because they can be assigned to both groups and users, meaning a user may have NTFS permissions for a folder or a file that have been individually assigned as well as NTFS permissions that have been assigned to a group that the user belongs to. Some important points to keep in mind when working with NTFS permissions are:

  • NTFS permissions are cumulative; a user's final NTFS permissions are a combination of the NTFS permissions assigned to groups that the user is a member of and NTFS permissions assigned directly to the user.

  • NTFS file permissions override NTFS folder permissions. Even if a user has the NTFS permission of Full Control for a folder, if the NTFS file permissions for a file in that folder have only been set to Read, the user will only be able to read the file, not write to or modify it.

  • Permissions are inherited from parent folders; this means subfolders and files contained in a parent folder will inherit the permissions that you set for the parent folder. However, you can choose to not allow permissions to be inherited from the parent, if you wish to set different permissions for the child subdirectory or file (we discuss turning off inheritance when we discuss setting NTFS permissions later in this chapter).
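
The two-step assignment described above and the inheritance points in this list can also be carried out and checked from PowerShell. This is an added example, not part of the original text; the folder path D:\Shares\Projects and the group CONTOSO\ProjectTeam are hypothetical and must be replaced with your own.

```powershell
# Hypothetical folder and group (assumptions, not from the book).
$folder = 'D:\Shares\Projects'
$group  = 'CONTOSO\ProjectTeam'

# Step 1: name the group. Step 2: give it a permission level (Modify).
# 'ContainerInherit, ObjectInherit' lets subfolders and files inherit the entry.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -LiteralPath $folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# Review the folder's entries and whether each one is inherited.
(Get-Acl -LiteralPath $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Report subfolders and files whose permissions differ from the parent:
# either inheritance is turned off or explicit entries were added.
Get-ChildItem -LiteralPath $folder -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $explicit = @($childAcl.Access | Where-Object { -not $_.IsInherited })
    if ($childAcl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
        [pscustomobject]@{
            Path                = $_.FullName
            InheritanceDisabled = $childAcl.AreAccessRulesProtected
            ExplicitEntries     = ($explicit | ForEach-Object {
                "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}
```

Any path the last command reports is a place where a file or subfolder no longer simply follows its parent folder, which is where the confusion described above usually starts.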

A very solid understanding of both share and NTFS permissions is required before you employ them on network shares. Check the Microsoft Windows 2003 Web site at http://www.microsoft.com/windowsserver2003/. You can also consult a book that provides a more in-depth look at how you secure files and folders on a network. One resource possibility is Sams Teach Yourself Microsoft Windows Server 2003 in 24 Hours.



Absolute Beginners Guide to Networking (4th Edition)
ISBN: 0789729113
EAN: 2147483647
Year: 2002
Pages: 188
Authors: Joe Habraken
