Configuring File and Folder Security Settings Manually


If you need or want more flexibility in how NTFS security permissions are applied, you need to be running Windows Vista Business, Enterprise, or Ultimate edition. Only these editions enable you to configure NTFS permissions in a more granular and manual fashion - literally by specifying exactly which users or groups should have access to a particular folder, and to what degree. Windows Vista Home Basic and Home Premium editions don't allow you to configure NTFS security permissions in this way.

If you are running a non-Home version of Windows Vista, two broad categories of NTFS permissions exist - those that are allowed, and those that are denied. When a particular permission is allowed, a user or group can perform the actions associated with the permission. When a specific permission is denied, the user or group cannot perform its associated actions. So, if the Administrators group is allowed Full Control over a file, and one specific user (who is also an Administrator) is explicitly denied access to the same file, all Administrators would have full control over the file, with the exception of the one user who was denied - denied permissions always trump allowed permissions.

When you open the Security tab in the properties of a file stored on an NTFS drive, you can allow or deny a number of different permissions. The following list outlines (and explains capabilities associated with) the NTFS permissions that you can assign to users and groups for a file.

  • Read. The Read permission allows users to open and view files, as well as the permissions, attributes, and ownership information associated with a file.

  • Write. The Write permission allows a user to change the contents of a file and its attributes.

  • Read & Execute. The Read & Execute permission allows users to run executable files (such as programs) and perform actions allowed by the Read permission.

  • Modify. The Modify permission allows users to modify the contents of a file or even delete it, as well as perform the actions allowed by the Read, Read & Execute, and Write permissions.

  • Full Control. The Full Control permission gives users complete control over a file including the ability to change its attributes, permissions, and even ownership details.

Note 

In addition to the standard NTFS file permissions in the preceding list, you can apply a number of special NTFS permissions that provide for an even more granular level of control over what users can and cannot do to a file stored on an NTFS drive. For example, the Read Permissions special permission allows a user to view the permissions configured for a file or folder, but nothing more. As a general rule, you'll seldom (if ever) need to configure special NTFS permissions. If you're curious about these permissions, however, you can view them by clicking the Advanced button on the Security tab, selecting a permission entry on the list, and then clicking Edit. As with files, special permissions can also be configured for folders.

Follow these steps to configure NTFS permission settings:

  1. Select Start → Computer.

  2. Browse to the file for which you want to configure NTFS security permissions. Right-click the file and select Properties.

  3. Click the Security tab. A list of the permissions currently assigned to different users and groups displays, as shown in Figure 13-4.

    Figure 13-4: Reviewing the NTFS permissions associated with a file.

    Note 

    When the permission entries associated with a file or folder are grayed out and cannot be changed, it means that they have been inherited from a parent object. For example, if you find the permission entries grayed out on the Security tab in the properties of a file, it means that permissions have actually been configured at a higher folder level.

  4. Click the Edit button, and then click the Add button. In the Select Users Or Groups window, type the name of the user or group for which you want to configure NTFS security permissions for the file, and then click OK.

  5. On the Security tab, ensure that the user or group added in the previous step is selected, and then select the check box next to the NTFS security permission that you want to grant.

  6. Click OK to apply the new permissions.

Caution 

Never change the NTFS permissions associated with system-related files or folders because doing so may render your system unstable or unable to boot. This includes the root of drives (for example, changing permissions on the Security tab for your C: drive) and the Windows, Documents And Settings, and Program Files folders. As a general rule, you should only change NTFS permissions on files or folders that you create.
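
The file steps above, together with the allow/deny rule described earlier, can also be scripted. The following PowerShell is an added example, not code from the book; the file path and the use of the current account are assumptions chosen so that the script only touches a file it creates itself.

```powershell
# Added example; the path and account are assumptions, not values from the book.
$path     = Join-Path $env:TEMP 'ntfs-demo.txt'      # constructed sample file
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Set-Content -Path $path -Value 'sample data'         # a file you created yourself

$acl = Get-Acl -Path $path

# Steps 4-5: add the account and select Read in the Allow column.
$allowRead = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Read', 'Allow')
$acl.AddAccessRule($allowRead)

# Same dialog, Deny column: Write is refused for this account.
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Write', 'Deny')
$acl.AddAccessRule($denyWrite)

# Step 6: clicking OK corresponds to writing the ACL back to the file.
Set-Acl -Path $path -AclObject $acl

# Step 3: review the entries. IsInherited = True marks the grayed-out ones
# that come from a parent folder.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Whatever Allow entries the account holds (for example, ones inherited from
# the parent folder), the Deny entry takes precedence for writes.
try {
    Add-Content -Path $path -Value 'more data' -ErrorAction Stop
    'write succeeded'
} catch {
    "write refused: $($_.Exception.Message)"
}
```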

The ability to configure NTFS permissions on individual files is handy, but if you ever need to change the permissions assigned to more than a few files, the process can be cumbersome. Thankfully, a quicker method of assigning permissions exists - when you assign NTFS permissions on the Security tab of a folder, those same permissions apply to any files and sub-folders it contains by default.

The NTFS permissions that you can apply to folders are slightly different than those associated with files, simply because files and folders are fundamentally different. The following list outlines (and explains capabilities associated with) the NTFS permissions that you can assign to users and groups for a folder.

  • Read. Allows users to view files and subfolders stored within a folder, as well as details like the folder's attributes, permissions, and ownership information.

  • Write. Enables users to add files or subfolders to a folder, change folder attributes, and view permission and ownership information.

  • List Folder Contents. Allows users to view the contents of folders and subfolders.

  • Read & Execute. Enables users to browse through a folder, even if they don't have other permissions for the folder. Additionally, it allows users to perform actions allowed by the Read and List Folder Contents permissions.

  • Modify. Allows users to delete a folder, as well as perform actions allowed by the Read, Write, and Read & Execute permissions.

  • Full Control. Gives users complete control over a folder including changing its attributes, permissions, and even ownership details.

Follow these steps to configure permission settings on a folder:

  1. Select Start → Computer.

  2. Browse to the folder for which you want to configure NTFS security permissions. Right-click the folder and select Properties.

  3. Click the Security tab. A list of the permissions currently assigned to different users and groups displays, as shown in Figure 13-5.

    Figure 13-5: Reviewing the NTFS permissions associated with a folder.

  4. Click the Edit button, and then click the Add button. In the Select Users Or Groups window, type the name of the user or group for which you want to configure NTFS security permissions for the folder, and then click OK.

  5. On the Security tab, ensure that the user or group added in the previous step is selected, and then select the check box next to the NTFS security permission that you want to grant.

  6. Click OK to apply the new permissions.

As a general rule, follow the principle of least privilege when assigning users or groups NTFS permissions on files or folders. That principle dictates that you only grant users the absolute minimum level of access that they require, and nothing more. So, if you want a user to view, but not change, a file, grant them the NTFS Allow Read permission, rather than something less restrictive like Modify or Full Control. From a security perspective, less is always more when assigning NTFS permissions.

Note 

When you configure NTFS security permissions on a folder, all files within that folder (and any subfolders) inherit the new permission settings automatically. You can change the behavior of permission inheritance by clicking the Advanced button on the Security tab in the properties of a folder, double-clicking a permission entry, and then selecting a different option from the Apply Onto drop-down menu.
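
Folder inheritance and the least-privilege rule can be checked from a script as well. The following PowerShell is an added example, not code from the book: it grants Read & Execute on a scratch folder, confirms that a file two levels down inherits the entry, and then lists every Allow entry in the tree that includes Modify-level rights. The folder tree and the use of the current account are assumptions.

```powershell
# Added example; the folder tree and account are assumptions, not from the book.
$root     = Join-Path $env:TEMP 'ntfs-folder-demo'   # constructed folder tree
$child    = Join-Path $root 'reports\q1.txt'
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

New-Item -ItemType Directory -Path (Split-Path $child) -Force | Out-Null
Set-Content -Path $child -Value 'sample data'

# "Apply Onto: This folder, subfolders and files" corresponds to these flags.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Least privilege: grant Read & Execute rather than Modify or Full Control.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'ReadAndExecute', $inherit, $propagate, 'Allow')

$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# The file in the subfolder now carries the entry with IsInherited = True.
(Get-Acl -Path $child).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Review: every Allow entry in the tree whose rights include all of Modify.
# These are the grants to question against the least-privilege rule.
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
@(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse) | ForEach-Object {
    $item = $_
    (Get-Acl -Path $item.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $modify) -eq $modify)
        } |
        Select-Object @{ Name = 'Path'; Expression = { $item.FullName } },
                      IdentityReference, FileSystemRights, IsInherited
}
```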



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
