Administering NTFS Security Permissions

To log in to a computer running Windows XP Professional, a user must supply a valid username and password. Once the user is logged in, the resources that the user can access are governed by the security permissions assigned to the user's account and to the group accounts to which the user account has been added. Computers that use NTFS as their file system are able to implement NTFS security permissions. These permissions allow administrators to define what resources users and groups are allowed to access. In addition, administrators can differentiate among different types of access.

Note 

Computers whose drives are formatted using the FAT or FAT32 file system are not able to implement NTFS security permissions and, as a result, are not able to restrict local access to computer resources. However, remote network access to local resources can be controlled using share level security. For more information on share level security, refer to "Securing Shared Drives and Folders" in Chapter 19, "Printer and Disk Sharing."

Every drive, folder, file, printer, and registry key on the computer is viewed by Windows XP Professional as an object. On computers using NTFS, access to each of these resources is controlled by each object's ACL (Access Control List). An ACL is composed of one or more ACEs (Access Control Entries) that specify exactly what type of access a user or group account has over the resource.

Table 9.3 lists the NTFS permissions associated with folder access. Similarly, Table 9.4 lists the NTFS permissions associated with file access.

Table 9.3: NTFS Folder Permissions

| Permission | Description |
| --- | --- |
| Full Control | Provides the ability to take ownership of files, change file permissions, and perform any operation provided by the other NTFS permissions |
| Modify | Provides the ability to change and delete folders and to perform any operation provided by the Read & Execute NTFS permission |
| Read & Execute | Provides the ability to explore drives and folders and to perform any operation provided by the List Folder Contents NTFS permission |
| List Folder Contents | Provides the ability to examine folder contents |
| Read | Provides the ability to examine the contents of files and folders |
| Write | Provides the ability to create files and folders and to view file and folder properties |

Table 9.4: NTFS File Permissions

| Permission | Description |
| --- | --- |
| Full Control | Provides the ability to take ownership of files, change file permissions, and perform any operation provided by the other NTFS permissions |
| Modify | Provides the ability to change and delete files and to perform any operation provided by the Read & Execute NTFS permission |
| Read & Execute | Provides the ability to execute programs and to perform any operation provided by the Read NTFS permission |
| Read | Provides the ability to view files and their properties |
| Write | Provides the ability to change file contents and view their properties |

Similarly, Table 9.5 lists the permissions associated with securing printers.

Table 9.5: NTFS Printer Permissions

| Permission | Description |
| --- | --- |
| Print | Allows the user or group to connect to and submit print jobs to the printer |
| Manage Printers | Allows the user or group to administrate all print jobs located in the printer queue |
| Manage Documents | Allows the user or group to manage all print jobs submitted by the user |

NTFS permissions are applied to resources by selecting the Security property sheet on the resource's Properties dialog. The following procedure outlines the steps for applying the folder and file permissions listed in Table 9.3 and Table 9.4 to control the access that user accounts have to a resource.

  1. Click on Start and then My Computer. The My Computer folder appears.

  2. Right-click on a drive, folder, or file and select Properties.

  3. Select the Security property sheet, as shown in Figure 9.14.

    Figure 9.14: Modifying NTFS security permissions for a folder

  4. To modify the security permission assigned to a user or group account that has already been assigned to the object's ACL, select the account and select the appropriate NTFS permission in the lower half of the dialog. Permissions can be applied by selecting Allow, which grants the specified level of access to the resource, or by selecting Deny, which denies access to the resource.

    Tip 

    As a rule of thumb, administrators typically do not specify the Deny option when setting NTFS permissions. Simply removing a user or group from the object's ACL prevents their access.

  5. To add a new user or group account to the object's ACL, click on Add, type the account's name, and click on OK.

  6. To remove a user or group account from the object's ACL, select the account and click on Remove.

  7. Click on OK. The permissions will take effect the next time that the user logs in to the computer.
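
The same changes can be scripted. The following added example (not from the book) performs steps 4 through 6 with the Windows PowerShell Get-Acl and Set-Acl cmdlets. It assumes PowerShell is installed; the path and account names are placeholders.

```powershell
# Added example: scripted form of steps 4-6. All default values are placeholders.
param(
    [string]$Path   = 'C:\Data\Reports',   # hypothetical folder or file
    [string]$Grant  = 'BUILTIN\Users',     # account that receives an Allow ACE
    [string]$Rights = 'ReadAndExecute',    # a FileSystemRights name
    [string]$Revoke = ''                   # account to drop from the ACL, if any
)
$ErrorActionPreference = 'Stop'

function Show-Aces([string]$Target) {
    # One row per ACE in the object's ACL.
    (Get-Acl -Path $Target).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

Show-Aces $Path                            # ACL before the change
$acl = Get-Acl -Path $Path

# A folder ACE is passed down to subfolders and files; a file ACE cannot carry inheritance flags.
if (Test-Path -Path $Path -PathType Container) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
}
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$fsRights  = [System.Security.AccessControl.FileSystemRights]$Rights
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Steps 4 and 5: add an Allow ACE for the account (merged into an existing Allow ACE if present).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Grant, $fsRights, $inherit, $propagate, $allow
$acl.AddAccessRule($rule)

# Step 6: remove every explicit ACE naming the account, rather than adding a Deny ACE.
# Inherited ACEs are not affected; they have to be changed on the parent object.
if ($Revoke) {
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $Revoke
    $acl.PurgeAccessRules($account)
}

Set-Acl -Path $Path -AclObject $acl        # step 7: write the modified ACL back
Show-Aces $Path                            # ACL after the change
```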

A user's actual access to a resource is based on the accumulation of all the NTFS permissions assigned to their user account and to all the groups of which the account is a member. For example, if a user account has been given Read access to a resource while a group to which the account has been added provides Full Control, the user's resulting level of access will be Full Control. The only exception to the cumulative nature of NTFS permissions is the Deny setting, which overrides other security permissions. For example, if a user account has been assigned the Change permission over a resource but is a member of a group that has been assigned the Deny Read permission, the user will not be able to access the resource.
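
The two cases above, as an added example that is not from the book: a simplified PowerShell model of the rule, not the access check that Windows itself performs. The account names and ACEs are constructed sample data, and Modify stands in for the Change permission named in the text.

```powershell
# Added example: simplified model of "Allow accumulates, Deny overrides".
# Accounts and ACEs below are constructed sample data, not read from a real ACL.
function Test-NtfsAccess {
    param(
        [string[]]$Identities,   # the user account plus every group it belongs to
        [object[]]$Aces,         # entries with Account, Type (Allow or Deny) and Rights
        [System.Security.AccessControl.FileSystemRights]$Requested
    )
    $allow = 0
    $deny  = 0
    foreach ($ace in $Aces) {
        if ($Identities -notcontains $ace.Account) { continue }   # ACE names another account
        $bits = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights
        if ($ace.Type -eq 'Deny') { $deny = $deny -bor $bits }
        else                      { $allow = $allow -bor $bits }
    }
    $want = [int]$Requested
    # Any denied bit blocks the request; otherwise every requested bit must be allowed.
    return (($want -band $deny) -eq 0) -and (($want -band $allow) -eq $want)
}

$identities = 'PC1\jsmith', 'PC1\Managers'   # constructed user and one of its groups

# Case 1: Read on the user account, Full Control on a group the user belongs to.
$case1 = @(
    @{ Account = 'PC1\jsmith';   Type = 'Allow'; Rights = 'Read' },
    @{ Account = 'PC1\Managers'; Type = 'Allow'; Rights = 'FullControl' }
)
$fullControlGranted = Test-NtfsAccess -Identities $identities -Aces $case1 -Requested FullControl

# Case 2: Modify on the user account, Deny Read on a group the user belongs to.
$case2 = @(
    @{ Account = 'PC1\jsmith';   Type = 'Allow'; Rights = 'Modify' },
    @{ Account = 'PC1\Managers'; Type = 'Deny';  Rights = 'Read' }
)
$readGranted = Test-NtfsAccess -Identities $identities -Aces $case2 -Requested Read

"Case 1, Full Control requested: granted = $fullControlGranted"
"Case 2, Read requested:         granted = $readGranted"
```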



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
EAN: 2147483647
Year: 2005
Pages: 358