In order to log in to a computer running Windows XP Professional, a user must supply a valid username and password. Once logged in, the resources that the user can access are governed by the security permissions assigned to the user's account and to the group accounts to which the user account has been added. Computers that use NFTS as their file system are able to implement NTFS security permissions. These permissions allow administrators to define what resources users and groups are allowed to access. In addition, administrators differentiate among different types of access.
Note | Computers whose drives are formatted using the FAT or FAT32 file system are not able to implement NFTS security permission and, as a result, are not able to restrict local access to computer resources. However, remote network access to local resources can be controlled using share level security. For more information on share level security, refer to "Securing Shared Drives and Folders" in Chapter 19, "Printer and Disk Sharing." |
Every drive, folder, file, printer, and registry key on the computer is viewed by Windows XP Professional as an object. On computers using NTFS, access to each of these resources is controlled by each object's ACL (Access Control List). An ACL is composed of one or more ACEs (Access Control Entries) that specify exactly what type of access a user or group account has over the resource.
Table 9.3 lists the NTFS permissions associated with folder access. Similarly, Table 9.4 lists the NTFS permissions associated with file access.
Permission | Description |
---|---|
| |
Full Control | Provides the ability to take ownership of files, change file permission, and perform any operation provided by the other NTFS permissions |
Modify | Provides the ability to change and delete folders and to perform any operation provided by the Read & Execute NTFS permission |
Read & Execute | Provides the ability to explore drives and folders and to perform any operation provided by the List Folder Contents NTFS permission |
List Folder Contents | Provides the ability to examine folder contents |
Read | Provides the ability to examine the contents of files and folders |
Write | Provides the ability to create files and folders and to view file and folder properties |
Permission | Description |
---|---|
| |
Full Control | Provides the ability to take ownership of files, change file permissions, and perform any operation provided by the other NTFS permissions |
Modify | Provides the ability to change and delete files and to perform any operation provided by the Read & Execute NTFS permission |
Read & Execute | Provides the ability to execute programs and to perform any operation provided by the Read NTFS permission |
Read | Provides the ability to view files and their properties |
Write | Provides the ability to change file contents and view their properties |
Similarly, Table 9.5 lists the permissions associated with securing printers.
Permission | Description |
---|---|
| |
| Allows the user or group to connect to and submit print jobs to the printer |
Manage Printers | Allows the user or group to administrate all print jobs located in the printer queue |
Manage Documents | Allows the user or group to manage all print jobs submitted by the user |
NTFS permissions are applied to resources by selecting the Security property sheet on the resource's Properties dialog. The following procedure outlines the steps involved in applying the folder and file permissions listed in Table 9.3 and Table 9.4 to administer access to user accounts by specifying NTFS permissions.
Click on Start and then My Computer. The My Computer folder appears.
Right-click on a drive, folder, or file and select Properties.
Select the Security property sheet, as shown in Figure 9.14.
Figure 9.14: Modifying NTFS security permissions for a folder
To modify the security permission assigned to a user or group account that has already been assigned to the object's ACL, select the account and select the appropriate NFTS permission in the lower half of the dialog. Permissions can be applied by selecting Allow, which grants the specified level of access to the resource, or by selecting Deny, which denies access to the resource.
Tip | As a rule of thumb, administrators typically do not specify the Deny option when setting NTFS permissions. Simply removing a user or group from the object's ACL prevents their access. |
To add a new user or group account to the object's ACL, click on Add, type the account's name, and click on OK.
To remove a user or group account from the object's ACL, select the account and click on Remove.
Click on OK. The permissions will take effect the next time that the user logs in to the computer.
A user's actual access to a resource is based on the accumulation of all the NTFS permissions defined to their user account and to all the groups to which the account is a member. For example, if a user account has been given Read access to a resource while a group to which the account has been added provides Full Control, the user's resulting level of access will be Full Control. The only exception to the cumulative nature of NTFS permissions is the Deny setting, whichoverrides other security permissions. For example, if a user account has been assigned the Change permission over a resource but is a member of a group that has been assigned the Deny Read permission, the user will not be able to access the resource.