After this lesson, you will be able to
Estimated lesson time: 15 minutes
After you create the installation partition, Setup prompts you to select the file system with which to format the partition. Windows 2000 supports three file systems: Windows 2000 file system (NTFS), file allocation table (FAT), and FAT32.
The Table 3.1 lists the features of the various file systems.
Table 3.1 File System Features
|NTFS||File and Folder level security|
|Disk Quota management|
|Mounting of Volumes to Folders|
|FAT and FAT32||Dual Booting No File-level security|
Unless you require dual booting, NTFS is the file system to use.
NTFS also allows you to specify which users and groups can gain access to files and folders and what they can do with the contents of the file or folder. NTFS permissions are available only on NTFS volumes. NTFS permissions are not available on volumes that are formatted with FAT or FAT32 file systems. NTFS security is effective whether a user gains access to the file or folder locally or from the network. The permissions you assign for folders are different from the permissions you assign for files.
You assign folder permissions to control the access that users have to folders and to the files and subfolders contained within the folder.
Table 3.2 lists the standard NTFS folder permissions that you can assign and the type of access that each provides to users.
Table 3.2 NTFS Folder Permissions
|NTFS folder permission||Allows the user to|
|Read||See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)|
|Write||Create new files and subfolders within the folder; change folder attributes; view details of folder ownership and permissions|
|List Folder Contents||See the names of files and subfolders in the folder|
|Read & Execute||Move through folders to reach other files and folders, even if the users don't have permission for those folders; perform actions permitted by the Read permission and the List Folder Contents permission|
|Modify||Delete the folder; perform actions permitted by the Write permission and the Read & Execute permission|
|Full Control||Change permissions, take ownership, and delete subfolders and files; perform actions permitted by all other NTFS folder permissions|
As an administrator, you can deny permission to any user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.
You assign file permissions to control the access that users have to files. Table 3.3 lists the standard NTFS file permissions that you can assign and the type of access that each permission provides.
Table 3.3 NTFS File Permissions
|NTFS file permission||Allows the user to|
|Read||Read the file view file attributes, ownership, and permissions|
|Write||Overwrite the file; change file attributes; view file ownership and permissions|
|Read & Execute||Run applications; perform the actions permitted by the Read permission|
|Modify||Modify and delete the file; perform the actions permitted by the Write permission and the Read & Execute permission|
|Full Control||Change permissions and take ownership; perform the actions permitted by all other NTFS file permissions|
Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.
NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well as the type of access that they have been granted. If a user attempts to gain access to a resource, the ACL must contain an entry called an access control entry (ACE) for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't gain access to the resource.
You can assign multiple permissions to a user account and to each group in which the user is a member. To assign permissions, you must understand the rules and priorities regarding how NTFS assigns and combines multiple permissions and NTFS permission inheritance.
A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder.
Overriding Folder Permissions with File Permissions
NTFS file permissions take priority over NTFS folder permissions. A user with access to a file will be able to gain access to the file even if he or she doesn't have access to the folder containing the file. A user can gain access to the files for which he or she has permissions by using the full universal naming convention (UNC) or local path to open the file from its respective application, even though the folder in which it resides will be invisible if the user has no corresponding folder permission. In other words, if you don't have permission to access the folder containing the file you want to access, you will have to know the full path to the file to access it. Without permission to access the folder, you can't see the folder, so you can't browse for the file you want to access.
Overriding Other Permissions with Deny
You can deny permission to a user account or group for a specific file, although this is not the recommended way to control access to resources. Denying a permission overrides all instances where that permission is allowed. Even if a user has permission to gain access to the file or folder as a member of a group, denying permission to the user blocks that and any other permission the user might have (see Figure 3.1).
Figure 3.1 Multiple NTFS permissions
In Figure 3.1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
Because of the read and write permissions User1 has to FolderA, User1 can read and write to File1. The user can also read File2 because of the folder permissions, but she cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.
By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 3.2.
Figure 3.2 Inheritance
You can prevent permissions assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them.
The folder for which you prevent permissions inheritance becomes the new parent folder, and permissions that are assigned to this folder will be inherited by the subfolders and files that are contained within it.
You should follow certain guidelines for assigning NTFS permissions. Assign permissions according to group and user needs, which includes allowing or preventing permissions inheritance from parent folders to subfolders and files that are contained in the parent folder.
If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that NTFS permissions are easy to manage. Use the following guidelines when you assign NTFS permissions:
By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources.
Administrators, users with the Full Control permission, and the owners of files and folders (CREATOR OWNER) can assign permissions to user accounts and groups.
To assign or modify NTFS permissions for a file or a folder, on the Security tab of the Properties dialog box for the file or folder, configure the options that are shown in Figure 3.3 and described in Table 3.4.
Figure 3.3 The Security tab of the Apps Properties dialog box for a folder
Table 3.4 Security Tab Options
|Name||Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list|
|Permissions||Allows you to select the Allow check box to allow a permission |
Allows you to select the Deny check box to deny a permission
|Add||Allows you to open the Select Users, Computers, Or Groups dialog box, which you use to select user accounts and groups to add to the Name list|
|Remove||Allows you to remove the selected user account or group and the associated permissions for the file or folder|
|Advanced||Allows you to open the Access Control Settings for the selected folder so that you can grant or deny additional permissions|
By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated on the Security tab in the Properties dialog box by a check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check box, you are prompted to select one of the options described in Table 3.5.
Table 3.5 Preventing Permissions Inheritance Options
|Copy||Allows you to copy the permissions from the parent folder to the current folder and then deny subsequent permissions inheritance from the parent folder|
|Remove||Allows you to remove the permissions that are inherited from the parent folder and retain only the permissions that you explicitly assign to the file or folder|
|Cancel||Allows you to cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box|
In this lesson, you learned that, by default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources. To assign or modify NTFS permissions for a file or a folder, you use the Security tab of the Properties dialog box for the file or folder.
You also learned that, by default, subfolders and files inherit permissions that you assign to their parent folder. You can disable this feature so that subfolders and files don't inherit the permissions assigned to their parents.