Permissions: Concepts

To grant users access to files and folders on the local computer or network, you assign these users permissions. Two kinds of permissions can be used to secure access to these resources: NTFS permissions and shared-folder permissions. You need to understand both kinds of permissions and how they work together.

NTFS Permissions

NTFS is the primary WS2003 filesystem (FAT/FAT32 aren't recommended for most purposes), and partitions formatted with NTFS can have their files and folders secured using NTFS permissions. These permissions secure the filesystem for both local and network access. For example, if user Mary Jones is granted NTFS Read permission on folder Pub and its contents (which are stored on her C: drive), she can log on to her machine, view the contents of Pub, and open any file stored in it. If Pub is then shared with the shared-folder permissions of Full Control for Everyone, she can log on to a different machine and access the Pub share and its contents over the network. Whether Mary is trying to access a resource on an NTFS volume locally or over the network, NTFS permissions will apply.

Special Permissions

The most granular NTFS permissions are called special permissions. These permissions give administrators the highest degree of control over how users can access files and folders stored on NTFS volumes. By selecting different sets of special permissions, administrators can create custom permissions for files or folders that need special access control. The 18 NTFS special permissions are listed and described in Table 4-34.

Table 4-34. NTFS special permissions

| Special permission | Description |
|---|---|
| Folders only | |
| Traverse Folder | Drill into the folder to other files and folders, even if you have no permissions on intermediate subfolders. |
| List Folder | View the names of subfolders and files in the folder. |
| Create Files | Create files in the folder. |
| Create Folders | Create subfolders within the folder. |
| Files only | |
| Execute File | Execute the file. |
| Read Data | Read the file. |
| Write Data | Modify the file. |
| Append Data | Append to the file (you can't modify existing data, only append). |
| Both folders and files | |
| Read Attributes | View the attributes of the file or folder (attributes include Read-only, Hidden, System, and Archive). |
| Read Extended Attributes | View custom attributes that may be defined by certain applications for the file or folder. |
| Write Attributes | Modify the attributes of the file or folder. |
| Write Extended Attributes | Modify custom attributes that may be defined by certain applications for the file or folder. |
| Delete Subfolders and Files | Delete subfolders or files. |
| Delete | Delete the file or folder (even if this permission is denied on a file, you can delete it if its parent folder has been granted Delete Subfolders and Files permission). |
| Read Permissions | View the permissions on the file or folder. |
| Change Permissions | Modify the permissions on the file or folder. |
| Take Ownership | Take ownership of the file or folder. |
| Synchronize | Let threads in multithreaded programs wait on the file or folder handle and synchronize with another thread that signals it. |

Standard Permissions

Special permissions are really too granular for administrators to use to secure files and folders in day-to-day usage. To make life simpler, Microsoft has grouped these special permissions into two different sets:

Folder permissions

Used to secure folders and their files and subfolders

File permissions

Used to secure individual files within folders

Together, these two sets of permissions are called standard permissions, and they are described in Table 4-35 and Table 4-36. The effect of combined standard and special permissions is shown in Table 4-37 and Table 4-38.

Table 4-35. NTFS standard permissions for files

| File permission | Description |
|---|---|
| Read | Open the file and view its permissions, attributes, and ownership. |
| Write | Modify the file, modify its attributes, and view its permissions, attributes, and ownership. |
| Read & Execute | Execute the file, plus do everything Read permission allows. |
| Modify | Delete the file and do everything Read & Execute and Write permissions allow. |
| Full Control | Take ownership, modify permissions, and do everything Modify permission allows. |

Table 4-36. NTFS standard permissions for folders

| Folder permission | Description |
|---|---|
| Read | View contents of folder and view its permissions, attributes, and ownership. |
| Write | Create new files and folders in the folder, modify its attributes, and view its permissions, attributes, and ownership. |
| List Folder Contents | View contents of folder only. |
| Read & Execute | Traverse subfolders within the folder plus do everything Read and List Folder Contents permissions allow. |
| Modify | Delete the folder and do everything Read & Execute and Write permissions allow. |
| Full Control | Take ownership, modify permissions, and do everything that Modify permission allows. |

Table 4-37. Special file permissions as combinations of standard permissions

| Special permission | Read | Write | Read & Execute | Modify | Full Control |
|---|---|---|---|---|---|
| Read Data | Yes | | Yes | Yes | Yes |
| Read Attributes | Yes | | Yes | Yes | Yes |
| Read Extended Attributes | Yes | | Yes | Yes | Yes |
| Read Permissions | Yes | Yes | Yes | Yes | Yes |
| Synchronize | Yes | Yes | Yes | Yes | Yes |
| Write Data | | Yes | | Yes | Yes |
| Append Data | | Yes | | Yes | Yes |
| Write Attributes | | Yes | | Yes | Yes |
| Write Extended Attributes | | Yes | | Yes | Yes |
| Execute File | | | Yes | Yes | Yes |
| Delete | | | | Yes | Yes |
| Delete Subfolders and Files | | | | | Yes |
| Change Permissions | | | | | Yes |
| Take Ownership | | | | | Yes |

Table 4-38. Special folder permissions as combinations of standard permissions

Special permission

Read

Write

List Folder Contents

Read & Execute

Modify

Full Control

List Folder

Yes

Yes

Yes

Yes

Yes

Read Attributes

Yes

Yes

Yes

Yes

Yes

Read Extended Attributes

Yes

Yes

Yes

Yes

Yes

Read Permissions

Yes

Yes

Yes

Yes

Yes

Synchronize

Yes

Yes

Yes

Yes

Yes

Yes

Create Files

Yes

Yes

Yes

Create Folders

Yes

Yes

Yes

Write Attributes

Yes

Yes

Yes

Write Extended Attributes

Yes

Yes

Yes

Traverse Folder

Yes

Yes

Yes

Yes

Delete

Yes

Yes

Delete Subfolders and Files

Yes

Change Permissions

Yes

Take Ownership

Yes

Working with NTFS Permissions

In order to configure NTFS permissions on a file, folder, or NTFS volume, at least one of the following must be true:

  • You must be a member of the Administrators group.

  • You must have Full Control permission for the file, folder, or volume.

  • You must be the owner of the file, folder, or volume.

NTFS permissions must be explicitly applied to a file or folder in order to grant a user access to it. In other words, if a file has no permissions specified for a particular user or for the groups to which that user belongs, the user has no access to the file.

Having said that, however, when you explicitly assign permissions to a folder, by default all subfolders and files within that parent folder inherit the permissions assigned to the parent. Another way of saying this is that permissions automatically propagate from the parent to the child. This is done to simplify and speed up the job of assigning permissions.

If you like, you can later change the permissions to any subfolder or file within the parent folder without affecting the permissions assigned to the parent. In other words, you can prevent permissions inheritance at a given folder or file within the filesystem hierarchy. You can do this two ways:

  • You can copy the permissions inherited from the parent folder to the subfolder or file under consideration and then explicitly modify these permissions as desired.

  • You can remove the permissions inherited from the parent folder to the subfolder or file under consideration and then explicitly assign new ones as desired.

Either way, the subfolder or file under consideration now becomes the new parent from which the subtree of files and folders beneath it inherit their permissions (a file has no subtree beneath it, of course).

An example might help here. Let's say that folder A contains folder B, which contains folder C, which contains file F. Begin by assigning Read permission to folder A for user Dennis. By default, this permission is automatically propagated to folders B and C and file F. Now prevent permissions inheritance at folder B by copying the permissions from its parent A. All folders and files still have Read permission for Dennis, but folder C and file F now inherit their permissions from folder B instead of A. Change the permissions on B from Read to Full Control. Folder C and file F now inherit Full Control permission from folder B, while folder A retains Read permission, as expected.

In general, it simplifies things if you simply let permissions be inherited from their highest parent and don't try to prevent permissions inheritance at subfolders in the hierarchy unless absolutely necessary. Use the K.I.S.S. (Keep It Simple, Stupid!) principle when administering NTFS permissions, unless you're really good at keeping things documented. Otherwise, you may find yourself spending unnecessary time troubleshooting resource-access problems.

When you create a new file or folder on an NTFS volume, the new file or folder automatically inherits the permissions assigned to its parent folder. If the file or folder is created in the root directory of the volume, it inherits the permissions assigned to that root directory. By default, if you create a new NTFS volume by formatting a partition with NTFS, its root directory is assigned the permission Everyone has Full Control, so any new folder or file created in the root will automatically inherit Everyone has Full Control permission.

When you create an NTFS volume, it's generally a good idea to change the default Everyone has Full Control permission to Authenticated Users have Full Control before you start creating directories and storing files on the volume. This enhances the security of the volume since the Authenticated Users built-in system group represents all users who have valid domain user accounts on the network, while the Everyone group also includes untrusted users from other connected networks.

What you shouldn't do is try to modify the default permissions of system volumes like the C: drive or those on the \Windows or \Windows\System32 folders. These permissions are necessary for the proper functioning of the operating system, so don't change them.

If you assign a particular user or group permission on a folder, by default the user or group is granted the three permissions (Read & Execute, List Folder Contents, and Read) for the folder. You can then change these permissions to whatever kind of access you want the user or group to have. Similarly, if you assign a user or group permission on a file, by default the user or group is granted the two permissions (Read & Execute and Read) for the file. Change these permissions to whatever kind of access you want the user or group to have.

When you assign a particular NTFS permission to a file or folder, you can either explicitly allow the permission to grant the user or group access to the object, or you can explicitly deny the permission to prevent the user or group from accessing it. Most of the time, you explicitly allow permissions to enable users to access files and folders, but in certain situations you may want to explicitly deny a user permission on an object. For example, if Bob has Read permission to the Accounts folder and all its contents, you could deny Bob Read permission to the particular document in Accounts that describes the plans for Bob's upcoming surprise party to prevent him from reading it.

Users can have multiple NTFS permissions assigned for the same file or folder. This is because users can belong to groups, and permissions are assigned separately to user accounts and groups. For example, Susan could have Read permission on the Pub folder, while the Marketing group to which she belongs has Modify permission on the same folder. In the case of multiple permissions, the effective permission for the user is determined by adding them together (logical OR). In this example Susan's cumulative level of access to Pub will be Modify. To determine the effective permissions in a given situation, use Tables 4-35 through 4-38.

The exception to this is that a permission denied always overrides a similar permission allowed. For example, if Susan is denied Read permission to Pub while the Marketing group to which she belongs is allowed Read permission, she is effectively denied Read permission on Pub.

Permissions for a file override those for the folder that contains the file. For example, if Susan has Read permission on Pub but has Modify permission on the file Readme.txt within Pub, Susan will be able to make changes to the file and save them.

Once you've explicitly assigned permissions to your parent folders on an NTFS volume and started creating subfolders and files, you need to know what will happen if you try to copy or move these files and folders. This is because the act of copying and moving files and folders can have an effect on the permissions assigned to them. The general rules are as follows:

Copying files or folders

Whether the destination parent folder is on the same or different NTFS volume, the copied file or folder inherits the permissions of the parent folder.

Moving files or folders

If the destination parent folder is on the same NTFS volume, the moved file or folder retains its original permissions. However, if the destination parent folder is on a different NTFS volume, the moved file or folder inherits the permissions of the parent folder (since a move to a different volume is really a copy followed by the delete of the original).

For both copies and moves, if the destination volume is formatted with FAT, all permissions are lost from the copied or moved file or folder. For more information on copying and moving files on NTFS volumes, see Files and Folders earlier in this chapter.

Default NTFS Permissions

In W2K the default permissions on a new NTFS volume included Full Control for Everyone. In WS2003 these permissions have been tightened for increased security, and the default permissions on new NTFS volumes are now those shown in Table 4-39. These permissions are the same whether the computer belongs to a workgroup or domain.

Table 4-39. Default permissions on NTFS volumes

| Security principal | Standard permission | Additional special permissions | Applies to |
|---|---|---|---|
| Administrators (local user) | Full Control | None | This folder, subfolders, and files |
| CREATOR OWNER | None | All (equivalent to Full Control) | Subfolders and files only |
| Everyone | None | Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (equivalent to Read & Execute) | This folder only |
| SYSTEM | Full Control | None | This folder, subfolders, and files |
| Users (local group) | Read & Execute | None | This folder, subfolders, and files |
| | Create Folders/Append Data | | This folder and subfolders |
| | Create Files/Write Data | | Subfolders only |

Ownership

Ownership is an aspect of permissions in WS2003. Every file or folder created on an NTFS volume has an owner. When a user creates a file, the user becomes the owner of that file and can set permissions on it to allow others access to the file. And when a user installs a printer, the user becomes the owner of the printer. Objects in Active Directory also have owners and can be assigned permissions as well.

Ownership can't be given; it can only be taken. In order to assume ownership of a file or other object, a user needs Take Ownership permission. If the owner grants this permission on a file to another user, that user can then take ownership of the first user's file. Administrators, however, have the power to take ownership of any object that they can manage (essentially, anything except system objects).

Shared-Folder Permissions

NTFS permissions are the primary means of securing filesystem resources on a computer or network. However, they can be used only on volumes formatted with NTFS and not on FAT or FAT32 volumes. Furthermore, assigning NTFS permissions to a folder doesn't make the contents of that folder available over the network. To do this, we have to share the resource, and this means we have to deal with a whole other set of permissions called shared-folder permissions and how these combine with NTFS permissions to secure shared network resources.

Shared-folder permissions are permissions assigned to folders or volumes that have been shared. These folders may be on NTFS, FAT, or FAT32 volumes, and any of these volumes may themselves be shared at their root directory. In fact, shared-folder permissions are the only permissions that can be used to secure resources on FAT and FAT32 volumes. Shared folders secure resources only at the network level, however, and not at the local level. For example, if you share the folder Pub, which is located on a FAT volume, you control which users can access the folder over the network and the level of access they can have, but anyone who can log on locally to the machine where the volume is located has unrestricted (full) access to the folder and all its contents. So if you are concerned about securing resources from local access, you must use NTFS instead of FAT or FAT32. Microsoft correctly recommends that all volumes on which applications, data, or users' home folders are located should be NTFS.

Another reason for always using NTFS is that shared-folder permissions aren't as granular as NTFS permissions for controlling access, as you can see from Table 4-40 (note that there is no equivalent in shared-folder permissions to the highly granular NTFS special permissions). Also, shared-folder permissions apply uniformly to the folder and all its contents; if you want to prevent shared-folder permissions at a subfolder of a shared folder, you must create a new share at the subfolder. Furthermore, shared-folder permissions can be applied only to folders and volumes, while NTFS permissions can also be applied to individual files.

Table 4-40. Shared-folder permissions

| Permission | Description |
|---|---|
| Read | View contents of folder and traverse subfolders, open files and view their attributes, and run executable files |
| Change | Create new files and folders in the folder, modify and append data to files, modify file attributes, delete folders and files, plus do everything Read permission allows |
| Full Control | Take ownership and modify permissions of files (on NTFS volumes only), plus do everything Change permission allows |

Working with Shared-Folder Permissions

In order to share a folder and configure its permissions, you must be a member of at least one of the following built-in groups:

  • Administrators

  • Server Operators

  • Power Users

In addition, if the folder you want to share is on an NTFS volume, you must have a minimum NTFS permission of Read for the folder in order to share it.

Folders (or volumes) must be shared and permissions explicitly assigned in order to grant a user access to the contents over the network. If a folder is shared but no shared-folder permissions are explicitly assigned to it, users will be able to see the share in My Network Places, but they won't be able to access its contents. Sharing a volume simply means sharing the root folder on the volume.

When you assign a particular shared-folder permission from the list in Table 4-40, you can either explicitly allow the permission for the folder to grant the user or group access to the contents of the folder or explicitly deny the permission to prevent the user or group from accessing it. Most of the time you will explicitly allow permissions instead of denying them.

When you share a folder, the default shared-folder permission assigned to it is Everyone has Full Control. It's usually a good idea to change this to Users have Full Control before you start storing files in the folder. When you assign a particular user or group permissions on a shared folder, by default the user or group is granted only Read permission for the folder. You can then change the permissions to whatever kind of access you want the user or group to have.

Like NTFS permissions, users can have multiple shared-folder permissions for the same folder, for example, when the user account is assigned one permission while a group to which the user account belongs is assigned a different permission. The effective permission is determined again by adding the different permissions together (logical OR). Once again, a permission denied always overrides a similar permission allowed. Copying or moving files to other shared folders always gives them the permissions assigned to the destination folder. Copying the shared folder itself leaves the original folder shared but the new folder not shared. Moving a shared folder causes it to stop being shared.

General Strategy for Assigning Permissions

The general strategy for using permissions to secure shared-network resources is to proceed as follows:

  1. Format the volume where the shared folder will be created using NTFS instead of FAT or FAT32. Create the folder you are going to share.

  2. Assign NTFS permissions to the folder first. Grant your users and groups suitable levels of access to the folder, giving each user and group only as much access as they need. It generally simplifies administration if you assign permissions only to groups and not to individual users. Check your NTFS permissions assignments to make sure they are correct.

  3. Now share the folder and leave its shared-folder permission set to the default Everyone has Full Control setting. You're done.

The advantage of doing things this way is that you really have to deal with configuring only one set of permissions, namely NTFS. For comparison, let's say you followed this strategy instead:

  1. Format the volume using NTFS. Create the folder you are going to share and leave its NTFS permissions set to the default Everyone has Full Control setting.

  2. Share the folder and grant your users and groups suitable levels of access to the folder using shared-folder permissions.

The problems with this scenario are:

  • The folder is secure for network access but not for local access. So if someone is able to log on locally to the computer where the volume is located, they will have unrestricted access to the folder and its contents.

  • Shared-folder permissions are limited to Read, Change, and Full Control, while NTFS folder permissions can be Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control. NTFS permissions thus give you greater granularity in controlling access than shared-folder permissions.

  • You can also use NTFS file permissions to control access to individual files or create custom permission lists using NTFS special permissions. You can't do any of these things using shared-folder permissions.

  • Shared-folder permissions provide the same level of access for all files and subfolders within the folder, while NTFS permissions allow you to explicitly assign different permissions to subtrees of folders and files within the parent folder.

Let's take a look at one more strategy:

  1. Format the volume using NTFS and create the folder you are going to share.

  2. Assign NTFS permissions for the folder to users and groups to grant them different levels of access. For example, assign the Marketing group Read permission for the Pub folder.

  3. Share the folder and assign shared-folder permissions for the folder to users and groups to grant them different levels of access. For example, assign the Marketing group Change permission for the Pub folder.

The problem is that now you have the administrative headache of managing two separate sets of permissions instead of just one. Also, you must be aware of how NTFS and shared-folder permissions combine. The general rule is: when NTFS and shared-folder permissions combine, the most restrictive permission applies. In other words, for the Marketing group:

Read (NTFS) + Change (shared folder) = Read (combined)
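The combination rules described in this section (allow entries added together, a deny overriding a matching allow, and NTFS and shared-folder permissions combining to the most restrictive result) can be worked through as bit arithmetic on the Windows access-mask values behind each special permission. This is an added example, not code from the book; it follows the simplified rules as the text states them and does not model ACE ordering or inheritance. The mapping of shared-folder permissions onto NTFS masks and the sample ACLs are assumptions constructed for illustration.

```python
from enum import IntFlag


class Right(IntFlag):
    """NTFS special permissions as Windows access-mask bits."""
    READ_DATA = 0x000001           # List Folder on folders
    WRITE_DATA = 0x000002          # Create Files on folders
    APPEND_DATA = 0x000004         # Create Folders on folders
    READ_EA = 0x000008
    WRITE_EA = 0x000010
    EXECUTE = 0x000020             # Traverse Folder on folders
    DELETE_CHILD = 0x000040        # Delete Subfolders and Files
    READ_ATTRIBUTES = 0x000080
    WRITE_ATTRIBUTES = 0x000100
    DELETE = 0x010000
    READ_PERMISSIONS = 0x020000
    CHANGE_PERMISSIONS = 0x040000
    TAKE_OWNERSHIP = 0x080000
    SYNCHRONIZE = 0x100000


R = Right
# Standard file permissions as unions of special permissions (Table 4-37).
READ = R.READ_DATA | R.READ_ATTRIBUTES | R.READ_EA | R.READ_PERMISSIONS | R.SYNCHRONIZE
WRITE = (R.WRITE_DATA | R.APPEND_DATA | R.WRITE_ATTRIBUTES | R.WRITE_EA
         | R.READ_PERMISSIONS | R.SYNCHRONIZE)
READ_EXECUTE = READ | R.EXECUTE
MODIFY = READ_EXECUTE | WRITE | R.DELETE
FULL_CONTROL = MODIFY | R.DELETE_CHILD | R.CHANGE_PERMISSIONS | R.TAKE_OWNERSHIP

# Checked strongest first; Write and Read do not contain one another.
STANDARD = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
            ("Read & Execute", READ_EXECUTE), ("Write", WRITE), ("Read", READ)]

# Assumption: shared-folder permissions (Table 4-40) mapped to the closest NTFS masks.
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


def effective(aces, principals):
    """Cumulative access for a user: OR of all allows, minus anything denied.

    aces is a list of (principal, "allow" | "deny", mask); principals is the
    set of names the user matches (own account plus group memberships).
    """
    allowed = denied = 0
    for who, kind, mask in aces:
        if who in principals:
            if kind == "deny":
                denied |= int(mask)
            else:
                allowed |= int(mask)
    return Right(allowed & ~denied)


def combined(ntfs_aces, share_aces, principals):
    """Network access: only rights granted by BOTH NTFS and the share survive."""
    return effective(ntfs_aces, principals) & effective(share_aces, principals)


def describe(mask):
    """Name of the strongest standard permission fully contained in mask."""
    for name, bits in STANDARD:
        if (mask & bits) == bits:
            return name
    return "No standard permission"


if __name__ == "__main__":
    susan = {"Susan", "Marketing", "Everyone"}   # constructed sample memberships
    pub = [("Susan", "allow", READ), ("Marketing", "allow", MODIFY)]
    print("Cumulative:", describe(effective(pub, susan)))
    denied = [("Susan", "deny", READ), ("Marketing", "allow", READ)]
    print("Deny wins:", describe(effective(denied, susan)))
    share = [("Marketing", "allow", SHARE["Change"])]
    print("NTFS Read + share Change:",
          describe(combined([("Marketing", "allow", READ)], share, susan)))
```

With the share left at Everyone has Full Control, `combined` returns exactly the NTFS result, which is why the recommended strategy only requires auditing one set of permissions.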

What use is this second set of permissions (shared-folder permissions) if our strategy will always be to carefully assign NTFS permissions but leave shared-folder permissions at their default of Everyone has Full Control? Simple: shared-folder permissions are the only permissions that can be used to control resources for data stored on FAT volumes. Why would you want to use FAT instead of NTFS? Possible reasons are:

  • When you are setting up a peer-to-peer network using a workgroup model for a small business that can't afford an administrator to manage a domain controller

  • When you want to dual-boot a machine between WS2003 and Windows 95/98, which requires that you install WS2003 on FAT instead of NTFS

Neither of these is a particularly compelling reason, however.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
