You should follow certain guidelines for assigning NTFS permissions. Assign permissions according to group and user needs, which include allowing or preventing permissions to be inherited from parent folders to subfolders and files that are contained in the parent folder.
If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that they are easy to manage. Use the following guidelines when you assign NTFS permissions:
By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. This presented a problem in earlier versions of Windows, including Microsoft Windows 2000. In Windows XP Professional, the Anonymous Logon group is no longer included in the Everyone group.
When a Windows 2000 Professional system is upgraded to a Windows XP Professional system, resources with permission entries for the Everyone group and not explicitly for the Anonymous Logon group are no longer available to the Anonymous Logon group.
Administrators, users with the Full Control permission, and the owners of files and folders can assign permissions to user accounts and groups.
To assign or modify NTFS permissions for a file or a folder, in the Security tab of the Properties dialog box for the file or folder, configure the options that are shown in Figure 8.3 and described in Table 8.3.
Table 8.3 Security Tab Options
Option | Description |
---|---|
Group Or User Name | Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list. |
Permissions For group or user name | Allows and denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission. |
Add | Opens the Select Users Or Groups dialog box, which you use to select user accounts and groups to add to the Group Or User Name list (see Figure 8.4). |
Remove | Removes the selected user account or group and the associated permissions for the file or folder. |
Advanced | Opens the Advanced Security Settings dialog box for the selected folder so that you can grant or deny special permissions (see Figure 8.5). |
Figure 8.3 The Security tab of the Properties dialog box for a folder
Click Add to display the Select Users Or Groups dialog box (see Figure 8.4). Use this dialog box to add users or groups so that you can assign them permissions for accessing a folder or file. The options available in the Select Users Or Groups dialog box are described in Table 8.4.
Figure 8.4 The Select Users or Groups dialog box for a folder
Table 8.4 Select Users Or Groups Dialog Box Options
Option | Description |
---|---|
Select The Object Type | Allows you to select the types of objects you want to look for, such as built-in security principals (users, groups, and computer accounts), user accounts, or groups. |
From This Location | Indicates where you are currently looking, for example in the domain or on the local computer. |
Locations | Allows you to select where you want to look, for example in the domain or on the local computer. |
Enter The Object Names To Select | Allows you to type in a list of built-in security principals, users, or groups to be added. |
Check Names | Verifies the selected list of built-in security principals, users, or groups to be added. |
Advanced | Allows you access to advanced search features, including the ability to search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days. |
Click Advanced to display the Advanced Security Settings dialog box (Figure 8.5), which lists the users and groups and the permissions they have on this object. The Permissions Entries box also shows where the permissions were inherited from and where they are applied.
Figure 8.5 The Permissions tab of the Advanced Security Settings dialog box for a folder
You can use the Advanced Security Settings dialog box to change the permissions set for a user or group. To change the permissions set for a user or group, select a user and click Edit to display the Permission Entry For dialog box (see Figure 8.6). You can then select or clear the specific permissions, explained in Table 8.5, that you want to change.
Figure 8.6 The Permission Entry dialog box for a folder
Table 8.5 Special Permissions
Permission | Description |
---|---|
Full Control | Full Control applies all permissions to the user or group. |
Traverse Folder/Execute File | Traverse Folder allows or denies moving through folders to access other files or folders, even when the user has no permissions for the traversed folder (the folder that the user is moving through). Traverse Folder is not applied if the user or group has the Bypass Traverse Checking user right granted in Group Policy. By default the Everyone group has Bypass Traverse Checking granted, so you must modify the Group Policy if you want to use the Traverse Folder permission. Traverse Folder applies only to folders. Execute File allows or denies running executable files (application files). Execute File applies only to files. |
List Folder/Read Data | List Folder allows or denies viewing file names and subfolder names within the folder. List Folder applies only to folders. Read Data allows or denies viewing the contents of a file. Read Data applies only to files. |
Read Attributes | Read Attributes allows or denies the viewing of the attributes of a file or folder. These attributes are defined by NTFS. |
Read Extended Attributes | Read Extended Attributes allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs. |
Create Files/Write Data | Create Files allows or denies the creation of files within a folder. Create Files applies to folders only. Write Data allows or denies the making of changes to a file and the overwriting of existing content. Write Data applies to files only. |
Create Folders/Append Data | Create Folders allows or denies the creation of folders within the folder. Create Folders applies only to folders. Append Data allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data. Append Data applies to files only. |
Write Attributes | Write Attributes allows or denies the changing of the attributes of a file or folder. These attributes are defined by NTFS. |
Write Extended Attributes | Write Extended Attributes allows or denies the changing of the extended attributes of a file or a folder. These attributes are defined by programs. |
Delete Subfolders and Files | Delete Subfolders and Files allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file. |
Delete | Delete allows or denies the deletion of a file or folder. A user can delete a file or folder even without having the Delete permission granted on that file or folder, if the Delete Subfolders and Files permission has been granted to the user on the parent folder. |
Read Permissions | Read Permissions allows or denies the reading of the permissions assigned to the file or folder. |
Change Permissions | Change Permissions allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user can't delete or write to the file or folder but can assign permissions to the file or folder. |
Take Ownership | Take Ownership allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder. |
Synchronize | Synchronize allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs. |
You can transfer ownership of files and folders from one user account or group to another. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder.
The following rules apply for taking ownership of a file or folder:
For example, if an employee leaves the company, an administrator can take ownership of the employee's files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.
You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.
To take ownership of a file or folder, the user or a group member with Take Ownership permission must explicitly take ownership of the file or folder, as follows:
By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Advanced Security Settings dialog box (Figure 8.5) when the Inherit From Parent The Permission Entries That Apply To Child Objects check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the check box. You are then prompted to select one of the options described in Table 8.6.
Table 8.6 Preventing Permissions Inheritance Options
Option | Description |
---|---|
Copy | Copy the permission entries that were previously applied from the parent to the child and then deny subsequent permissions inheritance from the parent folder. |
Remove | Remove the permission entries that were previously applied from the parent to the child and retain only the permissions that you explicitly assign here. |
Cancel | Cancel the dialog box. |
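The access-check and inheritance rules described in Table 8.5 and Table 8.6 can be made concrete with a small model. The following Python script is an added example, not code from this book or from Windows itself: it represents a subset of the special permissions as flags, orders permission entries the way Windows evaluates them (explicit entries before inherited ones, and Deny before Allow within each set), applies the Delete rule from Table 8.5, the owner rule from the Take Ownership row, and the Copy and Remove options from Table 8.6. The user and group names, the folder contents, and the permission subset are constructed for the example, and every entry on a parent folder is treated as inheritable, which simplifies the real inheritance flags.

```python
"""Simplified model of NTFS access checks and permission inheritance.

Constructed example: an illustrative model of the rules in Tables 8.5 and
8.6 (Allow/Deny entries, inherited vs. explicit entries, the Delete rule,
the owner rule, and Copy/Remove when inheritance is blocked). It is not
Windows' own access-check code.
"""
from dataclasses import dataclass, replace
from enum import Flag, auto
from functools import reduce
import operator


class Perm(Flag):
    """Subset of the special permissions from Table 8.5 (constructed)."""
    READ_DATA = auto()        # List Folder / Read Data
    WRITE_DATA = auto()       # Create Files / Write Data
    APPEND_DATA = auto()      # Create Folders / Append Data
    DELETE = auto()           # Delete
    DELETE_CHILD = auto()     # Delete Subfolders and Files
    READ_PERMS = auto()       # Read Permissions
    CHANGE_PERMS = auto()     # Change Permissions
    TAKE_OWNERSHIP = auto()   # Take Ownership


FULL_CONTROL = reduce(operator.or_, Perm)   # every permission in the model


@dataclass(frozen=True)
class Ace:
    trustee: str              # user account or group name
    allow: bool               # True = Allow entry, False = Deny entry
    perms: Perm
    inherited: bool = False   # True when the entry came from the parent folder


def canonical_order(acl):
    """Windows evaluates explicit entries before inherited ones, and within
    each set Deny entries before Allow entries."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(acl, principals, requested, owner=None):
    """Return True if `requested` is granted to a user whose identities
    (own account plus group memberships) are the set `principals`."""
    remaining = requested
    if owner in principals:   # the owner can always read and change permissions (Table 8.5)
        remaining &= ~(Perm.READ_PERMS | Perm.CHANGE_PERMS)
    for ace in canonical_order(acl):
        if not remaining:
            break
        if ace.trustee not in principals:
            continue
        if ace.allow:
            remaining &= ~ace.perms          # rights granted so far
        elif ace.perms & remaining:
            return False                     # a Deny on an outstanding right wins
    return not remaining


def can_delete(child_acl, parent_acl, principals, owner=None):
    """Delete succeeds with Delete on the object itself, or with Delete
    Subfolders and Files on its parent folder (Table 8.5)."""
    return (access_check(child_acl, principals, Perm.DELETE, owner)
            or access_check(parent_acl, principals, Perm.DELETE_CHILD, owner))


def inherit_from(parent_acl, child_explicit=()):
    """Default behaviour: the child's explicit entries, followed by copies of
    the parent's entries marked as inherited. (Simplification: every parent
    entry is treated as inheritable.)"""
    return list(child_explicit) + [replace(a, inherited=True) for a in parent_acl]


def block_inheritance(acl, mode):
    """Clearing 'Inherit From Parent' (Table 8.6): 'copy' keeps the inherited
    entries as explicit ones, 'remove' drops them."""
    if mode == "copy":
        return [replace(a, inherited=False) for a in acl]
    if mode == "remove":
        return [a for a in acl if not a.inherited]
    raise ValueError(f"unknown option: {mode}")


def demo():
    """Constructed scenario: a Public folder and a file below it."""
    user82 = {"User82", "Users"}             # User82 is a member of Users
    public = [
        Ace("Administrators", True, FULL_CONTROL),
        Ace("Users", True, Perm.READ_DATA | Perm.WRITE_DATA | Perm.READ_PERMS),
        Ace("User82", True, Perm.DELETE_CHILD),
    ]
    # The file inherits from Public but carries an explicit Deny for User82.
    report = inherit_from(public, [Ace("User82", False, Perm.WRITE_DATA)])
    return {
        "read_via_inherited_allow": access_check(report, user82, Perm.READ_DATA),
        "write_blocked_by_explicit_deny": access_check(report, user82, Perm.WRITE_DATA),
        "delete_via_parent_delete_child": can_delete(report, public, user82),
        "owner_changes_permissions": access_check(report, {"User83"}, Perm.CHANGE_PERMS, owner="User83"),
        "read_after_remove": access_check(block_inheritance(report, "remove"), user82, Perm.READ_DATA),
        "read_after_copy": access_check(block_inheritance(report, "copy"), user82, Perm.READ_DATA),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Running the script shows the two points that matter most when planning permissions: an explicit Deny on the file overrides the Allow that User82 inherits through the Users group, and choosing Remove rather than Copy when blocking inheritance silently takes away the Read access that came from Public, while Copy preserves it as an explicit entry.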
In this practice, you will plan NTFS permissions for folders and files based on a business scenario. Then you will apply NTFS permissions for folders and files on your computer running Windows XP Professional in a workgroup environment, based on a second scenario. Finally, you will test the NTFS permissions that you set up to make sure that they are working properly.
Before beginning the exercises that follow, log on with an account that is a member of the Administrators group and create the users listed in the following table:
User account | Type |
---|---|
User81 | Limited |
User82 | Limited |
User83 | Limited |
User84 | Limited |
Create the following folders:
Run the PlanningNTFSPermissions file in the Demos folder on the CD-ROM accompanying this book for a demonstration of determining the default NTFS permissions applied to a folder. The demonstration also includes stopping a group from inheriting permissions from its parent object, deleting a group that has been assigned NTFS permissions, and adding a user and applying NTFS permissions to the user object for a folder.
In this exercise, you determine the default NTFS permissions for the newly created Public folder located on a computer running Windows XP Professional in a workgroup environment.
Windows XP Professional displays the Public Properties dialog box with the General tab active.
If you do not have a Security tab, there are two things to check: Is your partition formatted as NTFS or FAT? Only NTFS partitions use NTFS permissions, so only NTFS partitions have a Security tab. Are you using Simple File Sharing? Click Cancel to close the Public Properties dialog box. On the Tools menu, click Folder Options. In the Folder Options dialog box, click View. Under Advanced Settings, clear the Use Simple File Sharing (Recommended) check box and click OK. Repeat steps 3 and 4 and continue with this practice.
If any of the users or groups have special permissions, click the user or group and then click Advanced to see which special permissions are set.
Windows XP Professional displays the Public Properties dialog box with the Security tab active.
What are the existing folder permissions?
With the Public folder selected in the folder tree (the left pane), on the File menu, click New and then click Text Document to create the text document.
Were you successful? Why or why not?
Which tasks were you able to complete and why?
Which tasks were you able to perform and why?
In this exercise, you assign NTFS permissions for the Public folder.
The permissions that you assign are to be based on the following criteria:
Based on what you learned in Exercise 1, what changes in permission assignments do you need to make to meet each of these four criteria? Why?
You are currently logged on as User82. Can you change the permissions assigned to User82 while logged on as User82? Why or why not?
Windows XP Professional displays the Properties dialog box for the folder with the General tab active.
The Select Users Or Groups dialog box is displayed.
PRO1\User82 should now appear in the Enter The Object Names To Select text box, indicating that Windows XP Professional located User82 on PRO1 and it is a valid user account.
User82 now appears in the Group Or User Name box in the Public Properties dialog box.
What permissions are assigned to User82?
Windows XP Professional displays the Advanced Security Settings For Public dialog box with User82 (PRO1\User82) listed in the Permissions Entries text box.
Windows XP Professional displays the Permission Entry For Public dialog box with User82 (PRO1\User82) displayed in the Name text box.
All the check boxes under Allow are now selected.
Windows XP Professional displays the Advanced Security Settings For Public dialog box.
Which tasks were you able to record and why?
In this exercise, you create a file in a subfolder and test how NTFS permissions are inherited through a folder hierarchy.
Which tasks were you able to record and why?
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."