
Understanding NTFS Permissions

The NT File System, or NTFS, is a file system developed for the Windows NT environment (the NT stands for New Technology). It is now considered the standard file system for servers running Windows network operating systems such as Windows Server 2008. Folders and files on NTFS volumes can also be assigned NTFS permissions. This differs from share permissions, which can be applied only to drives and folders. NTFS permissions can secure a folder or file on the local computer (these permissions actually affect local users on the computer) and can also secure the object with respect to users who access the folder or file over the network.

By the Way

Each file and folder on an NTFS volume has an Access Control List. This list is used to determine the access level of a user or a group to the file or folder. The Access Control List entry for a group or a user is based on the NTFS permissions set for that group or user (in relation to the file or the folder).

Standard NTFS permissions exist for both folders and files. The NTFS folder permissions are listed in Table 13.1.

Table 13.1. NTFS Folder Permissions
Folder Permission | Access Level
Full Control | Enables the user or group to change permissions; delete the folder, subfolders, and files; take ownership of the folder; and permit all other permission levels (Read, Write, List Folder Contents, and so on)
Modify | Enables the user or group to modify the folder, such as delete subfolders and files and permissions related to all other lower-level permissions (Read and Execute, List Folder Contents, Write, and Read)
Read and Execute | Enables the user or group to navigate the folder contents (subfolders and files) and execute contained executables and actions related to the List Folder Contents, Read, and Write permissions
List Folder Contents | Enables the user or group to view the contents of the folder, such as subfolders and files in the folders
Write | Enables the user or group to create new contents in the folder, such as subfolders and files; change the folder attributes; and view the folder ownership and permissions information for the folder
Read | Enables the user or group to view the files and subfolders in the folder and to view other information related to the folder, such as ownership, permissions, and file attributes

Setting NTFS permissions for a folder requires two major steps. First, you add groups or users for which you want to create permissions. Then you assign the user or group the permissions. Remember that, by default, the Everyone group is assigned Full Control to any resource on an NTFS volume (whether it has been shared or not).
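
One way to check a folder tree for the broad grant described above, as an added example that is not from the book. The function name Find-BroadAce and the scratch folder are hypothetical, and the script assumes Windows PowerShell 5.1 or later.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Find-BroadAce {
    param([string]$Root, [FileSystemRights]$AtLeast = [FileSystemRights]::Modify)
    # Well-known SIDs, so the check does not depend on localized group names.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, [SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if (-not $broad.ContainsKey($sid)) { continue }
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            # Report the entry only when it carries every bit of the threshold permission.
            if (([int]$ace.FileSystemRights -band [int]$AtLeast) -ne [int]$AtLeast) { continue }
            [pscustomobject]@{
                Path = $item.FullName; Group = $broad[$sid]
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder that grants Everyone Full Control, inherited by its file.
$root = Join-Path $env:TEMP 'ntfs-audit-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule([FileSystemAccessRule]::new([SecurityIdentifier]::new('S-1-1-0'),
    [FileSystemRights]::FullControl, [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -LiteralPath $root -AclObject $acl
Set-Content -Path (Join-Path $root 'report.txt') -Value 'constructed sample file'

Find-BroadAce -Root $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Rows with Inherited set to False mark where the entry was actually assigned; correcting it there also removes the inherited copies below it.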

NTFS file permissions enable you to control access down to the file level (NTFS file permissions actually override NTFS folder permissions, which we discuss in a moment). Table 13.2 provides a list of standard NTFS file permissions.

Table 13.2. NTFS File Permissions
File Permission | Access Level
Full Control | Enables the user or group to change permissions, take ownership of the file, and exercise all other actions permitted by the other file permission levels
Modify | Enables the user or group to modify and delete the file, and provide permissions related to all other lower-level permissions (Read and Execute, and Write)
Read and Execute | Enables the user or group to navigate the folder contents (subfolders and files), execute contained executables, and list folder contents and Read and Write permissions
Write | Enables the user or group to create new contents in the folder, such as subfolders and files; change the folder attributes; and view the folder ownership and permissions information for the folder
Read | Enables the user or group to view the files and subfolders in the folder and to view other information related to the folder, such as ownership, permissions, and file attributes

As with share permissions, you set NTFS permissions by selecting either Allow or Deny next to a particular permission. Figure 13.5 shows the different NTFS permissions for a file and the accompanying Allow or Deny check boxes.

Figure 13.5. NTFS permissions for a file are set in the Allow and Deny check boxes.

NTFS permissions might seem to be as straightforward as share permissions, but they are more complex because they can be assigned to files; therefore, a file can have different NTFS permissions than its parent folder. NTFS permissions can also become confusing because they can be assigned to both groups and users. Thus, a user might have NTFS permissions for a folder or a file that have been individually assigned, as well as NTFS permissions that have been assigned to a group that the user belongs to. These are important points to keep in mind when working with NTFS permissions:

Copying or moving files from one location to another can also be problematic when you are dealing with NTFS permissions. The final permissions depend on whether you are copying or moving, and whether you are copying or moving within or between NTFS partitions or volumes.

As you can see, you need to plan how you will use NTFS permissions to secure the various folders and files that you share on the network. Keeping track of your users’ cumulative permissions can enable you to foresee problems that involve a user accessing a folder or file to a greater degree than you had intended as you assigned permissions. Using groups (instead of users) to assign NTFS permissions is likely to make the entire process a little less confusing.
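
The cumulative-permission bookkeeping described above, as an added example that is not from the book: it assigns one group Allow and one user Deny to a scratch folder in the two steps given earlier, then walks the folder's Access Control List for the current user and that user's groups. Get-CumulativeRights and the folder name are hypothetical, Windows PowerShell 5.1 or later is assumed, and share permissions, ownership and privileges are not modelled.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-CumulativeRights {
    param([string]$Path, [WindowsIdentity]$Identity)
    # Every SID an entry can match: the user plus each group in the user's token.
    $sids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })
    $mask = [int][FileSystemRights]::FullControl      # generic-rights bits are left out
    $granted = 0; $denied = 0
    # Entries are read in stored order; the first entry to mention a right decides it.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band [int][PropagationFlags]::InheritOnly) -ne 0) { continue }
        $bits = [int]$ace.FileSystemRights -band $mask
        if ($ace.AccessControlType -eq [AccessControlType]::Deny) {
            $denied = $denied -bor ($bits -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }
    [pscustomobject]@{ Granted = [FileSystemRights]$granted; Denied = [FileSystemRights]$denied }
}

# Constructed demo: scratch folder, Allow Modify for a group, Deny Write for the user.
$folder = Join-Path $env:TEMP 'ntfs-acl-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$me      = [WindowsIdentity]::GetCurrent()
$users   = [SecurityIdentifier]::new('S-1-5-32-545')          # BUILTIN\Users
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [PropagationFlags]::None

$acl = Get-Acl -LiteralPath $folder
# Step 1: choose the group or user. Step 2: assign the permission as Allow or Deny.
$acl.AddAccessRule([FileSystemAccessRule]::new($users, [FileSystemRights]::Modify,
    $inherit, $noProp, [AccessControlType]::Allow))
$acl.AddAccessRule([FileSystemAccessRule]::new($me.User, [FileSystemRights]::Write,
    $inherit, $noProp, [AccessControlType]::Deny))
Set-Acl -LiteralPath $folder -AclObject $acl

# Rights from the group entry and from inherited entries add up; the user's Deny removes Write.
Get-CumulativeRights -Path $folder -Identity $me | Format-List
Remove-Item -LiteralPath $folder -Recurse -Force
```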

By the Way

If you are still running FAT32-formatted disks, you can convert them to NTFS (allowing you to take advantage of NTFS permissions). This process does not affect the files or folders currently on the volume. At the command prompt, type convert c: /fs:ntfs, where c is the drive letter assigned to the volume. Press Enter. The volume is converted to NTFS.
