1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and...
Chapter Overview
- Understanding and Applying NTFS Permissions
- Assigning NTFS Permissions and Special Permissions
- Solving Permissions Problems

Introduction to NTFS Permissions
- NT file system (NTFS) permissions specify
  - Who can access folders and files
  - What they can do with the contents
- NTFS permissions are available only on NTFS volumes.
- NTFS permissions provide security for
  - Local access
  - Over the network access

Managing NTFS Permissions
- The following can assign NTFS permissions:
  - Administrators
  - Owners of files and folders
  - Users with the Full Control permission

NTFS Folder Permissions
- Read
- Write
- List Folder Contents
- Read & Execute
- Modify
- Full Control

NTFS File Permissions
- Read
- Write
- Read & Execute
- Modify
- Full Control

Access Control List
- NTFS stores an access control list (ACL) with every file and folder.
- Each ACL contains
  - A list of all user accounts and groups granted access
  - The type of access each user and group has been granted
  - An access control entry (ACE) for a user account or a group

Effective Permissions
- You can assign multiple permissions to a user account and to each group the user is a member of.
- A user's effective permissions for a resource are the sum of the NTFS permissions that you assign
  - To a user account
  - To all groups the user belongs to
- A user's permissions are said to be cumulative because they are the sum of the user's permissions.

Overriding Folder Permissions with File Permissions
- NTFS file permissions take priority over NTFS folder permissions.
- A user with the appropriate permissions can access a file even if that user does not have permission to access the folder containing the file.
- The Bypass Traverse Checking security permission allows a user to access a file even if the user does not have corresponding folder permissions.
- The folder that contains the file is invisible if the user does not have corresponding folder permissions.
- To gain access to the file, a user can do one of the following:
  - Use the full Universal Naming Convention (UNC).
  - Use the local path to open the file from its respective application.

Overriding Permissions with Deny
- You can deny permissions to a user account or group for a specific file or folder.
- Deny overrides all instances in which that permission is allowed.
- Denying permissions is not the recommended way to control access to resources.

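
The rules from the Effective Permissions and Overriding Permissions with Deny slides, as an added PowerShell example that is not part of the original slides. `Get-EffectiveNtfsRights` is a hypothetical helper name; it reads only the ACL entries, so ownership, user privileges and share permissions are outside what it computes.

```powershell
# Added example: approximate the current user's effective NTFS rights on a path.
function Get-EffectiveNtfsRights {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs that can match an ACE: the user account plus the groups in the current token
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Read explicit and inherited ACEs, with identities expressed as SIDs
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    [int]$allow = 0
    [int]$deny  = 0
    foreach ($rule in $rules) {
        # Skip ACEs for accounts and groups the user does not belong to
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to child objects, not to this one
        if ($rule.PropagationFlags.HasFlag(
                [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }

        if ($rule.AccessControlType -eq 'Allow') {
            # Cumulative: allowed rights from every matching ACE are added together
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }

    # Deny overrides Allow: remove every denied bit from the accumulated allow mask
    $effective = $allow -band (-bnot $deny)
    $type = [System.Security.AccessControl.FileSystemRights]

    [pscustomobject]@{
        Path      = $Path
        Allowed   = [Enum]::ToObject($type, $allow)
        Denied    = [Enum]::ToObject($type, $deny)
        Effective = [Enum]::ToObject($type, $effective)
    }
}

# Usage: inspect a folder the current user can read (here the user's temp folder)
Get-EffectiveNtfsRights -Path $env:TEMP | Format-List
```
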
NTFS Permissions Inheritance
- By default, the parent folder's permissions are propagated to
  - Any existing subfolders and files in the parent folder
  - Any files or folders created in the parent folder
- You can prevent permissions inheritance.
- The folder for which you prevent permissions inheritance becomes the new parent folder.
- The subfolders and files in the new parent folder inherit the permissions from the new parent folder.

Simplify Administration of Permissions
- Group files into application, data, and home folders.
- Centralize home and public folders on one separate volume.
- Assign permissions only to folders, not to files.
- Isolate applications and the operating system on a different volume.
- Back up only home and public folders.
- Do not back up applications or the operating system.
- Deny permissions only when it is essential.

Minimize NTFS Permission Assignments
- Allow only the required level of access.
- Create groups according to the access required for resources.
- Assign the appropriate permissions to the group.
- Avoid assigning permissions to individual user accounts.
- Encourage users to assign permissions to the folders they create.

Assign Permissions for Data or Application Folders
- Assign the Read & Execute permission to
  - The Users group
  - The Administrators group

Assign Permissions for Public Data Folders
- Assign the Read & Execute and the Write permissions to the Users group.
- Assign the Full Control permission to the CREATOR OWNER user.

Setting NTFS Permissions

Granting or Denying Special Permissions
- In the folder Properties dialog box, click Advanced to display the Advanced Security Settings dialog box.
- Select the user or group for which you want to modify the Special Permission settings, and then click Edit.
- In the Permission Entry For dialog box, select Allow or Deny for each of the special permissions you want to modify.

Taking Ownership
- The current owner or a user with the Full Control permission can assign a user
  - The Full Control standard permission
  - The Take Ownership permission
- That user can now take ownership of the assigned file or folder.
- An administrator can take ownership of the file or folder regardless of the assigned permission.
- No one, not even the owner or the administrator, can assign ownership of a file or folder to anyone else.

Preventing Permissions Inheritance
- By default, subfolders and files inherit permissions from parent folders.
- Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
- Select one of the following options:
  - Copy
  - Remove
  - Cancel

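
The public data folder assignment from the earlier slide combined with the Remove option described here, as an added PowerShell example that is not part of the original slides. The folder path is a placeholder, and the Administrators Full Control entry is an assumption of this example so the folder stays manageable after inherited entries are removed.

```powershell
# Added example: script the public data folder ACL with inheritance blocked.
$folder = Join-Path $env:TEMP 'PublicData-Demo'   # placeholder path for the demo
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -LiteralPath $folder

# First argument $true blocks inheritance from the parent.
# Second argument: $true = "Copy" inherited entries as explicit ones,
#                  $false = "Remove" them. This example removes them.
$acl.SetAccessRuleProtection($true, $false)

$ns          = 'System.Security.AccessControl'
$inherit     = [Enum]::Parse("$ns.InheritanceFlags" -as [type], 'ContainerInherit, ObjectInherit')
$thisAndKids = [System.Security.AccessControl.PropagationFlags]::None
$kidsOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs, so the script does not depend on localized group names
$users        = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$admins       = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'       # CREATOR OWNER

$rw   = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$rules = @(
    # Users: Read & Execute plus Write on the folder and everything below it
    [System.Security.AccessControl.FileSystemAccessRule]::new($users, $rw, $inherit, $thisAndKids, $allow)
    # CREATOR OWNER: Full Control, applied to what each user creates inside the folder
    [System.Security.AccessControl.FileSystemAccessRule]::new($creatorOwner, $full, $inherit, $kidsOnly, $allow)
    # Assumption of this example: keep an administrative entry after removing inherited ones
    [System.Security.AccessControl.FileSystemAccessRule]::new($admins, $full, $inherit, $thisAndKids, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

Set-Acl -LiteralPath $folder -AclObject $acl

# Verify: every entry should now be explicit (IsInherited = False)
(Get-Acl -LiteralPath $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, PropagationFlags -AutoSize
```
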
Introduction to Solving Permissions Problems
- When you copy or move files and folders, the permission you set on the files or folders might change.
- Specific rules control how and when permissions change.
- Understanding these rules helps you solve permissions problems.
- Troubleshooting these permission problems is important to keep resources available for the appropriate users and protect them from unauthorized users.

Copying Files and Folders

Moving Files or Folders Within a Single NTFS Volume
- The file or folder retains the original permissions.
- You must have the Write permission for the destination folder.
- You must have the Modify permission for the source file or folder.
- The owner of the file or folder does not change.

Moving Files or Folders Between NTFS Volumes

Troubleshooting Permissions Problems
- A user cannot gain access to a file or folder.
- You add a user account to a group to give the user access to a file or folder, but the user still cannot gain access.
- A user with the Full Control permission to a folder deletes a file in the folder and you want to prevent the user from deleting more files.

Avoiding NTFS Permissions Problems
- Assign the most restrictive NTFS permissions.
- Assign all permissions at the folder level.
- For all application-executable files, assign
  - The Read & Execute and Change permissions to the Administrators group
  - The Read & Execute permission to the Users group
- Assign the Full Control permission to CREATOR OWNER for public data folders.
- Allow permissions rather than deny permissions.

Chapter Summary
- NTFS permissions specify what type of access users and groups have to files and folders.
- NTFS file permissions take priority over NTFS folder permissions.
- Use the Security tab of the Properties dialog box of a file or folder to assign or modify NTFS permissions.
- By default, subfolders and files inherit permissions from their parent folders.
- When you copy or move files and folders, the permissions you set on them might change.