NTFS File Permissions
Embed Size (px)
Transcript of NTFS File Permissions
NTFS File Permissions
NTFS file permissions determine which users can view or update files. For example, youwould use NTFS file permissions to grant your Human Resources group access to personnelfiles while preventing other users from accessing those files.The default NTFS file permissions for user and system folders are designed to meet basicneeds. These default permissions for different file types are: User files Users have full control permissions over their own files. Administrators alsohave full control. Other users who are not administrators cannot read or write to a usersfiles. System files Users can read, but not write to, the %SystemRoot% folder and subfolders.Administrators can add and update files. This allows administrators, but not users, toinstall updates and applications. Program files Similar to the system files permissions, the %ProgramFiles% folder permissionsare designed to allow users to run applications and allow only administratorsto install applications. Users have read access, and administrators have full control.Additionally, any new folders created in the root of a disk will grant administrators full controland users read access.The default file and folder permissions work well for desktop environments. File servers, however,often require you to grant permissions to groups of users to allow collaboration. Forexample, you might want to create a folder that all Marketing users can read and update butthat users outside the Marketing group cannot access. Administrators can assign users orgroups any of the following permissions to a file or folder: List Folder Contents Users can browse a folder but not necessarily open the files in it. Read Users can view the contents of a folder and open files. If a user has Read but notRead & Execute permission for an executable file, the user will not be able to start theexecutable. Read & Execute In addition to the Read permission, users can run applications. Write Users can create files in a folder but not necessarily read them. This permissionis useful for creating a folder in which several users can deliver files but not access eachothers files or even see what other files exist. Modify Users can read, edit, and delete files and folders. Full Control Users can perform any action on the file or folder, including creating anddeleting it and modifying its permissions.
To protect a file or folder with NTFS, follow these steps:1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).2. Right-click the file or folder, and then choose Properties.The Properties dialog box for the file or folder appears.3. Click the Security tab.4. Click the Edit button.The Permissions dialog box appears.5. If the user you want to configure access for does not appear in the Group Or User Nameslist, click Add. Type the user name, and then click OK.6. Select the user you want to configure access for. Then, select the check boxes for thedesired permissions in the Permissions For user or group name list, as shown in Figure11-1. Denying access always overrides allowed access. For example, if Mary is a memberof the Marketing group and you allow full control access for Mary and then denyfull control access for the Marketing group, Marys effective permissions will be todeny full control.
Figure 11-1 The permissions dialog box
7. Repeat steps 5 and 6 to configure access for additional users.8. Click OK twice.Additionally, there are more than a dozen special permissions that you can assign to a user orgroup. To assign special permissions, click the Advanced button in the Security tab of the fileor folder Properties dialog box, as shown in Figure 11-2.To configure NTFS file permissions from a command prompt or script, use the Icacls command.For complete usage information, type icacls /? at a command prompt.NTFS file permissions are in effect whether users are logged on locally or accessing foldersacross the network.
Figure 11-2 The Security tab
One of the most common ways for users to collaborate is by storing documents in shared folders.Shared folders allow any user with access to your network and appropriate permissions toaccess files. Shared folders also allow documents to be centralized, where they are more easilymanaged than if they were distributed to thousands of client computers.Although all versions of Windows since Windows For Workgroups 3.11 have supported filesharing, Windows Server 2008 adds the File Services server role, which includes a robust setof features for sharing folders and managing shared files. With the improved disk quota capability,Windows can notify users and administrators if individual users consume too muchdisk space. DFS provides a centralized directory structure for folders shared from multiplecomputers and is capable of automatically replicating files between folders for redundancy.Offline Files automatically copy shared files to mobile computers so that users can access thefiles while disconnected from the network.
Installing the File Services Server Role
Windows Server 2008 can share folders without adding any server roles. However, adding theFile Services server role adds useful management tools along with the ability to participate inDFS namespaces, configure quotas, generate storage reports, and other capabilities. To installthe File Services server role, follow these steps:1. In Server Manager, select and then right-click Roles. Choose Add Role.The Add Roles Wizard appears.2. On the Before You Begin page, click Next.3. On the Server Roles page, select the File Services check box. Click Next.4. On the File Services page, click Next.5. On the Select Role Services page, select from the following roles: File Server Although not required to share files, adding this core role serviceallows you to use the Share And Storage Management snap-in. Distributed File System Enables sharing files using the DFS namespace and replicatingfiles between DFS servers. If you select this role service, the wizard willprompt you to configure a namespace. File Server Resources Manager Installs tools for generating storage reports, configuringquotas, and defining file screening policies. If you select this role service, thewizard will prompt you to enable storage monitoring on the local disks. Services for Network File System Provides connectivity for UNIX client computersthat use Network File System (NFS) for file sharing. Note that most modernUNIX operating systems can connect to standard Windows file shares, so this serviceis typically not required. Windows Search Service Indexes files for faster searching when clients connect toshared folders. This role service is not intended for enterprise use. If you select thisrole service, the wizard will prompt you to enable indexing on the local disks. Windows Server 2003 File Services Provides services compatible with computersrunning Windows Server 2003.6. Respond to any roles service wizard pages that appear.7. On the Confirmation page, click Install.8. On the Results page, click Close.You can access the File Services tools using the Roles\File Services node in Server Manager.Using QuotasWhen multiple users share a disk, whether locally or across the network, the disk will quicklybecome filledusually because one or two users consume far more disk space than the rest.Disk quotas make it easy to monitor users who consume more than a specified amount of diskspace. Additionally, you can enforce quotas to prevent users from consuming more disk space(although this can cause applications to fail and is not typically recommended).With Windows Server 2008 you should use the Quota Management console to configure diskquotas. You can also configure quotas using the DirQuota command-line tool. Additionally,you can configure disk quotas by using Group Policy settings or by using Windows Explorer.The sections that follow describe each of these techniques.Configuring Disk Quotas Using the Quota Management Console
After installing the File Server Resource Manager role service, you can manage disk quotasusing the Quota Management console. In Server Manager, you can access the snap-in atRoles\File Services\Share And Storage Management\File Server Resource Manager\QuotaManagement. The Quota Management console provides more flexible control over quotas andmakes it easier to notify users or administrators that a user has exceeded a quota threshold orto run an executable file that automatically clears up disk space.Creating Quota Templates The Quota Management snap-in supports the use of quota templates.You can use a quota template to apply a set of quotas and response behavior to volumes.Windows Server 2008 includes the following standard templates: 100 MB Limit Defines a hard quota (a quota that prevents the user from creating morefiles) of 100 MB per user, with e-mail warnings sent to the user at 85 percent and 95percent. At 100 percent of the quota, this template sends an e-mail to the user and toadministrators. 200 MB Limit Reports To User Defines a hard quota of 200 MB per user, with e-mailwarnings sent to the user at 85 percent and 95 percent. At 100 percent of the quota, thistemplate sends an e-mail to the user and to administrators and sends a report to the user. 200 MB Limit With 50 MB Extension Defines a 200 MB quota. When the 200MB quotais reached, the computer sends an e-mail to the user and administrators and then appliesthe 250 MB Extended Limit quota to grant the user additional capacity. 250 MB Extended Limit Primarily used with the previous quota template to provide theuser an additional 50 MB of capacity. This template prevents the user from exceeding250 MB. Monitor 200 GB Volume Usage Provides e-mail notifications when utilization reaches70 percent, 80 percent, 90 percent, and 100 percent of the 200 GB soft quota. Monitor 500 MB Share Provides e-mail notifications when utilization reaches 80 perc