Windows

 

  • Windows NT 4.x offers several levels of access control:
    1. Share-level permissions
    2. Directory-level permissions (only with NTFS)
    3. File-level permissions (only with NTFS)
    • Some consider "File Ownership" an additional level of access control (only with NTFS).



  • Advantages of using NTFS:
    1. Allows access permissions to be set on Directories and Files.
      (The File & Directory security is enforced whether you are networked or not.)
    2. NTFS uses disk space more efficiently (sparingly) than does FAT.
      (slack space per file is never more than 512 bytes)
    3. Faster access to files.
    4. File and Directory names can be up to 254 characters.
      • Long filenames are also supported under FAT.
      • Long filenames are automatically converted to 8.3 for DOS programs.
    5. Directories are automatically sorted.
    6. Support for upper- and lowercase letters in filenames.
    7. You can share volumes with a Macintosh.

    • Windows NT 4.x does not have a provision for user Disk Quotas.


  • Share-level Permissions: are enforced by the File Server software over the network. (They have no effect for users with physical access to the server.)

    • To set Share-Level permissions, use the Sharing tab from the File or Directory Properties dialog box. (You will see the Sharing tab whether you are on an NTFS volume or not.)
    • Windows NT 4.x can only share directories, not individual files.
    • To create a Share on a WinNT Server, you must be logged on as a member of the Administrators group or Server Operators group.
    • ACL - The entire list of permissions for a Share is called the Access Control List.

    • Hidden Shares (shares that do not appear in the browse list) can be created by having a '$' as the last character of the Share name.
    • Windows NT creates default hidden shares at the root of each partition and CD-ROM drive (i.e. C$, D$, E$, etc.) and the ADMIN$ share for the directory WinNT is installed in. Only Administrators can get to these hidden shares.

    • The share NETLOGON created on the PDC is the directory where logon scripts and policies are stored.

    The Share-level permissions are:

    1. No Access - prevents access to the shared directory, its subdirectories, and its files.
      (one No Access trumps all other share access permissions)
    2. Read - allows viewing contents, running programs, and changing to sub-directories.
    3. Change - (Read & Write) allows viewing contents, running programs, and changing to sub-directories, as well as changing and deleting files. (ie. full-access except permission to change ownership and permissions.)
    4. Full-Control - full Read & Write access (Change) AND the permission to change ownership and file & directory permissions. (Full-Control is only relevant with NTFS; under FAT there is no difference between Change and Full-Control.)


  • File & Directory Permissions: are enforced by the File System, which must be NTFS. NOTE: NTFS enforces File & Directory permissions even on "non-shared" areas of the disk and whether or not you are networked (ie. local physical access).

    • To access data across the network with NTFS, you must have Share-Level permission and File & Directory permissions.

    • To set File & Directory permissions, use the Security tab from the File or Directory Properties dialog box. (Remember, you will not see the Security tab unless you are on a NTFS volume.)

    File Permissions - [R W X D P O]
    R Read allows display of a file's data and attributes
    W Write allows changing a file's data and attributes
    X eXecute allows running program files and displaying attributes, permissions, and owner (Note: does not include Read permission)
    D Delete allows deletion of a file (does not seem to work in 4.x for files, i.e. if the user has Write permission, then they can also delete the file.)
    P Permission allows changing file permissions
    O Ownership allows changing a file's owner
    * No Access any No Access permission for the user, or any group the user is a member of, overrides all other permissions

    Directory Permissions - [R W X D P O]
    R Read allows display of the filenames and file attributes in a directory
    W Write allows creating subdirectories and changing attributes
    X eXecute allows display of attributes, permissions, and owner (if you also have Read permission) and changing to subdirectories (traversing subdirectories)
    D Delete allows deletion of a directory (does work; see file permissions)
    P Permission allows changing directory permissions
    O Ownership allows changing a directory's owner
    * No Access any No Access permission for the user, or any group the user is a member of, overrides all other permissions



  • Special Directory Permissions:
    List is actually (RX) above (Read & eXecute): for a directory, you can see the directory and traverse it.
    Add is actually (WX) above (Write & eXecute): you can add files to a directory and traverse the directory structure.
    Add & Read is actually (RWX) above (Read, Write, & eXecute): you can navigate, look at, and change the directory trees.



  • What is the Bypass Traverse Checking Advanced Right?
    • If you have the Bypass Traverse Checking right, then having Read permission to a directory will essentially allow both Read & eXecute access to the directory. (Remember, Read access to a directory is permission to see files in the directory, while eXecute permission allows changing to subdirectories in the directory (traversing directories).)
    • By default, this right is given to the Everyone group. (Which is why new WinNT administrators have a hard time seeing the difference between having Read permission to a directory and having Read & eXecute permission.)



  • File Permissions for newly Copied, Created, or Moved Files:
    • When you Copy (or Create) a file to a directory, the newly created file or copy takes on the permissions of the directory it is in.
    • When you Move a file, it takes its permissions with it.
    • Whether you Move, Copy or Create a file, you assume Ownership of the file.



  • File Ownership:
    • A File or Directory's Owner is the user who can always modify that object's permissions, no matter what entries are in the object's ACL. (Ordinarily only an Administrator can always control an object's permissions.)
    • To see who an object's owner is, right-click on the File or Directory and select Properties, click the Security tab, then click the [Ownership] button.

    • The Administrator can always take ownership of a File or Directory. To do so: right-click on the File or Directory and select Properties, click the Security tab, click the Ownership button, then click the Take Ownership button.
    • Once taken, Ownership cannot be given back. This means that if the Administrator is locked out of a file or directory by a "No Access" permission, the Administrator can gain access by "taking ownership" of the object, then changing the ACL. But the Administrator cannot give "Ownership" back, so an audit trail is left.
      (Of course the Administrator could give the original user "Full Access", log in as the user, and "take ownership" of the object... but that requires knowing the user's password. The Administrator could always change the user's password to log in as the user, but there is no way of knowing what the original password was...)



  • Permissions & Ownership Summary:
    • New Files and new subdirectories inherit permissions from the directory they are created in.
    • The user who creates a new file or directory is the owner. Ownership is the ability to always control access by changing ACL permissions (NTFS only).
    • When you change permissions on an existing directory, you can choose whether or not to apply the changes to all the files and subdirectories in the directory.
    • Users and groups can be denied access to a file or directory simply by not granting the user or group permission for it. You do not have to assign "No Access" to those users or groups you wish to keep out.
    • Permissions are cumulative, except for "No Access". Any "No Access" overrides all other permissions a user might have had by user or group permissions.


  • Securing User Home Directories with File & Directory Permissions:
    A user's home directory is a directory on the network server that belongs to the user alone; no one else has access to that directory (except the Administrator). A C:\USERS directory is automatically created when you install WinNT. Users' home directories can be individually secured with Share-Level permissions, but this is a lot of work and would create a very large browse list. A better way is to secure User Home Directories using File & Directory permissions:

    1. Be sure the \USERS directory is on an NTFS partition. (You must be using NTFS or you will not see the Security tab.) From Explorer, right-click on the USERS folder and select properties.
    2. From the Sharing tab, share the USERS directory, giving Full Control to the Everyone group. (Share-level Permissions, remember - these will be overridden by File & Directory permissions.)
    3. From the Security tab, set the directory permissions to Read and Execute (List) for the Everyone group and Full Control for Administrators. Set the file permissions to None for the Everyone group and Full Control for Administrators.

      • Steps 1, 2, & 3 need only be done once.
        When finished the permissions for USERS should look like...
        Everyone Special Access (RX)(None)
        Administrators Full Control (All)(All)
      • For each individual user perform the following steps...

    4. A directory for each user should already be created under \USERS. From Explorer, right-click on the user's directory, choose Properties, then click on the Security tab.
    5. Click Permissions to see the Directory Permissions dialog box.
    6. Click the Remove button to remove all entries from the dialog box.
    7. Click the Add button to add the user. (You will see the Add Users and Groups dialog box)
    8. Click the Show Users button to display the names of individual users. (Instead of Groups)
    9. Select the correct user, click Add, and choose Full Control in the Type of Access: list box.
    10. Click OK (three times to get back to the Desktop)
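    The rules from the Permissions & Ownership Summary and the \USERS procedure above can be checked with a small model of how NT combines permissions: user and group entries are cumulative, one "No Access" wins, over the network the share-level and NTFS permissions are intersected, and Bypass Traverse Checking turns Read on a directory into Read & eXecute. This is an added example written for this page, not Microsoft code; the user names, group memberships, and the dictionary ACL format are assumptions, and every object is treated as a directory.

```python
# Simplified model of how Windows NT 4.x combines share-level and NTFS permissions.
# Added example for this page, not Microsoft code; the principal names, group
# memberships and dict-based ACL format are assumptions for illustration.
from typing import Dict, Iterable, Set, Union

NO_ACCESS = "NoAccess"
FULL: Set[str] = set("RWXDPO")            # Full Control = all six NTFS permission bits
# Share-level permissions expressed as the NTFS bits they let through over the network
SHARE_LEVELS = {"Read": set("RX"), "Change": set("RWXD"), "FullControl": FULL}
Acl = Dict[str, Union[str, Set[str]]]     # principal -> NoAccess, share level, or NTFS bits

def cumulative(acl: Acl, principals: Iterable[str], table=None) -> Set[str]:
    """Rights granted to a user and each group they belong to add up (cumulative),
    but one No Access entry for any of those principals overrides everything."""
    rights: Set[str] = set()
    for p in principals:
        entry = acl.get(p)
        if entry is None:
            continue                      # not listed in the ACL = nothing granted
        if entry == NO_ACCESS:
            return set()                  # No Access trumps every other entry
        rights |= table[entry] if table else set(entry)
    return rights

def effective_access(share_acl: Acl, ntfs_acl: Acl, principals: Iterable[str],
                     over_network: bool = True, bypass_traverse: bool = True) -> Set[str]:
    """Over the network you need both share-level and NTFS permission, so the result
    is their intersection; locally only NTFS counts. Bypass Traverse Checking (held by
    Everyone by default) makes Read on a directory behave like Read & eXecute."""
    principals = list(principals)
    ntfs = cumulative(ntfs_acl, principals)
    if bypass_traverse and "R" in ntfs:
        ntfs = ntfs | {"X"}
    if not over_network:
        return ntfs
    return ntfs & cumulative(share_acl, principals, SHARE_LEVELS)

# Constructed data mirroring the page's \USERS procedure (user and group names assumed)
USERS_SHARE: Acl = {"Everyone": "FullControl"}                    # step 2
USERS_DIR: Acl = {"Everyone": set("RX"), "Administrators": FULL}  # step 3
ALICE_DIR: Acl = {"alice": FULL}                                  # steps 6-9: owner only
MEMBERSHIP = {"alice": ["alice", "Everyone"], "bob": ["bob", "Everyone"],
              "admin": ["admin", "Everyone", "Administrators"]}

def who_can(user: str, ntfs_acl: Acl, **kw) -> str:
    """Effective NTFS bits, as a sorted string, for a user reaching a directory
    through the USERS share; '' means no access (an Administrator would have to
    take ownership first, as the page describes)."""
    return "".join(sorted(effective_access(USERS_SHARE, ntfs_acl, MEMBERSHIP[user], **kw)))
```

Running who_can("bob", ALICE_DIR) returns '' while who_can("alice", ALICE_DIR) returns all six bits, which is the outcome steps 6 to 9 are meant to produce.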

aprabul@yahoo.com