Windows NT Server 4.0 Administration Notes


Module 6: Securing Network Resources with NTFS Permissions

Introduction to NTFS Permissions
  • NTFS permissions are permissions that are only available on a volume that has only been formatted with the Windows NT file system (NTFS). NTFS permissions provide a great degree of security because they can be assigned to folders and to individual files. They are sometimes referred to as local permissions.
    • You use NTFS permissions to protect resources from users who access the computer; locally and remotely.
  • NTFS permissions are:
NTFS Permission For a folder - a user can: For a file - a user can:
Read (R) Display folder
  • names,
  • attributes,
  • owner and permissions
Display file
  • data, 
  • attributes, 
  • owner, and permissions
Write (W)
  • Add files and folders,
  • change a folder's attributes, and display owner and permissions
  • Change file attributes, 
  • create data in and
  • append data to a file
  • display owner and permissions,
Execute (X)
  • Display folder attributes
  • make changes to folders within a folder
  • display owner and permissions
  • Display file attributes
  • owner and permissions
  • Run a file if it is an executable
Delete (D) Delete a folder Delete a file
Change Permission (P) Change a folder's permissions Change a file's permissions
Take Ownership (O) Take ownership of a folder Take ownership of a file
Note:
On a NTFS volume, the person who creates a file or folder becomes the owner. The owner can always assign and change permissions on a file or folder.

Standard Permissions:

Are combinations of individual NTFS permissions. They simplify administration by giving you the ability to assign combinations of individual permissions at one time.

Standard Shared Folder Permissions
 

Standard permission Individual permission on folders Individual permissions on files in the folder
No Access None None
List RX Not specified
Read RX RX
Add WX Not specified
Add & Read RWX RX
Change RWXD RWXD
Full Control All All

Standard File Permissions

The following table lists the standard file permissions and the individual NTFS permissions that each standard file permission represents:

Standard permission Individual permission
No Access None
Read RX
Change RWXD
Full Control All (RWXDPO)

How NTFS permissions are applied

  • User can be assigned permissions directly or as a member of a group.
  • User might be a member of several groups with different permissions.
  • NTFS file permissions take precedence over the permissions assigned for the folder that the file is contained in.
  • AGAIN, File Permissions OVERRIDE FOLDER PERMISSIONS
    • even in a NO ACCESS folder the user can access the files via UNC or local path if he has permissions to the FILE.

Combining Shared Folder and NTFS Permissions

  • You gain the greatest degree of security by combining NTFS permissions with shared folder permissions.
  • The most restrictive permission is always the effective permission.
  • Shared folder permissions offer limited security because:
    • Give user same level of access to all folders and files within the shared folder.
    • Have no affect when a user accesses the resource locally.
    • Cannot be used to secure individual files.

You gain the greatest degree of security by combining NTFS permissions with shared folder permissions. The most restrictive permission is always the effective permission.

Guidelines for assigning NTFS Permissions

  • Application Folders:
    • Remove default permission Full Control from Everyone and assign it to Administrator.
    • If applications are contained in shared folders, assign Users group Read permission.
  • Data Folders:
    • Remove default permission Full Control from Everyone and assign it to Administrator.
    • Assign Users group Add & Read permissions and the Creator Owner special identity Full Control permission to data folders. This gives users who log on locally the ability to delete and modify only the files and folders that they create.
    • Educate users that share a computer to assign NTFS permissions to folders and files they own.
  • Home folders:
    • Centralize home folders on a network volume separate from applications and the operating system to streamline backing up data and administration.
    • Use the %Username% variable to automatically assign a users account name to the folder the NTFS Full Control Permission.
    • Store home folders on an NTFS volume on a network server
      • This simplifies backup
      • streamlines the assignment of permissions
    • NOTE:
      • On NTFS volumes,  using %username% automatically assigns Everyone Full Control permissions to home folders
      • On FAT volumes, folders can only be restricted by shared folder permissions.

Assigning NTFS Permissions:

To assign NTFS permissions, you need to be the OWNER of the folder or file and have one of the following permissions:

  • Requirements to assign NTFS permissions
    • Be the owner
    • Have full control
    • Have Special Access: Change Permission
    • Special Access: Take Ownership
      • With this permission you first take ownership and then as the owner can change permissions
  • Default NTFS permissions
    • Volume is NTFS formatted, the permission Full Control to Everyone
      • This means that all Users with the right to Log on Locally have complete access to the volume
    • When folder or file is created on an NTFS volume, it inherits the permission of the folder containing it.

Assigning NTFS File and Folder Permissions

  • To assign NTFS permissions for files or folders right click in Explorer and select Properties. Click Security tab and click Permissions. In the Directory Permissions or File_name Permissions dialog box, configure the following options.
Option Purpose
Replace Permissions on Subdirectories
  • If selected, changes existing permissions for ALL folders within the selected folder's hierarchy
  • This option doesn't change permissions on existing files in the folder hierarchy
  • This check box is cleared by default and is an option ONLY when assigning folder permissions
Replace Permissions on Existing Files
  • If selected, changes existing permissions for all files within the selected folder only.
  • It doesn't change file permissions for folders within the same hierarchy
  • This check box is cleared by default and is an option ONLY when assigning folder permissions
Name
  • Displays the folder or file permissions assigned to a group or user for the resource
  • The first set of parentheses indicates the folder permissions and the second set of parentheses indicates the permissions for any new files created in the folder
Type of Access
  • Displays the folder or file permissions for the selected group or user in the NAME box and allows you to change the permission assigned to the selection

Assigning Special Access Permissions

You might want to assign individual permissions, or create a custom set of permissions. You can do this by assigning special permissions. For example, to allow another user to manage permissions for files you own, assign that user the special file access permission Change Permissions (P).

NOTE: This is also here to give UNIX users full individual rights instead of giving them FULL CONTROL. With Full Control, a UNIX user can delete a folder or file even though there are NO ACCESS permissions on the object. Assigning individual rights to this user gets around this.

How to get there?

  • right-click on folder or file
  • Click Properties
  • Click Permissions
  • Select a user or group name
  • In the Type of Access list, click Special Directory Access or Special File Access
  • click the appropriate permission, then OK

Requirements to Take Ownership:

Whoever creates a folder or file OWNS it ==>'s user can share folder and assign permissions to others

If the user has denies access to a file and then leaves the company, you can take ownership of the file and change the permissions so that others can use it.

By default, members of the Administrators group always have the ability to take ownership of a file or folder. An owner cannot change the ownership of a resource they own.

REMEMBER, YOU CAN'T GIVE OWNERSHIP AWAY, YOU CAN ONLY TAKE IT.  The owner can only give another user or group the ABILITY to take ownership of a file or folder by assigning one of the following permissions:

  • Full Control
  • Special Access, Take Ownership
  • Special Access, Change Permissions - with this permission, users can assign the Take Ownership permission to themselves or to another user or group

Copying or Moving Folders and Files

(sure exam question area)

A user cannot copy or move files within or between NTFS volumes, unless the user has the correct permissions. The following table describes the required permissions to copy or move a file or folder to another folder on an NTFS volume or to another NTFS volume.

Action Permission required
Copy
  • Add permission for the destination folder
Move
  • Add permission for the destination folder and
  • Delete for the source folder

Permissions and Copying and moving files

Copying and moving files or folders within and between NTFS volumes can affect the original permissions set on a file. The following table describes what happens to permissions on a folder or file when copied or moved within or between an NTFS volume.
 

Task Within an NTFS volume Between NTFS volumes
Copy  Inherits permissions of the destination folder Inherits permissions of the destination folder
Move Retains original permissions Inherits permissions of the destination folder

The rule is, then, the ONLY time the permissions are retained is when the file is moved within the same NTFS volume. A move is a copy or delete operation and it merely changes the pointer to the file.

Important Note:

  • The user who copies the file/folder becomes owner.
  • Files and folders that are copied or moved to FAT volumes lose their permissions, because FAT volumes do not support NTFS permissions.

Troubleshooting

Problem: a user deletes a file even though he was assigned NO ACCESS permission for the file

Instead of assigning the NTFS standard Full Control permission for a folder, assign all of the individual special directory access permissions. This gives all the abilities of the Full Control permissions for the folder by PREVENTS them from deleting files in the folder (for which they have been assigned NO ACCESS)

You add a user or group to give them access to an resource, but they still can't get access

  • User must log off and then on again OR
  • if on a remote computer, disconnect and connect

    Because an ACCESS TOKEN is created for the user every time the user connects to NT. This token contains info about the groups to which the user belongs. The token needs to be updated and the only way to do that is by logging on fresh again.

 

 


E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada