Module 6: Securing Network Resources with NTFS Permissions
Introduction to NTFS Permissions |
- NTFS permissions are permissions that are only available on
a volume that has only been formatted with the Windows NT file system (NTFS). NTFS
permissions provide a great degree of security because they can be assigned to folders and
to individual files. They are sometimes referred to as local permissions.
- You use NTFS permissions to protect resources from users
who access the computer; locally and remotely.
NTFS Permission |
For a folder - a user can: |
For a file - a user can: |
Read (R) |
Display folder
- names,
- attributes,
- owner and permissions
|
Display file
- data,
- attributes,
- owner, and permissions
|
Write (W) |
- Add files and folders,
- change a folder's attributes, and display owner and permissions
|
- Change file attributes,
- create data in and
- append data to a file
- display owner and permissions,
|
Execute (X) |
- Display folder attributes
- make changes to folders within a folder
- display owner and permissions
|
- Display file attributes
- owner and permissions
- Run a file if it is an executable
|
Delete (D) |
Delete a folder |
Delete a file |
Change Permission (P) |
Change a folder's permissions |
Change a file's permissions |
Take Ownership (O) |
Take ownership of a folder |
Take ownership of a file |
Note: |
On a NTFS volume, the person who creates a file or folder
becomes the owner. The owner can always assign and change permissions on a file or folder. |
Standard Permissions:
Are combinations of individual NTFS permissions. They
simplify administration by giving you the ability to assign combinations of individual
permissions at one time.
Standard Shared Folder Permissions
Standard
permission |
Individual
permission on folders |
Individual
permissions on files in the folder |
No Access |
None |
None |
List |
RX |
Not specified |
Read |
RX |
RX |
Add |
WX |
Not specified |
Add & Read |
RWX |
RX |
Change |
RWXD |
RWXD |
Full Control |
All |
All |
Standard File Permissions
The following table lists the standard file permissions
and the individual NTFS permissions that each standard file permission represents:
Standard
permission |
Individual
permission |
No Access |
None |
Read |
RX |
Change |
RWXD |
Full Control |
All (RWXDPO) |
How NTFS permissions are
applied
- User can be assigned permissions directly or as a member of
a group.
- User might be a member of several groups with different
permissions.
- NTFS file permissions take precedence over the permissions
assigned for the folder that the file is contained in.
- AGAIN, File Permissions OVERRIDE FOLDER
PERMISSIONS
- even in a NO ACCESS folder the user can access
the files via UNC or local path if he has permissions to the FILE.
Combining Shared Folder and NTFS Permissions
- You gain the greatest degree of security by combining NTFS
permissions with shared folder permissions.
- The most restrictive permission is always the effective
permission.
- Shared folder permissions offer limited security because:
- Give user same level of access to all folders and files
within the shared folder.
- Have no affect when a user accesses the resource locally.
- Cannot be used to secure individual files.
You gain the greatest degree of security by combining NTFS
permissions with shared folder permissions. The most restrictive permission is always the
effective permission.
Guidelines for assigning NTFS
Permissions
- Application Folders:
- Remove default permission Full Control from Everyone and
assign it to Administrator.
- If applications are contained in shared folders, assign
Users group Read permission.
- Data Folders:
- Remove default permission Full Control from Everyone and
assign it to Administrator.
- Assign Users group Add & Read permissions and the
Creator Owner special identity Full Control permission to data folders. This gives users
who log on locally the ability to delete and modify only the files and folders that they
create.
- Educate users that share a computer to assign NTFS
permissions to folders and files they own.
- Home folders:
- Centralize home folders on a network volume separate from
applications and the operating system to streamline backing up data and administration.
- Use the %Username% variable to automatically assign a users
account name to the folder the NTFS Full Control Permission.
- Store home folders on an NTFS volume on a network server
- This simplifies backup
- streamlines the assignment of permissions
- NOTE:
- On NTFS volumes, using %username% automatically
assigns Everyone Full Control permissions to home folders
- On FAT volumes, folders can only be restricted by shared
folder permissions.
Assigning NTFS Permissions:
To assign NTFS permissions, you need to be the OWNER of
the folder or file and have one of the following permissions:
- Requirements to assign NTFS
permissions
- Be the owner
- Have full control
- Have Special Access: Change Permission
- Special Access: Take Ownership
- With this permission you first take ownership and then as
the owner can change permissions
- Default NTFS permissions
- Volume is NTFS formatted, the permission Full Control to
Everyone
- This means that all Users with the right to Log on
Locally have complete access to the volume
- When folder or file is created on an NTFS volume, it
inherits the permission of the folder containing it.
Assigning NTFS File and Folder Permissions
- To assign NTFS permissions for files or folders right click
in Explorer and select Properties. Click Security tab and click Permissions. In the
Directory Permissions or File_name Permissions dialog box, configure the following
options.
Option |
Purpose |
Replace Permissions on Subdirectories |
- If selected, changes existing permissions for ALL folders within the selected
folder's hierarchy
- This option doesn't change permissions on existing files in the folder hierarchy
- This check box is cleared by default and is an option ONLY when assigning folder
permissions
|
Replace Permissions on Existing Files |
- If selected, changes existing permissions for all files within the selected folder only.
- It doesn't change file permissions for folders within the same hierarchy
- This check box is cleared by default and is an option ONLY when assigning folder
permissions
|
Name |
- Displays the folder or file permissions assigned to a group or user for the resource
- The first set of parentheses indicates the folder permissions and the second set of
parentheses indicates the permissions for any new files created in the folder
|
Type of Access |
- Displays the folder or file permissions for the selected group or user in the NAME box
and allows you to change the permission assigned to the selection
|
Assigning Special Access Permissions
You might want to assign individual permissions, or create
a custom set of permissions. You can do this by assigning special permissions. For
example, to allow another user to manage permissions for files you own, assign that user
the special file access permission Change Permissions (P).
NOTE: This is also here to give UNIX users full
individual rights instead of giving them FULL CONTROL. With Full Control, a UNIX user can
delete a folder or file even though there are NO ACCESS permissions on the object.
Assigning individual rights to this user gets around this.
How to get there?
- right-click on folder or file
- Click Properties
- Click Permissions
- Select a user or group name
- In the Type of Access list, click Special
Directory Access or Special File Access
- click the appropriate permission, then OK
Requirements to Take Ownership:
Whoever creates a folder or file OWNS it ==>'s user can
share folder and assign permissions to others
If the user has denies access to a file and then leaves
the company, you can take ownership of the file and change the permissions so that others
can use it.
By default, members of the Administrators group always
have the ability to take ownership of a file or folder. An owner cannot change the
ownership of a resource they own.
REMEMBER, YOU CAN'T GIVE OWNERSHIP AWAY, YOU CAN ONLY TAKE
IT. The owner can only give another user or group the ABILITY to take ownership of a
file or folder by assigning one of the following permissions:
- Full Control
- Special Access, Take Ownership
- Special Access, Change Permissions - with this
permission, users can assign the Take Ownership permission to themselves or to
another user or group
Copying or Moving Folders and Files
(sure exam question area)
A user cannot copy or move files within or between NTFS
volumes, unless the user has the correct permissions. The following table describes the
required permissions to copy or move a file or folder to another folder on an NTFS volume
or to another NTFS volume.
Action |
Permission
required |
Copy |
- Add permission for the destination folder
|
Move |
- Add permission for the destination folder and
- Delete for the source folder
|
Permissions and Copying and moving files
Copying and moving files or folders within and between
NTFS volumes can affect the original permissions set on a file. The following table
describes what happens to permissions on a folder or file when copied or moved within or
between an NTFS volume.
Task |
Within an
NTFS volume |
Between
NTFS volumes |
Copy |
Inherits permissions of the
destination folder |
Inherits permissions of the
destination folder |
Move |
Retains
original permissions |
Inherits permissions of the
destination folder |
The rule is, then, the ONLY time the
permissions are retained is when the file is moved within the same NTFS volume. A
move is a copy or delete operation and it merely changes the pointer to the file.
Important Note:
- The user who copies the file/folder becomes owner.
- Files and folders that are copied or moved to FAT volumes lose
their permissions, because FAT volumes do not support NTFS permissions.
Troubleshooting
Problem: a user deletes a file even though he was assigned
NO ACCESS permission for the file
Instead of assigning the NTFS standard Full Control
permission for a folder, assign all of the individual special directory access
permissions. This gives all the abilities of the Full Control permissions for the folder
by PREVENTS them from deleting files in the folder (for which they have been assigned NO
ACCESS)
You add a user or group to give them access to an
resource, but they still can't get access
- User must log off and then on again OR
- if on a remote computer, disconnect and connect
|