NTFS Permissions This chapter discusses resource security using NTFS permissions. It specifically discusses security on files and folders within the NT File System (NFTS). The chapter covers NTFS file and folder permissions, access control lists, using NTFS permissions, planning NTFS permission, using special access permission, copying and moving data with NTFS permissions assigned, and troubleshooting NTFS permission problems. This chapter also introduces you to the next generation of NTFS, NTFS 5.0, which Windows 2000 touts as its standard file system. In addition, this chapter outlines all of the components of using NTFS permissions on a NTFS 5.0 file system effectively on a Windows 2000 network. Defining Special Access Permissions There are fourteen Special Access Permissions, and they provide the finite level of security to resources on a Windows 2000 network that some administrators require. I will use three tables to explain the Special Access Permissions and how they relate to NTFS file and folder permissions. Table 4 lists the Special Access Permissions and provides a description of the kind of access they allow or deny. Permission Description Traverse This allows or denies a user to browse through a folder's subfolders and files Folder/Execute File where he would otherwise not have access. In addition, it allows or denies the user the ability to run programs within that folder. List Folder/Read This allows or denies the user to view subfolders and fill names in the parent Data folder. In addition, it allows or denies the user to view the data within the files in the parent folder or subfolders of that parent. Read Attributes This allows or denies a user to view the standard NTFS attributes of a file or folder. Read Extended This allows or denies the user to view the extended attributes of a file or folder, Attributes which can vary due to the fact that they are defined by the programs themselves. Create Files/Write This allows or denies the user the right to create new files in the parent folder. In Data addition, it allows or denies the user to modify or overwrite existing data in a file. Create This allows or denies the user to create new folders in the parent folder. In Folders/Append addition, it allows or denies the user the right to add data to the end of files. This Data does not include making changes to any existing data within a file. Write Attributes This allows or denies the ability to change the attributes of a files or folder, such as Read-Only and Hidden. Write Extended This allows or denies a user the ability to change the extended attributes of a file Attributes or folder. These attributes are defined by programs and may vary. Delete Subfolders This allows or denies the deleting of files and subfolder within the parent folder. and Files It also true that if this permission is assigned files and subfolders can be deleted even if the Delete special access permission has not been granted. Delete This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete. Read Permissions This allows or denies the user the ability to read the standard NTFS permissions of a file or folder. Change This allows or denies the user the ability to change the standard NTFS permissions Permissions of a files or folder. Take Ownership This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place. Synchronize This allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies to only multithreaded, multiprocessing programs. NOTE: Some of the Special Access Permissions have two parts, as shown in Table 4. The first applies to folders and the second only to files. Remember this when referring to these tables. Now let's look at how these new special access permissions are related to the standard NTFS file permissions. Table 5 displays a cross-reference chart of NTFS file permissions and special access permissions. You will see that the each of the standard NTFS file permissions is actually a group made up of special access permissions. Notice also how the Write NTFS permission is made up of six special access permissions. The Write NTFS permission is actually made up of the Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions, and Synchronize special access permissions. You will find that having these reference tables will be very helpful when deciding which special access permissions to use in your organization. Table 6 displays the same list of special access permissions but shows how they interrelate to the NTFS folder permissions. Change Permissions Two of the special access permissions are particularly useful in application. We discuss here the first one, the Change Permissions special access permission. When using special access permissions it is no longer necessary to assign a user or Windows 2000 administrator the Full Control NTFS permission so that they have the allowed right to change permissions. Using the Change Permissions special access permission a user or Windows 2000 administrator can change permissions to a file or folder. However, they do not have access to delete any files or subfolders. That way the user or Windows 2000 administrator can control the access to the data but not delete any of the data itself. Take Ownership The second particularly useful special access permission is Take Ownership. All files and folders on a nNTFS volume have an owner. By default, the owner is the person installing the volume and formatting it with the NTFS file system. This is usually a Windows 2000 Administrator. File and folder ownership can be transfer to another user or group. You can grant a user account or a user group the ability to take ownership of a file or folder. As an administrator, you have the ability to take control of any files or folders on the NTFS volume. Two hard-and-fast rules apply here. Remember these when thinking about granting someone the ability to take ownership of a file or folder. 1. The owner of a file or folder or any user with the Full Control NTFS permission to a file or folder can assign the Full Control standard NTFS permission or the Take Ownership special access permission, which allows taking control of that file or folder. For instance, if User A has the Full Control standard NTFS permission to D:\Apps and assigns the Take Ownership special access permission to User A, User A can now take ownership of any files or folders in D:\Apps. 2. A Windows 2000 administrator can take ownership of a file or folder at any time. This is one of the inherited rights that administrators have. Administrators can then assign the Take Ownership special access permission to another user or group, so that they can take control of the files and folders in a parent folder. For instance, if User A leaves the organization for another position, a Windows 2000 administrator can assign the Take Ownership special access permission to the former employee's manager for the former employee's files and folders. The manager can then take ownership of those files and folders. NOTE: The Take Ownership special access permission can be assigned to a user account or group. The receiving user account or group can then take ownership of the respected resources. You cannot, however, give ownership of a file or folder to a user account or group. Using Special Access Permissions Special access permissions provide a more finite level of security than the standard NTFS permissions. I suggest learning how to use them in you own environment. This subtopic will give you a quick glance at how to assign special access permissions to an NTFS volume. To set special access permissions to a folder take the following steps: 1. On your Windows 2000 desktop, right-click My Computer. 2. Click Explore. This will start the Windows Explorer. 3. Click the plus sign to the left of an NTFS volume that you would like to view. 4. Find a folder and right-click on that folder. 5. Click the Properties option on the list. 6. Use Alt-Tab to switch to the Securities tab, or select it by clicking on it. 7. Now click Advanced to view the Access Control properties dialog box, as shown in Figure 5. 8. Now click on Add. 9. This opens up the Select User, Compute, or Group dialog box as shown in Figure 6. 10. After you select the object that you would like to add the special access permissions to, click OK. 11. This displays the Permission Entry dialog box, as shown in Figure 7. Now we see that all of the special access permissions are listed in the permissions list box. This is where all special access permission are assigned and denied. Let's discuss the options for a moment. Table 7 lists the options and their descriptions. Permission Description Name This is the user use account or group name that will be affected by the special access permissions. Clicking on the Change command button can change the user account or group affected. Apply onto This dropdown list box lists the level of the folder hierarchy at which the special access permissions being assigned will be applied. Permissions This is a list of all the special access permissions. To allow a special access permission click the check box in the Allow column to the right of the permission. In addition, to deny a special access permission click the check box in the Deny column to the right of the special access permission. Apply these This allows or denies permission inheritance for the parent folder. To allow permissions to objects permission inheritance for the special access permissions being assigned select and/or containers this check box, otherwise clear the check box. within this container only Clear All This clears all of the check boxes in the Allow and Deny columns in the permissions list box. Taking Ownership of Secure Resources A Windows 2000 administrator working with NTFS file and folder permissions should know how to take ownership of a resource. This doesn't mean walking down to the local parts shop and picking up a new hard disk. I am talking about using the Take Ownership special access permission. To take control of a file or folder the user or group member must have the Take Ownership permission assigned to them for that file or folder. Then they must explicitly take ownership of that file or folder. The following is a list of the steps that you would take: 1. On your Windows 2000 desktop, right-click My Computer. 2. Click Explore. This will start the Windows Explorer. 3. Click the plus sign to the left of an NTFS volume that you would like to view. 4. Find a folder and right-click on that folder. 5. Click the Properties option on the list. 6. Use <Alt><Tab> to switch to the Securities tab, or select it by clicking on it. 7. Click Advanced to view the Access Control Settings dialog box. 8. In the Access Control Settings dialog box use <Alt><Tab> to switch to the Owner tab or select it by clicking on it. 9. Select your name in the Change owner to list box. This specifies that you are going to take ownership of the resource. 10. Check the Replace owners on sub containers and objects check box, and click Ok. That is all for special access permissions and how they relate to the standard NTFS permissions. Now you can assign NTFS permissions with ease on your Windows 2000 network, confident that you have the knowledge to do so. COPYING AND MOVING DATA Copying and moving data is something that every administrator does, usually on a pretty frequent basis. When copying files and folders with NTFS permissions assigned to them you need to folder certain guidelines. The NTFS permissions sometimes change as the file and folders are moved or copied. It is important to know these guidelines before you start shuffling data around your Windows 2000 network. This discussion outlines these rules and explains what happens to the NTFS permissions when files and folders are moved or copied. Copying Files and Folders When files and folders on a NTFS volume are copied to another volume, the permissions change. For instance, if you copy a file from one NTFS volume to another NTFS volume, the following things happen if the right criteria are met. The receiving NTFS volume treats the file as a new file. Like any new file, it gains the permissions of the folder it is created in. The user account used to copy the file must have the Write NTFS permission in the destination folder on the receiving volume. The user account used to copy the file becomes the Creator Owner of that file. This means that any permissions assigned to that file before it is copied are lost during the copy itself. If you want to keep those same permissions, they will have to be reassigned at the destination folder. When files and folders are copied from an NTFS volume to a FAT partition, the permissions are lost. This happens because FAT partitions do not support NTFS permissions. Moving Files and Folders When files or folders are copied from an NTFS volume, the permissions change. Now when files or folders are moved from an NTFS volume, the permissions might or might not change. This depends entirely on where the destination folder lies. We can safely assume that when files or folders are moved to a FAT partition, the permissions are lost. That is correct, and for same reason that NTFS permissions are lost when copying files and folders from a NTFS volume to a FAT partition. There are in fact two other cases worth pointing out when moving files and folders from an NTFS volume: moving files and folders within a NTFS volume and moving files and folder to another separate NTFS volume. When moving files and folders within a single NTFS volume, these rules are followed: 1. The files and folders keep the original permissions assigned to them. 2. The user account moving the files and folders must have the Write NTFS permission to the destination folder. 3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder. 4. The user account used to move the files and folders becomes the Creator Owner of those files and folders. When moving files and folders from one NTFS volume to a separate NTFS volume, these are the rules followed: 1. The files and folders being moved inherit the permissions of the destination folder. For example, if you move a file from a folder that has Everyone with Read permission into a folder on another partition that has permissions only allowing Domain Admins Read access, the file will now carry the latter security settings. 2. The user account moving the files and folders must have the Write NTFS permission to the destination folder, since a move is really a combination copy/delete. 3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder. 4. The user account used to move the files and folders becomes the Creator Owner of those files and folders. TROUBLESHOOTING PERMISSIONS PROBLEMS The number one goal of a Windows 2000 administrator should be making sure that resources are always available to the users. This includes many things, but I'm talking here about the secure data on the network. If users cannot access the data they need to do their job, production slows. Now your boss is breathing down you neck, asking why the users can't get to their data, and how long will it take for you to fix the NTFS permission problem. This discussion will lay down some rules on NTFS permission problems. The topics include avoiding NTFS permission problems and troubleshooting NTFS permission problems. Avoiding NTFS Permission Problems Avoiding permission problems involves following some basic guidelines. Below is a list of do's and don'ts when assigning NTFS permissions on a NTFS 5.0 file system. Use this list as a reference when assigning NTFS permissions on your Windows 2000 network. When assigning NTFS permissions, try to assign only enough access for a user or group of users to perform their job. Try not to assign any NTFS permissions at the file level. This increases the complexity of managing the permissions. Assign the NTFS permissions at the folder level only. If several files require the same access, move them to a common folder and assign the permissions to that folder. Application executables should have Read & Execute and Change assigned to the Administrators group. The Users group, on the other hand, should have only Read & Execute. This will prevent users or a virus from modifying the files. When an administrator wants to update the application executables, he or she can temporarily assign himself or herself Full Control to perform the task. Assign Full Control to the Creator Owner of public folders and the Read and Write NTFS permissions to the Everyone group. This way users have full access to the files that they create, but the members of the Everyone group can only read and create files in the folder. Try not to deny any NTFS permissions. If you have to do this to a user or group, document it well and state that this is a special case. Instead of denying access to a resource by denying NTFS permissions, don't assign the permissions to gain access. Troubleshooting NTFS Permissions This topic is designed to help you troubleshoot the most common NTFS permission problems. Table 8 lists the most common ones and solutions. Problem Solution A user or group cannot access a Check the permissions assigned to the user or group. Permissions file or folder. may not be assigned for the selected resource, or permission could be denied. In addition, the permissions could have been changed if the file or folder has been copied or moved. The administrator assigns Ask the user to log off and then log back on. When the user logs access to a group for a selected back on, his NTFS permission are updated to include the new file or folder, but the users of group that they were added to. Another way to update a user's that group still cannot access permissions is to ask them to disconnect the network drive on the file or folder. which the file or folder resides and then reconnect it. This forces the permissions to update on the reconnect of the network drive. A user with Full Control to file Open the Permission Entry box for that folder and remove the has deleted some files in a Delete Subfolders and Files special access permission for that user. folder, and you want to prevent them from doing it again. With a little perseverance any NTFS permission problem can be solved, and I hope that this table provides a starting point for the resolution. CHAPTER SUMMARY We discussed the many faces of NT File System (NTFS) permissions being utilized on a Windows 2000 network. Now we know that the standard file system for Windows 2000 is NTFS 5.0, and that NTFS permissions can be assigned only on an NTFS formatted volume. We learned the effects of assigning multiple permissions to a single resource and how to use permission inheritance effectively. For administrators in need of a more granular level of security on file and folder resources, we now know that special access permissions are available. When possible, permissions should be applied at the folder level rather than the file level for ease of administration. Also, it is important to remember that a permission of No Access will always override any other permissions assigned. Use this setting sparingly; it is usually better to simply omit a user account from the Access Control Lists (ACL) than to explicitly list the account with No Access specified.
Pages to are hidden for
"ntfs permissionsdoc"Please download to view full document