NTFS Permissions
This chapter discusses resource security using NTFS permissions. It specifically discusses security on files and
folders within the NT File System (NTFS). The chapter covers NTFS file and folder permissions, access control
lists, using NTFS permissions, planning NTFS permissions, using special access permissions, copying and
moving data with NTFS permissions assigned, and troubleshooting NTFS permission problems. This chapter
also introduces you to the next generation of NTFS, NTFS 5.0, which Windows 2000 touts as its standard file
system. In addition, this chapter outlines all of the components of using NTFS permissions on an NTFS 5.0 file
system effectively on a Windows 2000 network.
Defining Special Access Permissions
There are fourteen Special Access Permissions, and they provide the fine-grained level of security to resources on a
Windows 2000 network that some administrators require. I will use three tables to explain the Special Access
Permissions and how they relate to NTFS file and folder permissions. Table 4 lists the Special Access
Permissions and provides a description of the kind of access they allow or deny.
Table 4. Special Access Permissions

Traverse Folder/Execute File
    This allows or denies a user the ability to browse through a folder's subfolders and files where he would
    otherwise not have access. In addition, it allows or denies the user the ability to run programs within that
    folder.

List Folder/Read Data
    This allows or denies the user the ability to view subfolders and file names in the parent folder. In addition,
    it allows or denies the user the ability to view the data within the files in the parent folder or subfolders of
    that parent.

Read Attributes
    This allows or denies a user the ability to view the standard NTFS attributes of a file or folder.

Read Extended Attributes
    This allows or denies the user the ability to view the extended attributes of a file or folder, which can vary
    because they are defined by the programs themselves.

Create Files/Write Data
    This allows or denies the user the right to create new files in the parent folder. In addition, it allows or
    denies the user the ability to modify or overwrite existing data in a file.

Create Folders/Append Data
    This allows or denies the user the ability to create new folders in the parent folder. In addition, it allows or
    denies the user the right to add data to the end of files. This does not include making changes to any
    existing data within a file.

Write Attributes
    This allows or denies the ability to change the attributes of a file or folder, such as Read-Only and Hidden.

Write Extended Attributes
    This allows or denies a user the ability to change the extended attributes of a file or folder. These attributes
    are defined by programs and may vary.

Delete Subfolders and Files
    This allows or denies the deleting of files and subfolders within the parent folder. If this permission is
    assigned, files and subfolders can be deleted even if the Delete special access permission has not been
    granted.

Delete
    This allows or denies the deleting of files and folders. If the user does not have this permission assigned
    but does have the Delete Subfolders and Files permission, she can still delete.

Read Permissions
    This allows or denies the user the ability to read the standard NTFS permissions of a file or folder.

Change Permissions
    This allows or denies the user the ability to change the standard NTFS permissions of a file or folder.

Take Ownership
    This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can
    change the permissions on the files and folders she owns, regardless of any other permission that might be
    in place.

Synchronize
    This allows or denies different threads the ability to wait on the handle for the file or folder and synchronize
    with another thread that may signal it. This permission applies only to multithreaded, multiprocessing
    programs.
NOTE: Some of the Special Access Permissions have two parts, as shown in Table 4. The first applies to folders
and the second only to files. Remember this when referring to these tables.


Now let's look at how these special access permissions are related to the standard NTFS file permissions.
Table 5 displays a cross-reference chart of NTFS file permissions and special access permissions. You will see
that each of the standard NTFS file permissions is actually a group made up of special access permissions.
Notice also how the Write NTFS permission is made up of six special access permissions. The Write NTFS
permission is actually made up of the Create Files/Write Data, Create Folders/Append Data, Write Attributes,
Write Extended Attributes, Read Permissions, and Synchronize special access permissions.

You will find that having these reference tables will be very helpful when deciding which special access
permissions to use in your organization.

Table 6 displays the same list of special access permissions but shows how they interrelate to the NTFS folder
permissions.
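To make the grouping concrete, here is an added Python model (not code from the chapter, and not a Windows API) that encodes the fourteen special access permissions of Table 4 as bit flags, builds the standard permissions from them, and combines Allow and Deny entries the way NTFS does, with Deny winning. The Write grouping is the one the chapter gives; the Read, Read & Execute, Modify and Full Control groupings are the standard Windows ones from Table 5, which is not reproduced on this page. The folder ACL, the principal names and the demo scenario are constructed sample data.

```python
from enum import IntFlag


class Special(IntFlag):
    """The fourteen special access permissions of Table 4, one bit each."""
    TRAVERSE_FOLDER_EXECUTE_FILE = 1 << 0
    LIST_FOLDER_READ_DATA = 1 << 1
    READ_ATTRIBUTES = 1 << 2
    READ_EXTENDED_ATTRIBUTES = 1 << 3
    CREATE_FILES_WRITE_DATA = 1 << 4
    CREATE_FOLDERS_APPEND_DATA = 1 << 5
    WRITE_ATTRIBUTES = 1 << 6
    WRITE_EXTENDED_ATTRIBUTES = 1 << 7
    DELETE_SUBFOLDERS_AND_FILES = 1 << 8
    DELETE = 1 << 9
    READ_PERMISSIONS = 1 << 10
    CHANGE_PERMISSIONS = 1 << 11
    TAKE_OWNERSHIP = 1 << 12
    SYNCHRONIZE = 1 << 13


S = Special
ALL_SPECIAL = (1 << 14) - 1  # every bit of the fourteen permissions set

# Standard NTFS permissions as groups of special access permissions. Write is the
# grouping the chapter spells out; the others are the standard Windows groupings
# (the chapter's Table 5, which is not reproduced on the page).
STANDARD = {
    "Read": (S.LIST_FOLDER_READ_DATA | S.READ_ATTRIBUTES | S.READ_EXTENDED_ATTRIBUTES
             | S.READ_PERMISSIONS | S.SYNCHRONIZE),
    "Write": (S.CREATE_FILES_WRITE_DATA | S.CREATE_FOLDERS_APPEND_DATA | S.WRITE_ATTRIBUTES
              | S.WRITE_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS | S.SYNCHRONIZE),
}
STANDARD["Read & Execute"] = STANDARD["Read"] | S.TRAVERSE_FOLDER_EXECUTE_FILE
STANDARD["Modify"] = STANDARD["Read & Execute"] | STANDARD["Write"] | S.DELETE
STANDARD["Full Control"] = S(ALL_SPECIAL)


def effective_access(aces, principals):
    """Combine the ACEs that apply to a user and the groups they belong to.
    Allowed rights accumulate across entries; a matching Deny entry removes
    those rights no matter what any Allow entry grants."""
    allowed, denied = 0, 0
    for principal, kind, rights in aces:
        if principal not in principals:
            continue
        if kind == "allow":
            allowed |= int(rights)
        elif kind == "deny":
            denied |= int(rights)
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return S(allowed & ~denied & ALL_SPECIAL)


def standard_names(rights):
    """Which standard permissions a set of special rights fully contains."""
    return [name for name, group in STANDARD.items() if rights & group == group]


def can_delete_file(file_rights, parent_folder_rights):
    """Table 4: Delete on the file itself, or Delete Subfolders and Files on the
    parent folder, is each sufficient to delete the file."""
    return bool(file_rights & S.DELETE) or bool(parent_folder_rights & S.DELETE_SUBFOLDERS_AND_FILES)


# Constructed sample ACL for a folder (not from the chapter).
APPS_FOLDER_ACES = [
    ("Administrators", "allow", STANDARD["Full Control"]),
    ("Users", "allow", STANDARD["Read & Execute"]),
    ("Contractors", "deny", S.TRAVERSE_FOLDER_EXECUTE_FILE),
]


def demo():
    # A contractor who is also in Users: the Deny on execute wins over Users' Allow.
    contractor = effective_access(APPS_FOLDER_ACES, {"Users", "Contractors"})
    # An account with Full Control on the folder can delete files in it; removing
    # Delete Subfolders and Files from that entry stops it, provided the file's
    # own rights carry no Delete.
    admin = effective_access(APPS_FOLDER_ACES, {"Administrators"})
    trimmed_rights = S(int(STANDARD["Full Control"]) & ~int(S.DELETE_SUBFOLDERS_AND_FILES))
    admin_trimmed = effective_access([("Administrators", "allow", trimmed_rights)], {"Administrators"})
    file_rights = STANDARD["Read & Execute"]  # the file itself grants no Delete
    return {
        "contractor_standard": standard_names(contractor),
        "admin_can_delete_before": can_delete_file(file_rights, admin),
        "admin_can_delete_after": can_delete_file(file_rights, admin_trimmed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo's trimmed entry stops the deletion only because the sample file's own rights carry no Delete; a file whose own ACL (explicit or inherited) grants Delete remains deletable, which is exactly what can_delete_file expresses by taking both the file's and the parent folder's rights.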

Change Permissions
Two of the special access permissions are particularly useful in application. We discuss here the first one, the
Change Permissions special access permission.

When using special access permissions, it is no longer necessary to assign a user or Windows 2000
administrator the Full Control NTFS permission just so that they can change permissions. With the Change
Permissions special access permission, a user or Windows 2000 administrator can change the permissions on a
file or folder but cannot delete any files or subfolders. That way the user or Windows 2000 administrator can
control access to the data without being able to delete any of the data itself.

Take Ownership
The second particularly useful special access permission is Take Ownership.

All files and folders on an NTFS volume have an owner. By default, the owner is the person installing the
volume and formatting it with the NTFS file system, which is usually a Windows 2000 administrator. File and
folder ownership can be transferred to another user or group. You can grant a user account or a user group the
ability to take ownership of a file or folder. As an administrator, you have the ability to take control of any files or
folders on the NTFS volume.

Two hard-and-fast rules apply here. Remember these when thinking about granting someone the ability to take
ownership of a file or folder.
    1.   The owner of a file or folder or any user with the Full Control NTFS permission to a file or folder can assign the Full
         Control standard NTFS permission or the Take Ownership special access permission, which allows taking control of
         that file or folder. For instance, if User A has the Full Control standard NTFS permission to D:\Apps and assigns the
         Take Ownership special access permission to User A, User A can now take ownership of any files or folders in
         D:\Apps.
    2.   A Windows 2000 administrator can take ownership of a file or folder at any time. This is one of the inherited rights
         that administrators have. Administrators can then assign the Take Ownership special access permission to another
         user or group, so that they can take control of the files and folders in a parent folder. For instance, if User A leaves
         the organization for another position, a Windows 2000 administrator can assign the Take Ownership special access
         permission to the former employee's manager for the former employee's files and folders. The manager can then
         take ownership of those files and folders.
NOTE: The Take Ownership special access permission can be assigned to a user account or group. The receiving
user account or group can then take ownership of the respective resources. You cannot, however, give ownership of
a file or folder to a user account or group.



Using Special Access Permissions
Special access permissions provide a finer level of control than the standard NTFS permissions. I
suggest learning how to use them in your own environment. This subtopic gives you a quick look at how to
assign special access permissions on an NTFS volume.
To set special access permissions on a folder, take the following steps:
    1.    On your Windows 2000 desktop, right-click My Computer.
    2.    Click Explore. This will start the Windows Explorer.
    3.    Click the plus sign to the left of an NTFS volume that you would like to view.
    4.    Find a folder and right-click on that folder.
    5.    Click the Properties option on the list.
    6.    Use Alt-Tab to switch to the Security tab, or select it by clicking on it.
    7.    Now click Advanced to view the Access Control properties dialog box, as shown in Figure 5.
    8.    Now click on Add.
    9.    This opens up the Select User, Computer, or Group dialog box, as shown in Figure 6.
    10.   After you select the object that you would like to add the special access permissions to, click OK.
    11.   This displays the Permission Entry dialog box, as shown in Figure 7.
Now we see that all of the special access permissions are listed in the permissions list box. This is where all
special access permissions are allowed or denied. Let's discuss the options for a moment. Table 7 lists the
options and their descriptions.

Table 7. Permission Entry Dialog Box Options

Name
    The user account or group name that will be affected by the special access permissions. Clicking the
    Change command button changes the user account or group affected.

Apply onto
    This drop-down list box lists the level of the folder hierarchy at which the special access permissions being
    assigned will be applied.

Permissions
    A list of all the special access permissions. To allow a special access permission, click the check box in the
    Allow column to the right of the permission. To deny a special access permission, click the check box in the
    Deny column to the right of the permission.

Apply these permissions to objects and/or containers within this container only
    This allows or denies permission inheritance for the parent folder. To allow permission inheritance for the
    special access permissions being assigned, select this check box; otherwise, clear the check box.

Clear All
    This clears all of the check boxes in the Allow and Deny columns in the permissions list box.


Taking Ownership of Secure Resources
A Windows 2000 administrator working with NTFS file and folder permissions should know how to take
ownership of a resource. This doesn't mean walking down to the local parts shop and picking up a new hard
disk. I am talking about using the Take Ownership special access permission.

To take control of a file or folder the user or group member must have the Take Ownership permission assigned
to them for that file or folder. Then they must explicitly take ownership of that file or folder. The following is a list
of the steps that you would take:
    1.  On your Windows 2000 desktop, right-click My Computer.
    2.  Click Explore. This will start the Windows Explorer.
    3.  Click the plus sign to the left of an NTFS volume that you would like to view.
    4.  Find a folder and right-click on that folder.
    5.  Click the Properties option on the list.
    6.  Use <Alt><Tab> to switch to the Security tab, or select it by clicking on it.
    7.  Click Advanced to view the Access Control Settings dialog box.
    8.  In the Access Control Settings dialog box, use <Alt><Tab> to switch to the Owner tab, or select it by clicking on it.
    9.  Select your name in the Change owner to list box. This specifies that you are going to take ownership of the
        resource.
    10. Check the Replace owner on subcontainers and objects check box, and click OK.
That is all for special access permissions and how they relate to the standard NTFS permissions. Now you can
assign NTFS permissions with ease on your Windows 2000 network, confident that you have the knowledge to
do so.
COPYING AND MOVING DATA
Copying and moving data is something that every administrator does, usually quite frequently. When
copying files and folders with NTFS permissions assigned to them, you need to follow certain guidelines. The
NTFS permissions sometimes change as the files and folders are moved or copied. It is important to know these
guidelines before you start shuffling data around your Windows 2000 network. This discussion outlines these
rules and explains what happens to the NTFS permissions when files and folders are moved or copied.

Copying Files and Folders
When files and folders on an NTFS volume are copied to another volume, the permissions change. For instance,
if you copy a file from one NTFS volume to another NTFS volume, the following things happen, provided the right
criteria are met:
    -  The receiving NTFS volume treats the file as a new file. Like any new file, it gains the permissions of the folder it is
       created in.
    -  The user account used to copy the file must have the Write NTFS permission in the destination folder on the
       receiving volume.
    -  The user account used to copy the file becomes the Creator Owner of that file.
This means that any permissions assigned to that file before it is copied are lost during the copy itself. If you
want to keep those same permissions, they will have to be reassigned at the destination folder.

When files and folders are copied from an NTFS volume to a FAT partition, the permissions are lost. This
happens because FAT partitions do not support NTFS permissions.

Moving Files and Folders
When files or folders are copied from an NTFS volume, the permissions change. When files or folders are
moved from an NTFS volume, however, the permissions might or might not change. This depends entirely on where
the destination folder lies. We can safely assume that when files or folders are moved to a FAT partition, the
permissions are lost. That is correct, and for the same reason that NTFS permissions are lost when copying files
and folders from an NTFS volume to a FAT partition. There are in fact two other cases worth pointing out when
moving files and folders from an NTFS volume: moving files and folders within an NTFS volume and moving files
and folders to a separate NTFS volume.

When moving files and folders within a single NTFS volume, these rules are followed:
    1.   The files and folders keep the original permissions assigned to them.
    2.   The user account moving the files and folders must have the Write NTFS permission to the destination folder.
    3.   The user account moving the file must have either the Modify standard NTFS permission or the Delete special
         access permission assigned. This is because during a file or folder move, the files and folders are deleted from the
         source directory after they have been copied to the destination folder.
    4.   The user account used to move the files and folders becomes the Creator Owner of those files and folders.
When moving files and folders from one NTFS volume to a separate NTFS volume, these are the rules followed:
    1.   The files and folders being moved inherit the permissions of the destination folder. For example, if you move a file
         from a folder that has Everyone with Read permission into a folder on another partition that has permissions only
         allowing Domain Admins Read access, the file will now carry the latter security settings.
    2.   The user account moving the files and folders must have the Write NTFS permission to the destination folder, since
         a move is really a combination copy/delete.
    3.   The user account moving the file must have either the Modify standard NTFS permission or the Delete special
         access permission assigned. This is because during a file or folder move, the files and folders are deleted from the
         source directory after they have been copied to the destination folder.
    4.   The user account used to move the files and folders becomes the Creator Owner of those files and folders.
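The copy and move rules above, as an added Python model (not code from the chapter; the Resource class, the transfer function and the sample ACLs are all constructed for this illustration). It first checks the rights each operation requires, then returns the permissions and owner the item has at its destination: kept on a same-volume move, inherited from the destination folder on a copy or a cross-volume move, and lost entirely on a FAT partition. Modify and Full Control are treated as containing the Write and Delete rights, which follows from how the standard permissions are built from special access permissions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    """A file or folder together with the standard NTFS permissions it carries."""
    volume: str                              # e.g. "C:" or "D:"
    filesystem: str                          # "NTFS" or "FAT"
    acl: dict = field(default_factory=dict)  # principal -> set of standard permission names
    owner: Optional[str] = None


# Standard permissions that include the Write rights, and those that include the
# Delete special access permission (Modify and Full Control contain both).
GRANTS_WRITE = {"Write", "Modify", "Full Control"}
GRANTS_DELETE = {"Delete", "Modify", "Full Control"}


def holds(acl, principals, wanted):
    """True if any of the principals is granted at least one of the wanted permissions."""
    return any(acl.get(p, set()) & wanted for p in principals)


def transfer(op, item, dest_folder, user, groups=()):
    """Apply the chapter's copy/move rules. Returns the Resource as it exists at the
    destination, or raises PermissionError when the user lacks the required rights."""
    if op not in ("copy", "move"):
        raise ValueError("op must be 'copy' or 'move'")
    principals = {user, *groups}
    # Every NTFS destination requires Write on the destination folder.
    if dest_folder.filesystem == "NTFS" and not holds(dest_folder.acl, principals, GRANTS_WRITE):
        raise PermissionError(f"{user} has no Write permission on the destination folder")
    # A move is a copy followed by a delete of the source, so it also requires
    # Modify or the Delete special access permission on the item being moved.
    if op == "move" and not holds(item.acl, principals, GRANTS_DELETE):
        raise PermissionError(f"{user} cannot delete the source item")
    if dest_folder.filesystem == "FAT":
        # FAT partitions do not support NTFS permissions or owners: everything is lost.
        return Resource(dest_folder.volume, "FAT", {}, owner=None)
    if op == "move" and item.volume == dest_folder.volume:
        acl = dict(item.acl)          # move within one volume: original permissions kept
    else:
        acl = dict(dest_folder.acl)   # copy, or move across volumes: inherits destination
    # In every NTFS case the account doing the work becomes the Creator Owner.
    return Resource(dest_folder.volume, "NTFS", acl, owner=user)


# Constructed sample resources (not from the chapter).
REPORT = Resource("D:", "NTFS", {"Everyone": {"Read"}, "Alice": {"Modify"}}, owner="Alice")
SAME_VOLUME_FOLDER = Resource("D:", "NTFS", {"Domain Admins": {"Read"}, "Users": {"Write"}})
OTHER_VOLUME_FOLDER = Resource("E:", "NTFS", {"Domain Admins": {"Read"}, "Users": {"Write"}})
FAT_FOLDER = Resource("F:", "FAT")


def demo():
    """Alice (a member of Users) moves her report within D:, then across to E:;
    Bob copies it within D:."""
    moved_same = transfer("move", REPORT, SAME_VOLUME_FOLDER, "Alice", ["Users"])
    moved_other = transfer("move", REPORT, OTHER_VOLUME_FOLDER, "Alice", ["Users"])
    copied = transfer("copy", REPORT, SAME_VOLUME_FOLDER, "Bob", ["Users"])
    return moved_same, moved_other, copied


if __name__ == "__main__":
    for label, result in zip(("move same volume", "move other volume", "copy"), demo()):
        print(f"{label}: acl={result.acl} owner={result.owner}")
```

Bob can copy the report because Users hold Write on the destination, but he cannot move it: nothing grants him Modify or Delete on the report itself, so transfer raises PermissionError, mirroring rule 3 of both move cases.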

TROUBLESHOOTING PERMISSIONS PROBLEMS
The number one goal of a Windows 2000 administrator should be making sure that resources are always
available to the users. This includes many things, but I'm talking here about the secure data on the network. If
users cannot access the data they need to do their job, production slows. Now your boss is breathing down your
neck, asking why the users can't get to their data and how long it will take you to fix the NTFS permission
problem. This discussion will lay down some rules on NTFS permission problems. The topics include avoiding
NTFS permission problems and troubleshooting NTFS permission problems.
Avoiding NTFS Permission Problems
Avoiding permission problems involves following some basic guidelines. Below is a list of do's and don'ts when
assigning NTFS permissions on an NTFS 5.0 file system. Use this list as a reference when assigning NTFS
permissions on your Windows 2000 network.
    -  When assigning NTFS permissions, try to assign only enough access for a user or group of users to perform their
       job.
    -  Try not to assign any NTFS permissions at the file level. This increases the complexity of managing the
       permissions. Assign the NTFS permissions at the folder level only. If several files require the same access, move
       them to a common folder and assign the permissions to that folder.
    -  Application executables should have Read & Execute and Change assigned to the Administrators group. The Users
       group, on the other hand, should have only Read & Execute. This will prevent users or a virus from modifying the
       files. When an administrator wants to update the application executables, he or she can temporarily assign himself
       or herself Full Control to perform the task.
    -  Assign Full Control to the Creator Owner of public folders and the Read and Write NTFS permissions to the
       Everyone group. This way users have full access to the files that they create, while other members of the
       Everyone group can only read and create files in the folder.
    -  Try not to deny any NTFS permissions. If you have to do this for a user or group, document it well and state that
       it is a special case. Instead of blocking access to a resource by denying NTFS permissions, simply do not assign
       the permissions that would grant access.
Troubleshooting NTFS Permissions
This topic is designed to help you troubleshoot the most common NTFS permission problems. Table 8 lists the
most common ones and their solutions.

Table 8. Common NTFS Permission Problems

Problem: A user or group cannot access a file or folder.
Solution: Check the permissions assigned to the user or group. Permissions may not be assigned for the selected
    resource, or permission could be denied. In addition, the permissions could have been changed if the file or
    folder has been copied or moved.

Problem: The administrator assigns access to a group for a selected file or folder, but the users of that group still
    cannot access the file or folder.
Solution: Ask the user to log off and then log back on. When the user logs back on, his NTFS permissions are
    updated to include the new group he was added to. Another way to update a user's permissions is to ask him to
    disconnect the network drive on which the file or folder resides and then reconnect it. This forces the
    permissions to update when the network drive is reconnected.

Problem: A user with Full Control to a file has deleted some files in a folder, and you want to prevent them from
    doing it again.
Solution: Open the Permission Entry box for that folder and remove the Delete Subfolders and Files special access
    permission for that user.


With a little perseverance any NTFS permission problem can be solved, and I hope that this table provides a
starting point for the resolution.

CHAPTER SUMMARY
We discussed the many faces of NT File System (NTFS) permissions being utilized on a Windows 2000
network. Now we know that the standard file system for Windows 2000 is NTFS 5.0, and that NTFS permissions
can be assigned only on an NTFS formatted volume.

We learned the effects of assigning multiple permissions to a single resource and how to use permission
inheritance effectively. For administrators in need of a more granular level of security on file and folder
resources, we now know that special access permissions are available. When possible, permissions should be
applied at the folder level rather than the file level for ease of administration. Also, it is important to remember
that a permission of No Access will always override any other permissions assigned. Use this setting sparingly;
it is usually better to simply omit a user account from the Access Control Lists (ACL) than to explicitly list the
account with No Access specified.

								