Why we need NTFS permissions. Setting NTFS permissions and special permissions; quick assignment of rights in NTFS

Consider the following situation: User1 has the Write permission on the Data folder. He is also a member of the Everyone group, which has been granted Read. User1's effective permission on the Data folder is therefore the combination of the two, Read and Write, but only on the Data folder itself.

Unlike share permissions, NTFS permissions granted on the Data folder do not automatically determine access to its subfolders and files: each of them carries its own ACL, which normally inherits from Data but can be set differently or have inheritance blocked.

Example: NTFS permissions on a file

A second situation: User1 has Read and Write on File1 in the Data folder. He is also a member of the Sales group, which has a different permission on the Data folder, Read. User1 therefore has Read on the Data folder and Read and Write on File1. The file's own permissions decide access to the file; the folder's permissions do not restrict it.

    NTFS permissions provide strong protection for folders and files located on NTFS volumes.

    NTFS permissions for folders and files apply both to users working directly on the computer and to those accessing protected objects on the computer over the network.

    As with share permissions, a user can obtain NTFS permission either directly or as a member of one or more groups that have permission.

    Similar to share permissions, a user's actual NTFS permissions are the combination of the permissions granted to the user and to the groups he belongs to. The exception is a Deny entry (the No Access permission of Windows NT 4.0), which overrides any Allow granted for the same access.

    Unlike share access rights, NTFS permissions can differ between a folder and the files and subfolders nested within it.

    NTFS permissions on a file are evaluated for that file; they are not restricted by the permissions on the folder that contains it (a user with Read on the folder and Read and Write on the file can write to the file).

    1. NTFS access rights and permissions

Share access rights on NTFS volumes work together with NTFS file and folder permissions. In this lesson, you will learn how to protect disk resources by combining the two.

      1. Basic information

For users to reach disk resources over the network, the folders containing those resources must be shared. You protect shared folders by assigning share access rights to users and groups. Share access rights alone, however, give only limited protection, because they:

    provide the same level of access to every folder and file under the shared folder;

    do not protect the resource from a user who logs on locally;

    cannot protect individual files.

If the shared folder is on an NTFS volume, NTFS permissions can further restrict or deny access to the folders and files inside it. Combining share access rights with NTFS permissions gives the highest level of protection.

The simplest way to combine share access rights and NTFS permissions is to leave the share's default access right in place (on Windows 2000 that is Full Control for Everyone; later versions default to Read) and to restrict access with NTFS permissions on specific folders and files inside the share. A more conservative variant is to grant the share Full Control or Change to Authenticated Users rather than Everyone, and still rely on NTFS permissions for the real restrictions.

When share access rights and NTFS permissions both apply, the effective access is the more restrictive of the two. For example, if the share grants Full Control and the NTFS permission is Read, the result is Read.

Consider the following: User1 has the Read access right on the Public Data share on Computer1 (when connecting over the network) and the NTFS Full Control permission on File A in that folder. Over the network User1 gets read-only access to File A, because Read on the share is the stricter of the two. User2 also gets read-only access to File B, because his NTFS Read permission and the Read share right give the same result.

When User1 logs on locally at Computer1, the share access rights on Public Data do not apply at all; only the NTFS permissions (Full Control on File A, Read on File B) are in effect. When User2 connects to the share over the network, he, like User1, gets read-only access.

A fine-grained and rather complex permission system controls user access to folders and files. The access control mechanism for Windows objects is among the most detailed of any widely used operating system: a file or folder has at least 14 NTFS permissions, each of which can be allowed, denied, and audited, assigned to files or folders and to users or groups, with inheritance rules on top of that. It is easy to get lost in this maze. This article explains how folder and file permissions work and the most effective ways to use them.

Object Access Basics

A user never comes into direct contact with a Windows object. All access goes through programs (for example Windows Explorer or Microsoft Office) or other processes. A program that accesses a local resource on behalf of a user does so through impersonation; a program that accesses a remote resource on the user's behalf relies on delegation.

When a user logs on, the Local Security Authority (lsass.exe) builds the user's access token from the user's security identifier (SID) and the SIDs of the groups he belongs to. The token also carries the privileges (user rights) assigned to the user and the logon session ID, which is unique for each session. The access mask that describes the type of access being requested is not part of the token; it is supplied with each open request and compared against the object's permissions. The group SIDs and privileges in the token can be displayed from the command line, for example with whoami /all.

When a program accesses a protected resource on behalf of the user, the Security Reference Monitor takes the user's access token and compares it against the object's security descriptor to determine the user's effective permissions, then allows or denies the requested operation. Effective permissions are described in more detail below.

Share Permissions

Every securable Windows object, including files, folders, shares, printers, and registry keys, carries security permissions. Any Windows folder can be shared to allow remote access. Share permissions can be assigned to any folder and printer, but they apply only when the object is accessed through the share over the network. The share permissions for a folder are Full Control, Change, and Read.

Security principals granted Full Control on a share can perform almost any operation on it: delete, rename, copy, move, and modify. A user with Full Control can change the share's permissions and take ownership of the objects in it (Full Control includes the Take Ownership permission). So any user with Full Control can revoke the permissions of others, including administrators, although an administrator can always take ownership back and restore the permissions. The ability of a principal to change permissions on the objects it controls is what makes Windows a discretionary access control (DAC) system.

For ordinary users, the main share permission they need is usually Change. With Change, a user can add, delete, modify, and rename resources in the shared folder. Read lets the user view, copy, and print objects (renaming requires Change). Note that a user with Read can copy an object to another location where he has Full Control, so Read does not keep data from leaving the share.

NTFS permissions

If the volume uses NTFS rather than FAT, every file and folder on it has NTFS permissions (registry keys and many other objects carry DACLs of the same form). NTFS permissions apply to both local and remote access. To view or change the permissions of an NTFS file or folder, right-click the object, select Properties, and open the Security tab.

Table 1 shows the seven summary NTFS permissions. Each is a combination of the 14 granular permissions shown in Table 2. To see the granular permissions, open the Advanced Security Settings dialog box for the object (the Advanced button on the Security tab) and click Edit on the Permissions tab. It is a good habit to look at the granular permissions of an object that requires extra protection, even though it takes more effort: the summary permissions do not always reflect the granular state accurately. For example, I have seen the Security tab report a summary Read when the user actually held Read & Execute.

Like the Full Control share permission, the Full Control NTFS permission gives its holder more than ordinary work requires. Non-administrative users are often given Full Control on their home directories and other files and folders. As noted above, a user with this level of access can change the permissions and take ownership. Instead of Full Control, give users Modify. Keep in mind that the owner of an object can always read and change its permissions regardless of the ACEs, so if the user already owns the files and you need to stop him from changing permissions, you must also transfer ownership (for example to the Administrators group).

Technically, NTFS permissions are stored in the object's discretionary access control list (DACL). Audit settings are stored in the system access control list (SACL). Most NTFS protected objects have both.

Impact of Windows Trusts

By default, all domains in a Windows 2000 or later forest have two-way transitive trusts with every other domain in the forest. When a domain trusts another domain, users from the trusted domain become members of the Everyone and Authenticated Users groups of the trusting domain when they access its resources. Many permissions are assigned to those two groups by default, so a trust implicitly grants broad rights that would not otherwise exist. Unless selective authentication is enabled on the trust, whatever is granted to Everyone and Authenticated Users is granted to every user in the forest.

Checking permissions from the command line

Administrators often check NTFS permissions with command-line tools such as subinacl.exe, xcacls.exe, and cacls.exe. Subinacl comes with the Windows Server 2003 Resource Kit Tools; it can view and change permissions on files, folders, registry keys, and services. Its most useful feature is copying the permissions of a user, group, or object to another user, group, or object in the same or a different domain. Migrating a user to another domain, for example, creates a new account with a new SID, so ACEs that reference the old SID no longer match; with Subinacl you can replace the old SID with the new one in the permissions so the account's access stays identical. Xcacls works much like Subinacl and is included in the Windows 2000 Server Resource Kit. On Windows Vista, Server 2008, and later, icacls.exe is built into the operating system and replaces cacls; it can save, restore, and grant permissions and search a tree for a given SID.

Cacls is described in the Microsoft article "Undocumented CACLS: Group Permissions Capabilities". It is an older tool that has shipped with Windows since Windows NT. It is less capable than Subinacl or Xcacls, but it is always available. Cacls can view and modify file and folder permissions by user and group, but it cannot set granular NTFS permissions: it works only with No Access, Read, Change, and Full Control, which correspond to NTFS (not share) permissions, and its Read corresponds to NTFS Read & Execute.
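The same check scripted, as an added example that is not part of the original article: it walks a share's local path with Get-Acl and reports every Allow entry that gives a broad principal anything beyond read, then lists the icacls equivalents (icacls has been built into Windows since Vista and Server 2008 and supersedes cacls). The root path and the list of principals treated as broad are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the article. Assumptions: $Root is the local path behind a share,
# and $BroadPrincipals lists the well-known groups you never want to see holding write-like rights.
$Root            = 'D:\Shares\Public'
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON'
$WriteLike       = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-BroadGrants {
    param([string]$Path, [string[]]$Principals, [int]$Mask)
    # Include the root itself, then everything below it (hidden items too).
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
            [PSCustomObject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited               # $false = someone added this entry by hand
                Protected = $acl.AreAccessRulesProtected   # $true  = inheritance from the parent is blocked here
            }
        }
    }
}

Find-BroadGrants -Path $Root -Principals $BroadPrincipals -Mask $WriteLike | Format-Table -AutoSize

# The same ground covered with icacls (built in since Windows Vista / Server 2008):
#   icacls D:\Shares\Public /save D:\acl-backup.txt /T /C   # dump the tree's ACLs; /restore puts them back
#   icacls D:\Shares\Public /findsid S-1-1-0 /T             # every object whose ACL names Everyone (S-1-1-0)
#   icacls D:\Shares\Public /verify /T                      # ACLs that are not in canonical order
```

Explicit (non-inherited) hits are the ones worth reading first: an inherited broad grant usually has a single source higher up, while an explicit one was added on that object deliberately.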

Inheritance

By default, all files, folders, and registry keys inherit permissions from their parent container. Inheritance can be enabled or disabled for individual files, folders, or registry keys, and for individual users or groups. As Figure 1 shows, the Apply To column on the Permissions tab of the Advanced Security Settings dialog box indicates whether a permission is limited to the current container or propagates to subfolders and files. The administrator can assign each permission as inheritable or not. In this example the Everyone group has Read & Execute on the current folder only, and this entry is not inherited by child objects.

If a file or folder inherits most of its permissions but also has explicitly set permissions, the explicit ones always take precedence over the inherited ones, because Windows evaluates explicit ACEs before inherited ones. For example, you can assign a user a Full Control Deny on the root of a volume and let every file and folder on it inherit that entry; you can then assign an explicit Allow on any particular file or folder, and it overrides the inherited Full Control Deny there.

Effective Permissions

The Security Reference Monitor determines a user's effective permissions (the access he actually has) from several factors. As noted above, it first gathers the user's own SID and the SIDs of all groups he belongs to, and then accumulates the permissions assigned to each of those SIDs. Where both Deny and Allow entries exist at the same level, Deny takes precedence (the full order is explicit Deny, explicit Allow, inherited Deny, inherited Allow). If a Full Control Deny wins, the user has no access to the object at all.

When the user connects to a resource over the network, the Security Reference Monitor evaluates both the share permissions and the NTFS permissions. The effective access is the set of permissions granted by the share and by NTFS, that is, the intersection of the two.

For example, a user may end up with Read and Change share permissions and Read and Modify NTFS permissions. The effective permissions are the more limited of the two sets; in this case they are almost identical, so the effective access is Read plus Change/Modify. Many administrators wrongly believe that only Read would be effective here, misled by oversimplified examples or outdated documentation.

The Advanced Security Settings dialog box on Windows XP and later has an Effective Permissions tab (see Figure 2). Unfortunately, it reflects NTFS permissions only. It does not take share permissions into account, nor group memberships that exist only for a particular logon type (such as Interactive or Network), nor other factors such as the Encrypting File System (EFS): a user with the right NTFS and share permissions may still be unable to open an EFS-encrypted file if he is not among the users who hold a key for it.
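As an added example (not from the article), the following PowerShell models the computation just described: it accumulates the NTFS Allow and Deny entries that match the principals in a user's token, does the same for the share, and intersects the two, which is what the Effective Permissions tab cannot show you. You supply the token's principals yourself (whoami /groups lists them for the current session); Get-SmbShareAccess needs Windows 8 or Server 2012 or later; the share name, path and account names are placeholders.

```powershell
# Added example, not part of the article. Assumes you already know which principals (user and
# groups) are in the user's token; pass them as NTAccount names exactly as Get-Acl prints them
# ('CORP\User1', 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', ...).

# The three share permissions map onto these NTFS rights.
$ShareRightMap = @{
    'Read'   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Change' = [int][System.Security.AccessControl.FileSystemRights]::Modify
    'Full'   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
}

# Accumulate Allow and Deny masks over every ACE whose trustee is in the token, then let Deny win.
# Real evaluation walks the DACL in canonical order (explicit before inherited, Deny before Allow
# at each level); this is the common-case approximation the article describes.
function Get-EffectiveNtfsMask {
    param([string]$Path, [string[]]$TokenPrincipals)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($TokenPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                     { $deny  = $deny  -bor $mask }
    }
    return $allow -band (-bnot $deny)
}

function Get-EffectiveShareMask {
    param([string]$ShareName, [string[]]$TokenPrincipals)
    $allow = 0; $deny = 0
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($TokenPrincipals -notcontains $ace.AccountName) { continue }
        $mask = [int]$ShareRightMap[[string]$ace.AccessRight]   # 'Custom' is not in the map and counts as 0
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                     { $deny  = $deny  -bor $mask }
    }
    return $allow -band (-bnot $deny)
}

function Get-EffectiveNetworkAccess {
    param([string]$Path, [string]$ShareName, [string[]]$TokenPrincipals)
    $ntfs  = Get-EffectiveNtfsMask  -Path $Path -TokenPrincipals $TokenPrincipals
    $share = Get-EffectiveShareMask -ShareName $ShareName -TokenPrincipals $TokenPrincipals
    [PSCustomObject]@{
        NTFS      = [System.Security.AccessControl.FileSystemRights]$ntfs
        Share     = [System.Security.AccessControl.FileSystemRights]$share
        Effective = [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)   # the stricter of the two
    }
}

# Usage (placeholder names): User1 has NTFS Full Control on File A but the share grants Everyone only Read,
# so Effective comes out as ReadAndExecute plus Synchronize, i.e. read-only, as in the lesson's example.
Get-EffectiveNetworkAccess -Path 'D:\Public Data\File A.txt' -ShareName 'Public Data' `
    -TokenPrincipals 'CORP\User1', 'Everyone', 'NT AUTHORITY\Authenticated Users'
```

The model deliberately ignores what the real check also considers: generic rights bits in old ACEs, the owner's implicit right to read and change the DACL, and logon-type groups. It is good enough to explain a "why can't User1 write over the network" ticket, not a substitute for testing with the account.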

  • It is unwise to grant Full Control to regular users. Give them Modify instead. In most cases this provides all the permissions they need without letting them change permissions or take ownership.
  • Use the Everyone group with care; prefer Authenticated Users (or Users), or a dedicated group with limited rights. The important difference is that Authenticated Users excludes the Guest account and anonymous (unauthenticated) users.
  • Network administrators are often asked to create guest accounts for third parties (consultants, contractors, freelance programmers), but ordinary user rights are usually more than a guest needs. Create a group that is heavily restricted by default (for example, a Full Control Deny on the root folders) and then explicitly allow access only to the files and folders that guest account requires. Explicit permissions are preferred because they give guests exactly the access they need to work and no more.
  • Be careful when restricting the Everyone and Users groups, since administrators are members of them as well.
  • For trusts with other domains, use one-way trusts and selective authentication to limit what users of the trusted domain can reach.
  • Audit NTFS and share permissions periodically to make sure they remain as limited as possible.
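An added example, not from the article, that implements the guest-account pattern above (an inherited Full Control Deny at the root, overridden by explicit Allow entries where needed) and shows why the override works: Windows evaluates explicit entries before inherited ones, and entries inherited from a nearer ancestor before those from a farther one. The account and folder names are placeholders.

```powershell
# Added example, not part of the article. Placeholders: $Guest, $Root, $Project.
# Run as a member of Administrators (changing a DACL needs WRITE_DAC or ownership).
$Guest   = 'CORP\Contractor1'
$Root    = 'D:\Data'
$Project = 'D:\Data\Project42'

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$modify      = [System.Security.AccessControl.FileSystemRights]::Modify
$inheritAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp      = [System.Security.AccessControl.PropagationFlags]::None

# 1. Inheritable Full Control Deny at the root: every child that has not blocked inheritance gets it.
$rootAcl = Get-Acl -Path $Root
$rootAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Guest, $fullControl, $inheritAll, $noProp, 'Deny'))
Set-Acl -Path $Root -AclObject $rootAcl

# 2. Explicit, inheritable Modify Allow on the one project folder the contractor needs.
#    On Project42 itself the explicit Allow is evaluated before the inherited Deny. Inside it,
#    the Allow inherited from Project42 is ordered before the Deny inherited from D:\Data,
#    so the contractor can work there and nowhere else under D:\Data.
$projAcl = Get-Acl -Path $Project
$projAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Guest, $modify, $inheritAll, $noProp, 'Allow'))
Set-Acl -Path $Project -AclObject $projAcl

# 3. Verify: on the project folder the explicit Allow is listed first, the inherited Deny after it.
function Get-AcesFor {
    param([string]$Path, [string]$Principal)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object @{n = 'Path'; e = { $Path }}, AccessControlType, FileSystemRights, IsInherited
}
Get-AcesFor -Path $Root    -Principal $Guest
Get-AcesFor -Path $Project -Principal $Guest

# icacls equivalent of steps 1 and 2:
#   icacls D:\Data           /deny  "CORP\Contractor1:(OI)(CI)F"
#   icacls D:\Data\Project42 /grant "CORP\Contractor1:(OI)(CI)M"
```

Because the Allow grants Modify and the Deny covers Full Control, a request for Change Permissions or Take Ownership inside Project42 still fails: the Allow satisfies only the Modify bits, and the remaining requested bits then hit the inherited Deny.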

With these guidelines and the reference tables summarizing every permission, you can navigate the file system permission maze and assign permissions to files, folders, users, and groups with confidence.

Table 1. Summary of NTFS Permissions

Permission
    Action

Read
    Allows viewing, copying, and printing files, folders, and objects. Does not allow running executable programs other than script files. Allows reading the object's permissions, attributes, and extended attributes (for example the Archive bit, EFS). Allows listing the files and subfolders of a folder

Write
    Allows creating files and folders, writing and appending data, and writing attributes and extended attributes. Does not by itself include the Read permissions

List (folders only)
    Allows viewing the names of files and subfolders within a folder

Read & Execute
    Read permissions, plus running program files

Modify
    Grants all permissions except taking ownership and assigning permissions. Allows reading, deleting, modifying, and overwriting files and folders

Full Control
    Provides complete control over folders and files, including the ability to assign permissions and take ownership

Special Permissions
    Allows combinations of the 14 granular permissions that do not match any of the other six summary permissions. This group includes the Synchronize permission

Table 2. Granular NTFS Permissions

Permission
    Action

Traverse Folder / Execute File
    Traverse Folder allows passing through a folder to reach files and folders below it even when the security principal has no permissions on the folder being traversed. Applies to folders only. It matters only when the principal does not hold the Bypass traverse checking user right, which is granted to Everyone by default. Execute File allows running program files. Granting Traverse Folder on a folder does not set Execute File on the files inside it

List Folder / Read Data
    List Folder allows viewing the names of files and subfolders in a folder. It affects only the folder's contents; it does not control whether the folder itself appears in its parent's listing. Read Data allows viewing, copying, and printing files

Read Attributes
    The security principal can see the object's standard attributes (for example Read-only, System, Hidden)

Read Extended Attributes
    The security principal can see the object's extended attributes (for example EFS, Compression)

Create Files / Write Data
    Create Files allows creating files inside a folder (applies to folders only). Write Data allows changing a file and overwriting its existing content (applies to files only)

Create Folders / Append Data
    Create Folders allows creating subfolders inside a folder (applies to folders only). Append Data allows adding data to the end of a file but not modifying, deleting, or overwriting existing data (applies to files only)

Write Attributes
    Determines whether the security principal can set or change the standard attributes (for example Read-only, System, Hidden) of files and folders. Does not affect the contents of files and folders, only their attributes

Write Extended Attributes
    Determines whether the security principal can set or change the extended attributes (for example EFS, Compression) of files and folders. Does not affect the contents of files and folders, only their attributes

Delete Subfolders and Files
    Allows deleting subfolders and files inside a folder even when Delete has not been granted on the subfolder or file itself

Delete
    Allows deleting the folder or file. Without Delete on an object, you can still delete it if you have Delete Subfolders and Files on its parent folder

Read Permissions
    Allows reading the object's permissions (its DACL)

Change Permissions
    Allows changing the permissions (for example Full Control, Read, Write) on a file or folder. Does not by itself allow modifying the file

Take Ownership
    Determines who can take ownership of a file or folder. An owner can always read and change the permissions on the object, so an owner's access cannot be permanently revoked unless ownership is taken away

Synchronize
    Rarely set by administrators explicitly. Used by multithreaded and multiprocess programs to wait on a file handle; it governs how several threads that access the same resource coordinate

Information taken from Chapter Thirteen of the Windows 2000 Administrator's Guide. Written by William R. Stanek.

On NTFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. The procedure for viewing and changing them is given below under Setting file and folder permissions.

Understanding File and Folder Permissions

Table 13-3 shows the basic permissions that apply to files and folders.
The basic file access permissions are: Full Control, Modify, Read & Execute, Read and Write.
The following basic permissions apply to folders: Full Control, Modify, Read & Execute, List Folder Contents, Read and Write.

Always keep the following in mind when setting file and folder permissions:

Running a script requires only Read permission on it; the Execute File special permission is not needed, because the interpreter, not the script file, is what executes.
Read permission is required both on a shortcut and on the object it points to.
The Write permission on a file (special permission Write Data) without Delete (special permission Delete) still lets the user erase the file's contents, for example by overwriting it with an empty file.
A user with basic Full Control on a folder can delete any file in it regardless of the permissions on the file itself, because Full Control includes Delete Subfolders and Files.

Table 13-3 - Basic File and Folder Permissions in Windows 2000

Basic permission
    Folders: meaning for folders
    Files: meaning for files

Read
    Folders: Allows browsing the folder and viewing the list of files and subfolders
    Files: Allows viewing and accessing the file's contents

Write
    Folders: Allows adding files and subfolders
    Files: Allows writing data to the file

Read & Execute
    Folders: Allows browsing the folder and viewing the list of files and subfolders; inherited by both files and folders
    Files: Allows viewing and accessing the file's contents and running an executable file

List Folder Contents
    Folders: Allows browsing the folder and viewing the list of files and subfolders; inherited by folders only
    Files: Not applicable

Modify
    Folders: Allows viewing contents and creating files and subfolders; allows deleting the folder
    Files: Allows reading and writing data; allows deleting the file

Full Control
    Folders: Allows viewing contents, and creating, modifying, and deleting files and subfolders
    Files: Allows reading and writing data, and modifying and deleting the file

Basic permissions are logical groupings of the special permissions shown in Table 13-4 (for files) and Table 13-5 (for folders). Special permissions can be assigned individually through the advanced settings. When examining special file permissions, keep the following in mind:

If no access is explicitly granted to a user or to any group he belongs to, access to the file is denied.
When calculating a user's effective permissions, all permissions assigned to the user and to the groups he is a member of are taken into account. For example, if user GeorgeJ has Read access and is also a member of the Techies group, which has Modify access, GeorgeJ ends up with Modify. If the Techies group is in turn a member of the Administrators group, which has Full Control, GeorgeJ has full control over the file.

Table 13-4 - Special File Permissions

Special permission          Full Control   Modify   Read & Execute   Read   Write
Execute File                X              X        X
Read Data                   X              X        X                X
Read Attributes             X              X        X                X
Read Extended Attributes    X              X        X                X
Write Data                  X              X                                X
Append Data                 X              X                                X
Write Attributes            X              X                                X
Write Extended Attributes   X              X                                X
Delete                      X              X
Read Permissions            X              X        X                X      X
Change Permissions          X
Take Ownership              X

Table 13-5 shows the special permissions that make up the basic folder permissions. Keep the following in mind when examining special folder permissions:

When you set permissions on a parent folder, you can replace the permission entries of its files and subfolders with those of the parent by selecting the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions check box.
Files created in a folder inherit some of their permissions from the parent; those appear as the file's default permissions.

Table 13-5 - Special Folder Permissions

Special permission          Full Control   Modify   Read & Execute   List Folder Contents   Read   Write
Traverse Folder             X              X        X                X
List Folder                 X              X        X                X                      X
Read Attributes             X              X        X                X                      X
Read Extended Attributes    X              X        X                X                      X
Create Files                X              X                                                       X
Create Folders              X              X                                                       X
Write Attributes            X              X                                                       X
Write Extended Attributes   X              X                                                       X
Delete Subfolders and Files X
Delete                      X              X
Read Permissions            X              X        X                X                      X      X
Change Permissions          X
Take Ownership              X
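An added example, not from the book, that reproduces Tables 13-4 and 13-5 in code: it expands a FileSystemRights mask into the special permissions and reports which basic permission the Security tab would show, including the case where the tab shows a basic permission plus Special Permissions because the mask carries extra bits. It touches no files; the final commented line shows how to apply it to a real ACL (the path there is a placeholder).

```powershell
# Added example, not part of the book chapter. Pure computation over the FileSystemRights enum.

# The special permissions of Tables 13-4 and 13-5, in the tables' own names.
$Granular = [ordered]@{
    'Traverse Folder / Execute File' = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    'List Folder / Read Data'        = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    'Read Attributes'                = [int][System.Security.AccessControl.FileSystemRights]::ReadAttributes
    'Read Extended Attributes'       = [int][System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes
    'Create Files / Write Data'      = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    'Create Folders / Append Data'   = [int][System.Security.AccessControl.FileSystemRights]::AppendData
    'Write Attributes'               = [int][System.Security.AccessControl.FileSystemRights]::WriteAttributes
    'Write Extended Attributes'      = [int][System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes
    'Delete Subfolders and Files'    = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    'Delete'                         = [int][System.Security.AccessControl.FileSystemRights]::Delete
    'Read Permissions'               = [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions
    'Change Permissions'             = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
    'Take Ownership'                 = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    'Synchronize'                    = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
}

# Basic permissions from most to least privileged; a mask is reported as the first one it fully contains.
$Basic = [ordered]@{
    'Full Control'   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    'Modify'         = [int][System.Security.AccessControl.FileSystemRights]::Modify
    'Read & Execute' = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Read'           = [int][System.Security.AccessControl.FileSystemRights]::Read
    'Write'          = [int][System.Security.AccessControl.FileSystemRights]::Write
}

function Expand-FileSystemRights {
    param([int]$Mask)
    $set = foreach ($name in $Granular.Keys) {
        if (($Mask -band $Granular[$name]) -eq $Granular[$name]) { $name }
    }
    $summary = $null
    foreach ($name in $Basic.Keys) {
        if (($Mask -band $Basic[$name]) -eq $Basic[$name]) { $summary = $name; break }
    }
    $covered = if ($summary) { $Basic[$summary] } else { 0 }
    [PSCustomObject]@{
        Mask               = '0x{0:X}' -f $Mask
        Summary            = if ($summary) { $summary } else { '(none)' }
        SpecialPermissions = (($Mask -band (-bnot $covered)) -ne 0)   # bits the summary check box does not cover
        Granular           = @($set)
    }
}

# Modify expands to every special permission except Delete Subfolders and Files, Change Permissions
# and Take Ownership, matching the Modify column of the tables.
Expand-FileSystemRights -Mask ([int][System.Security.AccessControl.FileSystemRights]::Modify)

# Read plus Delete is reported as Summary = Read with SpecialPermissions = True: the Security tab
# shows the Read check box and a Special Permissions check box, and only Advanced reveals the Delete.
Expand-FileSystemRights -Mask ([int]([System.Security.AccessControl.FileSystemRights]'Read, Delete'))

# On a real object (placeholder path), one line per ACE:
# (Get-Acl 'D:\Data').Access | ForEach-Object { Expand-FileSystemRights -Mask ([int]$_.FileSystemRights) }
```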

Setting file and folder permissions

To set permissions for files and folders, do the following:

1. In Windows Explorer, select the file or folder and right-click it.
2. In the context menu, select Properties, then open the Security tab shown in Figure 13-12.


Figure 13-12 - Configuring basic permissions for files or folders on the Security tab

3. The Name list shows the users and groups that have permission entries on the file or folder. To change the permissions for one of them, do the following:

Highlight the user or group for which you want to change permissions.

Use the Permissions list to allow or deny permissions.

Tip. Inherited permission check boxes are grayed out. To override an inherited permission, select the opposite setting (for example, check Deny for an inherited Allow).

4. To set permissions for users, contacts, computers, or groups that are not in the Name list, click Add. The dialog box shown in Figure 13-13 appears.


Figure 13-13 - Selecting the users, computers, and groups to allow or deny access.

5. Use the Select Users, Computers, Or Groups dialog box to choose the users, computers, or groups to set permissions for. It contains the following fields:

Look In: This drop-down list lets you view the available accounts from other domains. It includes the current domain, trusted domains, and other available resources. To see every account in the directory, select Entire Directory.

Name: This column lists the existing accounts of the selected domain or resource.

Add: This button adds the highlighted names to the list of selected names.

Check Names: This button verifies the names of users, computers, or groups in the list of selected names. It is useful when names are typed by hand and you want to be sure they are correct.

6. In the Name list, highlight the user, contact, computer, or group to configure, then check or clear the boxes in the Permissions list to set its access. Repeat for other users, computers, or groups.
7. When finished, click OK.
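The same procedure scripted, as an added example that is not from the book: resolve the account first (the equivalent of Check Names), add a Modify entry that propagates to subfolders and files, and read the result back. The path and group name are placeholders.

```powershell
# Added example, not part of the book chapter. Placeholders: $Path, $Principal.
$Path      = 'D:\Projects\Reports'
$Principal = 'CORP\Analysts'

# Steps 4-5 equivalent: Check Names. Translating the name to a SID fails for an account that does not
# exist, which is exactly the typo the button is there to catch.
function Test-Principal {
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
        [PSCustomObject]@{ Name = $Name; Sid = $sid.Value; Resolves = $true }
    } catch {
        [PSCustomObject]@{ Name = $Name; Sid = $null; Resolves = $false }
    }
}

$check = Test-Principal -Name $Principal
if (-not $check.Resolves) { throw "Unknown account: $Principal" }

# Step 6 equivalent: tick Modify for the group, inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $Path
$acl.SetAccessRule($rule)   # replaces any existing Allow entry for this principal; AddAccessRule would merge with it
Set-Acl -Path $Path -AclObject $acl

# Step 7 equivalent: read back what the Security tab now displays for the group.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# One-line icacls equivalent of the grant:
#   icacls D:\Projects\Reports /grant "CORP\Analysts:(OI)(CI)M"
```

SetAccessRule rather than AddAccessRule is the scripted equivalent of editing the check boxes for an account already in the Name list: it replaces that account's Allow entry instead of leaving a second one behind.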

System resource audit

Auditing is the best way to track events on Windows 2000 systems. Use it to collect information about how a resource is used. Typical audited events are file access, logons, and system configuration changes. Once auditing is enabled on an object, an entry is written to the security log whenever the object is accessed, or access is attempted, in an audited way. The security log is viewed with the Event Viewer snap-in.

Note. To change most auditing settings, you must be logged on with the Administrator account or as a member of the Administrators group, or hold the Manage Auditing And Security Log user right assigned through Group Policy.

Setting audit policies

Applying audit policies greatly improves the security and integrity of systems. Almost every computer on the network should keep a security log. Audit policies are configured through the Group Policy snap-in, which lets you set them for an entire site, domain, or organizational unit. Policies can also be set on individual workstations or servers.

After selecting the desired Group Policy container, you can configure audit policies as follows:

1. As shown in Figure 13-14, find the Audit Policy node by expanding the console tree: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.


Figure 13-14 - Configuring audit policy using the Audit Policy node in Group Policy.

2. The auditing categories are:

Audit Account Logon Events tracks credential validation. It is recorded on the computer that authenticates the account (a domain controller for domain accounts), not necessarily the computer being logged on to.

Audit Account Management tracks account management through the administrative snap-ins. Records appear when a user, computer, or group account is created, modified, or deleted.

Audit Directory Service Access tracks Active Directory access. Records are generated each time users or computers access directory objects that carry an audit entry.

Audit Logon Events tracks logon and logoff at the computer where they occur, including network connections to it.

Audit Object Access tracks use of system resources such as files, directories, shares, and Active Directory objects that carry audit entries.

Audit Policy Change tracks changes to user rights assignment policies, audit policies, or trust policies.

Audit Privilege Use tracks each time a user exercises a user right or privilege granted to him, for example the right to back up files and directories.

Note. The Audit Privilege Use policy does not track privileges used for system access, such as the right to log on interactively or to access the computer from the network. Those are covered by Audit Logon Events.

Audit Process Tracking tracks system processes and the resources they use.

Audit System Events tracks computer startup, restart, and shutdown, as well as events that affect system security or the security log itself.

3. To configure a policy, double-click it, or select Properties from its context menu. The Local Security Policy Setting dialog box opens.
4. Select the Define These Policy Settings check box, then check or clear Success and Failure. Success auditing writes a record for each successful event (for example a successful logon); Failure auditing writes one for each failed event (for example a failed logon attempt).
5. When finished, click OK.

Audit of operations with files and folders

If the Audit Object Access policy is enabled, you can audit individual folders and files, which tracks their use precisely. This is available only on NTFS volumes.

To configure file and folder auditing, do the following:

1. In Windows Explorer, select the file or folder to audit. In the context menu, select Properties.
2. Open the Security tab, then click Advanced.
3. In the dialog box, open the Auditing tab shown in Figure 13-15.


Figure 13-15 - Configuring audit policies for individual files or folders on the Auditing tab.

4. For audit settings to be inherited from the parent object, select the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
5. For child objects to inherit the audit settings of this object, select the Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries check box.
6. Use the Auditing Entries list to select the users, computers, or groups whose activity will be tracked. To remove an account from the list, select it and click Remove.
7. To add an account, click Add. In the Select Users, Computers, Or Groups dialog box, choose the account and click OK. The Auditing Entry For <folder or file name> dialog box shown in Figure 13-16 appears.

Note. To track the actions of all users, use the special Everyone group. Otherwise select individual users or groups in any combination.


Figure 13-16 - The Auditing Entry For New Folder dialog box, used to set audit entries for a user, contact, computer, or group.

8. If you need to narrow the objects the audit settings apply to, use the Apply Onto drop-down list.
9. Check the boxes Successful and / or Failed for required audit events. Success auditing means creating an audit record for a successful event (such as a successful file read). Failure auditing means creating an audit record for a failed event (for example, a failed attempt to delete a file). Events to audit are the same as special permissions (Tables 13-4 and 13-5), except for offline files and folders synchronization, which cannot be audited.
10. When finished, click OK. Repeat these steps to configure auditing for other users, groups, or computers.
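Both procedures above (enabling the policy and adding per-object audit entries) scripted for current Windows, as an added example not from the book. It uses auditpol, which on Windows Vista and later exposes the File System subcategory under Object Access, and FileSystemAuditRule to write the SACL. The path and principal are placeholders; run it elevated, since writing a SACL requires the Manage auditing and security log right.

```powershell
# Added example, not part of the book chapter. Placeholders: $Path, $Principal.
# Run elevated: reading or writing a SACL needs SeSecurityPrivilege (Manage auditing and security log).
$Path      = 'D:\Finance'
$Principal = 'Everyone'      # the chapter's advice for tracking all users

# 1. Policy (the Group Policy "Audit Object Access" step). Without the subcategory enabled,
#    per-object audit entries produce no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Per-object SACL entries (the Auditing tab step): failed deletes and successful writes,
#    propagated to subfolders and files (Apply Onto = this folder, subfolders and files).
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp     = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    [System.Security.AccessControl.FileSystemAuditRule]::new($Principal,
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        $inheritAll, $noProp, [System.Security.AccessControl.AuditFlags]::Failure),
    [System.Security.AccessControl.FileSystemAuditRule]::new($Principal,
        [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData',
        $inheritAll, $noProp, [System.Security.AccessControl.AuditFlags]::Success)
)
$acl = Get-Acl -Path $Path -Audit            # -Audit is required, otherwise the SACL is not read
foreach ($r in $rules) { $acl.AddAuditRule($r) }
Set-Acl -Path $Path -AclObject $acl

# 3. Read the SACL back, then pull the resulting events from the Security log.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, AuditFlags, FileSystemRights, IsInherited -AutoSize

# 4663 = an attempt was made to access an object (successful access, with the access mask and process);
# 4656 = a handle to an object was requested (a failed delete is reported here as an audit failure).
# Property positions follow the event templates: [1] = SubjectUserName, [6] = ObjectName for both IDs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656; StartTime = (Get-Date).AddHours(-1) } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Subject'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Auditing Everyone for successful reads on a busy folder floods the log quickly; auditing failures, deletes, and permission changes, and successes only for the handful of sensitive files, keeps the signal usable.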

Auditing Active Directory Directory Objects

If the Audit Directory Service Access policy is enabled, you can audit individual Active Directory objects, which tracks their use precisely.

To set up auditing for an object, do the following:

1. In the Active Directory Users And Computers snap-in, select the container that holds the object.
2. Right-click the object to be audited and select Properties.
3. Go to the Security tab and click Advanced.
4. Go to the Auditing tab of the Access Control Settings dialog box. For audit settings to be inherited from the parent object, select the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
5. Use the Auditing Entries list to select the users, computers or groups whose activities will be monitored. To remove an account from this list, select it and click Remove.
6. To add an account, click Add. In the Select Users, Contacts, Computers, Or Groups dialog box that appears, select the account to add. When you click OK, the Auditing Entry For <object name> dialog box (Auditing Entry For New Folder) appears.
7. If you need to refine which objects the audit settings apply to, use the Apply Onto drop-down list.
8. Check the Successful and/or Failed boxes for the events you want audited. Success auditing creates an audit record for every successful event (for example, a successful read). Failure auditing creates an audit record for every failed event (for example, a failed attempt to delete an object).
9. When finished, click OK. Repeat these steps to configure auditing for other users, contacts, groups, or computers.


Material taken from the book "Windows 2000. Administrator's Guide". Written by William R. Stanek. Copyright © 1999 Microsoft Corporation. All rights reserved.

NTFS permissions let us delimit rights within a folder in much finer detail than share permissions. We can prevent a particular group from changing one file while leaving it able to edit the rest of the folder; in the same folder, one group of users may have edit rights on one file and be unable to view other files edited by another group, and vice versa. In short, NTFS permissions allow a very flexible access scheme, the main thing being not to get lost in it yourself. In addition, NTFS permissions apply both when a folder is accessed over the network (in addition to the share permissions) and when files and folders are accessed locally.

There are six basic permissions, which are a combination of 14 advanced permissions.

BASIC PERMISSIONS:

  • Full Control (fullcontrol) - full access to a folder or file, including the ability to change access permissions and audit rules on folders and files.
  • Modify (modify) - the right to read, modify and view the contents of a folder, delete folders and files, and run executable files. Includes Read and Execute (readandexecute), Write (write) and Delete (delete).
  • Read and Execute (readandexecute) - the right to open folders and files for reading, without the ability to write, plus the ability to run executable files.
  • List Folder Contents (listdirectory) - the right to view the contents of a folder.
  • Read (read) - the right to open folders and files for reading, without the ability to write. Includes List Folder / Read Data (readdata), Read Attributes (readattributes), Read Extended Attributes (readextendedattributes) and Read Permissions (readpermissions).
  • Write (write) - the right to create folders and files and to modify files. Includes Create Files / Write Data (writedata), Create Folders / Append Data (appenddata), Write Attributes (writeattributes) and Write Extended Attributes (writeextendedattributes).

ADDITIONAL PERMISSIONS

  • Traverse Folder / Execute File (traverse) - the right to run and read files regardless of the access rights on the folder. The user has no access to the folder itself (what it contains remains a mystery to him), but the files in it are reachable by a direct link (a full, relative or UNC path). You can grant Traverse Folder on the folder and, on the file, whatever other permissions the user needs to work. The user cannot create or delete files in the folder.
  • List Folder / Read Data (readdata) - the right to view the contents of a folder without the ability to modify it. Files in the folder cannot be opened or run.
  • Read Attributes (readattributes) - the right to view the attributes (FileAttributes) of a folder or file. The contents of the folder or file cannot be viewed, and the attributes cannot be changed.
  • Read Extended Attributes (readextendedattributes) - the right to view the extended attributes of a folder or file.
  • Create Files / Write Data (writedata) - lets the user create files in a folder to which he otherwise has no access. Files can be copied into the folder and new files created in it. The user cannot view the contents of the folder, create new subfolders, or modify existing files; he cannot change any file, even one he owns, only create files.
  • Create Folders / Append Data (appenddata) - lets the user create subfolders in a folder and append data to the end of a file without changing its existing content.
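The basic permissions above are literally bit masks built from the advanced ones. This added example (not from the article) expands each basic permission into the atomic rights it contains, using the .NET FileSystemRights enum, whose member names match the identifiers given in parentheses above.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the article): decompose each basic NTFS permission into the
# atomic advanced rights it is built from. Paired names in the enum (ReadData/ListDirectory,
# WriteData/CreateFiles, AppendData/CreateDirectories, ExecuteFile/Traverse) share one bit.
$atomic = [ordered]@{
    ReadData                     = [FileSystemRights]::ReadData
    WriteData                    = [FileSystemRights]::WriteData
    AppendData                   = [FileSystemRights]::AppendData
    ReadExtendedAttributes       = [FileSystemRights]::ReadExtendedAttributes
    WriteExtendedAttributes      = [FileSystemRights]::WriteExtendedAttributes
    ExecuteFile                  = [FileSystemRights]::ExecuteFile
    DeleteSubdirectoriesAndFiles = [FileSystemRights]::DeleteSubdirectoriesAndFiles
    ReadAttributes               = [FileSystemRights]::ReadAttributes
    WriteAttributes              = [FileSystemRights]::WriteAttributes
    Delete                       = [FileSystemRights]::Delete
    ReadPermissions              = [FileSystemRights]::ReadPermissions
    ChangePermissions            = [FileSystemRights]::ChangePermissions
    TakeOwnership                = [FileSystemRights]::TakeOwnership
    Synchronize                  = [FileSystemRights]::Synchronize
}

function Expand-FileSystemRights {
    param([FileSystemRights]$Rights)
    # Emit the name of every atomic right whose bit is set in $Rights.
    foreach ($entry in $atomic.GetEnumerator()) {
        if (($Rights -band $entry.Value) -eq $entry.Value) { $entry.Key }
    }
}

# The six basic permissions; ListDirectory has the same bits as ReadAndExecute but
# is only meaningful on folders, so it is shown once under ReadAndExecute.
foreach ($basic in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    $value = [FileSystemRights]$basic
    '{0,-15} = 0x{1:X6} -> {2}' -f $basic, [int]$value, ((Expand-FileSystemRights $value) -join ', ')
}
```

The same function can be pointed at any FileSystemRights value read from Get-Acl to see exactly which advanced rights an ACE grants.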

Protecting files and shared folders

The topic of information security is more popular today than ever. IT professionals draw knowledge from everywhere: from specialist magazine articles and even from daily e-mails.

Most technical tools protect an organization's resources from outside interference. But it is often necessary to share access to information within the enterprise itself. Just imagine the problems that could arise if all employees gained access to their colleagues' personal records.

The NTFS file system in Windows XP and its shared folder permissions are specifically designed to protect the contents of shared folders from both internal and external leaks. This article gives some tips to help an administrator assign NTFS permissions and control access to shared folders and files.

File access control

Most users share a folder with the members of a workgroup or peer-to-peer network simply by doing the following:

  1. Enter a name for the folder in the Share Name field
  2. Optionally, you can add some explanatory words in the Comment column.
  3. Click OK.

However, this method does not always work correctly, especially on Windows XP systems with NTFS-formatted disks (conflicting NTFS permissions can prevent authorized users from accessing these resources; more on this below). Worse still, the default permissions in Windows XP grant all users access to the contents of the directory.

Also, in order to assign different permissions to different users, you must disable the default Windows XP Simple File Sharing option:

  1. Open Windows Explorer
  2. Go to the Tools menu
  3. Select Folder Options
  4. Click the View tab.
  5. In the Advanced Settings list, clear the Use Simple File Sharing (Recommended) check box.
  6. Click OK.

To disable permission for Everyone and configure the access level for each user individually:

The Full Control permission allows users or groups to read, modify, delete, and run the files in a folder. In addition, such users can create and delete subfolders in the directory.

Users with the Change permission on a folder can view and modify files in the directory, create their own files and folders in it, and run programs located in it.

Users and groups with the Read permission may only view the files stored in the directory and run programs. Additional permissions can be set on Windows XP drives formatted with the NTFS file system.

NTFS permissions

NTFS permissions in Windows provide an additional set of options that can be configured for each individual file or folder.

First, make sure the volume is formatted with the NTFS file system:

  1. Click Start
  2. Select the Run command
  3. Enter compmgmt.msc in the line and click OK. The Computer Management console opens.
  4. Navigate to the Disk Management object on the Storage tab to see what type of file system is used on each disk.

If the disk or one of its partitions is not formatted with NTFS, this can be fixed by running `convert X: /fs:ntfs`, replacing X with the letter of the disk or partition. The convert command changes the disk's current file system to NTFS without destroying the data stored on it. Even so, it is best to back up the disk contents before running the command.

To configure NTFS permissions:

Note that by default, subdirectories inherit the properties of their root directories. To change this, click the Advanced button on the Security tab of the Properties dialog box.

NTFS permission types:

  • Full Control - allows users and groups to perform any operations with the contents of the folder, including browsing files and subdirectories, launching application files, managing the list of folder contents, reading and launching executable files, changing the attributes of files and folders, creating new files, adding data to files, deleting files and subdirectories, as well as changing access permissions to files and folders.
  • Modify - Allows users and groups to view files and subdirectories, run application executables, manage the list of folder contents, view folder options, change folder and file attributes, create new files and subdirectories, add data to files, and delete files.
  • Read & Execute - Allows users and groups to view a list of files and subdirectories, run application executables, view the contents of files, and change the attributes of files and folders.
  • List Folder Contents - Allows users and groups to navigate directories, work with the list of folder contents, and view attributes of files and folders.
  • Read - Allows users and groups to view folder contents, read files, and view attributes of files and folders.
  • Write - Allows users and groups to change the attributes of files and folders, create new folders and files, and modify and supplement the contents of files.

To determine a user's final permissions, subtract from the NTFS permissions granted to him directly (or through group membership) all individual denials (or the denials he receives as a member of a group). For example, if a user has Full Control on a folder but is also a member of a group for which Full Control is denied, he ends up without full access. If a user is granted Read & Execute and List Folder Contents through the same group but is denied List Folder Contents, the resulting NTFS privileges are limited to Read & Execute. For this reason, the administrator should treat denials with extreme caution, since denied functions take precedence over those allowed for the same user or group.

Windows XP comes with a handy utility for checking the effective permissions of a user or group:


Combining NTFS Permissions with Shared Permissions

It sounds promising. It would seem enough to distribute the appropriate permissions to users competently and start working. The reality, however, is not that simple. Share permissions and NTFS permissions should together define clearly what real permissions users and groups have, but unfortunately they often conflict with each other. To determine a user's final permissions, compare the resulting share permissions with the resulting NTFS permissions, and remember that restrictions dominate permissions. For example, if a user's final NTFS privileges are limited to Read & Execute while the resulting share privileges are Full Control, the system will not give the user effective Full Control but will apply the more restrictive level, in this case NTFS Read & Execute. Always keep in mind that the resulting restrictions take precedence over the resulting permissions. This is a very important point that is easily forgotten, and forgetting it causes users a lot of trouble. Therefore, carefully work out the relationship between the denials and allowances in the NTFS permissions and the share permissions.
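The two rules above (denials subtracted from allowances within NTFS, and the more restrictive of NTFS and share permissions winning over the network) as a small PowerShell model. This is an added example, not from the article; the account and group names, the ACEs, and the mapping of share levels to NTFS rights are constructed for the illustration.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the article). Deny entries are subtracted from the union of
# Allow entries; over a share, only rights present in both the effective NTFS rights
# and the share permission survive. Names and ACEs below are constructed.
function Get-EffectiveNtfsRights {
    param(
        [string[]]$Identities,   # the user plus every group they belong to
        [object[]]$Aces          # constructed ACEs: @{ Identity; Type; Rights }
    )
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Identities -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Allow') { $allow = $allow -bor [int]$ace.Rights }
        else                       { $deny  = $deny  -bor [int]$ace.Rights }
    }
    # Deny wins over Allow: clear every denied bit from the granted set.
    [FileSystemRights]($allow -band (-bnot $deny))
}

# Share permission levels mapped to the NTFS rights they correspond to (assumed mapping).
$shareLevel = @{
    'Read'         = [FileSystemRights]::ReadAndExecute
    'Change'       = [FileSystemRights]::Modify
    'Full Control' = [FileSystemRights]::FullControl
}

function Get-EffectiveShareAccess {
    param([FileSystemRights]$NtfsRights, [string]$SharePermission)
    # Both checks apply on network access, so the result is the intersection.
    [FileSystemRights]([int]$NtfsRights -band [int]$shareLevel[$SharePermission])
}

# Case 1 (from the text): Full Control allowed to User1 but denied to a group User1 is in.
$acl1 = @(
    @{ Identity = 'User1';       Type = 'Allow'; Rights = [FileSystemRights]::FullControl },
    @{ Identity = 'Contractors'; Type = 'Deny';  Rights = [FileSystemRights]::FullControl }
)
$ntfs1 = Get-EffectiveNtfsRights -Identities 'User1', 'Contractors' -Aces $acl1
"Case 1, effective NTFS rights: $ntfs1"      # every bit denied, nothing remains

# Case 2 (from the text): NTFS Read & Execute through Everyone, Full Control on the share.
$acl2 = @(@{ Identity = 'Everyone'; Type = 'Allow'; Rights = [FileSystemRights]::ReadAndExecute })
$ntfs2 = Get-EffectiveNtfsRights -Identities 'User1', 'Everyone' -Aces $acl2
"Case 2, access over the share: $(Get-EffectiveShareAccess $ntfs2 'Full Control')"

# Case 3: NTFS Modify, but the share only grants Read.
"Case 3, access over the share: $(Get-EffectiveShareAccess ([FileSystemRights]::Modify) 'Read')"
```

The model ignores ACE ordering and inheritance, which on a real volume are resolved by the kernel; it is only meant to make the subtract-then-intersect rule of the text concrete.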