NTFS

1

• NTFS

2
Chapter Overview

• Understanding and Applying NTFS Permissions
• Assigning NTFS Permissions and Special
  Permissions
• Solving Permissions Problems

3
Discovering NTFS

• Using NTFS permissions

• How XP applies NTFS permissions

• Assigning NTFS permissions

• Copying and moving files and folders

4
Introduction to NTFS Permissions

• NT file system (NTFS) permissions specify
• Who can access folders and files
• What they can do with the contents
• NTFS permissions are available only on NTFS
  volumes.
• NTFS permissions provide security for
• Local access
• Over the network access

5
Using NTFS permissions

• NTFS permissions
• NTFS Folder permissions
• NTFS file permissions

6
Managing NTFS Permissions

• The following can assign NTFS permissions
• Administrators
• Owners of files and folders
• Users with the Full Control permission

7

• NTFS is the Windows file system that defines the
  way in which files are named, stored, and
  organized.
• A file system is used to partition a hard drive.
• Partitions are simply a logical portion of a
  physical disk that functions as though it were a
  separate unit.

If no permissions are assigned to a user or group
they can not access the resource. NTFS provides
the level of user access.
8
NTFS permissions
NTFS Partition C\

• Permissions can be assigned to user accounts and
  groups
• Permission can be denied

READ
User 1
No permissions Assigned
User 2
9
When assigning permissions to files it is best to
instead assign permissions to a folder. Then
place files into a folder with the security
requirements you need. You can specify
permissions on individual files within a folder
if you want a user to have access to only a
particular file
User 1
10

• Folder and File permissions

11
NTFS Folder Permissions

• Read
• Write
• List Folder Contents
• Read Execute
• Modify
• Full Control

12

• You assign folder permissions to control access
  users have to
• Folders
• and the files
• and the sub folders.

13
Most restrictive
least
14
NTFS File Permissions

• Read
• Write
• Read Execute
• Modify
• Full Control

15
NTFS Partition C\

• You assign file permissions to control the access
  that users have to files.

Folder A
File1
File2
16
Most restrictive
least
17
Granular control

• When Microsoft designed both file and folder
  permissions schemes, they used many specific and
  special permissions to accomplish this goal.
• Much of this design comes from well established
  VMS, Unix and mainframe environments.
• These many special permission are complex in
  their nature.
• To ease administration, they group them into
  basic permission functions

18
Special folder permissions
19
Special file permissions
20
Access Control List

• NTFS stores an access control list (ACL) with
  every file and folder.
• Each ACL contains
• A list of all user accounts and groups granted
  access
• The type of access each user and group has been
  granted
• An access control entry (ACE) for a user account
  or a group

21
Effective Permissions

• A users effective permissions for a resource are
  the sum of the NTFS permissions that you assign
• To a user account
• To all groups the user belongs to
• A users permissions are said to be cumulative
  because they are the sum of the users
  permissions.

22
NTFS adds permissions

• A users effective permissions for a resource are
  the combination of the NTFS permissions assigned
  to the user account and all the groups to which
  the user belongs

Folder A
File 1
Group B
Write at folder A
File 2
User1
Read at Folder A
Group A
Deny write to file2
23

• The user 1 has read permission for the folder A,
  but is a member of a group with write permissions
  for that same folder
• The user has now both read and write permissions.

NTFS Partition C\
Folder A
Read write
Read write
File1
Group B
Write at folder A
File2
User1
Read at Folder A
24
Fact.

• When multiple permissions are assigned to a group
  of users, the least restrictive permissions
  apply.

25
Overriding Folder Permissions with File
Permissions

• NTFS file permissions take priority over NTFS
  folder permissions.
• A user with the appropriate permissions can
  access a file even if that user does not have
  permission to access the folder containing the
  file.
• The Bypass Traverse Checking security permission
  allows a user to access a file even if the user
  does not have corresponding folder permissions.
• The folder that contains the file is invisible if
  the user does not have corresponding folder
  permissions.
• To gain access to the file, a user can do one of
  the following
• Use the full Universal Naming Convention (UNC).
• Use the local path to open the file from its
  respective application.

26

• NTFS file permissions take priority over folder
  permissions.
• The user has at folder A now both read and write
  permissions but file permissions on file 2
  restrict him to only read.

NTFS Partition C\
Folder A
Read and write
Read and write
File1
Group B
Write at folder A
File2
Read
User1
Read at Folder A
Group A
Deny write to file 2
27
Overriding Permissions with Deny

• You can deny permissions to a user account or
  group for a specific file or folder.
• Deny overrides all instances in which that
  permission is allowed.
• Denying permissions is not the recommended way to
  control access to resources.

28

• Deny overrides other permissions.
• Avoid using deny permissions
• It is preferable to structure groups and organize
  resources in folder so that allowing permission
  is sufficient.

NTFS Partition C\
Folder A
Read and write
Read and write
File1
Group B
Write at folder A
File2
Read
User1
Read at Folder A
Group A
Deny write to file2
29

• Deny overrides other permissions.
• If you denied a user Read Execute even if
  later you added the user to a group with full
  control the user would not be able to Read
  Execute.

30
Denying read and execute permissions for a user
.. Turns off all the associated special
permissions and overrides any other permissions
given.
31
Lets see what you know!

• Users can write at folder A
• Sales can read at folder A
• What permissions does Joe have at folder A?

Folder A

• Users can read at folder A
• Sales can write to folder B
• What can Joe do at file 2?

File 1
Users
File 2
Joe

• Users have modify for folder A
• File 2 should have access by sales only and read
  only
• What steps must be take to ensure this situation?

Folder B
Sales
File 2
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
NTFS Permissions Inheritance

• By default, the parent folders permissions are
  propagated to
• Any existing subfolders and files in the parent
  folder
• Any files or folders created in the parent folder
• You can prevent permissions inheritance.
• The folder for which you prevent permissions
  inheritance becomes the new parent folder.
• The subfolders and files in the new parent folder
  inherit the permissions from the new parent
  folder.

41
Permission Inheritance
42
Assigned permissions
Group B
Folder A
Read and write
Read and write
Folder B
Access to folder B
Inherit permissions
By default, permissions that you assign to a
parent folder are inherited by and propagated to
the subfolder and files that are contained in the
parent folder.
Read
43
Parent folder
By default, permissions that you assign to a
parent folder are inherited by and propagated to
the subfolder and files that are contained in the
parent folder.
44
You can turn off/turn on or reset permission
inheritance.
45
(No Transcript)
46
Controlling permission Inheritance
Changing inheritance of permissions at
c\freebies folder
47
(No Transcript)
48
By default, permissions that you assign to a
parent folder are inherited by and propagated to
the subfolder and files that are contained in the
parent folder. Thus attempting to remove
permissions on folders or files require that you
first remove the inherit property from the parent
object. In our example our parent to our
D\freebies would be D\root
49
Cont..
50
We edit the inherit property of the parent object
to prevent everyone group from being applied by
default to all child objects
Cont
51
At the D\root can change how inherit
permissions propagate to child objects such as
our d\freebies directory.
52
You can change default inherit permissions you
assign to a parent folder. Your choice will
determine one of the above options of inheritance
of permissions.
53
Now Back to d\freebies. We have have a choice
on how permission at the folder level are
inherited to the child objects below (files and
subfolders). We can also disable inheritance of
permissions on child objects.
54
Preventing Permissions Inheritance

• By default, subfolders and files inherit
  permissions from parent folders.
• Clear the Allow Inheritable Permissions From
  Parent To Propagate To This Object check box.
• Select one of the following options
• Copy
• Remove
• Cancel

55
(No Transcript)
56
note

• The folder at which you prevent permissions
  inheritance. Now becomes the new parent folder
• . And the subfolders and files that are
  contained within it will inherit the permissions
  you assign

Stop inheritance
57
Simplify Administration of Permissions

• Group files into application, data, and home
  folders.
• Centralize home and public folders on one
  separate volume.
• Assign permissions only to folders, not to files.
• Isolate applications and the operating system on
  a different volume.
• Back up only home and public folders.
• Do not back up applications or the operating
  system.
• Deny permissions only when it is essential.

58
Minimize NTFS Permission Assignments

• Allow only the required level of access.
• Create groups according to the access required
  for resources.
• Assign the appropriate permissions to the group.
• Avoid assigning permissions to individual user
  accounts.
• Encourage users to assign permissions to the
  folders they create.

59
Assign Permissions for Data or Application
Folders

• Assign the Read Execute permission to
• The Users group
• The Administrators group

60
Assign Permissions for Public Data Folders

• Assign the Read Execute and the Write
  permissions to the Users group.
• Assign the Full Control permission to the CREATOR
  OWNER user.

61
Default NTFS permissions

• NTFS permissions are automatically assigned
• When a partition is formatted with NTFS
• When a folder or file is created in the partition
• When a user or group accounts added to a folder

62

• When you format a partition with NTFS
• Windows automatically assigns the Full Control
  permissions for the root folder to the Everyone
  group.
• Folders and files that are created on the
  partition inherit this default permissions.
• To restrict access you must change the default
  settings.

• default 1

63
(No Transcript)
64
Folders and files that are created on the
partition inherit this default permissions.

• default 2

65
Folders and files that are created on the
partition inherit this default permissions.
Default settings for a created folder
66

• When you assign a user or group to a new folder
  or file the following permissions are given by
  default
• when adding a user or group to a folder
• Read Execute
• List folder contents
• Read
• When adding a user or group to a file
• Read Execute
• Read

• default 3

67
(No Transcript)
68
(No Transcript)
69
Setting NTFS Permissions
70
Granting or Denying Special Permissions

• In the folder Properties dialog box, click
  Advanced to display the Advanced Security
  Settings dialog box.
• Select the user or group for which you want to
  modify the Special Permission settings, and then
  click Edit.
• In the Permission Entry For dialog box, select
  Allow or Deny for each of the special permissions
  you want to modify.

71
special permissions

• Traverse Folder/Execute file
• List folder/read data
• Read Extended Attributes
• Create files/Write Data
• Create folders/Append Data
• Write Attributes
• Write Extended Attributes

• Delete Subfolders and Files
• Delete
• Read Permissions
• Change Permissions
• Take ownership
• Synchronize

72
Taking Ownership

• The current owner or a user with the Full Control
  permission can assign a user
• The Full Control standard permission
• The Take Ownership permission
• That user can now take ownership of the assigned
  file or folder.
• An administrator can take ownership of the file
  or folder regardless of the assigned permission.
• No one, not even the owner or the administrator,
  can assign ownership of a file or folder to
  anyone else.

73
Introduction to Solving Permissions Problems

• When you copy or move files and folders, the
  permission you set on the files or folders might
  change.
• Specific rules control how and when permissions
  change.
• Understanding these rules helps you solve
  permissions problems.
• Troubleshooting these permission problems is
  important to keep resources available for the
  appropriate users and protect them from
  unauthorized users.

74
Copying Files and Folders
75
Moving Files or Folders Within a Single NTFS
Volume

• The file or folder retains the original
  permissions.
• You must have the Write permission for the
  destination folder.
• You must have the Modify permission for the
  source file or folder.
• The owner of the file or folder does not change.

76
Moving Files or Folders Between NTFS Volumes
77
(No Transcript)
78
Troubleshooting Permissions Problems

• A user cannot gain access to a file or folder.
• You add a user account to a group to give the
  user access to a file or folder, but the user
  still cannot gain access.
• A user with the Full Control permission to a
  folder deletes a file in the folder and you want
  to prevent the user from deleting more files.

79
(No Transcript)
80
(No Transcript)
81
Avoiding NTFS Permissions Problems

• Assign the most restrictive NTFS permissions.
• Assign all permissions at the folder level.
• For all application-executable files, assign
• The Read Execute and Change permissions to the
  Administrators group
• The Read Execute permission to the Users group
• Assign the Full Control permission to CREATOR
  OWNER for public data folders.
• Allow permissions rather than deny permissions.

82
Chapter Summary

• NTFS permissions specify what type of access
  users and groups have to files and folders.
• NTFS file permissions take priority over NTFS
  folder permissions.
• Use the Security tab of the Properties dialog box
  of a file or folder to assign or modify NTFS
  permissions.
• By default, subfolders and files inherit
  permissions from their parent folders.
• When you copy or move files and folders, the
  permissions you set on them might change.