Chapter 9 PowerPoint

Securing Network Resources
• Understanding NTFS Permissions
• Assigning NTFS Permissions
• Assigning Special Permissions
• Copying and Moving Files and Folders
• Troubleshooting Permissions Problems

Understanding NTFS Permissions
• NTFS Permissions
• NTFS Folder Permissions
• NTFS File Permissions
• Access Control List
• Multiple NTFS Permissions
• NTFS Permissions Inheritance

NTFS Permissions
• Rules associated with objects that regulate which users can gain access to an object and in what manner.
• Specify which users and groups can gain access to files and folders, including access to the contents of the file or folder.
• Only available on NTFS partitions.
• Different permissions are assigned for files and folders.
• Not available with the FAT or FAT32 file systems.
• Security is effective whether a user gains access to the file or folder at the computer or over the network.

NTFS Folder Permissions Overview
• Folder permissions are assigned to control the access that users have to folders, and to the files and subfolders contained within the folder.
• Folder permissions can be denied to a user account or group.
• To deny all access to a user account or group for a folder, the Full Control permission is denied.

NTFS Folder Permissions
• Full Control: Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions
• Modify: Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission
• Read & Execute: Move through folders to reach other files and folders, even if the users do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
• List Folder Contents: See the names of files and subfolders in the folder
• Read: See files and subfolders in the folder and view folder ownership, permissions, and attributes
• Write: Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

NTFS File Permission Overview
• Control access users have to files
• Can be denied to a user account or group

NTFS File Permissions
• Full Control: Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
• Modify: Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
• Read & Execute: Run applications, plus perform the actions permitted by the Read permission
• Read: Read the file, and view file attributes, ownership, and permissions
• Write: Overwrite the file, change file attributes, and view file ownership and permissions

Access Control List (ACL)
• NTFS stores an ACL with every file and folder on an NTFS volume.
• An ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well as the type of access that has been granted.
• For a user to gain access to a resource, the ACL must contain an access control entry (ACE) for the user account or a group to which the user belongs.
• The ACE must allow the type of access that is requested for the user to gain access.
• If no ACE exists in the ACL, the user cannot gain access to the resource.

Multiple NTFS Permissions

File Permissions Override Folder Permissions
• A user with access to a file will be able to gain access to the file even if the user does not have access to the folder containing the file.
• A user can gain access to the files for which he or she has permissions by using the full UNC name or local path to open the file from its respective application, even though the folder in which it resides will be invisible if the user has no corresponding folder permission.
• Without permission to access the folder, the user cannot see the folder and is therefore unable to browse for the file.

Deny Overrides Other Permissions
• Permission to a user account or group for a specific file can be denied, although this is not the recommended way to control access to resources.
• Denying permission overrides all instances where that permission is allowed.

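The ACL rules on the preceding slides (an ACE must exist for the user or one of the user's groups, allowed permissions from several groups combine, and Deny overrides Allow), worked through as a small Python model. This is an added example, not part of the original slides; it follows the slides' simplified rules rather than reproducing the Windows access-check algorithm, and the ACE class, function names, accounts, groups and ACL are hypothetical.

```python
from dataclasses import dataclass

# Special permissions (names from the slides) as Windows file access-mask bits.
SPECIAL = {
    "List Folder/Read Data": 0x1, "Create Files/Write Data": 0x2,
    "Create Folders/Append Data": 0x4, "Read Extended Attributes": 0x8,
    "Write Extended Attributes": 0x10, "Traverse Folder/Execute File": 0x20,
    "Delete Subfolders and Files": 0x40, "Read Attributes": 0x80,
    "Write Attributes": 0x100, "Delete": 0x10000, "Read Permissions": 0x20000,
    "Change Permissions": 0x40000, "Take Ownership": 0x80000, "Synchronize": 0x100000,
}
# Each standard permission is a group of special permissions.
READ = 0x1 | 0x8 | 0x80 | 0x20000 | 0x100000
WRITE = 0x2 | 0x4 | 0x10 | 0x100 | 0x20000 | 0x100000
READ_EXECUTE = READ | 0x20
MODIFY = READ_EXECUTE | WRITE | 0x10000
FULL_CONTROL = MODIFY | 0x40 | 0x40000 | 0x80000

@dataclass(frozen=True)
class ACE:
    trustee: str        # user account or group the entry applies to
    mask: int           # special-permission bits the entry covers
    deny: bool = False  # False = Allow entry, True = Deny entry

def effective_rights(acl, user, groups):
    """Union of matching Allow ACEs minus the union of matching Deny ACEs."""
    allowed = denied = 0
    for ace in acl:
        if ace.trustee in {user, *groups}:  # ACE for the user or a group
            if ace.deny:
                denied |= ace.mask
            else:
                allowed |= ace.mask
    return allowed & ~denied  # no matching ACE leaves 0: no access

def can_access(acl, user, groups, requested):
    # Every requested bit must survive in the effective rights.
    return (effective_rights(acl, user, groups) & requested) == requested

def describe(mask):
    return sorted(name for name, bit in SPECIAL.items() if mask & bit)

# Constructed ACL for a hypothetical Data folder.
DATA_ACL = [
    ACE("Users", READ_EXECUTE),
    ACE("Sales", WRITE),
    # Deny only the bits Write adds over Read, so Read itself stays intact.
    ACE("Interns", WRITE & ~READ, deny=True),
]
```

A member of Users and Sales ends up with Read & Execute plus Write but not Modify, because no entry grants Delete; adding the Interns membership removes the write bits again even though Sales still allows them.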
Permissions Inheritance

Understanding Permissions Inheritance
• Files and subfolders can inherit permissions from their parent folder.
• Inheritance depends on the inheritance option set for a given object.

Assigning NTFS Permissions
• Planning NTFS Permissions
• Setting NTFS Permissions
• Practice: Planning and Assigning NTFS Permissions

Planning NTFS Permissions
• Group files into application, data, and home folders to simplify administration.
• Centralize home and public folders on a volume that is separate from applications and the operating system.
• Allow users only the level of access that they require.
• Assign permissions to individual user accounts only when necessary.
• When assigning permissions for working with data or application folders, assign the Read & Execute permission to the Users group and assign the Read & Execute permission and the Change permission to the Administrators group.
• Create groups according to the access that the group members require for resources.

Planning NTFS Permissions (cont'd)
• Turn off the permissions inheritance option at the home directory level; this allows the user to consider permissions for each file or folder in the home directory.
• When assigning permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the Creator Owner identity group.
• Deny permissions only when denying specific access to a specific user account or group is essential.
• Encourage users to assign permissions to the files and folders that they create, and educate them about how to do so.

Setting NTFS Permissions
• When formatting a volume with NTFS, the Full Control permission is assigned to the Everyone group by default.
• The access that users have to resources is controlled by changing the Full Control permission and assigning other appropriate NTFS permissions.
• Administrators, users with Full Control permission, and the owners of files and folders (Creator Owner) can assign permissions to user accounts and groups.

Setting NTFS Permissions: Guest Account
The Guest account is a member of the Everyone group by default.
• Care should be taken when assigning permissions to the Everyone group and enabling the Guest account.
• Windows 2000 will authenticate as Guest a user who does not have a valid user account.
• A user authenticated as Guest automatically gets all rights and permissions that have been assigned to the Everyone group.

Security Tab of the Properties Dialog Box for the Data Folder

Preventing Permissions Inheritance
• By default, subfolders and files inherit permissions that are assigned to their parent folder.
• A check in the Allow Inheritable Permissions From Parent To Propagate To This Object check box, located in the Security tab in the Properties dialog box, is the default setting.
• If the check boxes under Permissions are shaded, then the file or folder has inherited permissions from the parent folder.
• Clearing the Allow Inheritable Permissions From Parent To Propagate To This Object check box prevents a subfolder or file from inheriting permissions from a parent folder.

Assigning Special Permissions
• Special Permissions
• Setting Special Permissions
• Taking Ownership of a File or Folder
• Practice: Taking Ownership of a File

Special Permissions Overview
• Special permissions are set on the Permission Entry For dialog box for the file or folder.
• Special permissions are accessed by selecting Advanced on the Security tab of the Properties dialog box for the file or folder, and then selecting View/Edit for a Permission Entry on the Access Control Setting For dialog box for the file or folder.
• Each of the standard file and folder permissions consists of a logical group of special permissions.
• When assigning special permissions to folders, choose where to apply the permissions down the tree to subfolders and files.
• Change Permissions and Take Ownership are particularly useful for controlling access to resources.

Special Permissions
• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Create Files/Write Data
• Create Folders/Append Data
• Write Attributes
• Write Extended Attributes
• Delete Subfolders and Files
• Delete
• Read Permissions
• Change Permissions
• Take Ownership
• Synchronize

Special Permissions Associated with Standard File and Folder Permissions
• Full Control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write

Change Permissions
• Granting Change Permissions allows other administrators and users to change permissions for a file or folder without giving them the Full Control permission over the file or folder.
• The administrator or user granted Change Permissions cannot delete or write to the file or folder, but can assign permissions to the file or folder.
• To give administrators the ability to change permissions, Change Permissions is assigned to the Administrators group for the file or folder.

Rules For Taking Ownership of a File or Folder
• The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special permission to another user account or group, allowing the user account or a member of the group to take ownership.
• An administrator can take ownership of a file or folder, regardless of assigned permissions.

Access Control Settings For Dialog Box

Permission Entry For Dialog Box

Copying and Moving Files and Folders
• Copying Files and Folders
• Moving Files and Folders
• Practice: Copying and Moving Folders

Copying Files or Folders Between Folders or Volumes

Copying a File Within a Single NTFS Volume or Between NTFS Volumes
• Windows 2000 treats the copy as a new file; it takes on the permissions of the destination folder or volume.
• Write permission for the destination folder is required to copy files and folders.
• The person copying the files or folders becomes the Creator Owner.

Moving Files or Folders Between Folders or Volumes

Moving a File or Folder Within a Single NTFS Volume
• The folder or file retains the original permissions.
• Write permission for the destination folder is required.
• Modify permission for the source folder or file is required.
• The person moving the file or folder becomes the Creator Owner.

Moving a File or Folder Between NTFS Volumes
• The folder or file inherits the permissions of the destination folder.
• Write permission for the destination folder is required to move files and folders into it.
• Modify permission for the source folder or file is required.
• The person moving the file or folder becomes the Creator Owner.

Troubleshooting Permissions Problems
• Troubleshooting Permissions Problems
• Avoiding Permissions Problems
• Practice: Deleting a File with All Permissions Denied

If a User Can’t Gain Access to a File or Folder
• Permissions might have changed if the file or folder was copied or moved.
• Check the permissions that are assigned to the user account and to groups of which the user is a member.
• The user might not have permission or might be denied access either individually or as a member of a group.

Avoiding Permissions Problems
• Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
• Assign all permissions at the folder level, not at the file level; group files in a separate folder for which user access is to be restricted, and then assign that folder restricted access.
• For all application executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group.

Avoiding Permissions Problems (cont'd)
• Assign Full Control to Creator Owner for public data folders so that users can delete and modify files and folders that they create.
• For public folders, assign Full Control to Creator Owner and Read and Write to the Everyone group.
• Use long, descriptive names if the resource will be accessed only at the computer; if the folder will be shared, use folder and file names that are accessible by all client computers.
• Allow permissions rather than deny permissions.