Module 6: Securing Network Resources with NTFS Permissions


NT Administration Notes
Introduction	Users	Groups	Admin
Shares	NTFS	Printing 1	Printing 2
Auditing	Monitoring	Backup

Module 6: Securing Network Resources with NTFS Permissions

Introduction to NTFS Permissions

NTFS permissions are permissions that are only available on a volume that has only been formatted with the Windows NT file system (NTFS). NTFS permissions provide a great degree of security because they can be assigned to folders and to individual files. They are sometimes referred to as local permissions.

You use NTFS permissions to protect resources from users who access the computer; locally and remotely.

NTFS permissions are:

NTFS Permission	For a folder - a user can:	For a file - a user can:
Read (R)	Display folder names, attributes, owner and permissions	Display file data, attributes, owner, and permissions
Write (W)	Add files and folders, change a folder's attributes, and display owner and permissions	Change file attributes, create data in and append data to a file display owner and permissions,
Execute (X)	Display folder attributes make changes to folders within a folder display owner and permissions	Display file attributes owner and permissions Run a file if it is an executable
Delete (D)	Delete a folder	Delete a file
Change Permission (P)	Change a folder's permissions	Change a file's permissions
Take Ownership (O)	Take ownership of a folder	Take ownership of a file

Note:

On a NTFS volume, the person who creates a file or folder becomes the owner. The owner can always assign and change permissions on a file or folder.

Standard Permissions:

Are combinations of individual NTFS permissions. They simplify administration by giving you the ability to assign combinations of individual permissions at one time.

Standard Shared Folder Permissions

Standard permission	Individual permission on folders	Individual permissions on files in the folder
No Access	None	None
List	RX	Not specified
Read	RX	RX
Add	WX	Not specified
Add & Read	RWX	RX
Change	RWXD	RWXD
Full Control	All	All

Standard File Permissions

The following table lists the standard file permissions and the individual NTFS permissions that each standard file permission represents:

Standard permission	Individual permission
No Access	None
Read	RX
Change	RWXD
Full Control	All (RWXDPO)

How NTFS permissions are applied

User can be assigned permissions directly or as a member of a group.
User might be a member of several groups with different permissions.
NTFS file permissions take precedence over the permissions assigned for the folder that the file is contained in.
AGAIN, File Permissions OVERRIDE FOLDER PERMISSIONS

even in a NO ACCESS folder the user can access the files via UNC or local path if he has permissions to the FILE.

Combining Shared Folder and NTFS Permissions

You gain the greatest degree of security by combining NTFS permissions with shared folder permissions.
The most restrictive permission is always the effective permission.
Shared folder permissions offer limited security because:

Give user same level of access to all folders and files within the shared folder.
Have no affect when a user accesses the resource locally.
Cannot be used to secure individual files.

You gain the greatest degree of security by combining NTFS permissions with shared folder permissions. The most restrictive permission is always the effective permission.

Guidelines for assigning NTFS Permissions

Application Folders:

Remove default permission Full Control from Everyone and assign it to Administrator.

If applications are contained in shared folders, assign Users group Read permission.

Data Folders:

Remove default permission Full Control from Everyone and assign it to Administrator.

Assign Users group Add & Read permissions and the Creator Owner special identity Full Control permission to data folders. This gives users who log on locally the ability to delete and modify only the files and folders that they create.

Educate users that share a computer to assign NTFS permissions to folders and files they own.

Home folders:

Centralize home folders on a network volume separate from applications and the operating system to streamline backing up data and administration.

Use the %Username% variable to automatically assign a users account name to the folder the NTFS Full Control Permission.

Store home folders on an NTFS volume on a network server

This simplifies backup

streamlines the assignment of permissions

NOTE:

On NTFS volumes, using %username% automatically assigns Everyone Full Control permissions to home folders

On FAT volumes, folders can only be restricted by shared folder permissions.

Assigning NTFS Permissions:

To assign NTFS permissions, you need to be the OWNER of the folder or file and have one of the following permissions:

Requirements to assign NTFS permissions

Be the owner
Have full control
Have Special Access: Change Permission
Special Access: Take Ownership

With this permission you first take ownership and then as the owner can change permissions

Default NTFS permissions

Volume is NTFS formatted, the permission Full Control to Everyone

This means that all Users with the right to Log on Locally have complete access to the volume

When folder or file is created on an NTFS volume, it inherits the permission of the folder containing it.

Assigning NTFS File and Folder Permissions

To assign NTFS permissions for files or folders right click in Explorer and select Properties. Click Security tab and click Permissions. In the Directory Permissions or File_name Permissions dialog box, configure the following options.

Option	Purpose
Replace Permissions on Subdirectories	If selected, changes existing permissions for ALL folders within the selected folder's hierarchy This option doesn't change permissions on existing files in the folder hierarchy This check box is cleared by default and is an option ONLY when assigning folder permissions
Replace Permissions on Existing Files	If selected, changes existing permissions for all files within the selected folder only. It doesn't change file permissions for folders within the same hierarchy This check box is cleared by default and is an option ONLY when assigning folder permissions
Name	Displays the folder or file permissions assigned to a group or user for the resource The first set of parentheses indicates the folder permissions and the second set of parentheses indicates the permissions for any new files created in the folder
Type of Access	Displays the folder or file permissions for the selected group or user in the NAME box and allows you to change the permission assigned to the selection

Assigning Special Access Permissions

You might want to assign individual permissions, or create a custom set of permissions. You can do this by assigning special permissions. For example, to allow another user to manage permissions for files you own, assign that user the special file access permission Change Permissions (P).

NOTE: This is also here to give UNIX users full individual rights instead of giving them FULL CONTROL. With Full Control, a UNIX user can delete a folder or file even though there are NO ACCESS permissions on the object. Assigning individual rights to this user gets around this.

How to get there?

right-click on folder or file
Click Properties
Click Permissions
Select a user or group name
In the Type of Access list, click Special Directory Access or Special File Access
click the appropriate permission, then OK

Requirements to Take Ownership:

Whoever creates a folder or file OWNS it ==>'s user can share folder and assign permissions to others

If the user has denies access to a file and then leaves the company, you can take ownership of the file and change the permissions so that others can use it.

By default, members of the Administrators group always have the ability to take ownership of a file or folder. An owner cannot change the ownership of a resource they own.

REMEMBER, YOU CAN'T GIVE OWNERSHIP AWAY, YOU CAN ONLY TAKE IT. The owner can only give another user or group the ABILITY to take ownership of a file or folder by assigning one of the following permissions:

Full Control

Special Access, Take Ownership

Special Access, Change Permissions - with this permission, users can assign the Take Ownership permission to themselves or to another user or group

Copying or Moving Folders and Files

(sure exam question area)

A user cannot copy or move files within or between NTFS volumes, unless the user has the correct permissions. The following table describes the required permissions to copy or move a file or folder to another folder on an NTFS volume or to another NTFS volume.

Action	Permission required
Copy	Add permission for the destination folder
Move	Add permission for the destination folder and Delete for the source folder

Permissions and Copying and moving files

Copying and moving files or folders within and between NTFS volumes can affect the original permissions set on a file. The following table describes what happens to permissions on a folder or file when copied or moved within or between an NTFS volume.

Task	Within an NTFS volume	Between NTFS volumes
Copy	Inherits permissions of the destination folder	Inherits permissions of the destination folder
Move	Retains original permissions	Inherits permissions of the destination folder

The rule is, then, the ONLY time the permissions are retained is when the file is moved within the same NTFS volume. A move is a copy or delete operation and it merely changes the pointer to the file.

Important Note:

The user who copies the file/folder becomes owner.
Files and folders that are copied or moved to FAT volumes lose their permissions, because FAT volumes do not support NTFS permissions.

Troubleshooting

Problem: a user deletes a file even though he was assigned NO ACCESS permission for the file

Instead of assigning the NTFS standard Full Control permission for a folder, assign all of the individual special directory access permissions. This gives all the abilities of the Full Control permissions for the folder by PREVENTS them from deleting files in the folder (for which they have been assigned NO ACCESS)

You add a user or group to give them access to an resource, but they still can't get access

User must log off and then on again OR
if on a remote computer, disconnect and connect

Because an ACCESS TOKEN is created for the user every time the user connects to NT. This token contains info about the groups to which the user belongs. The token needs to be updated and the only way to do that is by logging on fresh again.

Top of page

Comments and suggestions? E-mail me at grantwilson21@yahoo.com I'm sorry, but I can't answer specific network-related, or exam-related questions.
Last Updated: August 6, 2001	Grant Wilson, Edmonton, AB Canada