TechTutorials - Free Computer Tutorials  







Windows 2000/2003 NTFS and Share Permissions 
 


Added: 06/12/2005
The concept of permissions in a Microsoft environment is one of the more confusing subjects that certification candidates face, but it is a necessary topic to know, as many of Microsoft's certification exams test on it. This guide aims to help you understand the various types of permissions and how to use them in Windows 2000 and 2003 environments.

NTFS file permissions are used to control the access that a user, group, or application has to folders and files. They are referred to as NTFS permissions because a drive must be formatted with NTFS in order to utilize these permissions.

NTFS File Permissions:
NTFS file permissions are used to control the access that a user, group, or application has to files. This first table lists the standard permissions available for files.

Full Control     Read, write, modify, execute, delete, change attributes, change permissions, and take ownership of the file.
Modify           Read, write, modify, execute, delete, and change the file's attributes.
Read & Execute   Display the file's data, attributes, owner, and permissions, and run the file (if it is a program or has a program associated with it for which you have the necessary permissions).
Read             Display the file's data, attributes, owner, and permissions.
Write            Write to the file, append to the file, and read or change its attributes.


Windows 2000 and 2003 also allow a particular permission to be denied to a user or group. For example, if you want to make sure that Bob cannot read a file, simply deny him the Read permission. Permissions are cumulative, except for Deny, which overrides Allow. By cumulative, we mean that a user's effective permissions are the result of combining the permissions assigned to the user with the permissions assigned to every group the user is a member of. For example, if Bob is assigned Read access to a file, and the "sales" group that Bob is a member of has Write permission assigned, Bob's effective permissions for that file are Read and Write. One caveat: Windows evaluates permissions set directly on an object before permissions inherited from its parent folder, so an explicit Allow on a file does beat a Deny inherited from the folder above it; "Deny wins" holds between entries at the same level.
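The cumulative rule, the Deny override and the explicit-over-inherited caveat can be modelled with a few lines of Python that walk an ACL the way the Windows access check does. This is an added example written for this article, not code from the original page or from Microsoft; the Right flags use the real NTFS access-mask bit values but cover only a subset of the 14 special permissions, and the trustee names (bob, sales) and the ACLs are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Subset of the NTFS access-mask bits (real Windows values); the full
    set of 14 special permissions is not needed to show the evaluation rules."""
    READ_DATA = 0x0001       # List Folder / Read Data
    WRITE_DATA = 0x0002      # Create Files / Write Data
    APPEND_DATA = 0x0004     # Create Folders / Append Data
    EXECUTE = 0x0020         # Traverse Folder / Execute File
    DELETE = 0x10000
    READ_CONTROL = 0x20000   # Read Permissions


@dataclass(frozen=True)
class Ace:
    """One access control entry. A real ACE holds a SID; names are used here."""
    trustee: str
    allow: bool               # True: access-allowed ACE, False: access-denied ACE
    mask: Right
    inherited: bool = False   # True if the entry came from the parent folder


def canonical_order(acl):
    """Windows stores ACLs in canonical order: entries set directly on the
    object first (Deny before Allow), then inherited entries (again Deny
    before Allow). Sorting on (inherited, allow) reproduces that order."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(acl, principal, groups, desired):
    """Mirror the kernel access check for a token holding `principal` and its
    `groups`. Walk the ACL in canonical order: an Allow entry for a matching
    trustee adds its bits to the granted set; a Deny entry for a matching
    trustee fails the check if it covers any desired bit not yet granted.
    The walk stops as soon as everything desired is granted, which is why an
    explicit Allow beats an inherited Deny."""
    token = {principal, *groups}
    desired = int(desired)
    granted = 0
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        remaining = desired & ~granted
        if not remaining:
            break
        if ace.allow:
            granted |= int(ace.mask) & desired
        elif int(ace.mask) & remaining:
            return False
    return (granted & desired) == desired


def effective_rights(acl, principal, groups):
    """Cumulative effective rights: every single right the token can obtain."""
    bits = 0
    for right in Right:
        if access_check(acl, principal, groups, right):
            bits |= int(right)
    return Right(bits)


# Constructed sample ACL for a file: Bob is allowed Read and the "sales"
# group he belongs to is allowed Write. Both entries are explicit.
FILE_ACL = [
    Ace("bob", True, Right.READ_DATA | Right.READ_CONTROL),
    Ace("sales", True, Right.WRITE_DATA | Right.APPEND_DATA),
]


def bob_cumulative():
    """Bob gets the union of his own entry and his group's entry."""
    return effective_rights(FILE_ACL, "bob", {"sales"})


def bob_with_deny():
    """Add an explicit Deny of Write Data for Bob: it beats the group's Allow
    because Deny entries sort ahead of Allow entries at the same level."""
    acl = FILE_ACL + [Ace("bob", False, Right.WRITE_DATA)]
    return effective_rights(acl, "bob", {"sales"})


def bob_explicit_allow_vs_inherited_deny():
    """The caveat: an Allow set on the file itself beats a Deny inherited
    from the folder, because explicit entries are evaluated first."""
    acl = [
        Ace("sales", False, Right.READ_DATA, inherited=True),
        Ace("bob", True, Right.READ_DATA),
    ]
    return access_check(acl, "bob", {"sales"}, Right.READ_DATA)


def bob_explicit_deny_vs_explicit_allow():
    """Same entries, but with the Deny also explicit: now Deny wins."""
    acl = [
        Ace("sales", False, Right.READ_DATA),
        Ace("bob", True, Right.READ_DATA),
    ]
    return access_check(acl, "bob", {"sales"}, Right.READ_DATA)
```

The model stops at the first Deny that covers a still-unsatisfied bit, exactly as the kernel does, so an explicit Deny of Write Data takes Write Data away from Bob while leaving Append Data, which the Deny entry does not cover, intact from the group's Allow.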

NTFS Folder Permissions:
NTFS folder permissions determine the access that is granted to a folder and to the files and subfolders within it. These permissions can be assigned to a user or group. The following table lists the standard permissions for folders.

Full Control          Read, write, modify, execute, and delete files in the folder; change attributes, change permissions, and take ownership of the folder or the files within it.
Modify                Read, write, modify, execute, and delete files in the folder, and change attributes of the folder or the files within it.
Read & Execute        Display the folder's contents; display the data, attributes, owner, and permissions of files within the folder; and run files within the folder (if they are programs or have a program associated with them for which you have the necessary permissions).
List Folder Contents  Same rights as Read & Execute; the difference is in how it is inherited (see below).
Read                  Display the folder's contents, attributes, owner, and permissions.
Write                 Create new files and subfolders within the folder, and read or change the folder's attributes.


The Read & Execute and List Folder Contents folder permissions appear to be exactly the same, however, they are inherited differently, thus are different permissions. Files can inherit the Read & Execute permissions but can't inherit the List Folder Contents permission. Folders can inherit both.

Permissions set directly on a file take precedence over the permissions of the folder that contains it. For example, say Bob has Read access to a file called file.txt that is located in a folder he has no access to. The file is invisible to Bob because he cannot list the folder's contents, so he has to open it by its full UNC path or local path. This works only because the "Bypass traverse checking" user right, which Windows grants to Everyone by default, lets him pass through the folder without holding Traverse Folder permission on it; if that right is removed, he also needs Traverse Folder on the parent.

Copying, Moving, and Inheritance:
The next table shows what happens to a file's permissions when it is copied or moved within or across NTFS partitions.

Moving within a partition     Does not create a new file; only the directory entry is updated. The file keeps its original permissions.
Moving across partitions      Creates a new file and deletes the old one. The new file inherits the permissions of the target folder.
Copying within a partition    Creates a new file, which inherits the permissions of the target folder.
Copying across partitions     Creates a new file, which inherits the permissions of the target folder.

The rule of thumb: only a move within the same partition preserves a file's permissions; every other operation produces a new file that takes its permissions from the destination folder.


Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but will retain their long filenames.

Special Access File Permissions:

The standard permissions described above are themselves bundles of finer-grained special access permissions (shown as "advanced" permissions in the GUI). Windows 2000 and 2003 let you grant or deny these individually through the Advanced button on the Security tab. The following tables show which special permissions each standard permission is made of.

File special permission        Included in these standard permissions
Traverse Folder/Execute File   Full Control, Modify, Read & Execute
List Folder/Read Data          Full Control, Modify, Read & Execute, Read
Read Attributes                Full Control, Modify, Read & Execute, Read
Read Extended Attributes       Full Control, Modify, Read & Execute, Read
Create Files/Write Data        Full Control, Modify, Write
Create Folders/Append Data     Full Control, Modify, Write
Write Attributes               Full Control, Modify, Write
Write Extended Attributes      Full Control, Modify, Write
Delete Subfolders and Files    Full Control
Delete                         Full Control, Modify
Read Permissions               Full Control, Modify, Read & Execute, Read, Write
Change Permissions             Full Control
Take Ownership                 Full Control
Synchronize                    Full Control, Modify, Read & Execute, Read, Write


Special Access Folder Permissions:
Below are the special access permissions for folders. List Folder Contents appears here because it applies to folders only.

Folder special permission      Included in these standard permissions
Traverse Folder/Execute File   Full Control, Modify, Read & Execute, List Folder Contents
List Folder/Read Data          Full Control, Modify, Read & Execute, List Folder Contents, Read
Read Attributes                Full Control, Modify, Read & Execute, List Folder Contents, Read
Read Extended Attributes       Full Control, Modify, Read & Execute, List Folder Contents, Read
Create Files/Write Data        Full Control, Modify, Write
Create Folders/Append Data     Full Control, Modify, Write
Write Attributes               Full Control, Modify, Write
Write Extended Attributes      Full Control, Modify, Write
Delete Subfolders and Files    Full Control
Delete                         Full Control, Modify
Read Permissions               Full Control, Modify, Read & Execute, List Folder Contents, Read, Write
Change Permissions             Full Control
Take Ownership                 Full Control
Synchronize                    Full Control, Modify, Read & Execute, List Folder Contents, Read, Write


Remember that permissions set directly on a file take precedence over those of its parent folder. Any time a new file is created, it inherits its permissions from the folder it is created in.

Share Permissions:
Shares are administered through the MMC (the Shared Folders snap-in in Computer Management), My Computer, or Windows Explorer, and permissions are set on a share from the "Share Permissions" tab. Share-level permissions only apply when a file or folder is accessed over the network; they do not apply to a user logged on to the machine locally. The share-level permissions are:

Read            View files and subdirectories and execute applications. No changes can be made.
Change          Read, plus the ability to add, delete, or change files and subdirectories.
Full Control    Any and all operations on all files and folders within the share, including changing their permissions.


The Deny permission can also be applied to shares. The Deny permission overrides all others. When folders on FAT and FAT32 volumes are shared, only the share level permissions apply as these systems do not support file and directory (NTFS) permissions. When folders on NTFS volumes are shared, the effective permission of the user will be the most restrictive of the NTFS and share permissions. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of read and file permissions of full control, his effective permissions would be read. Conversely, if his share permissions are full control and his file permissions are read, he will still only have read permissions to mystuff.

Effective Permissions Tool in Windows 2003:

Determining effective permissions can get confusing, especially on enterprise networks. In Windows 2003, Microsoft included a new feature that helps sort this out. In the Advanced properties of the Security tab for an NTFS resource there is a tab titled "Effective Permissions", which calculates the permissions that apply to a user or group from the object's permissions and the group memberships it can look up. Two caveats: the tool does not take share permissions into account, and it cannot see group memberships that depend on how the user logs on (for example the Network or Interactive identities), so what it reports for a remote user can differ from what that user actually gets.

Best Practices:
The way companies manage their permissions will vary based on their needs. In any event, a lot of planning should be done before implementing permissions systems in order to avoid a lot of headaches later. Below are some best practices for using permissions.

When setting permissions, you want to minimize the amount of administration required. Imagine if you had to manage the permissions on every file on your network for every user. It would be an administrative nightmare. For this reason, unless absolutely necessary, assign permissions to groups and place users in the relevant group. The same should be done for share permissions as well.

Avoid using Deny permissions except in the following types of cases:
  • Use Deny permissions to exclude a subset of a group which has Allowed permissions.

  • Use Deny to exclude one special permission when you have already granted full control to a user or group.

You definitely should not ever use Deny permissions for the everyone group because that includes administrators.

When possible, use security templates.

Keep in mind that privileges (user rights) can sometimes override permissions. For example, members of Backup Operators hold the "Back up files and directories" and "Restore files and directories" rights, which let them read and write files regardless of the NTFS permissions on them, and the "Take ownership of files or other objects" right lets a user take ownership without having been granted the Take Ownership permission.

Note: While the permissions systems in Windows 2000 and 2003 are nearly identical, there are a few differences. One of the biggest permissions differences between Windows 2000 and 2003 was the default security settings. Windows 2000 shipped with full control for the everyone group (NTFS and share permissions), guest account was enabled, etc. Windows 2003 was locked down better in its default state. For more information on this, read Changes to Default Settings Make Windows Server 2003 More Secure (Part 1).




