Securing Network Resources: Understanding NTFS Permissions, Assigning NTFS Permissions, Assigning Special Permissions, Copying and Moving Files and Folders

Presentation transcript:

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders Troubleshooting Permissions Problems

2 Understanding NTFS Permissions NTFS Permissions NTFS Folder Permissions NTFS File Permissions Access Control List Multiple NTFS Permissions NTFS Permissions Inheritance

3 NTFS Permissions Rules associated with objects that regulate which users can gain access to an object and in what manner. Specify which users and groups can gain access to files and folders, including access to the contents of the file or folder. Only available on NTFS partitions. Not available with the FAT or FAT32 file systems. Security is effective whether a user gains access to the file or folder at the computer or over the network. Different permissions are assigned for files and folders.

4 NTFS Folder Permissions Overview Folder permissions are assigned to control the access that users have to folders, and to the files and subfolders contained within the folder. Folder permissions can be denied to a user account or group. To deny all access to a user account or group for a folder, the Full Control permission is denied.

5 NTFS Folder Permissions
- Full Control: Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions
- Modify: Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission
- Read & Execute: Move through folders to reach other files and folders, even if the users do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
- List Folder Contents: See the names of files and subfolders in the folder
- Read: See files and subfolders in the folder and view folder ownership, permissions, and attributes
- Write: Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

6 NTFS File Permission Overview Control access users have to files Can be denied to a user account or group

7 NTFS File Permissions
- Full Control: Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
- Modify: Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
- Read & Execute: Run applications, plus perform the actions permitted by the Read permission
- Read: Read the file, and view file attributes, ownership, and permissions
- Write: Overwrite the file, change file attributes, and view file ownership and permissions

8 Access Control List (ACL) NTFS stores an ACL with every file and folder on an NTFS volume. An ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well as the type of access that has been granted. For a user to gain access to a resource, the ACL must contain an access control entry (ACE) for the user account or a group to which the user belongs. The ACE must allow the type of access that is requested for the user to gain access. If no ACE exists in the ACL, the user cannot gain access to the resource.

9 Multiple NTFS Permissions

10 File Permissions Override Folder Permissions A user with access to a file will be able to gain access to the file even if the user does not have access to the folder containing the file. A user can gain access to the files for which he or she has permissions by using the full UNC name or local path to open the file from its respective application, even though the folder in which it resides will be invisible if the user has no corresponding folder permission. Without permission to access the folder, the user cannot see the folder and is therefore unable to browse for the file.

11 Deny Overrides Other Permissions Permission to a user account or group for a specific file can be denied, although this is not the recommended way to control access to resources. Denying permission overrides all instances where that permission is allowed.

12 Permissions Inheritance

13 Understanding Permissions Inheritance Files and subfolders can inherit permissions from their parent folder. Inheritance depends on the inheritance option set for a given object.

14 Assigning NTFS Permissions Planning NTFS Permissions Setting NTFS Permissions Practice: Planning and Assigning NTFS Permissions

15 Planning NTFS Permissions Group files into application, data, and home folders to simplify administration. Centralize home and public folders on a volume that is separate from applications and the operating system. Allow users only the level of access that they require. Create groups according to the access that the group members require for resources. Assign permissions to individual user accounts only when necessary. When assigning permissions for working with data or application folders, assign the Read & Execute permission to the Users group and assign the Read & Execute permission and the Change permission to the Administrators group.

16 Planning NTFS Permissions (cont’d) Turn off the permissions inheritance option at the home directory level; this allows the user to consider permissions for each file or folder in the home directory. When assigning permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the Creator Owner identity group. Deny permissions only when denying specific access to a specific user account or group is essential. Encourage users to assign permissions to the files and folders that they create, and educate them about how to do so.

17 Setting NTFS Permissions When formatting a volume with NTFS, the Full Control permission is assigned to the Everyone group by default. The access that users have to resources is controlled by changing the Full Control permission and assigning other appropriate NTFS permissions. Administrators, users with Full Control permission, and the owners of files and folders (Creator Owner) can assign permissions to user accounts and groups.

18 Setting NTFS Permissions: Guest Account The Guest account is a member of the Everyone group by default. Care should be taken when assigning permissions to the Everyone group and enabling the Guest account. Windows 2000 will authenticate as Guest a user who does not have a valid user account. A user authenticated as Guest automatically gets all rights and permissions that have been assigned to the Everyone group.

19 Security Tab of the Properties Dialog Box for the Data Folder

20 Preventing Permissions Inheritance By default, subfolders and files inherit permissions that are assigned to their parent folder. A check in the Allow Inheritable Permissions From Parent To Propagate To This Object check box, located in the Security tab in the Properties dialog box, is the default setting. If the check boxes under Permissions are shaded, then the file or folder has inherited permissions from the parent folder. Clearing the Allow Inheritable Permissions From Parent To Propagate To This Object check box prevents a subfolder or file from inheriting permissions from a parent folder.
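
An audit for the conditions raised in slides 17, 18 and 20 and the deny guidance in slides 11 and 16, as an added example that is not part of the original presentation. The function name Get-NtfsAclFinding, the finding labels and the temporary test tree are assumptions made for illustration; the well-known SIDs for Everyone (S-1-1-0) and the built-in Guests group (S-1-5-32-546) are used instead of names so the check does not depend on the system language.

```powershell
# Added example (not from the slides): report ACL conditions the slides warn about.
function Get-NtfsAclFinding {
    param([Parameter(Mandatory)][string]$Path)

    $everyone = 'S-1-1-0'   # well-known SID of the Everyone group
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Inheritance from the parent folder is switched off on this object.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'InheritanceBlocked'; Sid = '' }
        }
        # Explicit ACEs only, so each finding is reported where it was set.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $aceSid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{ Path = $item.FullName; Finding = 'ExplicitDeny'; Sid = $aceSid }
            }
            elseif ($aceSid -eq $everyone -and ($ace.FileSystemRights -band $full) -eq $full) {
                [pscustomobject]@{ Path = $item.FullName; Finding = 'EveryoneFullControl'; Sid = $aceSid }
            }
        }
    }
}

# Constructed test tree in the temp directory (all names are made up).
$root    = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
$pub     = New-Item -ItemType Directory -Path (Join-Path $root 'Public')
$file    = New-Item -ItemType File -Path (Join-Path $root 'report.txt')
$aceCls  = [System.Security.AccessControl.FileSystemAccessRule]
$sidCls  = [System.Security.Principal.SecurityIdentifier]

# Public: Everyone gets Full Control, inherited by subfolders and files.
$acl = Get-Acl -LiteralPath $pub.FullName
$acl.AddAccessRule($aceCls::new($sidCls::new('S-1-1-0'), 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $pub.FullName -AclObject $acl

# report.txt: stop inheriting (keep copies of inherited ACEs) and deny Write to Guests.
$acl = Get-Acl -LiteralPath $file.FullName
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule($aceCls::new($sidCls::new('S-1-5-32-546'), 'Write', 'Deny'))
Set-Acl -LiteralPath $file.FullName -AclObject $acl

Get-NtfsAclFinding -Path $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Run against a real data volume, drop the test-tree section and pass the folder to audit as -Path; only explicit ACEs are listed, so a grant inherited by thousands of files shows up once, on the folder where it was assigned.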

21 Assigning Special Permissions Special Permissions Setting Special Permissions Taking Ownership of a File or Folder Practice: Taking Ownership of a File

22 Special Permissions Overview Special permissions are set on the Permission Entry For dialog box for the file or folder. Special permissions are accessed by selecting Advanced on the Security tab of the Properties dialog box for the file or folder, and then selecting View/Edit for a Permission Entry on the Access Control Settings For dialog box for the file or folder. Each of the standard file and folder permissions consists of a logical group of special permissions. When assigning special permissions to folders, choose where to apply the permissions down the tree to subfolders and files. Change Permissions and Take Ownership are particularly useful for controlling access to resources.

23 Special Permissions
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Delete Subfolders and Files
- Delete
- Read Permissions
- Change Permissions
- Take Ownership
- Synchronize

24 Special Permissions Associated with Standard File and Folder Permissions Full Control Modify Read & Execute List Folder Contents Read Write

25 Change Permissions Granting Change Permissions allows other administrators and users to change permissions for a file or folder without giving them the Full Control permission over the file or folder. The administrator or user granted Change Permissions cannot delete or write to the file or folder, but can assign permissions to the file or folder. To give administrators the ability to change permissions, Change Permissions is assigned to the Administrators group for the file or folder.

26 Rules For Taking Ownership of a File or Folder The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special permission to another user account or group, allowing the user account or a member of the group to take ownership. An administrator can take ownership of a file or folder, regardless of assigned permissions.

27 Access Control Settings For Dialog Box

28 Permission Entry For Dialog Box

29 Copying and Moving Files and Folders Copying Files and Folders Moving Files and Folders Practice: Copying and Moving Folders

30 Copying Files or Folders Between Folders or Volumes

31 Copying a File Within a Single NTFS Volume or Between NTFS Volumes Windows 2000 treats the copy as a new file; it takes on the permissions of the destination folder or volume. Write permission for the destination folder is required to copy files and folders. The person copying the files or folders becomes the Creator Owner.

32 Moving Files or Folders Between Folders or Volumes

33 Moving a File or Folder Within a Single NTFS Volume The folder or file retains the original permissions. Write permission for the destination folder is required. Modify permission for the source folder or file is required. The person moving the file or folder becomes the Creator Owner.

34 Moving a File or Folder Between NTFS Volumes The folder or file inherits the permissions of the destination folder. Write permission for the destination folder is required to move files and folders into it. Modify permission for the source folder or file is required. The person moving the file or folder becomes the Creator Owner.

35 Troubleshooting Permissions Problems Avoiding Permissions Problems Practice: Deleting a file with All Permissions Denied

36 If a User Can’t Gain Access to a File or Folder Permissions might have changed if the file or folder was copied or moved. Check the permissions that are assigned to the user account and to groups of which the user is a member. The user might not have permission or might be denied access either individually or as a member of a group.

37 Avoiding Permissions Problems Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks. Assign all permissions at the folder level, not at the file level; group files in a separate folder for which user access is to be restricted, and then assign that folder restricted access. For all application executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group.

38 Avoiding Permissions Problems (cont’d) Assign Full Control to Creator Owner for public data folders so that users can delete and modify files and folders that they create. For public folders, assign Full Control to Creator Owner and Read and Write to the Everyone group. Use long, descriptive names if the resource will be accessed only at the computer; if the folder will be shared, use folder and file names that are accessible by all client computers. Allow permissions rather than deny permissions.