1 Chapter Overview
- Understanding and Applying NTFS Permissions
- Assigning NTFS Permissions and Special Permissions
- Solving Permissions Problems
2 Introduction to NTFS Permissions
- NT file system (NTFS) permissions specify
  - Who can access folders and files
  - What they can do with the contents
- NTFS permissions are available only on NTFS volumes.
- NTFS permissions provide security for
  - Local access
  - Over the network access
3 Managing NTFS Permissions
- The following can assign NTFS permissions:
  - Administrators
  - Owners of files and folders
  - Users with the Full Control permission
4 NTFS Folder Permissions
- Read
- Write
- List Folder Contents
- Read & Execute
- Modify
- Full Control
5 NTFS File Permissions
- Read
- Write
- Read & Execute
- Modify
- Full Control
6 Access Control List
- NTFS stores an access control list (ACL) with every file and folder.
- Each ACL contains
  - A list of all user accounts and groups granted access
  - The type of access each user and group has been granted
  - An access control entry (ACE) for a user account or a group
7 Effective Permissions
- You can assign multiple permissions to a user account and to each group the user is a member of.
- A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign
  - To a user account
  - To all groups the user belongs to
- A user’s permissions are said to be cumulative because they are the sum of the user’s permissions.
8 Overriding Folder Permissions with File Permissions
- NTFS file permissions take priority over NTFS folder permissions.
- A user with the appropriate permissions can access a file even if that user does not have permission to access the folder containing the file.
- The Bypass Traverse Checking security permission allows a user to access a file even if the user does not have corresponding folder permissions.
- The folder that contains the file is invisible if the user does not have corresponding folder permissions.
- To gain access to the file, a user can do one of the following:
  - Use the full Universal Naming Convention (UNC).
  - Use the local path to open the file from its respective application.
9 Overriding Permissions with Deny
- You can deny permissions to a user account or group for a specific file or folder.
- Deny overrides all instances in which that permission is allowed.
- Denying permissions is not the recommended way to control access to resources.
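
The two rules from slides 7 and 9 (allows accumulate across the user account and its groups, then Deny removes whatever it names) can be applied to a real ACL as follows. This is an added example, not part of the presentation; the function name, path and account names are constructed, and it follows the rules as the slides state them without modelling the order in which Windows evaluates ACEs.

```powershell
# Added example: simplified effective-rights calculation for one file or folder.
# $Identities must hold the user account plus every group the user belongs to.
function Get-SimpleEffectiveRights {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identities
    )

    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = 0
    $deny  = 0

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Skip ACEs for other accounts.
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Skip ACEs that exist only to be inherited by children of this object.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }

        if ($ace.AccessControlType -eq 'Allow') {
            # Cumulative: OR together every allow granted to the user or a group.
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            # Denies are collected separately and applied at the end.
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }

    # Deny overrides Allow: strip every denied bit from the accumulated allows.
    $effective = $allow -band (-bnot $deny)
    [System.Security.AccessControl.FileSystemRights]$effective
}

# Constructed usage: a user, one domain group and the local Users group.
Get-SimpleEffectiveRights -Path 'D:\Data\Reports' `
    -Identities 'CONTOSO\alice', 'CONTOSO\Sales', 'BUILTIN\Users'
```

Groups that are not passed in `$Identities` (for example Everyone or Authenticated Users) are not counted, so list every group the account is actually a member of.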
10 NTFS Permissions Inheritance
- By default, the parent folder’s permissions are propagated to
  - Any existing subfolders and files in the parent folder
  - Any files or folders created in the parent folder
- You can prevent permissions inheritance.
- The folder for which you prevent permissions inheritance becomes the new parent folder.
- The subfolders and files in the new parent folder inherit the permissions from the new parent folder.
11 Simplify Administration of Permissions
- Group files into application, data, and home folders.
- Centralize home and public folders on one separate volume.
- Assign permissions only to folders, not to files.
- Isolate applications and the operating system on a different volume.
- Back up only home and public folders. Do not back up applications or the operating system.
- Deny permissions only when it is essential.
12 Minimize NTFS Permission Assignments
- Allow only the required level of access.
- Create groups according to the access required for resources.
- Assign the appropriate permissions to the group.
- Avoid assigning permissions to individual user accounts.
- Encourage users to assign permissions to the folders they create.
13 Assign Permissions for Data or Application Folders
- Assign the Read & Execute permission to
  - The Users group
  - The Administrators group
14 Assign Permissions for Public Data Folders
- Assign the Read & Execute and the Write permissions to the Users group.
- Assign the Full Control permission to the CREATOR OWNER user.
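
The public data folder assignment from slide 14, scripted and then read back for verification. This is an added example, not part of the presentation; the path D:\Public is constructed, and well-known SIDs are used so the script does not depend on localized group names. Run it from an elevated session.

```powershell
# Added example: ACL for a public data folder (constructed path).
$path = 'D:\Public'

# Well-known SIDs: S-1-5-32-545 = BUILTIN\Users, S-1-3-0 = CREATOR OWNER.
$users        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'

# Apply to this folder and propagate to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$applyHere   = [System.Security.AccessControl.PropagationFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Users: Read & Execute plus Write.
$usersRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $usersRights, $inherit, $applyHere, $allow)

# CREATOR OWNER: Full Control. The ACE is a placeholder that Windows replaces
# with the creator's own account on each new child, so it is inherit-only.
$ownerRights = [System.Security.AccessControl.FileSystemRights]::FullControl
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $creatorOwner, $ownerRights, $inherit, $inheritOnly, $allow)

$acl = Get-Acl -LiteralPath $path
$acl.AddAccessRule($usersRule)
$acl.AddAccessRule($ownerRule)
Set-Acl -LiteralPath $path -AclObject $acl

# Read the ACL back and confirm both entries are present and explicit.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```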
16 Granting or Denying Special Permissions
1. In the folder Properties dialog box, click Advanced to display the Advanced Security Settings dialog box.
2. Select the user or group for which you want to modify the Special Permission settings, and then click Edit.
3. In the Permission Entry For dialog box, select Allow or Deny for each of the special permissions you want to modify.
17 Taking Ownership
- The current owner or a user with the Full Control permission can assign a user
  - The Full Control standard permission
  - The Take Ownership permission
- That user can now take ownership of the assigned file or folder.
- An administrator can take ownership of the file or folder regardless of the assigned permission.
- No one, not even the owner or the administrator, can assign ownership of a file or folder to anyone else.
18 Preventing Permissions Inheritance
- By default, subfolders and files inherit permissions from parent folders.
- Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
- Select one of the following options:
  - Copy
  - Remove
  - Cancel
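
The Copy and Remove choices from slide 18 correspond to the second argument of `SetAccessRuleProtection`. This is an added example, not part of the presentation; the function name and path are constructed, and the guard against Remove leaving an empty ACL is an addition the slide does not mention.

```powershell
# Added example: block inheritance on a folder, choosing Copy or Remove.
function Disable-FolderInheritance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Copy', 'Remove')] [string] $Mode
    )

    $acl = Get-Acl -LiteralPath $Path

    # Remove drops every inherited ACE. If the folder has no explicit ACEs,
    # the result is an empty ACL that grants access to no one, so stop first.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    if ($Mode -eq 'Remove' -and $explicit.Count -eq 0) {
        throw "Refusing Remove on '$Path': no explicit ACEs would remain."
    }

    # First argument:  $true  = stop inheriting from the parent.
    # Second argument: $true  = Copy   (inherited ACEs become explicit ACEs)
    #                  $false = Remove (inherited ACEs are discarded)
    $keepInherited = ($Mode -eq 'Copy')
    $acl.SetAccessRuleProtection($true, $keepInherited)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the ACL back so the caller can confirm the outcome.
    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $after.AreAccessRulesProtected
        ExplicitAceCount   = @($after.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# Constructed usage: keep the current entries but detach from the parent.
Disable-FolderInheritance -Path 'D:\Data\Finance' -Mode Copy
```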
19 Introduction to Solving Permissions Problems
- When you copy or move files and folders, the permission you set on the files or folders might change.
- Specific rules control how and when permissions change.
- Understanding these rules helps you solve permissions problems.
- Troubleshooting these permission problems is important to keep resources available for the appropriate users and protect them from unauthorized users.
21 Moving Files or Folders Within a Single NTFS Volume
- The file or folder retains the original permissions.
- You must have the Write permission for the destination folder.
- You must have the Modify permission for the source file or folder.
- The owner of the file or folder does not change.
22 Moving Files or Folders Between NTFS Volumes
23 Troubleshooting Permissions Problems
- A user cannot gain access to a file or folder.
- You add a user account to a group to give the user access to a file or folder, but the user still cannot gain access.
- A user with the Full Control permission to a folder deletes a file in the folder and you want to prevent the user from deleting more files.
24 Avoiding NTFS Permissions Problems
- Assign the most restrictive NTFS permissions.
- Assign all permissions at the folder level.
- For all application-executable files, assign
  - The Read & Execute and Change permissions to the Administrators group
  - The Read & Execute permission to the Users group
- Assign the Full Control permission to CREATOR OWNER for public data folders.
- Allow permissions rather than deny permissions.
25 Chapter Summary
- NTFS permissions specify what type of access users and groups have to files and folders.
- NTFS file permissions take priority over NTFS folder permissions.
- Use the Security tab of the Properties dialog box of a file or folder to assign or modify NTFS permissions.
- By default, subfolders and files inherit permissions from their parent folders.
- When you copy or move files and folders, the permissions you set on them might change.