NTFS permissions

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.

NTFS permissions

There are many advantages to using the NT File System (NTFS) over file systems based on the old-style File Allocation Table (FAT). For example, NTFS can track permissions and provide ownership of files and folders. As a result, file and folder permissions are probably the most common form of authorization that you'll manipulate as you work with Windows 2000. You're probably already familiar with managing file and folder permissions in NT, and you won't find things a whole lot different. Although there are some cosmetic changes to the user interface (UI), the only noticeable change is a few new permissions.

The permissions that you can set on folders and files depend on how an object is being accessed. On one hand, folders and files that are on the local NTFS volume are only constrained by the permissions on the object. On the other hand, folders and files that are accessed over the network are subject to the assigned NTFS permissions as well as any share-level permissions. Share-level permissions are important, but if you understand how permissions work on local folders and files, you'll understand how they work on your network shares too.

You modify permissions on folders and files in the same fashion as in NT 4.0: Right-click a file or folder, choose Properties from the shortcut menu, then click the Security tab. The basic permissions dialog box appears, as shown in Figure 5.5.

Figure 5.5: The basic NTFS permissions dialog box.

One of the first things to notice about the NTFS permissions dialog box in Windows 2000 is that it now handles both folders and files. As a result, administering folder and file permissions in Windows 2000 is quite a bit easier because once you know how to modify permissions on one NTFS object, you can modify permissions on the other. Another thing to notice is that Windows 2000 provides five basic permissions for folders and files: Full Control, Modify, Read & Execute, Read, and Write. Folders also have a List Folder permission.

In addition to these basic permissions, you can access the full set of file and folder permissions by clicking Advanced in the basic NTFS permissions dialog box, then clicking View/Edit. The full permissions dialog box appears, as shown in Figure 5.6.

Figure 5.6: The advanced NTFS permissions dialog box.

One of the things to note from this figure is that the set of NTFS permissions is more complete in Windows 2000 than in NT. Thankfully, the name of each permission is pretty self-explanatory, so you can usually make a good guess about what authorization a permission provides just by looking at its name. However, the thing that isn't all that intuitive is how the advanced permissions map to the basic file permissions that you'll typically manipulate. The mapping between these two sets of permissions is shown in Table 5.2.

Advanced Permission	EnablesBasic Full Control Permission	Enables Basic Modify Permission	Enables Basic Read & Execute Permission	Enables Basic List Folder Contents Permission	Enables Basic Read Permission	Enables Basic Write Permission
Traverse Folder / Execute File	X	X	X	X	-	-
List Folder / Read Data	X	X	X	X	X	-
Read Attributes	X	X	X	X	X	-
Read Extended Attributes	X	X	X	X	X	-
Create Files / Write Data	X	X	-	-	-	X
Create Folders / Append Data	X	X	-	-	-	X
Write Attributes	X	X	-	-	-	X
Write Extended Attributes	X	X	-	-	-	X
Delete Subfolders and Files	X	-	-	-	-	-
Delete	X	X	-	-	-	-
Read Permissions	X	X	X	X	X	-
Change Permissions	X	-	-	-	-	-
Take Ownership	X	-	-	-	-	-

Table 5.2: Mapping basic NTFS permissions to advanced NTFS permissions.

I've touched on the concept of an object's owner a number of times so far, but I haven't really talked about object ownership. Just like every other object, folders and files must have an owner, and by default, it's the user who created it. Remember that as an owner of a folder or file, you can use permissions to grant authorizations to others and have a great deal of control over who and how you allow others to access your NTFS resources. Included in these permissions is Take Ownership, which grants authorization on a folder or file. If you've been granted the Take Ownership permission on another user's NTFS resource, you can take ownership of it from the Advanced Permissions dialog box using the Owner tab.

Click for the next excerpt in this series: AD permissions