Whether you install Windows 2000 clean or upgrade an existing server, you should be aware of the new capabilities it brings. When you administer security, those capabilities give you far better control over users than was possible in the past. This tip, from Windows 2000 Security by Roberta Bragg, published by New Riders, discusses some of the issues.
To manage permissions on an object in Windows NT, you grant a specific type of access, withhold access by simply not including the account in the access control list, or explicitly block the account with the No Access permission, which removes every kind of access at once. Windows 2000 increases the granularity by offering a choice of Allow or Deny for each individual permission on an object. This applies to permissions set on printers, registry keys, and other objects as well as on files and folders. File and folder permissions are grouped into categories, and a category can include the permission sets of other categories. The categories are
- Full Control (includes Modify, Read & Execute, List Folder Contents, Read, Write)
- Modify (includes Read & Execute, List Folder Contents, Read, Write)
- Read & Execute (includes List Folder Contents, Read)
- List Folder Contents (folders only; it carries the same permissions as Read & Execute but is inherited differently)
- Read
- Write
Each category is a collection of individual permissions (Read Attributes, Create Files / Write Data, Delete, and so on). These individual permissions can be viewed and selected one at a time on the Advanced page of the Security tab of the file or folder's Properties dialog.
Each category and each individual permission can be set to Allow or Deny for a particular user or group. This granularity lets you, for example, deny a user Write permission on a file even though a group to which he belongs is allowed Write on that same file: the Deny entry for the user is evaluated before the Allow entry for his group, so the group's Allow never gets a chance to grant Write, while the user keeps Read and the other permissions the group grants. In Windows NT this cannot be done; the choice is either to strip the user of all permissions with No Access or to create still more groups. One caveat: the Deny wins only because the ACL editor writes entries in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the access check walks the list in that order. An explicit Allow set on the object itself therefore overrides a Deny inherited from the parent folder, and a tool that writes entries out of canonical order can leave a Deny that is never consulted.
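To make the evaluation concrete, here is a small model of the Windows 2000 access check, added as an example for this page (it is not code from the book or from Microsoft). The category groupings and the walk-the-list rules follow documented Windows 2000 behaviour; everything else is an assumption made for illustration: rights are modelled as sets of permission names rather than access-mask bits (Read Permissions and Synchronize are left out), and the users alice and bob, the Editors group and the DACLs are constructed. It shows the case the text describes (alice denied Write while her group is allowed Modify), the all-or-nothing No Access choice of Windows NT modelled as a deny of every right, and the non-canonical ordering caveat.

```python
"""Model of the Windows 2000 DACL access check (illustrative, not Microsoft's code).

Rights are sets of special-permission names from the Advanced page; the
Read Permissions and Synchronize rights the editor folds into each
category are omitted to keep the model small.  Users, groups and ACLs
below are constructed for the example.
"""

from dataclasses import dataclass

# Special permissions, grouped into the categories the text lists.
READ = frozenset({"List Folder / Read Data", "Read Attributes",
                  "Read Extended Attributes"})
WRITE = frozenset({"Create Files / Write Data", "Create Folders / Append Data",
                   "Write Attributes", "Write Extended Attributes"})
READ_EXECUTE = READ | {"Traverse Folder / Execute File"}
LIST_FOLDER_CONTENTS = READ_EXECUTE      # folders only; same rights as Read &
                                         # Execute, inherited differently
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files",
                         "Change Permissions", "Take Ownership"}


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group name (a SID in a real ACL)
    allow: bool           # True = Allow entry, False = Deny entry
    rights: frozenset
    inherited: bool = False


def canonical(dacl):
    """Order entries the way the Windows 2000 ACL editor writes them:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl, token, requested):
    """True if the token (the user's own name plus his group names) is
    granted every right in `requested`.

    Entries are walked strictly in list order.  An Allow entry for a token
    member removes its rights from the outstanding request; a Deny entry
    that overlaps the outstanding request ends the walk with a refusal.
    Nothing is granted unless the whole request is satisfied."""
    if dacl is None:                  # NULL DACL: the object is unprotected
        return True
    remaining = set(requested)
    for ace in dacl:
        if not remaining:
            return True
        if ace.trustee not in token:
            continue
        if ace.allow:
            remaining -= ace.rights
        elif ace.rights & remaining:
            return False              # an outstanding right is explicitly denied
    return not remaining              # an empty or exhausted DACL denies


def scenario_windows_2000():
    """The text's case: alice is in Editors, Editors may Modify, alice alone
    is denied Write.  Returns (alice_write, alice_read, bob_write)."""
    dacl = canonical([Ace("Editors", allow=True, rights=MODIFY),
                      Ace("alice", allow=False, rights=WRITE)])
    alice = {"alice", "Editors", "Everyone"}
    bob = {"bob", "Editors", "Everyone"}
    return (access_check(dacl, alice, WRITE),
            access_check(dacl, alice, READ),
            access_check(dacl, bob, WRITE))


def scenario_windows_nt():
    """The NT choice: No Access modelled as a deny of every right, so taking
    Write away from alice takes Read away too.  Returns (write, read)."""
    dacl = canonical([Ace("Editors", allow=True, rights=MODIFY),
                      Ace("alice", allow=False, rights=FULL_CONTROL)])
    alice = {"alice", "Editors", "Everyone"}
    return (access_check(dacl, alice, WRITE), access_check(dacl, alice, READ))


def scenario_non_canonical():
    """Same entries as the Windows 2000 case but with the Allow written ahead
    of the Deny: the Deny is never reached and alice can write."""
    dacl = [Ace("Editors", allow=True, rights=MODIFY),
            Ace("alice", allow=False, rights=WRITE)]
    return access_check(dacl, {"alice", "Editors"}, WRITE)


if __name__ == "__main__":
    print("Windows 2000 (alice write, alice read, bob write):", scenario_windows_2000())
    print("Windows NT No Access (alice write, alice read):", scenario_windows_nt())
    print("Non-canonical order, alice write:", scenario_non_canonical())
```

Running it prints False, True, True for the Windows 2000 case (alice loses only Write, keeps Read, and bob is unaffected), False, False for the NT-style No Access entry, and True for the out-of-order list, which is the reason to let the ACL editor, rather than a hand-built list, write Deny entries.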