Permissions Concepts
network, you assign these users permissions. Two kinds of permissions
can be used to secure access to these resources: NTFS permissions and
shared-folder permissions. You need to understand both kinds of
permissions and how they work together.
NTFS Permissions
NTFS is the primary WS2003 filesystem (FAT/FAT32 aren't recommended
for most purposes), and partitions formatted with NTFS can have their
files and folders secured using NTFS permissions. These permissions
secure the filesystem for both local and network access. For example,
if user Mary Jones is granted NTFS Read permission on folder Pub and
its contents (which are stored on her C: drive), she can log on to
her machine, view the contents of Pub, and open any file stored in
it. If Pub is then shared with the shared-folder permission Full
Control for Everyone, she can log on to a different machine and
access the Pub share and its contents over the network. Whether Mary
accesses a resource on an NTFS volume locally or over the network,
NTFS permissions apply.
Special Permissions
The most granular NTFS permissions are called special permissions.
These give administrators the finest control over how users can
access files and folders stored on NTFS volumes. By selecting
different sets of special permissions, administrators can create
custom permissions for files or folders that need special access
control. The 18 NTFS special permissions are listed and described in
Table 4-34. The WS2003 permissions dialog shows the folder-only and
file-only entries as pairs (Traverse Folder/Execute File, List
Folder/Read Data, Create Files/Write Data, Create Folders/Append
Data) because each pair is a single access-mask bit whose meaning
depends on whether it is applied to a folder or to a file.
Special permission | Description |
---|---|
Folders only | |
Traverse Folder | Drill into the folder to other files and folders, even if you have no permissions on intermediate subfolders. |
List Folder | View the names of subfolders and files in the folder. |
Create Files | Create files in the folder. |
Create Folders | Create subfolders within the folder. |
Files only | |
Execute File | Execute the file. |
Read Data | Read the file. |
Write Data | Modify the file. |
Append Data | Append to the file (you can't modify existing data, only append). |
Both folders and files | |
Read Attributes | View the attributes of the file or folder (attributes include Read-only, Hidden, System, and Archive). |
Read Extended Attributes | View custom attributes that may be defined by certain applications for the file or folder. |
Write Attributes | Modify the attributes of the file or folder. |
Write Extended Attributes | Modify custom attributes that may be defined by certain applications for the file or folder. |
Delete Subfolders and Files | Delete subfolders or files. |
Delete | Delete the file or folder (even if this permission is denied on a file, you can delete it if its parent folder has been granted Delete Subfolders and Files permission). |
Read Permissions | View the permissions on the file or folder. |
Change Permissions | Modify the permissions on the file or folder. |
Take Ownership | Take ownership of the file or folder. |
Synchronize | Let threads in multithreaded programs wait on the file or folder handle and synchronize with another thread that signals it. |
Standard Permissions
Special permissions are really too granular for administrators to use
to secure files and folders in day-to-day usage. To make life
simpler, Microsoft has grouped these special permissions into two
different sets:
- Folder permissions: used to secure folders and their files and subfolders
- File permissions: used to secure individual files within folders
Together, these two sets of permissions are called standard
permissions, and they are described in Table 4-35 and Table 4-36. The
special permissions that make up each standard permission are shown
in Table 4-37 (files) and Table 4-38 (folders).
File permission | Description |
---|---|
Read | Open the file and view its permissions, attributes, and ownership. |
Write | Modify the file, modify its attributes, and view its permissions, attributes, and ownership. |
Read & Execute | Execute the file, plus do everything Read permission allows. |
Modify | Delete the file and do everything Read & Execute and Write permissions allow. |
Full Control | Take ownership, modify permissions, and do everything Modify permission allows. |
Folder permission | Description |
---|---|
Read | View contents of folder and view its permissions, attributes, and ownership. |
Write | Create new files and folders in the folder, modify its attributes, and view its permissions, attributes, and ownership. |
List Folder Contents | View contents of folder only. |
Read & Execute | Traverse subfolders within the folder plus do everything Read and List Folder Contents permissions allow. |
Modify | Delete the folder and do everything Read & Execute and Write permissions allow. |
Full Control | Take ownership, modify permissions, and do everything that Modify permission allows. |
Special permission | Read | Write | Read & Execute | Modify | Full Control |
---|---|---|---|---|---|
Read Data | Yes | | Yes | Yes | Yes |
Read Attributes | Yes | | Yes | Yes | Yes |
Read Extended Attributes | Yes | | Yes | Yes | Yes |
Read Permissions | Yes | Yes | Yes | Yes | Yes |
Synchronize | Yes | Yes | Yes | Yes | Yes |
Write Data | | Yes | | Yes | Yes |
Append Data | | Yes | | Yes | Yes |
Write Attributes | | Yes | | Yes | Yes |
Write Extended Attributes | | Yes | | Yes | Yes |
Execute File | | | Yes | Yes | Yes |
Delete | | | | Yes | Yes |
Delete Subfolders and Files | | | | | Yes |
Change Permissions | | | | | Yes |
Take Ownership | | | | | Yes |
Special permission | Read | Write | List Folder Contents | Read & Execute | Modify | Full Control |
---|---|---|---|---|---|---|
List Folder | Yes | | Yes | Yes | Yes | Yes |
Read Attributes | Yes | | Yes | Yes | Yes | Yes |
Read Extended Attributes | Yes | | Yes | Yes | Yes | Yes |
Read Permissions | Yes | Yes | Yes | Yes | Yes | Yes |
Synchronize | Yes | Yes | Yes | Yes | Yes | Yes |
Create Files | | Yes | | | Yes | Yes |
Create Folders | | Yes | | | Yes | Yes |
Write Attributes | | Yes | | | Yes | Yes |
Write Extended Attributes | | Yes | | | Yes | Yes |
Traverse Folder | | | Yes | Yes | Yes | Yes |
Delete | | | | | Yes | Yes |
Delete Subfolders and Files | | | | | | Yes |
Change Permissions | | | | | | Yes |
Take Ownership | | | | | | Yes |
Working with NTFS Permissions
In order to configure NTFS permissions on a file, folder, or NTFS
volume, at least one of the following must be true:
- You are a member of the Administrators group (who can always take ownership and then reset permissions).
- You have Full Control permission, or at least the Change Permissions special permission, on the file, folder, or volume.
- You are the owner of the file, folder, or volume.
Some permission entry, explicit or inherited, must grant a user
access to a file or folder; access is never assumed. If a file has no
permission entries for a particular user or for any of the groups to
which that user belongs, the user has no access to the file.
Having said that, when you explicitly assign permissions to a folder,
by default all subfolders and files within that parent folder inherit
the permissions assigned to the parent. Another way of saying this is
that permissions automatically propagate from the parent to the
child. This is done to simplify and speed up the job of assigning
permissions.
If you like, you can later change the permissions of any subfolder or
file within the parent folder without affecting the permissions
assigned to the parent. In other words, you can prevent permissions
inheritance at a given folder or file within the filesystem
hierarchy. You can do this in two ways:
- Copy the permissions inherited from the parent folder onto the subfolder or file under consideration and then explicitly modify these permissions as desired.
- Remove the permissions inherited from the parent folder from the subfolder or file under consideration and then explicitly assign new ones as desired.
Either way, the subfolder or file under consideration now becomes the
new parent from which the subtree of files and folders beneath it
inherit their permissions (a file has no subtree beneath it, of
course). An example might help here. Let's say that
folder A contains folder B, which contains folder C, which contains
file F. Begin by assigning Read permission to folder A for user
Dennis. By default, this permission is automatically propagated to
folders B and C and file F. Now prevent permissions inheritance from
folder B by copying the permissions from its parent A. All folders
and files still have Read permission for Dennis, but folder C and
file F now inherit their permissions from folder B instead of A.
Change the permissions on B from Read to Full Control. Folder C and
file F now inherit Full Control permission from folder B, while
folder A remains Read permission, as expected. In general, it
simplifies things if you simply let permissions be inherited from
their highest parent and don't try to prevent
permissions at subfolders in the hierarchy unless absolutely
necessary. Use the K.I.S.S. (Keep It Simple, Stupid!) principle when
administering NTFS permissions, unless you're really
good at keeping things documented. Otherwise, you may find yourself
spending unnecessary time troubleshooting resource-access problems.
When you create a new file or folder on an NTFS volume, the new file
or folder automatically inherits the permissions assigned to its
parent folder. If the file or folder is created in the root directory
of the volume, it inherits the permissions assigned to that root
directory. In W2K the root directory of a freshly formatted NTFS
volume was assigned Everyone: Full Control, so every new folder or
file created in the root inherited Everyone: Full Control. WS2003
formats new volumes with the tighter defaults listed under Default
NTFS Permissions later in this section.
Whatever the defaults on a given volume, it's a good idea to review
the root directory's permissions before you start creating
directories and storing files on it, and to replace any entry for
Everyone that grants more than read access with one for Authenticated
Users. This enhances the security of the volume since the
Authenticated Users built-in system group represents all users who
have logged on with a valid account, while the Everyone group also
includes the Guest account and, on systems configured to allow it,
anonymous and untrusted users from other connected networks.
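The folder A/B/C/file F walkthrough above, as an added example that is not part of the original text. It builds the tree in a scratch folder, grants Read at A, breaks inheritance at B while copying the inherited entries, and then changes B to Full Control, printing the relevant entries after each step. 'Dennis' in the text is hypothetical, so the principal defaults to the built-in Users group; the scratch path and the use of Windows PowerShell 5.1 or later are likewise assumptions.

```powershell
# Added example, not from the original text: reproduces the A/B/C/F walkthrough above.
# Assumptions: 'Dennis' in the text is hypothetical, so $Principal defaults to the built-in
# Users group (any existing user or group works); $Root is a scratch folder on an NTFS
# volume. Requires Windows PowerShell 5.1 or later.
param(
    [string]$Root      = (Join-Path $env:TEMP 'ntfs-inherit-demo'),
    [string]$Principal = 'BUILTIN\Users'
)
$ErrorActionPreference = 'Stop'
$A = Join-Path $Root 'A'; $B = Join-Path $A 'B'; $C = Join-Path $B 'C'; $F = Join-Path $C 'F.txt'
New-Item -ItemType Directory -Path $C -Force | Out-Null
Set-Content -Path $F -Value 'constructed sample content'

function Show-Ace([string]$Path) {
    # Prints the ACEs held by $Principal on $Path and whether each one was inherited.
    (Get-Acl $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object { '{0,-45} {1,-22} inherited={2}' -f $Path, $_.FileSystemRights, $_.IsInherited }
}
function New-Ace([string]$Rights) {
    # ContainerInherit + ObjectInherit is what the GUI calls "This folder, subfolders, and files".
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

# 1. Grant Read on A; by default it propagates to B, C and F as inherited entries.
$acl = Get-Acl $A
$acl.AddAccessRule((New-Ace 'Read'))
Set-Acl -Path $A -AclObject $acl
'--- after granting Read on A'; $A, $B, $C, $F | ForEach-Object { Show-Ace $_ }

# 2. Stop inheritance at B, keeping copies of the inherited entries
#    (SetAccessRuleProtection: isProtected=$true, preserveInheritance=$true).
$acl = Get-Acl $B
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $B -AclObject $acl
'--- after protecting B (copy)'; $A, $B, $C, $F | ForEach-Object { Show-Ace $_ }

# 3. Change B's now-explicit entry from Read to Full Control. SetAccessRule replaces the
#    existing Allow entries for $Principal on B; C and F pick it up by inheritance, A is untouched.
$acl = Get-Acl $B
$acl.SetAccessRule((New-Ace 'FullControl'))
Set-Acl -Path $B -AclObject $acl
'--- after changing B to Full Control'; $A, $B, $C, $F | ForEach-Object { Show-Ace $_ }

# Remove the scratch tree once you have inspected the output.
Remove-Item -Path $Root -Recurse -Force
```

After step 2 the entry on B reads the same as before but with inherited=False, which is the whole point: B now owns that entry, so changing it in step 3 moves C and F to Full Control while A stays at Read.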
user or group permission on a folder, by default the user or group is
granted the three permissions Read & Execute, List Folder Contents,
and Read for the folder. You can then change these permissions to
whatever kind of access you want the user or group to have.
Similarly, if you assign a user or group permission on a file, by
default the user or group is granted the two permissions Read &
Execute and Read for the file. Change these permissions to whatever
kind of access you want the user or group to have.
When you assign a particular NTFS permission to a file or folder, you
can either explicitly allow the permission to grant the user or group
access to the object, or you can explicitly deny the permission to
prevent the user or group from accessing it. Most of the time, you
explicitly allow permissions to enable users to access files and
folders, but in certain situations you may want to explicitly deny a
user permission on an object. For example, if Bob has Read permission
to the Accounts folder and all its contents, you could deny Bob Read
permission to the particular document in Accounts that describes the
plans for Bob's upcoming surprise party to prevent him from reading
it.
Users can have multiple NTFS permissions assigned for the same file
or folder. This is because users can belong to groups, and
permissions are assigned separately to user accounts and groups. For
example, Susan could have Read permission on the Pub folder, while
the Marketing group to which she belongs has Modify permission on the
same folder. In the case of multiple permissions, the effective
permission for the user is determined by adding them together
(logical OR). In this example Susan's cumulative level of access to
Pub will be Modify. To determine the effective permissions in a given
situation, use Table 4-35 through Table 4-38.
The exception to this is that a permission denied overrides a similar
permission allowed. For example, if Susan is denied Read permission
to Pub while the Marketing group to which she belongs is allowed Read
permission, she is effectively denied Read permission on Pub.
Strictly, Windows evaluates permission entries in order, and entries
set directly on an object come before entries it inherited, so an
explicit Allow on a file does beat a Deny inherited from its folder;
"deny wins" holds whenever the Allow and the Deny are set at the same
level. The Effective Permissions tab of the Advanced Security
Settings dialog shows the result of this evaluation for a chosen user
or group.
Permissions for a file override those for the folder that contains
the file, because access to a file is checked against the file's own
permission entries; the folder's entries matter only for listing the
folder and reaching the file through it. For example, if Susan has
Read permission on Pub but has Modify permission on the file
Readme.txt within Pub, Susan will be able to make changes to the file
and save them.
Once you've explicitly assigned permissions to your parent folders on
an NTFS volume and started creating subfolders and files, you need to
know what will happen if you try to copy or move these files and
folders. This is because the act of copying and moving files and
folders can have an effect on the permissions assigned to them. The
general rules are as follows:
- Copying files or folders: whether the destination parent folder is on the same or a different NTFS volume, the copy is a new object and inherits the permissions of the destination parent folder. Explicit entries on the original are not carried over unless you use a tool that copies them deliberately (xcopy /O, for example).
- Moving files or folders: if the destination parent folder is on the same NTFS volume, the move is a rename and the moved file or folder retains its original permissions, including the entries it inherited from the old parent, until inheritance is next re-applied. If the destination parent folder is on a different NTFS volume, the moved file or folder inherits the permissions of the destination parent folder (since a move to a different volume is really a copy followed by deletion of the original).
For both copies and moves, if the destination volume is formatted with
FAT, all permissions are lost from the copied or moved file or
folder, because FAT has nowhere to store them. For more information
on copying and moving files on NTFS volumes, see Files and Folders
earlier in this chapter.
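The copy and move rules above, as an added example that is not from the original text. It marks a file with an explicit Deny entry so that the entry's fate is easy to spot, then copies it and moves it within one volume and, optionally, moves it to a second volume. The built-in Users group stands in for the text's user accounts, the scratch path is an assumption, and $OtherVolume must point at a second NTFS volume if you want the cross-volume case (leave it empty to skip it).

```powershell
# Added example, not from the original text: shows the copy/move rules on a scratch tree.
# A copy is a new file that inherits from its destination; a move on the same volume is a
# rename that keeps the file's own DACL. Assumptions: BUILTIN\Users stands in for the text's
# user accounts, $Root is a scratch folder, $OtherVolume is a second NTFS volume (optional).
param(
    [string]$Root        = (Join-Path $env:TEMP 'ntfs-copymove-demo'),
    [string]$Principal   = 'BUILTIN\Users',
    [string]$OtherVolume = ''        # e.g. 'D:\'; leave empty to skip the cross-volume case
)
$ErrorActionPreference = 'Stop'
$src = Join-Path $Root 'src'; $dst = Join-Path $Root 'dst'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
$file = Join-Path $src 'doc.txt'
Set-Content -Path $file -Value 'constructed sample content'

function Get-ExplicitAce([string]$Path) {
    # Non-inherited ACEs for $Principal; none means the file is governed purely by inheritance.
    (Get-Acl $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal }
}
function Show-ExplicitAce([string]$Label, [string]$Path) {
    $ace = Get-ExplicitAce $Path
    $what = if ($ace) { "$($ace.AccessControlType) $($ace.FileSystemRights)" } else { '(none)' }
    '{0,-22} explicit ACE for {1}: {2}' -f $Label, $Principal, $what
}

# Put an explicit Deny Write on the source file. Write does not include Delete, so the
# file can still be renamed and removed by the moves below.
$acl = Get-Acl $file
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($Principal, 'Write', 'Deny'))
Set-Acl -Path $file -AclObject $acl
Show-ExplicitAce 'original' $file

# Copy (same volume): the new file inherits from dst; the explicit ACE is not carried over.
$copy = Join-Path $dst 'doc-copy.txt'
Copy-Item -Path $file -Destination $copy
Show-ExplicitAce 'copy, same volume' $copy

# Move (same volume): a rename, so the file keeps its DACL, explicit ACE included.
$moved = Join-Path $dst 'doc-moved.txt'
Move-Item -Path $file -Destination $moved
Show-ExplicitAce 'move, same volume' $moved

# Move (different volume): really copy-then-delete, so the explicit ACE is lost.
if ($OtherVolume) {
    $far = Join-Path $OtherVolume 'doc-moved-far.txt'
    Move-Item -Path $moved -Destination $far
    Show-ExplicitAce 'move, other volume' $far
}
```

Run it from an account that is a member of Users and you will also see the Deny take effect: Set-Content on the moved file fails, while writing to the copy succeeds, because only the original object carried the entry.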
Default NTFS Permissions
In W2K the default permissions
on
a new NTFS volume included Full Control for Everyone. In WS2003 these
permissions have been tightened for increased security, and the
default permissions on new NTFS volumes are now those shown in Table 4-39. These permissions are the same whether the
computer belongs to a workgroup or domain.
Security principal | Standard permission | Additional special permissions | Applies to |
---|---|---|---|
Administrators (local user) | Full Control | None | This folder, subfolders, and files |
CREATOR OWNER | None | All (equivalent to Full Control) | Subfolders and files only |
Everyone | None | Traverse Folder/Execute File | This folder only |
List Folder/Read Data | |||
Read Attributes | |||
Read Extended Attributes | |||
Read Permissions(equivalent to Read & Execute) | |||
SYSTEM | Full Control | None | This folder, subfolders, and files |
Users (local group) | Read & Execute | None | This folder, subfolders, and files |
Create Folders/Append Data | This folder and subfolders | ||
Create Files/Write Data | Subfolders only |
Ownership
Ownership is an aspect of permissions in WS2003. Every file or folder
created on an NTFS volume has an owner. When a user creates a file,
the user becomes the owner of that file and can set permissions on it
to allow others access to the file. And when a user installs a
printer, the user becomes the owner of the printer. Objects in Active
Directory also have owners and can be assigned permissions as well.
Ownership is normally taken rather than given: to assume ownership of
a file or other object, a user needs the Take Ownership permission on
it. If the owner grants this permission on a file to another user,
that user can then take ownership of the first user's file.
Administrators, however, hold the "Take ownership of files or other
objects" user right and can take ownership of any object that they
can manage (essentially, anything except system objects). WS2003 also
lets holders of the "Restore files and directories" user right
(Administrators and Backup Operators by default) assign ownership to
another user or group directly from the Owner tab, which is the one
case in which ownership is given rather than taken.
Shared-Folder Permissions
NTFS permissions are the primary means of securing filesystem
resources on a computer or network. However, they can be used only
on volumes formatted with NTFS and not on FAT or FAT32 volumes.
Furthermore, assigning NTFS permissions to a folder doesn't make the
contents of that folder available over the network. To do this, we
have to share the resource, and this means we have to deal with a
whole other set of permissions called shared-folder permissions and
how these combine with NTFS permissions to secure shared network
resources.
Shared-folder permissions are permissions assigned to folders or
volumes that have been shared. These folders may be on NTFS, FAT, or
FAT32 volumes, and any of these volumes may themselves be shared at
their root directory. In fact, shared-folder permissions are the only
permissions that can be used to secure resources on FAT and FAT32
volumes. Shared folders secure resources only at the network level,
however, and not at the local level. For example, if you share the
folder Pub, which is located on a FAT volume, you control which users
can access the folder over the network and the level of access they
can have, but anyone who can log on locally to the machine where the
volume is located (or run code there, such as a scheduled task or a
service) has unrestricted (full) access to the folder and all its
contents. So if you are concerned about securing resources from local
access, you must use NTFS instead of FAT or FAT32. Microsoft
correctly recommends that all volumes on which applications, data, or
users' home folders are located should be NTFS.
Another reason for always using NTFS is that shared-folder
permissions aren't as granular as NTFS permissions for controlling
access, as you can see from Table 4-40 (note that there is no
equivalent in shared-folder permissions to the highly granular NTFS
special permissions). Also, shared-folder permissions apply uniformly
to the folder and all its contents; if you want different
shared-folder permissions on a subfolder of a shared folder, you must
create a new share at the subfolder. Furthermore, shared-folder
permissions can be applied only to folders and volumes, while NTFS
permissions can also be applied to individual files.
Permission | Description |
---|---|
Read | View contents of folder and traverse subfolders, open files and view their attributes, and run executable files |
Change | Create new files and folders in the folder, modify and append data to files, modify file attributes, delete folders and files, plus do everything Read permission allows |
Full Control | Take ownership and modify permissions of files (on NTFS volumes only), plus do everything Change permission allows |
Working with Shared-Folder Permissions
In order to share a folder and configure its permissions, you must be
a member of at least one of the following built-in groups:
- Administrators
- Server Operators (on domain controllers)
- Power Users (on member servers and workstations)
In addition, if the folder you want to share is on an NTFS volume,
you must have a minimum NTFS permission of Read for the folder in
order to share it.
Folders (or volumes) must be shared and permissions explicitly
assigned in order to grant a user access to the contents over the
network. If a folder is shared but no shared-folder permissions are
explicitly assigned to it, users will be able to see the share in My
Network Places, but they won't be able to access its contents.
Sharing a volume simply means sharing the root folder on the volume.
When you assign a particular shared-folder permission from the list
in Table 4-40, you can either explicitly allow the permission for the
folder to grant the user or group access to the contents of the
folder or explicitly deny the permission to prevent the user or group
from accessing it. Most of the time you will explicitly allow
permissions instead of denying them.
When you share a folder from the WS2003 GUI, the default shared-folder
permission assigned to it is Everyone: Read (W2K assigned Everyone:
Full Control; the default can differ by tool, so check it rather than
assume it). It's usually a good idea to set this to Users or
Authenticated Users with Full Control before you start storing files
in the folder, and to let NTFS permissions decide what they can
actually do. When you add a particular user or group to a shared
folder's permissions, by default the user or group is granted only
Read permission for the folder. You can then change the permissions
to whatever kind of access you want the user or group to have.
Like NTFS permissions, users can have multiple shared-folder
permissions for the same folder, for example, when the user account
is assigned one permission while a group to which the user account
belongs is assigned a different permission. The effective permission
is determined again by adding the different permissions together
(logical OR). Once again, a permission denied always overrides a
similar permission allowed. Shared-folder permissions belong to the
share, not to the files in it, so a file copied or moved into another
shared folder is governed by that share's permissions (its NTFS
permissions follow the copy and move rules given earlier). Copying
the shared folder itself leaves the original folder shared but the
new folder not shared. Moving or renaming a shared folder causes it
to stop being shared, because the share points at the old path.
General Strategy for Assigning Permissions
The general strategy for using
permissions to secure shared-network
resources is to proceed as follows:
- Format the volume where the shared folder will be created using NTFS instead of FAT or FAT32. Create the folder you are going to share.
- Assign NTFS permissions to the folder first. Grant your users and groups suitable levels of access to the folder, giving each user and group only as much access as they need. It generally simplifies administration if you assign permissions only to groups and not to individual users. Check your NTFS permissions assignments to make sure they are correct.
- Now share the folder and set its shared-folder permission to Everyone (or, better, Authenticated Users) with Full Control, so that the share imposes no restriction of its own and NTFS alone decides who can do what.
You're done.
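The three steps above as one script, added here as an example and not taken from the original text. It verifies that the target is on an NTFS volume, creates the folder, cuts inheritance so nothing permissive leaks in from the parent, grants group-based NTFS permissions, prints the resulting entries for the check in step 2, and then creates the share with a wide-open share permission. The group names are placeholders (the defaults are built-in groups so the script runs as-is; in production substitute domain groups such as CORP\Marketing), and New-SmbShare, available from Windows 8 / Server 2012 onward, stands in for WS2003's net share. Run it in an elevated PowerShell.

```powershell
# Added example, not from the original text: NTFS first, then a permissive share.
# Assumptions: placeholder group names (defaults are built-in groups so it runs as-is),
# New-SmbShare instead of WS2003's 'net share', elevated PowerShell 5.1 or later.
param(
    [string]$Path        = 'C:\Shares\Pub',
    [string]$ShareName   = 'Pub',
    [string]$ReadGroup   = 'BUILTIN\Users',          # e.g. CORP\Marketing-Readers
    [string]$ModifyGroup = 'BUILTIN\Power Users',    # e.g. CORP\Marketing-Editors
    [string]$ShareFull   = 'Everyone'                # 'Authenticated Users' excludes guest/anonymous
)
$ErrorActionPreference = 'Stop'

# Step 1: the volume must be NTFS, otherwise nothing below has any effect.
$root = [System.IO.Path]::GetPathRoot($Path)
if ([System.IO.DriveInfo]::new($root).DriveFormat -ne 'NTFS') { throw "$root is not an NTFS volume" }
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Step 2: NTFS permissions. Cut inheritance and discard the inherited entries
# (isProtected=$true, preserveInheritance=$false), then grant exactly what is needed.
$acl = Get-Acl $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = 'ContainerInherit, ObjectInherit'          # "This folder, subfolders, and files"
$grants = @(
    @{ Who = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
    @{ Who = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Who = $ReadGroup;               Rights = 'ReadAndExecute' },  # standard Read & Execute
    @{ Who = $ModifyGroup;             Rights = 'Modify'         }
)
foreach ($g in $grants) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $g.Who, $g.Rights, $inherit, 'None', 'Allow'))
}
Set-Acl -Path $Path -AclObject $acl

# The check: every entry should now be explicit (IsInherited=False) and group-based.
(Get-Acl $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Step 3: share it. With Full Control on the share, NTFS governs local and remote access alike.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $ShareName -Force }
New-SmbShare -Name $ShareName -Path $Path -FullAccess $ShareFull | Out-Null
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Discarding the inherited entries rather than copying them is deliberate: on a WS2003-style volume the root grants Users read access and the right to create files, which would otherwise ride along into the share. Note that Power Users does not exist on domain controllers, so supply real groups there.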
The advantage of doing things this way is that you really have to
deal with configuring only one set of permissions, namely NTFS. For
comparison, let's say you followed this strategy instead:
- Format the volume using NTFS. Create the folder you are going to share and leave its NTFS permissions at the volume's defaults, which let every user read (and, below the root, create) files.
- Share the folder and grant your users and groups suitable levels of access to the folder using shared-folder permissions.
The problems with this scenario are:
- The folder is secure for network access but not for local access. So if someone is able to log on locally to the computer where the volume is located (or to run code on it), they will have at least read access to the folder and its contents, whatever the share permissions say.
- Shared-folder permissions are limited to Read, Change, and Full Control, while NTFS folder permissions can be Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control. NTFS permissions thus give you greater granularity in controlling access than shared-folder permissions.
- You can also use NTFS file permissions to control access to individual files or create custom permission lists using NTFS special permissions. You can't do any of these things using shared-folder permissions.
- Shared-folder permissions provide the same level of access for all files and subfolders within the folder, while NTFS permissions allow you to explicitly assign different permissions to subtrees of folders and files within the parent folder.
Let's take a look at one more strategy:
- Format the volume using NTFS and create the folder you are going to share.
- Assign NTFS permissions for the folder to users and groups to grant them different levels of access. For example, assign the Marketing group Read permission for the Pub folder.
- Share the folder and assign shared-folder permissions for the folder to users and groups to grant them different levels of access. For example, assign the Marketing group Change permission for the Pub folder.
The problem is that now you have the administrative headache of
managing two separate sets of permissions instead of just one. Also,
you must be aware of how NTFS and shared-folder permissions combine.
The general rule is: when NTFS and shared-folder permissions combine,
the most restrictive permission applies. Each set is first evaluated
on its own (cumulative allows, with denies overriding), and the two
results are then intersected. In other words, for the Marketing
group:
Read (NTFS) + Change (shared folder) = Read (combined)
What use is this second set of permissions (shared-folder
permissions) if our strategy will always be to carefully assign NTFS
permissions and set shared-folder permissions to Everyone: Full
Control? Simple: shared-folder permissions are the only permissions
that can be used to control resources for data stored on FAT volumes.
Why would you want to use FAT instead of NTFS? Possible reasons are:
- When you are setting up a peer-to-peer network using a workgroup model for a small business that can't afford an administrator to manage a domain controller
- When you want to dual-boot a machine between WS2003 and Windows 95/98, which requires that you install WS2003 on FAT instead of NTFS
Neither of these is a particularly compelling reason, however.
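The two evaluation rules this section relies on, worked through in code as an added example that is not part of the original text: the cumulative (logical OR) and deny-overrides rules for NTFS permissions illustrated earlier with Susan and the Marketing group, and the most-restrictive rule for combining NTFS and shared-folder permissions illustrated just above with Read (NTFS) + Change (share) = Read. The function evaluates a DACL the way the Windows access check does (entries in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow; a right is granted only if an Allow supplies it before a Deny removes it) and then intersects the result with the mask the share permission corresponds to. Susan, Marketing and Pub are the text's hypothetical names; the SIDs and DACLs are constructed in memory, so nothing on disk is read or changed.

```powershell
# Added example, not from the original text. Evaluates effective NTFS rights from a DACL in
# canonical ACE order, then intersects with the share permission (most restrictive wins).
# Assumptions: constructed SIDs for the text's Susan and Marketing; in-memory DACLs; the
# share-to-NTFS mask mapping (Read=Read & Execute, Change=Modify, Full=Full Control).
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)] [FileSystemSecurity] $Acl,
        [Parameter(Mandatory)] [SecurityIdentifier[]] $Token   # user SID plus all group SIDs
    )
    $sids  = $Token | ForEach-Object { $_.Value }
    $rules = $Acl.GetAccessRules($true, $true, [SecurityIdentifier]) |
             Where-Object { $sids -contains $_.IdentityReference.Value }
    # Canonical order: explicit before inherited; Deny before Allow within each group.
    $ordered = $rules | Sort-Object @{Expression={$_.IsInherited}}, @{Expression={$_.AccessControlType -eq 'Allow'}}
    [int]$allowed = 0; [int]$denied = 0
    foreach ($r in $ordered) {
        $mask = [int]$r.FileSystemRights
        if ($r.AccessControlType -eq 'Deny') { $denied  = $denied  -bor ($mask -band (-bnot $allowed)) }
        else                                  { $allowed = $allowed -bor ($mask -band (-bnot $denied)) }
    }
    return [FileSystemRights]$allowed
}

# Share permissions expressed as the NTFS mask they correspond to (Synchronize included,
# as it is in every Allow ACE Windows writes).
$sync = [int][FileSystemRights]::Synchronize
$ShareMask = @{
    Read        = [int][FileSystemRights]::ReadAndExecute -bor $sync
    Change      = [int][FileSystemRights]::Modify         -bor $sync
    FullControl = [int][FileSystemRights]::FullControl
}
function Get-CombinedRights([FileSystemRights]$NtfsEffective, [string]$SharePermission) {
    # NTFS and share results combine to the most restrictive: the bitwise AND.
    [FileSystemRights]([int]$NtfsEffective -band $ShareMask[$SharePermission])
}
function New-Ace([SecurityIdentifier]$Sid, [FileSystemRights]$Rights, [AccessControlType]$Type) {
    [FileSystemAccessRule]::new($Sid, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type)
}

# Constructed SIDs (not real accounts); for real ones use Get-ADUser/Get-ADGroup .SID.
$Susan     = [SecurityIdentifier]'S-1-5-21-1000-2000-3000-1105'
$Marketing = [SecurityIdentifier]'S-1-5-21-1000-2000-3000-1201'
$token     = @($Susan, $Marketing)

# Case 1: Susan allowed Read, Marketing allowed Modify -> cumulative (OR) = Modify.
$pub = [DirectorySecurity]::new()
$pub.AddAccessRule((New-Ace $Susan     'Read'   'Allow'))
$pub.AddAccessRule((New-Ace $Marketing 'Modify' 'Allow'))
"NTFS effective:        $(Get-EffectiveNtfsRights -Acl $pub -Token $token)"   # Modify, Synchronize

# Case 2: explicit Deny Read on Susan beats Marketing's Allow Read -> every read right is
# gone; only Synchronize (which Windows strips from non-Full Control denies) survives.
$pub2 = [DirectorySecurity]::new()
$pub2.AddAccessRule((New-Ace $Susan     'Read' 'Deny'))
$pub2.AddAccessRule((New-Ace $Marketing 'Read' 'Allow'))
"With explicit Deny:    $(Get-EffectiveNtfsRights -Acl $pub2 -Token $token)"  # Synchronize

# Case 3: the strategy comparison: Marketing has NTFS Read on Pub and share Change.
$pub3 = [DirectorySecurity]::new()
$pub3.AddAccessRule((New-Ace $Marketing 'Read' 'Allow'))
$ntfsRead = Get-EffectiveNtfsRights -Acl $pub3 -Token $token
"Read + share Change:   $(Get-CombinedRights $ntfsRead 'Change')"        # Read, Synchronize
"Read + share Full:     $(Get-CombinedRights $ntfsRead 'FullControl')"   # Read, Synchronize
```

To evaluate a real file instead of the constructed DACLs, pass Get-Acl <path> as -Acl and the current token as -Token: $id = [WindowsIdentity]::GetCurrent(); @($id.User) + $id.Groups. The result covers the DACL only; it ignores user rights such as "Bypass traverse checking" and "Back up files and directories" and the Read Permissions/Change Permissions access that ownership implies, so treat it as the page's rules made executable rather than as a substitute for the Effective Permissions tab.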