Lesson 2: Assigning NTFS Permissions - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources], text version


Jill Spealman









Lesson 2: Assigning NTFS Permissions



There are certain guidelines you should follow for assigning NTFS permissions. Assign permissions according to group and user needs; this includes allowing or preventing permissions inheritance from parent folders to subfolders and files that are contained in the parent folder. This lesson presents guidelines for planning NTFS permissions and then walks you through the steps of assigning NTFS permissions.



After this lesson, you will be able to


Plan what permissions to assign to users or groups for applications and data folders


Assign NTFS folder and file permissions to user accounts and groups




Estimated lesson time: 60 minutes



Planning NTFS Permissions



If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that NTFS permissions are easy to manage. Use the following guidelines when you assign NTFS permissions:




To simplify administration, group files into application, data, and home folders. Centralize home and public folders on a volume that is separate from applications and the operating system. Doing so provides the following benefits:




You assign permissions only to folders, not to individual files.


Backup is less complex because there is no need to back up application files, and all home and public folders are in one location.




Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.


Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.


When you assign permissions for working with data or application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.


Turn off the permissions inheritance option at the home directory level. This allows the user to consider permissions for each file or folder in the home directory.


When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the CREATOR OWNER identity group. The user who creates a file is by default the creator and owner of the file. After you create a file, you may grant another user permission to take ownership of the file. The person who takes ownership would then become the owner of the file. If you assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to CREATOR OWNER, users have the ability to read and modify documents that other users create and the ability to read, modify, and delete the files and folders that they create.


Deny permissions only when it is essential to deny specific access to a specific user account or group.


Encourage users to assign permissions to the files and folders that they create and educate them about how to do so.



Setting NTFS Permissions



By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user automatically gets all rights and permissions that you have assigned to the Everyone group.
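A check for the default that the paragraph above warns about, as an added example that is not part of the training kit: it lists every Allow entry for Everyone under a folder tree and notes whether a local Guest account is enabled. It assumes a current Windows host with PowerShell 5.1 or later (Windows 2000 has no PowerShell); `C:\Data` is the lesson's practice folder and `Get-EveryoneGrant` is a hypothetical helper name.

```powershell
# Added example: find Allow entries for Everyone and check the local Guest account.
param([string]$Root = 'C:\Data')   # assumption: the lesson's practice folder

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Hypothetical helper: returns one object per Allow entry held by Everyone (S-1-1-0).
function Get-EveryoneGrant([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }
    # Request the rules keyed by SID so the match does not depend on a localized group name.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
            $rule.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Path        = $Path
                Rights      = $rule.FileSystemRights
                FullControl = ($rule.FileSystemRights -band $full) -eq $full
                Inherited   = $rule.IsInherited   # False = explicit entry, fix it here
            }
        }
    }
}

# The root folder itself plus everything below it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$findings = @($items | ForEach-Object { Get-EveryoneGrant $_.FullName })

# The built-in Guest account is the local account whose SID ends in -501.
$guest = Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

$findings | Sort-Object Inherited, Path | Format-Table -AutoSize
if ($findings -and $guest -and $guest.Enabled) {
    Write-Warning 'Guest is enabled: a user without a valid account is logged on as Guest and gets the Everyone grants listed above.'
}
```

Entries with `Inherited` set to `False` are the ones to change; inherited entries disappear once the parent is fixed or inheritance is blocked.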


Assigning or Modifying Permissions



Administrators, users with the Full Control permission, and the owners of files and folders (CREATOR OWNER) can assign permissions to user accounts and groups.


To assign or modify NTFS permissions for a file or a folder




Right-click the file or folder for which you want to assign permissions, then click Properties.


In the Security tab (see Figure 9.3) of the Properties dialog box for the file or folder, configure the options that are described in Table 9.3.




Figure 9.3 Security tab of the Properties dialog box for the Data folder




Table 9.3 Security Tab Options
















| Option | Description |
| --- | --- |
| Name | Select the user account, group, or special entity for which you want to change permissions or that you want to remove from the list. |
| Permission | To allow a permission, select the Allow check box. To deny a permission, select the Deny check box. |
| Add | Opens the Select Users, Computers, Or Groups dialog box, which you use to select user accounts and groups to add to the Name list. |
| Remove | Removes the selected user account, group, or special entity and the associated permissions for the file or folder. |
| Advanced | Opens the Access Control Settings For dialog box, which you use to add, remove, view, or edit special permissions for selected user accounts and groups. |
| Allow Inheritable Permissions From Parent To Propagate To This Object | Specifies whether permissions for this object will be affected by inheritance. |


Preventing Permissions Inheritance



By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Security tab in the Properties dialog box by a check in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If the check boxes under Permissions are shaded, then the file or folder has inherited permissions from the parent folder. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check box, you are prompted to select one of the options described in Table 9.4.


Table 9.4 Preventing Permissions Inheritance Options











| Option | Description |
| --- | --- |
| Copy | Copy the permissions from the parent folder to the current folder and then deny subsequent permissions inheritance from the parent folder. |
| Remove | Remove the permissions that are assigned to the parent folder and retain only the permissions that you explicitly assign to the file or folder. |
| Cancel | Cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. |




Practice: Planning and Assigning NTFS Permissions



In this practice you plan NTFS permissions for folders and files based on a business scenario. Then you apply NTFS permissions for folders and files on your computer based on a second scenario. Finally, you test the NTFS permissions that you set up to make sure that they are working properly.


Exercise 1: Planning NTFS Permissions



In this exercise you plan how to assign NTFS permissions to folders and files on a computer running Windows 2000 Server, based on the scenario described in the next section.


Scenario



The default NTFS folder and file permissions are Full Control for the Everyone group. Figure 9.4 shows the folder and file structure used for this practice. You need to review the following security criteria and record the changes that you should make to the NTFS folder and file permissions to meet the security criteria.




Figure 9.4 Folder and file structure for practice


To plan NTFS permissions, you must determine the following:




What groups to create and what built-in groups to use


What permissions users will require to gain access to folders and files


Whether or not to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box for the folder or file for which you are assigning permissions




Keep the following general guidelines in mind:




NTFS permissions that are assigned to a folder are inherited by all of the folders and files that it contains. To assign permissions for all of the folders and files in the Apps folder, you need only assign NTFS permissions to the Apps folder.


To assign more restrictive permissions to a folder or file that is inheriting permissions, you must either deny the unwanted permissions or block inheritance by clearing the Allow Inheritable Permissions From Parent To Propagate To This Object check box.




The decisions that you make are based on the following criteria:




In addition to the default built-in groups, the following groups have been created in the domain:




Accounting


Managers


Executives




Administrators require the Full Control permission for all folders and files.


All users will run programs in the WordProc folder, but they should not be able to modify the files in the WordProc folder.


Only members of the Accounting, Managers, and Executives groups should be able to read documents in the Spreadsh and Database application folders by running the associated spreadsheet and database applications, but they should not be able to modify the files in those folders.


All users should be able to read and create files in the Public folder.


All users should be prevented from modifying files in the Public\Library folder.


Only USER81 should be able to modify and delete files in the Public\Manuals folder.




When you apply custom permissions to a folder or file, which default permission entry should you remove?


Complete Table 9.5 to plan and record your permissions.


Table 9.5 Permissions Planning Table for Exercise 1


































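| Path | User Account or Group | NTFS Permissions | Block Inheritance (Yes/No) |
| --- | --- | --- | --- |
| Apps | | | |
| Apps\WordProc | | | |
| Apps\Spreadsh | | | |
| Apps\Database | | | |
| Public | | | |
| Public\Library | | | |
| Public\Manuals | | | |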


Exercise 2: Assigning NTFS Permissions for the Data Folder



In this exercise you assign NTFS permissions for the C:\Data folder (where C:\ is the name of your system drive) based on the scenario described next.


Before beginning the following exercises, create the users and groups listed in Table 9.6.


Table 9.6 Users and Groups for Exercise 2











| Group | User Account |
| --- | --- |
| Managers | USER81 (member of Print Operators) |
| Sales | User82 (member of Sales and Print Operators) |
| Sales | User83 (member of Managers and Print Operators) |


Create the following folders (where C:\ is the name of your system drive):




C:\Data


C:\Data\Managers


C:\Data\Managers\Reports


C:\Data\Sales



Scenario



The permissions that you assign are based on the following criteria:




All users in the domain should be able to read documents and files in the Data folder.


All users in the domain should be able to create documents in the Data folder.


All users in the domain should be able to modify the contents, properties, and permissions of the documents that they create in the Data folder.




To remove permissions from the Everyone group




Log on to your domain as Administrator.


Right-click My Computer, then click Explore.


Expand the Local Disk (C:), right-click the C:\Data folder, then click Properties.


Windows 2000 displays the Data Properties dialog box with the General tab active.


Click the Security tab to display the permissions for the Data folder.


Windows 2000 displays the Data Properties dialog box with the Security tab active.


What are the existing folder permissions?


Notice that the current allowed permissions cannot be modified.


Under Name, select the Everyone group, then click Remove.


What do you see?


Click OK to close the message box.


Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box to block permissions from being inherited.


Windows 2000 displays the Security message box, prompting you to copy the currently inherited permissions to the folder or remove all permissions for the folder except those that you explicitly specify.


Click Remove.


What are the existing folder permissions?




Answers


To assign permissions to the Users group for the Data folder




In the Data Properties dialog box, click Add.


Windows 2000 displays the Select Users, Computers, Or Groups dialog box.


In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.


The Look In list allows you to select the computer or domain from which to select user accounts, groups, or computers when you assign permissions. You should specify your domain to select from the user accounts and groups that you created.


In the Name column, select Users, then click Add.


Users is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.


In the box at the bottom of the Select Users, Computers, Or Groups dialog box, you can also type the name of the object you want. You can type multiple names by separating them with semicolons. If the object exists in a Windows 2000 domain or global catalog, you can type the first few characters of the name and then click Check Names. Windows 2000 either completes the name if there are no similar names, or prompts you to choose a name from a list of similar names.


Click OK to return to the Data Properties dialog box.


What are the existing allowed folder permissions?


Make sure that Users is selected, and then next to Write, select the Allow check box.


Click Apply to save your changes.




Answers


To assign permissions to the CREATOR OWNER group for the Data folder




In the Security tab of the Data Properties dialog box, click Add.


Windows 2000 displays the Select Users, Computers, Or Groups dialog box.


In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.


In the Name list, select CREATOR OWNER, then click Add.


CREATOR OWNER is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.


Click OK to return to the Data Properties dialog box.


What are the existing allowed folder permissions?


Make sure that CREATOR OWNER is selected, and next to Full Control, select the Allow check box, then click Apply to save your changes.


What do you see?


Click Advanced to display the additional permissions.


Windows 2000 displays the Access Control Settings For Data dialog box.


Under Name, select CREATOR OWNER.


What permissions are assigned to the CREATOR OWNER group and where do these permissions apply? Why?


Click OK.


On the Data Properties dialog box, click OK, then log off your domain.




Answers


To test the folder permissions that you assigned for the Data folder




Log on to your domain as USER81, then start Windows Explorer.


Expand the C:\Data directory.


In the Data folder, attempt to create a text file named User81.txt.


Were you successful? Why or why not?


Attempt to perform the following tasks for the file that you just created, and then record those tasks that you are able to complete.




Open the file


Modify the file


Delete the file




Close all applications, then log off Windows 2000.




Answers
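The end state of Exercise 2, scripted for a current Windows host, as an added example that is not part of the training kit (Windows 2000 itself has no PowerShell). It assumes the lesson's `C:\Data` folder and an elevated session, addresses the groups by well-known SID, and adds an Administrators Full Control entry (listed for C:\Data in Table 9.7, not in Exercise 2) so that the Remove option does not lock administrators out; `New-Sid` and `New-Rule` are hypothetical helper names.

```powershell
# Added example: block inheritance on the practice folder, then apply the
# Users and CREATOR OWNER entries from Exercise 2. Run from an elevated session.
param([string]$Path = 'C:\Data')   # assumption: the lesson's practice folder exists

function New-Sid([string]$Value) {   # hypothetical helper
    New-Object System.Security.Principal.SecurityIdentifier $Value
}
$everyone     = New-Sid 'S-1-1-0'        # Everyone
$users        = New-Sid 'S-1-5-32-545'   # BUILTIN\Users
$admins       = New-Sid 'S-1-5-32-544'   # BUILTIN\Administrators
$creatorOwner = New-Sid 'S-1-3-0'        # CREATOR OWNER

$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$toChildren   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisAndBelow = [System.Security.AccessControl.PropagationFlags]::None
$belowOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Rule($Sid, [string]$Rights, $Propagation) {   # hypothetical helper
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Sid, $r, $toChildren, $Propagation, $allow
}

$acl = Get-Acl -LiteralPath $Path

# Table 9.4: the first argument ($true) blocks inheritance; the second picks
# Copy ($true) or Remove ($false). Exercise 2 clicks Remove.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit Everyone entry as well.
$acl.PurgeAccessRules($everyone)

# Users: Read & Execute plus Write on this folder, subfolders and files.
$acl.AddAccessRule((New-Rule $users 'ReadAndExecute, Write' $thisAndBelow))

# CREATOR OWNER is a placeholder that is replaced by the creator's SID on each
# new child, so the entry is inherit-only (subfolders and files).
$acl.AddAccessRule((New-Rule $creatorOwner 'FullControl' $belowOnly))

# Not in Exercise 2: keeps administrators in control after Remove.
$acl.AddAccessRule((New-Rule $admins 'FullControl' $thisAndBelow))

Set-Acl -LiteralPath $Path -AclObject $acl

# Read the ACL back: every entry should show IsInherited = False.
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Passing `$true` as the second argument of `SetAccessRuleProtection` gives the Copy behaviour instead, which leaves the inherited Everyone entry in place as an explicit one until it is purged.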


Exercise 3: Assigning NTFS Permissions



In this exercise you assign NTFS permissions to the Data, Managers, Reports, and Sales folders based on the scenario described in the following section.


Scenario



Assign the appropriate permissions to folders as listed in Table 9.7.


Table 9.7 Folder Permissions for Exercise 3


















| Folder Name | User Account or Group | Permissions |
| --- | --- | --- |
| C:\Data | Users group; Administrators group | Read & Execute; Full Control |
| C:\Data\Managers | Users group; Managers group; Administrators group | Read & Execute; Full Control; Modify |
| C:\Data\Managers\Reports | Users group; Administrators group; User82 | Read & Execute; Full Control; Modify |
| C:\Data\Sales | Users group; Administrators group; Sales group | Read & Execute; Full Control; Modify |


To assign NTFS permissions for a folder




1. Log on to your domain as Administrator, then start Windows Explorer.

2. Expand the Local Disk (C:).

3. Right-click the folder for which you are modifying permissions, then click Properties.

   Windows 2000 displays the Properties dialog box for the folder with the General tab active.

4. In the Properties dialog box for the folder, click the Security tab.

5. In the Security tab, if you need to modify the inherited permissions for a user account or group, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box, and then when prompted to copy or remove inherited permissions, click Copy.

6. To add permissions to user accounts or groups for the folder, click Add.

   Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

7. Make sure that your domain appears in the Look In list at the top of the Select Users, Computers, Or Groups dialog box.

8. In the Name column, type the name of the appropriate user account or group, based on the preceding scenario, then click Add.

   Windows 2000 displays the user account or group under Name at the bottom of the dialog box.

9. Repeat Step 8 for each user account or group that is listed for the folder in the preceding scenario.

10. Click OK to return to the Properties dialog box for the folder.

11. If the Properties dialog box for the folder contains user accounts and groups that are not listed in the preceding scenario, select the user account or group, then click Remove.

12. For all user accounts and groups that are listed for the folder in the preceding scenario, under Name, select the user account or group, and then under Permissions, select the Allow check box or the Deny check box next to the appropriate permissions that are listed for the folder in the preceding scenario.

13. Click OK to apply your changes, and close the Properties dialog box for the folder.

14. Repeat this procedure for each folder for which you are assigning permissions as specified in the preceding scenario.

15. Log off Windows 2000.



Exercise 4: Testing NTFS Permissions



In this exercise you log on using various user accounts and test NTFS permissions.


To test permissions for the Reports folder while logged on as USER81




Log on as USER81, then start Windows Explorer.


In Windows Explorer, expand the C:\Data\Managers\Reports directory.


Attempt to create a file in the Reports folder.


Were you successful? Why or why not?


Log off Windows 2000.




Answers


To test permissions for the Reports folder while logged on as User82




Log on as User82, then start Windows Explorer.


Expand the C:\Data\Managers\Reports directory.


Attempt to create a file in the Reports folder.


Were you successful? Why or why not?


Log off Windows 2000.




Answers


To test permissions for the Sales folder while logged on as Administrator




Log on to your domain as Administrator, then start Windows Explorer.


Expand the C:\Data\Sales directory.


Attempt to create a file in the Sales folder.


Were you successful? Why or why not?


Close Windows Explorer, and then log off Windows 2000.




Answers


To test permissions for the Sales folder while logged on as USER81




Log on as USER81, then start Windows Explorer.


Expand the C:\Data\Sales directory.


Attempt to create a file in the Sales folder.


Were you successful? Why or why not?




Answers


To test permissions for the Sales folder while logged on as User82




Log on as User82, then start Windows Explorer.


Expand the C:\Data\Sales directory.


Attempt to create a file in the Sales folder.


Were you successful? Why or why not?


Close all applications, then log off Windows 2000.




Answers


Lesson Summary



In this lesson you learned that by default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You learned that you should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources. You learned that Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders. You learned how to assign or modify NTFS permissions for a file or a folder by using the Security tab of the Properties dialog box for the file or folder.


You also learned that by default, subfolders and files inherit permissions that you assign to their parent folder, and you learned how to disable this feature so that subfolders and files do not inherit the permissions assigned to their parents. In the practice exercises, you created some folders, assigned NTFS permissions, and then tested the permissions you set up to determine if you set them up correctly.

