Understanding and Applying NTFS Permissions in Windows XP Professional

   You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network.

The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.

   NTFS Folder Permissions

   You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders. The table below lists the standard NTFS folder permissions that you can assign and the type of access that each provides.

    
NTFS folder permission | Allows the user to
Read | See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)
Write | Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
List Folder Contents | See the names of files and subfolders in the folder
Read & Execute | Move through folders to reach other files and folders, even if the users don't have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
Modify | Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission
Full Control | Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions

   You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

   NTFS File Permissions

   You assign file permissions to control the access that users have to files. The table below lists the standard NTFS file permissions that you can assign and the type of access that each provides.

    
NTFS file permission | Allows the user to
Read | Read the file, and view file attributes, ownership, and permissions
Write | Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute | Run applications, plus perform the actions permitted by the Read permission
Modify | Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
Full Control | Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

   Access Control List

   NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't access the resource.

   Multiple NTFS Permissions

   You can assign multiple permissions to a user account and to each group of which the user is a member. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions, as well as NTFS permissions inheritance.

   Effective Permissions

   A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.

   Overriding Folder Permissions with File Permissions

   NTFS file permissions take priority over NTFS folder permissions. If you have permission for a file and you have the Bypass Traverse Checking security permission, you can access the file even if you don't have access to the folder containing it. To do so, open the file from its respective application by using the full Universal Naming Convention (UNC) or local path; the folder in which the file resides is invisible to you if you have no corresponding folder permission. In other words, if you don't have permission to access the folder containing the file you want to access, you must have the Bypass Traverse Checking security permission and you must know the full path to the file. Without permission to access the folder, you can't see the folder, so you can't browse for the file.

   Overriding Other Permissions with Deny

   You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have.

   NTFS Permissions Inheritance

   By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance.

   Understanding Permissions Inheritance

   Whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.

   Preventing Permissions Inheritance

   You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them. The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.
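
   The rules from the sections above (effective permissions as a sum, Deny overriding Allow, inheritance and preventing it), as an added Python example that is not part of the original page. It is a simplified model of the rules as stated here, not the Windows access check; the folder, file, user and group names are constructed, and the folder permission table is applied to files as well for brevity.

```python
from dataclasses import dataclass, field

# What each standard folder permission includes, per the folder table above.
R, W, L, RX, M, FC = ("Read", "Write", "List Folder Contents",
                      "Read & Execute", "Modify", "Full Control")
INCLUDES = {R: {R}, W: {W}, L: {L}, RX: {RX, R, L},
            M: {M, W, RX, R, L}, FC: {FC, M, W, RX, R, L}}

@dataclass
class Node:
    name: str
    aces: list = field(default_factory=list)  # (trustee, "allow"|"deny", permission)
    parent: "Node" = None
    inherit: bool = True                      # False = inheritance prevented here

def acl(node):
    """Explicit ACEs plus ACEs inherited from parents, stopping where inheritance is blocked."""
    entries = list(node.aces)
    while node.inherit and node.parent is not None:
        node = node.parent
        entries += node.aces
    return entries

def effective(node, user, groups):
    """Sum of the allows for the user and its groups, minus anything denied."""
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for trustee, kind, perm in acl(node):
        if trustee in trustees:
            (allowed if kind == "allow" else denied).update(INCLUDES[perm])
    return allowed - denied   # empty set: no matching ACE, or everything denied

# Constructed sample tree (all names are hypothetical).
data = Node("Data", [("alice", "allow", R), ("Sales", "allow", W)])
q1 = Node("q1.xls", [("alice", "deny", W)], parent=data)        # Deny on one file
private = Node("Private", [("Managers", "allow", M)], parent=data, inherit=False)
memo = Node("memo.doc", parent=private)                         # inherits from Private only
locked = Node("Locked", [("Sales", "deny", FC)], parent=data)   # deny Full Control

if __name__ == "__main__":
    for node, user, groups in [(data, "alice", ["Sales"]), (q1, "alice", ["Sales"]),
                               (memo, "alice", ["Sales"]), (memo, "bob", ["Managers"]),
                               (locked, "alice", ["Sales"])]:
        print(f"{user:6} on {node.name:9}: {sorted(effective(node, user, groups))}")
```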

 
 