Assigning NTFS Permission in Windows XP Professional

   We will see what are the best practices of implementing NTFS permissions and also how to implement the NTFS in the right way.

  By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. This presented a problem in earlier versions of Windows, including Microsoft Windows 2000. In Windows XP Professional, the Anonymous Logon is no longer included in the Everyone group.

   Assigning or Modifying Permissions

  Only Administrators, users with the Full Control permission, and the owners of files and folders can assign permissions to user accounts and groups. The users with the least privileges will be unable to modify the permissions of these files. The procedure to assign or modify NTFS permissions for a file or a folder, is the Security tab of the Properties dialog box for the file or folder. Right click on the folder to which the permission has to be assigned or modified and then select the Sharing and Security... link from the drop down menu. Then in the tab window that appears, select the Security tab. The detail of each setting in the Security tab is explained in the table below.

    
Option Description
Group Or User Name Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list.
Permissions For group or user name Allows and denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission.
Add This opens the Select Users Or Groups dialog box, which you use to select user accounts and groups to add to the Group Or User Name list
Remove Removes the selected user account or group and the associated permissions for the file or folder.
Advanced Opens the Advanced Security Settings dialog box for the selected folder so that you can grant or deny special permissions.

   Adding Users and Groups

   Now we will add users to this particular folder so that so that permissions can be granted for accessing a folder or file. Click Add to display the Select Users Or Groups dialog box. The options available in the Select Users Or Groups dialog box are described in the table below
    
Option Description
Select The Object Type Allows you to select the types of objects you want to look for, such as built-in security principals (users, groups, and computer accounts), user accounts, or groups.
From This Location Indicates where you are currently looking, for example in the domain or on the local computer.
Locations Allows you to select where you want to look, for example in the domain or on the local computer.
Enter The Object Names To Select Allows you to type in a list of built-in security principals, users, or groups to be added.
Check Names Verifies the selected list of built-in security principals, users, or groups to be added.
Advanced Allows you access to advanced search features, including the ability to search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days.

   Granting or Denying Special Permissions

   Click Advanced to display the Advanced Security Settings dialog box. This lists the users and groups and the permissions they have on this object. The Permissions Entries box also shows where the permissions were inherited from and where they are applied. You can use the Advanced Security Settings dialog box to change the permissions set for a user or group. To change the permissions set for a user or group, select a user and click Edit to display the Permission Entry For dialog box. You can then select or clear the specific permissions, that you want to change. The details of the specific permissions are explained in the table below.
    
Permission Description
Full Control Full Control applies all permissions to the user or group.
Traverse Folder/ Execute File Traverse Folder allows or denies moving through folders to access other files or folders, even when the user has no permissions for the traversed folder (the folder that the user is moving through). Traverse Folder is not applied if the user or group has the Bypass Traverse Checking user right granted in Group Policy. By default the Everyone group has Bypass Traverse Checking granted, so you must modify the Group Policy if you want to use Traverse Folder permission. Traverse Folder applies only to folders. Execute File allows or denies running executable files (application files). Execute File applies only to files.
List Folder/ Read Data List Folder allows or denies viewing file names and subfolder names within the folder. List Folder applies only to folders. Read Data allows or denies viewing the contents of a file. Read Data applies only to files.
Read Attributes Read Attributes allows or denies the viewing of the attributes of a file or folder. These attributes are defined by NTFS.
Read Extended Attributes Read Extended Attributes allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs.
Create Files/ Write Data Create Files allows or denies the creation of files within a folder. Create Files applies to folders only. Write Data allows or denies the making of changes to a file and the overwriting of existing content. Write Data applies to files only.
Create Folders/ Append Data Create Folders allows or denies the creation of folders within the folder. Create Folders applies only to folders. Append Data allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data. Append Data applies to files only.
Write Attributes Write Attributes allows or denies the changing of the attributes of a file or folder. These attributes are defined by NTFS.
Write Extended Write Extended Attributes allows or denies the changing of the Attributes extended attributes of a file or a folder. These attributes are defined by programs.
Delete Subfolders and Files Delete Subfolders and Files allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file.
Delete Delete allows or denies the deletion of a file or folder. A user can delete a file or folder even without having the Delete permission granted on that file or folder, if the Delete Subfolder and Files permission has been granted to the user on the parent folder.
Read Permissions Read Permissions allows or denies the reading of the permissions assigned to the file or folder.
Change Permissions Change Permissions allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user can't delete or write to the file or folder but can assign permissions to the file or folder.
Take Ownership Take Ownership allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder.
Synchronize Synchronize allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

   Taking Ownership

   Ownership of files and folders can be transferred from one user account or group to another. It is possible to give someone the ability to take ownership and, as an administrator, it is possible to take ownership of a file or folder. The following rules apply for taking ownership of a file or folder:
  • The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or any member of the group to take ownership.
  • An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

    •    For example, if an employee leaves the company, an administrator can take ownership of the employee's files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.

    You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder. To take ownership of a file or folder, the user or a group member with Take Ownership permission must explicitly take ownership of the file or folder, as follows:

  • In the Security tab of the Properties dialog box for the file or folder, click Advanced.
  • In the Advanced Security Settings dialog box, in the Owner tab, in the Change Owner To list, select your name.
  • Select the Replace Owner On Subcontainers And Objects check box to take ownership of all subfolders and files that are contained within the folder, and then click OK.

    •    Preventing Permission Inheritance

       By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Advanced Security Settings dialog box when the Inherit From Parent The Permission Entries That Apply To Child Objects check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the check box.
        
    Option Description
    Copy Copy the permission entries that were previously applied from the parent to the child and then deny subsequent permissions inheritance from the parent folder.
    Remove Remove the permission entries that were previously applied from the parent to the child and retain only the permissions that you explicitly assign here.
    Cancel Cancel the dialog box.
        

       Guidelines for implementing NTFS Permissions

       The following guidelines are very important to understand the best way of implementing NTFS Permissions.
  • To simplify administration, group files into application, data, and home folders. Centralize home and public folders on a volume that is separate from applications and the operating system. This provides the following benefits:Permissions are assigned only to folders, not to individual files and Backup is less complex because you don't need to back up application files, and all home and public folders are in one location.
  • Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.
  • Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.
  • When you assign permissions for working with data or application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.
  • When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group and the Full Control permission to the CREATOR OWNER. By default, the user who creates a file is also the owner of the file. The owner of a file can grant another user permission to take ownership of the file. The person who takes ownership would then become the owner of the file. If you assign the Read & Execute permission and the Write permission to the Users group and the Full Control permission to the CREATOR OWNER, users have the ability to read and modify documents that other users create and the ability to read, modify, and delete the files and folders that they create.
  • Deny permissions only when it is essential to deny specific access to a specific user account or group.
  • Encourage users to assign permissions to the files and folders that they create and educate them about how to do so.
    •  
     
    Best viewed with 1024 x 768 px Resolution
    Developed in association with K K Webtech P Ltd.