|1| Chapter 9, Securing Network Resources
|2| Chapter 9, Lesson 1
Understanding NTFS Permissions
|3| 1. NTFS Permissions
A. Rules associated with objects that
regulate which users can gain access to an object and in what manner
B. Specify which users and groups can gain
access to files and folders, including access to the contents of the file or
folder
C. Only available on NTFS partitions
D. Not available with the file allocation
table (FAT) or FAT32 file systems
E. Security is effective whether a user gains
access to the file or folder at the computer or over the network.
F. Different permissions are assigned for files and folders.
Note: The version of NTFS used in Microsoft Windows 2000 cannot be natively
recognized by earlier versions. Windows NT 4.0 installation will require
Service Pack 4 or later.
2. NTFS Folder Permissions
|4| A. Overview
1. Folder permissions are assigned to
control the access that users have to folders, and to the files and subfolders
that are contained within the folders.
2. Folder permissions can be denied to a
user account or group.
3. To deny all access to a user account or
group for a folder, the Full Control permission is denied.
|5| B. Folder permissions
1. Full Control: Change permissions, take
ownership, and delete subfolders and files, plus perform actions permitted by
all other NTFS folder permissions
2. Modify: Delete the folder plus perform
actions permitted by the Write permission and the Read & Execute permission
3. Read & Execute: Move through folders
to reach other files and folders, even if the users do not have permission for
those folders, and perform actions permitted by the Read permission and the
List Folder Contents permission
4. List Folder Contents: See the names of
files and subfolders in the folder
5. Read: See files and subfolders in the
folder and view folder ownership, permissions, and attributes
6. Write: Create new files and subfolders
within the folder, change folder attributes, and view folder ownership and
permissions
3. NTFS File Permissions
|6| A. Overview
1. Control access users have to files
2. Can be denied to a user account or group
|7| B. File permissions
1. Full Control: Change permissions and take
ownership, plus perform the actions permitted by all other NTFS file permissions
2. Modify: Modify and delete the file, plus
perform the actions permitted by the Write permission and the Read &
Execute permission
3. Read & Execute: Run applications,
plus perform the actions permitted by the Read permission
4. Read: Read the file, and view file
attributes, ownership, and permissions
5. Write: Overwrite the file, change file
attributes, and view file ownership and permissions
|8| 4. Access Control List (ACL)
A. NTFS stores an ACL with every file and
folder on an NTFS volume.
B. An ACL contains a list of all user
accounts and groups that have been granted access for the file or folder, as
well as the type of access that has been granted.
C. For a user to gain access to a resource,
the ACL must contain an access control entry (ACE) for the user account or a
group to which the user belongs.
D. The ACE must allow the type of access that
is requested for the user to gain access.
E. If no ACE exists in the ACL, the user
cannot gain access to the resource.
|9| 5. Multiple NTFS Permissions
A. Overview
1. Multiple NTFS permissions can be assigned
to a user account by assigning permissions for a resource to an individual user
account and to each group of which the user is a member.
2. NTFS assigns and combines multiple
permissions.
3. NTFS permissions are inherited.
B. Permissions are cumulative
1. Effective permissions for a resource are
the sum of the NTFS permissions assigned to the individual user account and to
all of the groups to which the user belongs.
|10| C. File permissions override folder
permissions
1. A user with access to a file will be able
to gain access to it even if the user does not have access to the folder
containing the file.
2. A user can gain access to the files for
which he or she has permissions by using the full UNC or local path to open the
file from its respective application, even though the folder in which it
resides will be invisible if the user has no corresponding folder permission.
3. Without permission to access the folder,
the user cannot see the folder and is therefore unable to browse for the file.
Note: The Traverse Folder/Execute File special permission allows or denies
moving through folders to reach other files or folders, even if the user has
no permissions for the traversed folders. This permission takes effect only
when the group or user is granted the Bypass Traverse Checking user right in
the Group Policy snap-in.
|11| D. Deny overrides other permissions
1. Permission to a user account or group for
a specific file can be denied, although this is not the recommended way to
control access to resources.
2. Denying permission overrides all
instances in which that permission is allowed.
|12| 6. NTFS Permissions Inheritance
A. Overview
1. By default, permissions assigned to the
parent folder are inherited by and propagated to the subfolders and files that
are contained in the parent folder.
2. Permissions inheritance can be prevented.
|13| B. Understanding permissions inheritance
1. Files and subfolders can inherit
permissions from their parent folder.
2. Inheritance depends on the inheritance
option set for a given object.
C. Preventing permissions inheritance
1. Permissions assigned to a parent folder
can be prevented from being inherited by subfolders and files that are
contained within the folder by setting the inheritance option for the given
object.
2. If permissions inheritance is prevented
for a folder, that folder becomes the top parent folder.
|14| Chapter 9, Lesson 2
Assigning NTFS Permissions
1. Overview
A. Certain guidelines should be followed.
B. Assign permissions according to group and
user needs.
C. Allow or prevent permissions inheritance
from parent folders to subfolders and files that are contained in the parent
folder.
|15| 2. Planning NTFS Permissions
A. Group files into application, data, and
home folders to simplify administration.
B. Centralize home and public folders on a
volume that is separate from applications and the operating system to provide
the following benefits:
1. Permissions are assigned only to folders, not to
individual files.
2. Backup is less complex, because no reason
exists to back up program files.
3. All home and public folders are in one
location.
C. Allow users only the level of access that
they require.
D. Create groups according to the access that
the group members require for resources; then, assign the appropriate
permissions to the group.
E. Assign permissions to individual user
accounts only when necessary.
F. When assigning permissions for working with data or application folders,
assign the Read & Execute permission to the Users group and assign the
Read & Execute permission and the Change permission to the Administrators
group.
|16| G. Turn off the permissions inheritance
option at the home directory level; this allows the user to consider
permissions for each file or folder in the home directory.
H. When assigning permissions for public data
folders, assign the Read & Execute permission and the Write permission to
the Users group, and the Full Control permission to the Creator Owner identity
group.
1. A user who creates a file is by default
the creator owner of the file.
2. After the file is created, permission for
another user to take ownership may be granted.
I. Deny permissions only when denying
specific access to a specific user account or group is essential.
J. Encourage users to assign permissions to
the files and folders that they create, and educate them about how to do so.
|17| 3. Setting NTFS Permissions
A. Overview
1. When formatting a volume with NTFS, the
Full Control permission is assigned to the Everyone group by default.
2. The access that users have to resources
is controlled by changing the Full Control permission and assigning other
appropriate NTFS permissions.
3. Administrators, users with Full Control
permission, and the owners of files and folders (Creator Owner) can assign
permissions to user accounts and groups.
|18| 4. The Guest account is a member of the
Everyone group by default.
a. Care should be taken when assigning
permissions to the Everyone group and enabling the Guest account.
b. Windows 2000 will authenticate as Guest a
user who does not have a valid user account.
c. A user authenticated as Guest
automatically gets all rights and permissions that have been assigned to the
Everyone group.
B. Assigning or modifying permissions
1. To assign or modify permissions for files
and folders
a. Right-click the file or folder for which
permissions are to be assigned, and then click Properties
b. In the Security tab of the Properties
dialog box for the file or folder, configure the options
|19| 2. Security Tab options:
a. Name: Select the user account, group, or
special entity to change or remove permissions
b. Permission: To allow a permission, select
the Allow check box; to deny, select the Deny check box
c. Add: Opens the Select Users, Computers,
Or Groups dialog box; use to select user accounts and groups to add to the Name
list
d. Remove: Removes the selected user account,
group, or special entity and the associated permissions for the file or folder
e. Advanced: Opens the Access Control
Settings For dialog box, which is used to add, remove, view, or edit special
permissions for selected user accounts and groups
f. Allow Inheritable Permissions From Parent
To Propagate To This Object: Specifies whether permissions for this object will
be affected by inheritance
|20| C. Preventing permissions inheritance
1. Overview
a. By default, subfolders and files inherit
permissions that are assigned to their parent folder.
b. A check in the Allow Inheritable Permissions
From Parent To Propagate To This Object check box, located in the Security tab
of the Properties dialog box, is the default setting.
c. If the check boxes under Permissions are
shaded in the Properties dialog box, then the file or folder has inherited permissions
from the parent folder.
d. Clearing the Allow Inheritable Permissions
From Parent To Propagate To This Object check box prevents a subfolder or file
from inheriting permissions from a parent folder.
2. Options
a. Copy: Copy the permissions from the parent
folder to the current folder and then deny subsequent permissions inheritance
from the parent folder
b. Remove: Remove the permissions that are
assigned to the parent folder and retain only the permissions that are
explicitly assigned to the file or folder
c. Cancel: Cancel the dialog box and restore
the check mark in the Allow Inheritable Permissions From Parent To Propagate To
This Object check box
|21| Chapter 9, Lesson 3
Assigning Special Permissions
1. Overview
A. Standard NTFS permissions generally
provide all of the access control that is needed to secure resources.
B. Sometimes the standard NTFS permissions
do not provide the specific level of access that users need to be assigned.
C. NTFS special permissions are used to create
a specific level of access.
|22| 2. Special Permissions
A. Overview
1. Special permissions are set on the
Permission Entry For dialog box for the file or folder.
2. Special permissions are accessed by
selecting Advanced on the Security tab of the Properties dialog box for the
file or folder, and then selecting View/Edit for a Permission Entry on the
Access Control Settings For dialog box for the file or folder.
3. Each of the standard file and folder
permissions consists of a logical group of special permissions.
4. When assigning special permissions to
folders, choose where to apply the permissions down the tree to subfolders and
files.
5. Change Permissions and Take Ownership are
particularly useful for controlling access to resources.
|23| B. Special file and folder permissions
1. Traverse Folder/Execute File
a. Traverse Folder allows or denies moving
through folders that the user does not have permission to access, to reach
files or folders that the user does have permission to access; applies to
folders only.
b. Traverse Folder takes effect only when the
group or user is not granted the Bypass Traverse Checking user right in group
policy.
c. By default, the Everyone group is given
the Bypass Traverse Checking user right.
d. Setting the Traverse Folder permission on
a folder does not automatically set the Execute File permission on all files
within that folder.
e. Execute File allows or denies running
program files; applies to files only.
2. List Folder/Read Data
a. List Folder allows or denies viewing file
names and subfolder names within the folder; applies to folders only.
b. Read Data allows or denies viewing data in
files; applies to files only.
3. Read Attributes
a. Allows or denies viewing the attributes of
a file or folder, such as read-only and hidden
b. Attributes are defined by NTFS.
4. Read Extended Attributes
a. Allows or denies viewing the extended
attributes of a file or folder
b. Defined by programs and may vary
5. Create Files/Write Data
a. Create Files allows or denies creating
files within the folder; applies to folders only.
b. Write Data allows or denies making changes
to the file and overwriting existing content; applies to files only.
6. Create Folders/Append Data
a. Create Folders allows or denies creating
folders within a folder; applies to folders only.
b. Append Data allows or denies making
changes to the end of the file but not changing, deleting, or overwriting
existing data; applies to files only.
7. Write Attributes
a. Allows or denies changing the attributes
of a file or folder, such as read-only or hidden
b. Attributes are defined by NTFS.
8. Write Extended Attributes
a. Allows or denies changing the extended
attributes of a file or folder
b. Extended attributes are defined by
programs and may vary.
9. Delete Subfolders and Files
a. Allows or denies deleting subfolders and
files
b. Applies even if the Delete permission has
not been granted on the subfolder or file
10. Delete
a. Allows or denies deleting the file or
folder
b. The file can still be deleted if granted
the Delete Subfolders and Files permission on the parent folder.
11. Read Permissions
a. Allows or denies reading permissions for
the file or folder, such as Full Control, Read, and Write
12. Change Permissions
a. Allows or denies changing permissions for
the file or folder, such as Full Control, Read, and Write
13. Take Ownership
a. Allows or denies taking ownership of the
file or folder
b. The owner of a file or folder can always
change permissions on it, regardless of any existing permissions that protect
the file or folder.
14. Synchronize
a. Allows or denies different threads to wait
on the handle for the file or folder and synchronize with another thread that
may signal it
b. This permission applies only to multithreaded,
multiprocess programs.
|24| C. Special permissions associated with
standard file and folder permissions
1. Full Control
a. Traverse Folder/Execute File
b. List Folder/Read Data
c. Read Attributes
d. Read Extended Attributes
e. Create Files/Write Data
f. Create Folders/Append Data
g. Write Attributes
h. Write Extended Attributes
i. Delete Subfolders and Files
j. Delete
k. Read Permissions
l. Change Permissions
m. Take Ownership
n. Synchronize
2. Modify
a. Traverse Folder/Execute File
b. List Folder/Read Data
c. Read Attributes
d. Read Extended Attributes
e. Create Files/Write Data
f. Create Folders/Append Data
g. Write Attributes
h. Write Extended Attributes
i. Delete
j. Read Permissions
k. Synchronize
3. Read & Execute
a. Traverse Folder/Execute File
b. List Folder/Read Data
c. Read Attributes
d. Read Extended Attributes
e. Read Permissions
f. Synchronize
4. List Folder Contents
a. Traverse Folder/Execute File
b. List Folder/Read Data
c. Read Attributes
d. Read Extended Attributes
e. Read Permissions
f. Synchronize
5. Read
a. List Folder/Read Data
b. Read Attributes
c. Read Extended Attributes
d. Read Permissions
e. Synchronize
6. Write
a. Create Files/Write Data
b. Create Folders/Append Data
c. Write Attributes
d. Write Extended Attributes
e. Read Permissions
f. Synchronize
Note: Although the List Folder Contents and Read & Execute standard
permissions appear to have the same special permissions, these permissions are
inherited differently. List Folder Contents is inherited by folders but not by
files, and appears only when you view folder permissions. Read & Execute is
inherited by both files and folders and is always present when you view file
or folder permissions.
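The rules from Lessons 1 and 3 (permissions are cumulative, deny overrides allow, no ACE means no access, each standard permission is a group of special permissions, and Delete Subfolders and Files on a parent folder permits deleting a file) worked through in Python. This is an added example, not part of the original outline and not Windows code: it is a simplified model of the rules as stated here, inheritance is not modelled, and the account names, group names and ACLs are constructed for illustration.

```python
"""Simplified model of the NTFS permission rules in this outline (added example)."""

# Standard permissions as sets of special permissions (Lesson 3, section 2.C).
READ = {"List Folder/Read Data", "Read Attributes", "Read Extended Attributes",
        "Read Permissions", "Synchronize"}
WRITE = {"Create Files/Write Data", "Create Folders/Append Data",
         "Write Attributes", "Write Extended Attributes",
         "Read Permissions", "Synchronize"}
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions",
                         "Take Ownership"}
STANDARD = {
    "Full Control": FULL_CONTROL,
    "Modify": MODIFY,
    "Read & Execute": READ_EXECUTE,
    "List Folder Contents": READ_EXECUTE,  # same set, inherited differently
    "Read": READ,
    "Write": WRITE,
}


def expand(permission):
    """Return the special permissions behind a standard or special name."""
    if permission in STANDARD:
        return set(STANDARD[permission])
    if permission in FULL_CONTROL:
        return {permission}
    raise ValueError(f"unknown permission: {permission!r}")


def effective(acl, user, groups):
    """Effective special permissions for a user on one object.

    Only ACEs naming the user or one of the user's groups count, allows are
    summed, and a deny removes that permission wherever it was allowed.
    No matching ACE yields an empty set, which means no access.
    """
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for trustee, kind, permission in acl:
        if trustee not in trustees:
            continue
        if kind not in ("allow", "deny"):
            raise ValueError(f"unknown ACE type: {kind!r}")
        (denied if kind == "deny" else allowed).update(expand(permission))
    return allowed - denied


def can_delete(file_acl, folder_acl, user, groups):
    """Delete on the file, or Delete Subfolders and Files on its parent."""
    return ("Delete" in effective(file_acl, user, groups)
            or "Delete Subfolders and Files" in effective(folder_acl, user, groups))


# Constructed sample data. An ACE is (trustee, "allow" or "deny", permission).
FOLDER_ACL = [
    ("Users", "allow", "Read"),
    ("Sales", "allow", "Write"),
    ("Contractors", "deny", "Full Control"),
    ("Managers", "allow", "Full Control"),
]
FILE_ACL = [("Managers", "allow", "Read")]

if __name__ == "__main__":
    print(sorted(effective(FOLDER_ACL, "alice", ["Users", "Sales"])))
    print(sorted(effective(FOLDER_ACL, "bob", ["Users", "Sales", "Contractors"])))
    print(can_delete(FILE_ACL, FOLDER_ACL, "dana", ["Managers"]))
```

The last call shows the troubleshooting case from Lesson 5: the Managers group has only Read on the file, yet Full Control on the parent folder still permits deleting it.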
|25| D. Change Permissions
1. Granting Change Permissions allows other
administrators and users to change permissions for a file or folder without
giving them the Full Control permission over the file or folder.
2. The administrator or user granted Change
Permissions cannot delete or write to the file or folder, but can assign
permissions to the file or folder.
3. To give administrators the ability to
change permissions, Change Permissions is assigned to the Administrators group
for the file or folder.
E. Take Ownership
1. Overview
a. Granting Take Ownership gives users or
groups the ability to take ownership of files or folders.
b. An administrator can take ownership of a file
or folder.
|26| 2. Rules for taking ownership of a file or
folder:
a. The current owner or any user with Full Control
permission can assign the Full Control standard permission or the Take
Ownership special permission to another user account or group, allowing the
user account or a member of the group to take ownership.
b. An administrator can take ownership of a file or folder, regardless of
assigned permissions.
Note: Ownership of a file or folder cannot be assigned to anyone. The owner of
a file, an administrator, or anyone with Full Control permission can assign
Take Ownership permission to a user account or group, allowing the user to
take ownership. To become the owner of a file or folder, a user or group
member with Take Ownership permission must explicitly take ownership of the
file or folder.
3. To take ownership of a file or folder
a. In the Access Control Settings For dialog
box for the file or folder, in the Owner tab, in the Change Owner To list,
select the account name
b. Select the Replace Owner On Subcontainers
And Objects check box to take ownership of all objects and subcontainers within
the folder
c. Click OK
|27| 3. Setting Special Permissions
A. To set Change Permissions or Take
Ownership permissions
1. Locate the file or folder for which to
apply special permissions, right-click the file or folder, click Properties,
and then click the Security tab
2. Click Advanced
3. In the Access Control Settings For dialog
box for a file or folder, in the Permissions tab, select the user account or
group for which to apply special permissions; on the Access Control Settings
For dialog box, view the permissions that are applied to the file or folder,
the owner, and where the permissions apply
4. For the Allow Inheritable Permissions
From Parent To Propagate To This Object check box:
a. Check the box to specify that this object
will inherit permissions from the parent folder
b. Clear the box to specify that this object
will not inherit any permissions from the parent folder
5. For the Reset Permissions On All Child
Objects And Enable Propagation Of Inheritable Permissions check box:
a. Check the box to reset any existing
permissions on child objects so that the child objects will inherit permissions
from the parent object
b. Clear the box to not reset any existing
permissions on child objects so that the child objects will not inherit
permissions from the parent object
|28| 6. Click View/Edit to open the Permission
Entry For dialog box for the file or folder
B. Options in the Permission Entry For dialog
box
1. Name: The user account or group name; to
select a different user account or group, click Change
2. Apply Onto: The level of the folder
hierarchy at which the special NTFS permissions are inherited; default is This
Folder, Subfolders, And Files
3. Permissions: The special permissions; to
allow Change Permissions or the Take Ownership permission, select the Allow
check box
4. Apply These Permissions To Objects And/Or
Containers Within This Container Only: Specifies whether subfolders and files
within a folder inherit the special permissions from the folder
a. Select this check box to propagate the
special permissions to files and subfolders
b. Clear this check box to prevent
permissions inheritance
5. Clear All: Click this button to clear all
selected permissions
|29| Chapter 9, Lesson 4
Copying and Moving Files and Folders
|30| 1. Overview
A. When files and folders are copied or
moved, the permissions set on the files or folders may change.
B. Specific rules control how and when
permissions change during a copy or move.
|31| 2. Copying Files and Folders
A. Copying a file within a single NTFS volume
or between NTFS volumes
1. Windows 2000 treats it as a new file, and
the file takes on the permissions of the destination folder or volume.
2. Write permission for the destination folder
is required to copy files and folders.
3. The person copying the files or folders becomes the Creator Owner.
Note: When copying files and folders to non-NTFS volumes, the folders and
files lose their NTFS permissions because FAT volumes do not support NTFS
permissions.
|32| 3. Moving Files and Folders
|33| A. Moving within a single NTFS volume
1. The folder or file retains the original
permissions.
2. Write permission for the destination
folder is required to move files and folders into it.
3. Modify permission for the source folder
or file is required.
4. The person moving the file or folder
becomes the Creator Owner.
|34| B. Moving between NTFS volumes
1. The folder or file inherits the
permissions of the destination folder.
2. Write permission for the destination
folder is required to move files and folders into it.
3. Modify permission for the source folder
or file is required.
4. The person moving the file or folder
becomes the Creator Owner.
|35| Chapter 9, Lesson 5
Troubleshooting Permissions Problems
1. Permissions Problems and Solutions
|36| A. Problem: A user cannot gain access to a
file or folder.
1. Possible solution: Permissions might have
changed if the file or folder was copied or moved.
2. Possible solution: Check the permissions
that are assigned to the user account and to groups of which the user is a
member.
3. Possible solution: The user might not
have permission or might be denied access either individually or as a member of
a group.
B. Problem: A user account is added to a
group to give that user access to a file or folder, but the user still cannot
gain access.
1. Possible solution: For access permissions
to be updated to include the new group, the user must log off and then log on
again.
2. Possible solution: The user can close all
network connections to the computer on which the file or folder resides and
then make new connections.
C. Problem: A user with Full Control
permission to a folder deletes a file in the folder although that user does not
have permission to delete the file itself.
1. Possible solution: Clear the special
permission Delete Subfolders And Files check box.
2. Possible solution: Prevent users with Full Control of the folder from
being able to delete files in the folder.
Note: Windows 2000 supports POSIX applications designed to run on UNIX. On
UNIX systems, Full Control permission allows the deletion of files in a
folder. In Windows 2000, the Full Control permission includes the Delete
Subfolders and Files special permission, allowing the same ability to delete
files in that folder regardless of the permissions that are set for the files
and folders.
|37| 2. Avoiding Permissions Problems
A. Assign the most restrictive NTFS
permissions that still enable users and groups to accomplish necessary tasks.
B. Assign all permissions at the folder
level, not at the file level; group files in a separate folder for which user
access is to be restricted, and then assign that folder restricted access.
C. For all application executable files,
assign Read & Execute and Change Permissions to the Administrators group,
and assign Read & Execute to the Users group.
|38| D. Assign Full Control to Creator Owner for
public data folders so that users can delete and modify files and folders that
they create.
E. For public folders, assign Full Control to
Creator Owner and Read and Write to the Everyone group.
F. Use long, descriptive names if the
resource will be accessed only at the computer; if the folder will be shared,
use folder and file names that are accessible by all client computers.
G. Allow permissions rather than deny them.