19. NTFS Permissions
These protect local files and folders as well as remotely protect them and are often called local
permissions. NTFS permissions consist of the following:
- Read (R)
- Write (W) - Change attributes.
- Execute (X) - Run a file if it is an executable.
- Delete (D)
- Change Permission (P)
- Take Ownership (O)
The person who creates a file or folder becomes the owner.
Standard permissions are made up of a combination of the individual permissions and they are listed
- No Access (no individual permissions)
- Read (RX)
- List (RX) - folders only
- Add (WX) - folders only
- Add and Read (RWX) - folders only
- Change (RWXD)
- Full Control (All permissions)
File permissions take precedence over the permissions assigned to the folder that the file resides in.
Even if the user has 'No Access' to a folder. Typing the complete UNC or local path to the file
will allow access.
You can combine shared folder permissions with NTFS permissions for greater security. For example,
if the group Everyone has full control over files on a particular NTFS volume but only read
permission to the folder, then the group Everyone has only read access to the file. The most restrictive
permission is the effective one.
- Remove Full Control Permission from the Everyone Group.
- Assign Full control permission to the Administrators group.
- Assign Creator Owner Full Control to Data Folders.
- Encourage users to assign NTFS permissions to their files.
- Centralise home folders.
On NTFS volumes the %Username% variable automatically assigns Full Control permission
to home folders.
Assigning NTFS permissions is achieved by right-clicking on the folder or file, clicking
Properties, selecting the Security tab and clicking Permissions.
You have the option to change permissions on all subdirectories or just the files within the folder only.
he Name box displays the groups and users together with both their folder permissions and their
file permissions within the folder. The Type of Access box allows you to change the permissions
for the group or user selected.
If you wish to create Special Access Permissions then you select Special Directory Access
or Special File Access in the Type of Access box. Here you can select the individual permissions.
By default the Administrators group can take ownership of a file. An owner cannot assign ownership
to someone else they can only give permission for someone else to take ownership.
In order for a user to copy files between NTFS volumes, they must have Add permission for
the destination folder. In order to move a file, the user must not only have Add permission for the
destination folder but also Delete permission for the current folder.
Files copied either within an NTFS volume or between NTFS volumes, inherits the permissions
of the destination folder. Files moved within an NTFS volume retain their permissions, but
if they are moved between NTFS volumes they inherit the permissions of the destination folder.
Recommendations for permission usage:
- Assign NTFS permissions before sharing the resource.
- Make executable files read only for all users.
- Use the %Username% variable for all home folders.
- Assign the Creator Owner Full control to data folders.
- Use long names only if the resource is accessed locally.