File- and folder-level permissions are one of the most dreaded and tedious, but necessary, tasks of system administration. They are also significant in protecting data from unauthorized use on your network. If you have ever worked with Unix permissions, you know how difficult they can be to understand and set: complex CHMOD-based commands, with numbers that represent bits of a permission signature, make it easy to get lost. Windows Server 2008, on the other hand, provides a remarkably robust and complete set of permissions, more than any common Unix or Linux variety available today. Few would dispute that setting permissions is much easier in Windows than in any other operating system. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.
Standard and Special Permissions
Windows supports two different views of permissions: standard and special. Standard permissions are often sufficient to be applied to files and folders on a disk, whereas special permissions break standard permissions down into finer combinations and enable more control over who is allowed to do what functions to files and folders (called objects) on a disk. Coupled with Active Directory groups, Windows Server 2008 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator—for example, in the case of changing group membership.
Table 3-1 describes the standard permissions available in Windows.
File permissions always take precedence over folder permissions. If a user can execute a program in a folder, she can do so even if she doesn't have read and execute permissions on the folder in which that program resides.
Similarly, a user can read a file for which he explicitly has permission, even if that file is in a folder for which he has no permission, by simply knowing the location of that file. For example, you can hide a file listing employee Social Security numbers in a protected folder in Payroll to which user Mark Jones has no folder permissions. However, if you explicitly give Mark read rights on that file, by knowing the full path to the file, he can open the file from a command line or from the Run command on the Start menu.
Deny permissions always trump Allow permissions. This applies even if a user is added to a group that is denied access to a file or folder that the user was previously allowed to access through his other memberships.
Windows also has a bunch of permissions labeled special permissions, which, simply put, are very focused permissions that make up standard permissions. You can mix, match, and combine special permissions in certain ways to make standard permissions. Windows has "standard permissions" simply to facilitate the administration of common rights assignments.
There are 14 default special permissions, shown in Table 3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier.
| Special permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
|---|---|---|---|---|---|---|
| Traverse Folder/Execute File | X | X | X | X | | |
| List Folder/Read Data | X | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | X | |
| Create Files/Write Data | X | X | | | | X |
| Create Folders/Append Data | X | X | | | | X |
| Write Extended Attributes | X | X | | | | X |
| Delete Subfolders and Files | X | | | | | |
The default special permissions are further described in the following list.
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
  Allows you to change the basic attributes of a file.
- Write Extended Attributes
  Allows you to change the extended attributes of a file.
- Delete Subfolders and Files
- Read Permissions
- Change Permissions
- Take Ownership
You also can create custom combinations of permissions, known as special permissions, other than those defined in Windows Server 2008 by default; I cover that procedure in detail later in this section.
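As an added example, not from the book, the rules above as a small Python model: the special permissions carry the bit values of .NET's FileSystemRights enum, the standard permissions are built as unions of them (so each row of Table 3-2 can be recomputed), any mask that is not exactly one standard permission is what the permissions dialog reports as "Special", and an access check lets any overlapping Deny win over Allow. It folds the table's List Folder Contents column into Read & Execute, since both carry the same bits and differ only in how they are inherited; the ACE tuples, the group names and the payroll scenario are constructed for illustration.

```python
from enum import IntFlag

class Rights(IntFlag):
    """NTFS special permissions, with the bit values of .NET's FileSystemRights enum."""
    ReadData = 0x1                        # List Folder / Read Data
    WriteData = 0x2                       # Create Files / Write Data
    AppendData = 0x4                      # Create Folders / Append Data
    ReadExtendedAttributes = 0x8
    WriteExtendedAttributes = 0x10
    ExecuteFile = 0x20                    # Traverse Folder / Execute File
    DeleteSubdirectoriesAndFiles = 0x40
    ReadAttributes = 0x80
    WriteAttributes = 0x100
    Delete = 0x10000
    ReadPermissions = 0x20000
    ChangePermissions = 0x40000
    TakeOwnership = 0x80000
    Synchronize = 0x100000

R = Rights
# Standard permissions are fixed unions of special ones (Table 3-2 as bit masks).
STANDARD = {
    "Read": R.ReadData | R.ReadExtendedAttributes | R.ReadAttributes | R.ReadPermissions,
    "Write": R.WriteData | R.AppendData | R.WriteExtendedAttributes | R.WriteAttributes,
}
STANDARD["ReadAndExecute"] = STANDARD["Read"] | R.ExecuteFile  # same bits as List Folder Contents
STANDARD["Modify"] = STANDARD["ReadAndExecute"] | STANDARD["Write"] | R.Delete
STANDARD["FullControl"] = Rights(0x1F01FF)  # every special bit, Synchronize included

def standard_permissions_containing(special):
    """One row of Table 3-2: the standard permissions that include `special`."""
    return [name for name, mask in STANDARD.items() if special in mask]

def is_standard(mask):
    """Anything that is not exactly one standard permission is shown as 'Special'."""
    return mask in STANDARD.values()

def access_check(aces, groups, requested):
    """Evaluate (kind, trustee, mask) ACEs for a user who belongs to `groups`."""
    # A matching Deny that overlaps the request wins wherever it sits in the list and
    # whatever the Allows grant (Windows enforces this by ordering explicit Denys first).
    granted = Rights(0)
    for kind, trustee, mask in aces:
        if trustee not in groups:
            continue
        if kind == "Deny" and mask & requested:
            return False
        if kind == "Allow":
            granted |= mask
    return requested in granted
```

The last assertion-style use is the Mark Jones case from above: only the file's own ACEs are consulted, so an explicit Read on the file grants access whatever the folder says.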
Source: O'Reilly, Windows Server 2008: The Definitive Guide