Sunday, May 18, 2008

Windows Server 2008 NTFS File and Folder Permissions

Setting file- and folder-level permissions is one of the most dreaded and tedious, but necessary, tasks of system administration. However, permissions are significant in terms of protecting data from unauthorized use on your network. If you have ever worked with Unix permissions, you know how difficult they are to understand and set: complex chmod-based commands, with numbers that represent bits of permission signatures; it's so easy to get lost in the confusion. Windows Server 2008, on the other hand, provides a remarkably robust and complete set of permissions, more than any common Unix or Linux variety available today. It's also true that no one would dispute how much easier it is to set permissions in Windows than to set them in any other operating system. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.


Standard and Special Permissions

Windows supports two different views of permissions: standard and special. Standard permissions are often sufficient to be applied to files and folders on a disk, whereas special permissions break standard permissions down into finer combinations and enable more control over who is allowed to perform which operations on files and folders (called objects) on a disk. Coupled with Active Directory groups, Windows Server 2008 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator, for example, in the case of changing group membership.

Table 3-1 describes the standard permissions available in Windows.

Table 3-1. Windows Server 2008 standard permissions
| Type | Description |
| --- | --- |
| Read (R) | Allows user or group to read the file. |
| Write (W) | Allows user or group to write to the contents of a file or folder and to create new files and folders. It is possible to have write permissions without read permissions. |
| Read and Execute (RX) | Allows user or group to read attributes of a file or folder, view its contents, and read files within a folder. Files inside folders with RX rights inherit the rights onto themselves. |
| List Folder Contents (L) | Similar to RX, but files within a folder with L rights will not inherit RX rights. New files, however, automatically get RX permissions. |
| Modify (M) | Allows user or group to read, write, execute, and delete the file or folder. |
| Full Control (FC) | Similar to M, but also allows user or group to take ownership and change permissions. Users or groups can delete files and subfolders within a folder if FC rights are applied to that folder. |


The following key points should help you to understand how permissions work:

  • File permissions always take precedence over folder permissions. If a user can execute a program in a folder, she can do so even if she doesn't have read and execute permissions on the folder in which that program resides.

  • Similarly, a user can read a file for which he explicitly has permission, even if that file is in a folder for which he has no permission, by simply knowing the location of that file. For example, you can hide a file listing employee Social Security numbers in a protected folder in Payroll to which user Mark Jones has no folder permissions. However, if you explicitly give Mark read rights on that file, by knowing the full path to the file, he can open the file from a command line or from the Run command on the Start menu.

  • Permissions are cumulative: they "add up" based on the overall permissions a user gets as a result of her total group memberships.

  • Deny permissions always trump Allow permissions. This applies even if a user is added to a group that is denied access to a file or folder that the user was previously allowed to access through his other memberships.

Windows also has a bunch of permissions labeled special permissions, which, simply put, are very focused permissions that make up standard permissions. You can mix, match, and combine special permissions in certain ways to make standard permissions. Windows has "standard permissions" simply to facilitate the administration of common rights assignments.

There are 14 default special permissions, shown in Table 3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier.

Table 3-2. Windows Server 2008 special permissions
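| Special permission | R | W | RX | L | M | FC |
| --- | --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File |  |  | X | X | X | X |
| List Folder/Read Data | X |  | X | X | X | X |
| Read Attributes | X |  | X | X | X | X |
| Read Extended Attributes | X |  | X | X | X | X |
| Create Files/Write Data |  | X |  |  | X | X |
| Create Folders/Append Data |  | X |  |  | X | X |
| Write Attributes |  | X |  |  | X | X |
| Write Extended Attributes |  | X |  |  | X | X |
| Delete Subfolders and Files |  |  |  |  |  | X |
| Delete |  |  |  |  | X | X |
| Read Permissions | X |  | X | X | X | X |
| Change Permissions |  |  |  |  |  | X |
| Take Ownership |  |  |  |  |  | X |
| Full Control | X | X | X | X | X | X |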


The default special permissions are further described in the following list.

Traverse Folder/Execute File

Traverse Folder allows you to access a folder nested within a tree even if parent folders in that tree deny a user access to the contents of those folders. Execute File allows you to run a program.


List Folder/Read Data

List Folder allows you to see file and folder names within a folder. Read Data allows you to open and view a file.


Read Attributes

Allows you to view basic attributes of an object (read-only, system, archive, and hidden).


Read Extended Attributes

Allows you to view the extended attributes of an object—for example, summary, author, title, and so on for a Word document. These attributes will vary from program to program.


Create Files/Write Data

Create Files allows you to create new objects within a folder; Write Data allows you to overwrite an existing file (this does not allow you to add data to existing objects in the folder).


Create Folders/Append Data

Create Folders allows you to nest folders. Append Data allows you to add data to an existing file, but not delete data within that file (a function based on file size), or delete the file itself.


Write Attributes

Allows you to change the basic attributes of a file.


Write Extended Attributes

Allows you to change the extended attributes of a file.


Delete Subfolders and Files

Allows you to delete the contents of a folder regardless of whether any individual file or folder within the folder in question explicitly grants or denies the Delete permission.


Delete

Allows you to delete a single file or folder, but not other files or folders within it.


Read Permissions

Allows you to view NTFS permissions on an object, but not to change them.


Change Permissions

Allows you to both view and change NTFS permissions on an object.


Take Ownership

Allows you to take ownership of a file or folder, which inherently allows the ability to change permissions on an object. This is granted to administrator-level users by default.


You also can create custom combinations of permissions, known as special permissions, other than those defined in Windows Server 2008 by default; I cover that procedure in detail later in this section.
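
The following Python sketch is an added example, not code from the book: it encodes the special permissions of Table 3-2 with their Windows SDK access-mask bits, builds the standard permissions from them, and applies the cumulative-Allow and Deny-trumps-Allow key points to a user's group memberships. The ACL, the group names and the user name are constructed, and every entry is assumed to be set directly on the object; List Folder Contents is omitted because its column matches RX, and the Synchronize bit is left out because the table does not list it.

```python
# Added example: special-permission bits as defined in the Windows SDK (winnt.h).
SPECIAL = {
    "Traverse Folder/Execute File": 0x000020,
    "List Folder/Read Data":        0x000001,
    "Read Attributes":              0x000080,
    "Read Extended Attributes":     0x000008,
    "Create Files/Write Data":      0x000002,
    "Create Folders/Append Data":   0x000004,
    "Write Attributes":             0x000100,
    "Write Extended Attributes":    0x000010,
    "Delete Subfolders and Files":  0x000040,
    "Delete":                       0x010000,
    "Read Permissions":             0x020000,
    "Change Permissions":           0x040000,
    "Take Ownership":               0x080000,
}

def bits(*names):
    """OR together the bits of the named special permissions."""
    return sum(SPECIAL[n] for n in set(names))

# Standard permissions composed exactly as the X marks in Table 3-2.
R = bits("List Folder/Read Data", "Read Attributes", "Read Extended Attributes", "Read Permissions")
W = bits("Create Files/Write Data", "Create Folders/Append Data", "Write Attributes", "Write Extended Attributes")
RX = R | bits("Traverse Folder/Execute File")
M = RX | W | bits("Delete")
FC = M | bits("Delete Subfolders and Files", "Change Permissions", "Take Ownership")

def decompose(mask):
    """Names of the special permissions present in an access mask."""
    return [name for name, bit in SPECIAL.items() if mask & bit]

def effective(memberships, acl):
    """Union of Allow masks for the user's identities, minus every Deny mask."""
    allow = deny = 0
    for kind, trustee, mask in acl:
        if trustee not in memberships:
            continue
        if kind == "allow":
            allow |= mask
        else:
            deny |= mask
    return allow & ~deny

# Constructed ACL: (entry type, trustee, access mask). Names are illustrative.
ACL = [("allow", "Payroll Staff", M), ("allow", "Auditors", R), ("deny", "Contractors", W)]
print(decompose(effective({"mjones", "Payroll Staff", "Contractors"}, ACL)))
```

A user who is in both the constructed Payroll Staff and Contractors groups ends up with Read and Execute plus Delete: the Deny entry strips only the four write-related special permissions out of Modify, not the whole grant.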


Source of Information: O'Reilly Windows Server 2008: The Definitive Guide
