Setting the permissions for a file or folder allows you to permit some users to read or change your files while restricting access to others. Problem is, if you rely on Vista's defaults, anyone will be able to read your files and no one will be able to change them.
So, before you start messing with permissions, you'll need to turn off Simple File Sharing. Open Control Panel and then Folder Options, choose the View tab, and turn off the Use Sharing Wizard option at the end of the Advanced Settings list. Click OK when you're done.
Note that permissions can only be used on files and folders stored on NTFS volumes.
1. Set Permissions for a File or Folder
Shockingly, Microsoft actually took default permissions seriously when designing Windows Vista. In previous versions of Windows, everyone with an account on your PC had access to every file on your hard disk; if you wanted to protect your private data, you had to take matters into your own hands. In Vista, defaults are set to protect your private data from other users, and to protect Windows operating system files from all users.
Of course, no progress is without its price. Some of Vista's defaults are so restrictive that they can break certain software not expressly written for Vista.
To give someone access to your files, or to further restrict access, you'll need to mess with his or her permissions. Of course, it gets a little confusing when you realize that there are two different Permissions windows for any given object (file, folder, printer, etc.).
Object permissions
Right-click any file, folder, drive, Registry key, or printer, select Properties, and choose the Security tab to view or change the permissions for the selected object(s). These settings affect how the object is accessed by users on your machine (including you).
Share permissions
Right-click any file, folder, drive, or printer, select Properties, choose the Sharing tab, click Advanced Sharing, and then click the Permissions button to view or change the share permissions for the selected object(s). These settings affect whether users on other PCs on your network can read or write to your shared files or print to your shared printers.
Fortunately, all Permissions windows look and work the same; the only difference is their scope. Figure 1 shows a typical Permissions window.
Typically, a single entry, "Everyone," will appear at the top of the list. In the example in Figure 8-4, only five single users are shown here. Any user not in the list will not be allowed to view or modify the object.
Permissions protect files from other user accounts only. If you walk away from your PC while you're logged in, for example, someone else sitting down at your keyboard will have full access to all your files, regardless of permissions or even encryption. This is why, when your PC is in a public place, anyway, it's a good idea to use the "On resume, display logon screen" option in the Screen Saver Settings window.
Select any user in the list, and then use the checkboxes in the list below to modify the permissions for that user. In this example, members of the Everyone group are allowed to read the selected file, but not allowed to write to it. Although this window only shows the permissions for one user or group at a time, you can click Advanced to see a better overview, as shown in Figure 2.
In some cases, when you attempt to remove or modify permissions in the standard Permissions window (Figure 1), Windows will complain about the fact that the object is inheriting permissions. The reason is the Inherit from parent option in the Advanced Security Settings dialog shown in Figure 2.
1.1. Inheritance and ownership
Inheritance can be confusing at first, but it does save time in the long run. Essentially, if you set the permissions of a folder, those permissions will propagate to all of the files and subfolders contained therein (although Windows will usually ask you whether or not you want this to happen). When the permissions for a "parent" folder trickle down to a "child" folder or file, that child object is said to "inherit" the permissions of its parent folder. Furthermore, the child's inherited permissions are locked, at least until you turn off the aforementioned Inherit from parent option.
The Auditing tab in the Advanced Security Settings window allows you to log access activity relating to the selected object. Before auditing will work, you'll need to set up an auditing policy by opening the Group Policy window (gpedit.msc). Then, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, and double-click any entry in the right pane (such as Audit logon events or Audit privilege use) to instruct Windows to start keeping track of those events. Later on, open the Event Viewer (eventvwr.msc) to view the corresponding logs. Note that settings in the Auditing tab also obey the inheritance scheme just discussed.
The Owner tab is used to assume ownership of one or more objects, and can be the source of a lot of frustration when wrestling with permissions. One of the means by which Vista maintains its lock on important operating system files and Registry keys is through ownership; by default, all these system-level objects are owned by a user named "Creator Owner." (See the upcoming sidebar, "What's the Creator Owner Account?," for details.) To make any changes to these objects, you must first assume ownership by selecting your own name in the list, turning on the Replace owner on subcontainers and objects option, and clicking OK in all the open Permissions windows.
Another time when you'd use the Owner tab is when you need to share documents between two Windows installations on the same PC; in most cases, Windows won't let you access such files until you "take ownership" using the Owner tab of this window. For another way to manage ownership of files and folders, see the "Take Ownership from the Command Line" sidebar, next.
It's a real pain to dig down through all those windows to take ownership of a file, only to have to close them all, and then reopen them to subsequently change the permissions. If you're comfortable with the Command Prompt or you need a way to take ownership from a script, there are a few useful tools included with Vista for this purpose. To assume ownership of a file or folder, use the takeown command. Open a Command Prompt window, and at the prompt, type:
takeown /f "c:\full_path\myfile.ext"
where c:\full_path\myfile.ext is the full path and filename to take ownership of. Add the /r option (only if you're specifying a folder name) to also take ownership of all the folders and files contained therein. Type takeown /? for more options. Next, to set Full Access permissions on the file or folder, use the cacls command, like this:
cacls "c:\full_path\myfile.ext" /G your_username:F
where your_username is, obviously, your username. Note that without the /E option, cacls replaces the object's existing permission list instead of editing it, so add /E if the other entries should be kept. And for those familiar with Unix, there's a chown (change ownership) command-line utility (written for NT but works in Vista) available for free at http://www.thep.physik.uni-mainz.de/~frink/nt.html.
Finally, the Effective Permissions tab is a troubleshooting tool that lets you view the selected object's permissions as they pertain to a single user. This is most useful when dealing with groups of users.
1.2. Add new users to the Permissions window
Typically, a single entry, Everyone, will appear at the top of the Group or user names list in the Permissions window. (Here, Everyone literally means all users and groups in perpetuity.) More than likely, though, you'll want to eliminate the Everyone entry and add only those users (such as yourself) whom you need to specifically grant access to your stuff.
Start by deleting any unwanted users by selecting them and clicking Remove. Then, click Add to open the Select Users or Groups window, as shown in Figure 3.
The first time you use this tool, you'll probably expect to see a list of all the users on your PC; unfortunately, Microsoft in its infinite wisdom decided it would be easier for you to type each user's account name by hand. To add a user, type one or more names in the Enter the object names to select field; separate multiple names with semicolons.
In the example in Figure 3, notice that the third entry, SCHOOLBUS\Wendell, is unlike the others. While Seth and Munchie are users on the PC (or in the corporate domain to which this computer belongs), this third entry shows how you'd specify a user account on a different machine; in this case, the user Wendell on the computer SCHOOLBUS is to be added. The only time you'd likely need to do this is if Wendell needed to access your shared files remotely, and you didn't want to create an account for Wendell on your own PC.
So, why, in the Select Users or Groups window, can you not actually select a user or group? Why aren't all the user and group names on your PC listed in here? Why all the typing? The reason is that this window was originally designed to accommodate a company-wide network with thousands of users, and since Microsoft hasn't made a single change to this interface in at least seven years, you'll need to go elsewhere to get a list of users.
When you click OK, Windows will verify the user and group names you've entered, and if all is well, will add them to the Permissions window. Mistype a name, and you won't be allowed to leave. (To verify your entries without closing the window, click Check Names.)
When you've added a new user to the Permissions window (shown previously in Figure 1), highlight the user, and selectively click the checkmarks in the Allow or Deny columns.
Deny entries take precedence over any Allow entries. Say a user named Surly is part of a group named Duff. If you deny read access to the Duff group, and then allow read access to the Surly account, Surly still won't be able to read the files.
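The Surly and Duff case above, combined with the inheritance rules from section 1.1, as an added example (not from the original article): a simplified Python model of how Windows walks a permission list. The right bits, the Ace class and the function names are assumptions made for illustration. It goes slightly beyond the text by showing that entries set directly on an object are evaluated before inherited ones, so an explicit Allow is reached before a Deny inherited from a parent folder.

```python
from dataclasses import dataclass

# Simplified right bits, constructed for this example (not the real NTFS mask values).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
MODIFY = READ | WRITE | EXECUTE | DELETE  # "Modify" is an umbrella over the others


@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group the entry applies to
    mask: int                # rights covered by the entry
    inherited: bool = False  # True when the entry came from the parent folder


def canonical(acl):
    """Order entries as Windows does: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(acl, identities, wanted):
    """Return True if a user holding `identities` (own name plus groups)
    is granted every right in `wanted`."""
    remaining = wanted
    for ace in canonical(acl):
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # a Deny on a still-needed right ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True       # everything asked for has been allowed
    return False                  # not listed, or not fully granted: refused


# Constructed sample data: Surly is a member of the Duff group.
SURLY = {"Surly", "Duff", "Everyone"}
SAME_LEVEL = [Ace("allow", "Surly", READ), Ace("deny", "Duff", READ)]
FROM_PARENT = [Ace("deny", "Duff", READ, inherited=True), Ace("allow", "Surly", READ)]
READ_ONLY = [Ace("allow", "Everyone", READ | EXECUTE)]

if __name__ == "__main__":
    print("Deny and Allow set on the same file:", access_check(SAME_LEVEL, SURLY, READ))
    print("Inherited Deny, explicit Allow:     ", access_check(FROM_PARENT, SURLY, READ))
    print("Everyone read-only, asking to write:", access_check(READ_ONLY, SURLY, WRITE))
    print("Unlisted user asking to read:       ", access_check(SAME_LEVEL, {"Wendell"}, READ))
```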
Depending on the type of object you've selected, you may see any number of different types of entries here, such as Full Control, Read, Write and Modify. After playing with the checkmarks, you'll notice that there is quite a bit of redundancy in this list; for example, Modify is an umbrella term that includes Read & Execute, Read, and Write.
For more control over permissions, click Advanced to show the Advanced Security Settings window (shown earlier in Figure 2), select the user with whom you want to work, and click Edit. The Permission Entry window shown in Figure 4 allows you to fine-tune permissions and allow only those permissions that are absolutely necessary for the object. When setting most permissions day-to-day, you won't ever need to use this tool.
When you're done choosing permissions, click OK. If you're modifying the permissions for a folder, Windows may or may not prompt you to have your changes propagated to all subfolders and files.
1.3. How permissions affect software
In most cases, you'll want to set permissions to protect your files and folders from unauthorized access. But some permissions are necessary to get certain programs to work.
For example, if you're writing a CGI or ASP program for the IIS web server, you'll need to set the permissions of your files to give the Internet Guest Account full access. The Internet Guest Account user account name is based on the machine name: for a system named SERVER, you'd enter SERVER\IUSR_SERVER into the Select Users or Groups dialog (as shown earlier in Figure 3).