Windows Small Business Server 2011 : Working with Permissions (part 2) - Using NTFS Permissions

9/20/2013 3:44:43 AM

2 Using NTFS Permissions

Once you grant the Allow Full Control share permission to the Everyone special identity, anyone can access the shared folder over the network. However, users cannot access the files in the shared folder unless they also have appropriate NTFS permissions. NTFS permissions apply whether the user is accessing the files over the network or is seated at the computer where the files are stored.

Unlike the relatively simple share permissions system, NTFS permissions provide much more detailed control over the access granted to a specific security principal. You might want to limit some users to reading a file while granting others permission to modify the contents of the same file. Still others might be able to create new files in the same folder.

2.1 Standard Permissions and Special Permissions

The NTFS file system includes two types of permissions: standard permissions and special permissions. Standard permissions are the ones that most administrators use on an everyday basis. The six NTFS standard permissions and the privileges they provide when you apply them to files and folders are listed in Table 2.

Table 2. NTFS Standard Permissions

STANDARD PERMISSION: Full Control

  When applied to a folder, enables a security principal to:

  • Modify the folder permissions

  • Take ownership of the folder

  • Delete subfolders and files contained in the folder

  • Perform all actions associated with all the other NTFS folder permissions

  When applied to a file, enables a security principal to:

  • Modify the file permissions

  • Take ownership of the file

  • Perform all actions associated with all the other NTFS file permissions

STANDARD PERMISSION: Modify

  When applied to a folder, enables a security principal to:

  • Delete the folder

  • Perform all actions associated with the Write and the Read & Execute permissions

  When applied to a file, enables a security principal to:

  • Modify the file

  • Delete the file

  • Perform all actions associated with the Write and the Read & Execute permissions

STANDARD PERMISSION: Read & Execute

  When applied to a folder, enables a security principal to:

  • Navigate through restricted folders to reach other files and folders

  • Perform all actions associated with the Read and List Folder Contents permissions

  When applied to a file, enables a security principal to:

  • Perform all actions associated with the Read permission

  • Run applications

STANDARD PERMISSION: List Folder Contents

  When applied to a folder, enables a security principal to:

  • View the names of the files and subfolders contained in the folder

  When applied to a file, enables a security principal to:

  • Not applicable

STANDARD PERMISSION: Read

  When applied to a folder, enables a security principal to:

  • See the files and subfolders contained in the folder

  • View the ownership, permissions, and attributes of the folder

  When applied to a file, enables a security principal to:

  • Read the contents of the file

  • View the ownership, permissions, and attributes of the file

STANDARD PERMISSION: Write

  When applied to a folder, enables a security principal to:

  • Create new files and subfolders inside the folder

  • Modify the folder attributes

  • View the ownership and permissions of the folder

  When applied to a file, enables a security principal to:

  • Overwrite the file

  • Modify the file attributes

  • View the ownership and permissions of the file

When you open the Properties dialog box for an NTFS file or folder, select the Security tab, and click Edit, you see the interface shown in Figure 2, which is quite similar to the share permission interface you worked with earlier. In fact, all the Windows Server 2008 R2 permission systems use the same basic interface, the differences being the names of the permissions you can select and the number of available permissions.

Figure 2. The Security tab of an NTFS file.

Standard permissions are easy to use, but they are not the most detailed form of permissions available on NTFS volumes. In actuality, standard permissions are preconfigured combinations of special permissions. Special permissions provide the finest possible control over your NTFS files and folders. There are 14 special permissions, as listed in Table 3.

Table 3. NTFS Special Permissions

SPECIAL PERMISSION

FUNCTIONS

Traverse Folder/Execute File

  • The Traverse Folder permission allows or denies security principals the ability to move through folders that they do not have permission to access so they can reach files or folders that they do have permission to access. This permission applies to folders only.

  • The Execute File permission allows or denies security principals the ability to run program files. This permission applies to files only.

List Folder/Read Data

  • The List Folder permission allows or denies security principals the ability to view the file and subfolder names within a folder. This permission applies to folders only.

  • The Read Data permission allows or denies security principals the ability to view the contents of a file. This permission applies to files only.

Read Attributes

  • Allows or denies security principals the ability to view the NTFS attributes of a file or folder.

Read Extended Attributes

  • Allows or denies security principals the ability to view the extended attributes of a file or folder.

Create Files/Write Data

  • The Create Files permission allows or denies security principals the ability to create files within the folder. This permission applies to folders only.

  • The Write Data permission allows or denies security principals the ability to modify the file and overwrite existing content. This permission applies to files only.

Create Folders/Append Data

  • The Create Folders permission allows or denies security principals the ability to create subfolders within a folder. This permission applies to folders only.

  • The Append Data permission allows or denies security principals the ability to add data to the end of the file but not to modify, delete, or overwrite existing data in the file. This permission applies to files only.

Write Attributes

  • Allows or denies security principals the ability to modify the NTFS attributes of a file or folder.

Write Extended Attributes

  • Allows or denies security principals the ability to modify the extended attributes of a file or folder.

Delete Subfolders and Files

  • Allows or denies security principals the ability to delete subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

Delete

  • Allows or denies security principals the ability to delete the file or folder.

Read Permissions

  • Allows or denies security principals the ability to read the permissions for the file or folder.

Change Permissions

  • Allows or denies security principals the ability to modify the permissions for the file or folder.

Take Ownership

  • Allows or denies security principals the ability to take ownership of the file or folder.

Synchronize

  • Allows or denies different threads of multithreaded, multiprocessor programs to wait on the handle for the file or folder, and synchronize with another thread that might signal it.

When you assign a standard permission to a security principal, you are actually assigning a combination of special permissions. The standard permissions and their corresponding special permissions are listed in Table 4. However, it is also possible to work with special permissions directly.

Table 4. NTFS Standard Permissions and their Special Permission Equivalents

STANDARD PERMISSIONS

SPECIAL PERMISSIONS

Read

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Read Permissions

  • Synchronize

Read & Execute

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Read Permissions

  • Synchronize

  • Traverse Folder/Execute File

Modify

  • Create Files/Write Data

  • Create Folders/Append Data

  • Delete

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Read Permissions

  • Synchronize

  • Write Attributes

  • Write Extended Attributes

Write

  • Create Files/Write Data

  • Create Folders/Append Data

  • Read Permissions

  • Synchronize

  • Write Attributes

  • Write Extended Attributes

List Folder Contents

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Read Permissions

  • Synchronize

  • Traverse Folder/Execute File

Full Control

  • Change Permissions

  • Create Files/Write Data

  • Create Folders/Append Data

  • Delete

  • Delete Subfolders and Files

  • List Folder/Read Data

  • Read Attributes

  • Read Extended Attributes

  • Read Permissions

  • Synchronize

  • Take Ownership

  • Write Attributes

  • Write Extended Attributes

When you open the Properties sheet for an NTFS file or folder, click Advanced on the Security tab, and then click Edit, the Advanced Security Settings For Data dialog box appears, as shown in Figure 3. This dialog box is the closest you can come to working directly with the ACEs in the file or folder’s ACL.

Figure 3. The Advanced Security Settings For Data dialog box for an NTFS file or folder.

In this interface, you can see each of the ACEs that apply to the file or folder you selected when opening the dialog box. For each entry, the interface displays the following information:

  • Type Specifies whether the entry contains an Allow or Deny permission. You cannot change this field on an existing entry.

  • Name Specifies the security principal that will receive the permissions. By editing an entry, you can change the security principal as needed.

  • Permission Specifies the permissions the security principal will receive. If the special permissions the entry assigns combine to form a standard permission, the name of that standard permission appears in this field. In the case of a nonstandard combination of special permissions, the word Special appears here. By editing an entry, you can change the permissions as needed.

  • Inherited from Specifies the name of the parent folder from which the entry received the specified permissions. If the entry is applied directly to the selected file or folder, then a <not inherited> indicator appears here. You cannot change this field on an existing entry.

  • Apply to Specifies whether the entry should apply the specified permissions to the selected folder only, or to specific subordinate elements in the folder. By editing an entry, you can change this field to specify virtually any combination of subordinate folders and files.

To modify an entry, you click Change permissions, select the entry, and click Edit to open a Permission Entry dialog box for the selected folder, as shown in Figure 4.

Figure 4. A Permission Entry dialog box.

In this dialog box, you can choose the special permissions you want to apply, change the security principal, and specify that you want to apply the permissions to any of the following combinations of files and folders:

  • This folder only

  • This folder, subfolders, and files

  • This folder and subfolders

  • This folder and files

  • Subfolders and files only

  • Subfolders only

  • Files only
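
The ACE fields and the seven Apply to choices described above can also be read from PowerShell. The following is an added example, not part of the original article: it maps each ACE's inheritance and propagation flags to the Apply to wording of the dialog box. The function names Get-ApplyTo and Get-AceReport, the sample ACL, and the C:\Data path are made up for illustration; the Inherited column shows only whether an ACE is inherited, not the parent folder it came from.

```powershell
# Added example (not from the original article). Runs on Windows PowerShell 2.0+.
$ContainerInherit = [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$ObjectInherit    = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$InheritOnly      = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Keys are "ContainerInherit,ObjectInherit,InheritOnly" written as 0 or 1.
$ApplyToText = @{
    '0,0,0' = 'This folder only'
    '1,1,0' = 'This folder, subfolders, and files'
    '1,0,0' = 'This folder and subfolders'
    '0,1,0' = 'This folder and files'
    '1,1,1' = 'Subfolders and files only'
    '1,0,1' = 'Subfolders only'
    '0,1,1' = 'Files only'
}

function Get-ApplyTo {
    # Translate one ACE's flags into the dialog box's "Apply to" wording.
    param($Inheritance, $Propagation)
    $c = [int](([int]$Inheritance -band $ContainerInherit) -ne 0)
    $o = [int](([int]$Inheritance -band $ObjectInherit) -ne 0)
    $i = [int](([int]$Propagation -band $InheritOnly) -ne 0)
    $text = $ApplyToText["$c,$o,$i"]
    if ($text) { $text } else { 'Unrecognized flag combination' }
}

function Get-AceReport {
    # One row per ACE in the DACL, explicit and inherited entries alike.
    param([System.Security.AccessControl.FileSystemSecurity] $Acl)
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        New-Object PSObject -Property @{
            Type       = $ace.AccessControlType
            Name       = $ace.IdentityReference.Value
            Permission = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            ApplyTo    = (Get-ApplyTo $ace.InheritanceFlags $ace.PropagationFlags)
        } | Select-Object Type, Name, Permission, Inherited, ApplyTo
    }
}

# Constructed sample ACL, built in memory so that nothing on disk changes.
# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-545 is BUILTIN\Users.
$demo = New-Object System.Security.AccessControl.DirectorySecurity
$sample = @(
    @('S-1-5-32-544', 'FullControl',    'ContainerInherit,ObjectInherit', 'None',        'Allow'),
    @('S-1-5-32-545', 'ReadAndExecute', 'ContainerInherit',               'InheritOnly', 'Allow'),
    @('S-1-5-32-545', 'Write',          'None',                           'None',        'Deny')
)
foreach ($s in $sample) {
    $s[0] = New-Object System.Security.Principal.SecurityIdentifier $s[0]
    $demo.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $s))
}
Get-AceReport $demo | Format-Table -AutoSize
# Real folder (hypothetical path): Get-AceReport (Get-Acl -Path 'C:\Data') | Format-Table -AutoSize
```

For the sample ACL, the three rows report "This folder, subfolders, and files", "Subfolders only", and "This folder only" in the ApplyTo column.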
