All versions of Windows 7 use
the NTFS (NT File System) directory structure, including Home Basic and
Home Premium. NTFS enables you to assign control of who is permitted to
access files and folders on a per-user or per-group basis. NTFS
permissions can be used to control access for either local folders or
network shares.
Windows
XP Home Edition and Professional supported installation on disks
formatted with the FAT32 file system or the NTFS file system. Many users
of XP did use NTFS formatted disks, either by choice or because their
computer manufacturers set their computer up that way. The user-based
file permission system was in effect, but usually without the users even
knowing it—on XP Home Edition, NTFS permission settings were hidden
from the user, and on XP Professional, you had to disable Simple File
Sharing to see them.
With Windows 7, on the other hand, NTFS is mandatory for installation (and also restoration), and the security settings are available to see and modify on all versions of Windows 7. Therefore, all Windows 7 users should understand how NTFS file permissions work.
To display or modify NTFS permissions, select a file or folder in Computer or Windows Explorer, right-click it, choose Properties, and select the Security tab. You can use the NTFS Permissions dialog box to restrict access to a folder for both network and local users.
In the top part of the
Security tab is the list of users or user groups with access to the file
or folder. You can select any of the names in the list to view their
associated permissions in the bottom half of the tab.
To add users to a file’s or folder’s permissions list, follow these steps:
1. Right-click the file or folder in Explorer and choose Properties, then open the Security tab.
2. Under the Group or User Names list, click the Edit button. The Permissions dialog box opens to a new Security tab.
3. Under the Group or User Names list, click the Add button. The Select Users or Groups dialog box appears.
4. Enter the desired username(s) into the input box provided. You can check your names against the computer’s user accounts by clicking the Check Names button. Hint: Use full names like “Bob Cowart” instead of just “Bob.” Click OK.
5. With the newly added user account(s) highlighted in the Group or User Names list, select the desired permissions. You can choose to allow or deny a variety of actions for a given user or group. Click Apply and then click OK.
6. Click OK again to close the Properties dialog box.
The permission properties can each be granted or revoked individually. The permissions and their properties are listed in Table 1.
Table 1. NTFS File Permission Settings and Their Functions
Permission | Properties
---|---
Full Control | Gives all the rights listed below, plus lets the user change the file’s security and ownership settings.
Modify | Allows a user to modify a file’s contents or delete a file.
Read & Execute | Allows a user to read a file’s contents and/or run an executable file as a program.
List Folder Contents | Allows a user to view the contents of the folder.
Read | Allows a user to read a file’s contents only.
Write | Allows a user to create a new file, or write data in an existing file, but not read a file’s contents. For a folder, allows users to add new files to the folder but not view the folder’s contents.
Note that each
permission has both Allow and Deny check boxes. To get access to a given
resource, a user must be explicitly listed with Allow checked or must
belong to a listed group that has Allow checked, and must not be listed
with Deny access or belong to any group with Deny marked. Deny preempts
Allow.
All these permissions are
additive. In other words, Read and Write can both be checked to combine
the properties of both. Full Control could be marked Allow but Write
marked Deny to give all access rights except writing. (This permission
would be strange but possible.)
Tip
If you edit Permissions, before you click OK or Apply, click the Advanced button and view the Effective Permissions tab. Enter a few usernames to see that the permissions work out as you expect. If they do, only then should you click OK.
The most productive use of
NTFS file permissions is to assign most rights by group membership. One
exception is with user home directories or profile directories, to which
you usually grant access only to the Administrators group and the
individual owner.
Editing NTFS file permissions
is protected by UAC (unless you’ve disabled it). So, expect to see a lot
of prompts to Continue (if you’re an Administrator) or to provide an
Administrator password (if you’re a standard user) when you perform
these operations.
You might encounter files or folders that can’t be deleted even by the Administrator account. They don’t have the Read-Only attribute set, but Windows informs you that access is denied.
Sometimes a file or, more often, a folder is set with access controls such that even Administrator can’t access or delete it. To erase such a file or folder, take ownership of it. Give Administrator full access rights. Use the Advanced Security button to view Advanced Permissions, and check Replace Permission Entries on All Child Objects. Click OK or Apply (then click OK), and then try to delete the folder again.
Inheritance of Permissions
Normally, permissions are assigned to a folder (or drive), and all the folders and files within it inherit
the permissions of the top-level folder. This makes it possible for you
to set permissions on just one object (folder), managing possibly
hundreds of other files and folders contained within. If necessary,
explicit permissions can be set on a file or subfolder to add to or
override the inherited permissions. Permissions displayed in the
Security tab will be grayed out if they have been inherited from a
containing folder.
You can view or change the inheritance setting for a file or folder by clicking the Advanced button on the Security tab. In Figure 1, the folder has a check in Include Inheritable Permissions from This Object’s Parent.
To change
inheritance settings, click Change Permissions. You can then uncheck the
Include Inheritable Permissions from This Object’s Parent box. If you
uncheck the box, Windows gives you the option of starting with a blank
permissions list (Remove) or keeping a copy of the settings it had
before (Copy). In either case, the item now has its own independent list
of access rights, which you can edit at will.
Caution
Changing the permissions of the root folder of the drive containing Windows may make your system unusable. It’s best not to mess with the permissions of your boot (usually C:) drive.
When you change
permissions on a folder, you may want to cancel any manually added
permissions set on the files and folders it contains. Checking the
Replace All Child Object Permissions With Inheritable Permissions From
This Object option will reset the permissions on all files in this
folder and in subfolders, and will force all subfolders to inherit
permissions from this folder.
Advanced Security Settings
If
you edit access permissions in the Advanced Security Settings dialog
box, you can exercise more “fine-grained” control over permissions. It’s
rarely necessary, but for your reference, Table 2 lists the available permission settings.
Table 2. NTFS Advanced File Permission Settings and Their Functions
Permission | Properties
---|---
Traverse Folder/Execute File | For folders, this special permission allows a user the right to move through a folder to which he or she doesn’t have List Folder access, to reach a file or folder to which he or she does have access. For files, this permission allows the running of applications. (This permission is necessary only if the user wasn’t granted the Group Policy Bypass Traverse Checking.)
List Folder/Read Data | For folders, allows the user to view the names of files or subfolders inside a folder. For files, allows the user to read the data in a file.
Read Attributes | Allows the user to view the attributes of the file or folder (that is, Hidden, Read-Only, or System).
Read Extended Attributes | Allows the user to view extended attributes of files or folders as defined by another program. (These attributes vary depending on the program.)
Create Files/Write Data | For folders, allows the user to create new files inside the folder. For files, allows the user to add new data or overwrite data inside existing files.
Create Folders/Append Data | For folders, allows the user to create new subfolders. For files, allows the user to append data to the end of an existing file. This permission does not pertain to deleting or overwriting existing data.
Write Attributes | Allows the user to change the attributes of the file or folder.
Write Extended Attributes | Allows the user to change the extended attributes of a file or folder.
Delete Subfolders and Files | For a folder, allows the user to delete subfolders and their contents. This permission applies even if the Delete permission has not been expressly granted on the individual subfolders or their files.
Delete | Allows or denies the user the ability to delete the file. Even if Delete is denied, a user can still delete a file if he or she has Delete Subfolders and Files permission on the parent folder.
Read Permissions | Allows the user to view the permissions assigned to a file or folder.
Change Permissions | Allows the user to change the file’s or folder’s permissions.
Take Ownership | Allows the user to take ownership of a file or folder.
Viewing Effective Permissions
The
Effective Permissions tab of the Advanced Security Settings dialog box
lets you enter a username and see what privileges the user will have as a
result of the current security settings on the file or folder, as shown
in Figure 2.
This dialog box displays the effective permissions as edited, before they are applied to the file or folder. This lets you verify that the permissions you have set operate as desired before committing them to the file by clicking OK or Apply.
Access Auditing
The Advanced
Security Settings dialog box provides a way for you (if you are an
Administrator) to monitor access to files and folders through the Event
Log. The Auditing tab lets you specify users and access types to
monitor, and decide whether to record log entries for successful access,
failure to access, or both. Auditing can be set for the use of each
access attribute that you can set with Permissions: List Folder, Write
Data, and so on.
Auditing is useful in several situations:
To determine what files and folders an errant application program is attempting to use
To monitor users for attempts to circumvent security
To keep a record of access to important documents
To
enable auditing, locate the folder or file you want to monitor, view
the Security tab of its Properties dialog box, click Advanced, view the
Auditing tab, click Continue, and click Add. On the Object tab of the
Auditing Entry dialog box, select a specific user or group (or
Everyone), click OK, and check the desired events to audit from the
Access options, and click OK again. You can prevent a new audit setting
from propagating into subfolders by checking Apply These Auditing
Entries to Objects and/or Containers Within This Container Only. You can
enable the resetting of audit properties of all subfolders and files by
checking Replace All Existing Inheritable Auditing Entries on
All Descendants With Inheritable Auditing Entries From This Object on
the Auditing tab of the Advanced Security Settings dialog box.
An entry is made in
the Security Event log for each audited access, so be careful if you
are enabling auditing on the entire hard drive!
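The auditing setup described above can also be scripted. The following is an added example, not part of the original text; it assumes an elevated PowerShell prompt on an English-language system, and the folder path is hypothetical.

```powershell
# Added example; run from an elevated PowerShell prompt.
$path = 'C:\Shared\Payroll'          # hypothetical folder to monitor

# Audit entries on a folder only produce events when object-access
# auditing is enabled in the local audit policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Audit writes, deletes, and permission or ownership changes by anyone,
# on this folder and (through inheritance) on everything beneath it.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'WriteData, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')

$acl = Get-Acl -Path $path -Audit    # -Audit also loads the auditing entries
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm what is now audited.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, AuditFlags, FileSystemRights, IsInherited -AutoSize

# Review recent events in the Security log:
#   4656 = a handle to an object was requested (includes denied requests)
#   4663 = an access to an object was actually performed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

Limiting the rule to a few access types on one folder keeps the Security log manageable, which is the concern raised above about auditing an entire drive.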
Taking Ownership of Files
Sometimes files or
folders have security attributes set so stringently that even
Administrator can’t read or modify them. Usually this occurs when the
file has permissions set only for its owner and not the usual list:
Owner, Administrator, System. This can occur when a user account is
deleted. It can also happen when you have reinstalled Windows or are
using a disk drive taken from another Windows computer. Whatever the
cause, the symptom is that even an Administrator user is not able to
access the files in some folder. If you absolutely need to access such
files, you can take ownership of the file or folder, and then assign
permissions to read and write as appropriate. To take ownership of a
file or folder:
1. Log on as Administrator.
2. Right-click the file or folder in Explorer and choose Properties.
3. View the Security tab and click Advanced.
4. View the Owner tab, and click Edit.
5. Select Administrator (the user) or Administrators (the group) from the list. You may want to check the Replace Owner on Subcontainers and Objects box to change subfolders as well.
6. Click OK.
7. Add privileges as necessary to grant access to the desired user(s).
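A command-line equivalent of these steps, which also covers the earlier "access is denied" fix for folders that cannot be deleted. This is an added example, not part of the original text; the target path is hypothetical and the commands assume an elevated PowerShell prompt on an English-language system.

```powershell
# Added example; run from an elevated PowerShell prompt.
$target = 'D:\OldProfile\Documents'   # hypothetical folder that denies access

# Show the current owner. This can itself fail with "access denied",
# which is the symptom described above.
try   { (Get-Acl -Path $target -ErrorAction Stop).Owner }
catch { "Cannot read owner: $($_.Exception.Message)" }

# Steps 4-6: make the Administrators group the owner.
#   /A    assign ownership to the Administrators group, not the current user
#   /R    recurse, like "Replace Owner on Subcontainers and Objects"
#   /D Y  answer Yes when prompted for folders that cannot be listed
takeown /F $target /A /R /D Y

# Step 7: ownership by itself does not grant read or write access,
# so add an explicit Full Control entry that children inherit.
icacls $target /grant "Administrators:(OI)(CI)F" /T /C

# Equivalent of "Replace Permission Entries on All Child Objects":
# children drop their own entries and inherit from $target again.
if (Get-ChildItem -Path $target -Force) { icacls "$target\*" /reset /T /C }

# Confirm the new owner and the resulting permission entries.
(Get-Acl -Path $target).Owner
icacls $target
```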
Assigning Permissions to Groups
It’s common in an
office environment to want shared folders that are accessible by some
users and not by others. For instance, you may wish to put payroll
information in a shared folder and grant access only to certain
administrative employees. In a school environment, you might want some
folders that are accessible only by teachers, and others accessible only
by members of a particular class. At home, you might want to prevent
the children from getting access to the parent’s folder. The best
practice in this case is to create local user groups,
which are collections of users that can be given privileges that carry
over to the group’s members. You can add the group and assign
permissions for specific folders and files without having to list each
of the qualified users separately. Another
benefit is that you can add and remove users from the group later on
without having to modify the settings of the various folders.
Note
You cannot create local user groups with Windows Home Basic, Home Premium (or Starter Edition) using the Local Users and Groups tool. If you’re a hard-core Windows hacker, you can use the command-line technique explained in the tip at the end of this section. This applies equally to Windows 7 and Windows Vista computers.
To create local user groups, follow these steps:
1. Right-click Computer, click Manage, and open Local Users and Groups; or, on a domain computer, click the Advanced button on the Advanced tab of the User Accounts Control Panel applet.
2. Right-click the Groups entry in the left pane and select New Group.
3. Enter a name for the new group, such as Accounting.
4. Click Add and select users to add to the group.
5. Click Create, and then click Close.
To grant the group permissions to specific folders:
1. Right-click the folder or file in Windows Explorer and select Security.
2. On the Security tab, click Edit, and then click Add.
3. Select the group name (on a domain computer you may select domain groups or local groups by selecting Location and choosing a domain name or the local computer name).
4. Click OK, and then check the appropriate permissions for the group to have under Permissions.
Tip
On Windows 7 Home versions, if you’re willing to work with the command-line interface, you can create local groups. Open a Command Prompt window and type the command net localgroup groupname /add, but in place of groupname type the name of the group you’d like to create. Then, to add a user to the group, type the command net localgroup groupname username /add and again, in place of groupname, type the name of the group you created, and in place of username, type the name of a user on your computer. Repeat this command as necessary to add other users. The same command with /delete at the end instead of /add removes a user from the group.
5. If Everyone or other groups are listed as having rights to this folder, you may want to select the group(s) and uncheck any undesired privileges. If the entry is grayed out, the privileges are inherited from a containing folder. In this case, when you’re finished applying group permissions for this folder go back to the Folder Permissions dialog box and select Advanced, select the desired group, click the Change Permissions button, uncheck Include Inheritable Permissions From This Object’s Parent, and click Remove. Click Apply, then click OK. After that, you can remove the permission entries you don’t want.
6. Important: Before you click OK to commit the changes, use the Effective Permissions tab in the Advanced Security Settings dialog box to check the effective rights of a few different users to be sure that the rights are what you intend. Be sure that Administrator has at least taken ownership privileges.
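The group setup and folder lockdown above, scripted with net localgroup and icacls. This is an added example, not part of the original text; the folder path and user names are hypothetical, Accounting is the sample group name from the steps, and the commands assume an elevated PowerShell prompt on an English-language system.

```powershell
# Added example; run from an elevated PowerShell prompt.
$folder = 'C:\Shared\Payroll'        # hypothetical folder
$group  = 'Accounting'               # sample group name from the steps above
$users  = 'alice', 'bob'             # hypothetical local accounts

# Create the local group and add its members (works on Home editions too).
net localgroup $group /add
foreach ($u in $users) { net localgroup $group $u /add }

if (-not (Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# Add the explicit entries first, so the folder is never left with an
# empty permission list. (OI)(CI) lets files and subfolders inherit them.
# F = Full Control, M = Modify.
icacls $folder /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "${group}:(OI)(CI)M"

# Same as unchecking "Include Inheritable Permissions From This Object's
# Parent" and clicking Remove: inherited entries such as Users or Everyone
# are dropped. Use /inheritance:d to keep them as explicit copies instead.
icacls $folder /inheritance:r

# Same as "Replace All Child Object Permissions...": anything already in
# the folder goes back to inheriting from $folder only.
if (Get-ChildItem -Path $folder -Force) { icacls "$folder\*" /reset /T /C }

# Review the result before relying on it.
icacls $folder
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Members added to the group later pick up access at their next logon, with no change to the folder.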
A user in the Users local group has access to an object that the Users local group is not assigned permissions for.
Check to see whether the user belongs to any other groups that have been assigned permissions. Remember that permissions accumulate through groups. If necessary, you can remove groups from those listed as having access to the file, or you can list specific users and/or groups and check the Deny boxes to remove access rights.
Securing Your Printers
If you have a
printer that uses expensive paper or ink, and are concerned that guests,
kids, or unauthorized persons might use your printer, you should know
that printers can be secured in the same way that access is controlled
for files and folders: through user and group privileges. In the case of
printers, the privileges allow users to add jobs to the printer, delete
other people’s jobs, and so on.
On a domain network,
the network manager usually takes care of this. And on a workgroup it’s
generally not important to restrict access to printers. If you are using
Simple File Sharing, it’s not even possible to set up specific printer
access privileges.
If
you decide to, however, you can set printer access permissions by
right-clicking a printer in your Printers folder and selecting
Properties. The Security tab resembles the Security tab for files and
folders, and can be modified in the same way.