You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network.
The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.
You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders.
Table 8.1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.
Table 8.1 NTFS Folder Permissions
You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.
You assign file permissions to control the access that users have to files. Table 8.2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.
Table 8.2 NTFS File Permissions
NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't access the resource.
You can assign multiple permissions to a user account and to each group of which the user is a member. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.
A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.
NTFS file permissions take priority over NTFS folder permissions. If you have permission for a file and also hold the Bypass Traverse Checking security permission, you can access that file even if you have no permission for the folder that contains it. To do so, you open the file from its application by its full Universal Naming Convention (UNC) or local path, because without a corresponding folder permission the folder itself is invisible to you. In other words, to reach a file in a folder you cannot access, you need both the Bypass Traverse Checking security permission and the full path to the file: since you can't see the folder, you can't browse for the file.
You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8.1).
In Figure 8.1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
The user can read and write to File1. The user can also read File2 but cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.
By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 8.2.
Whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.
You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them.
The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.
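The rules this lesson describes (an ACE must match the user or one of the user's groups, Allow entries are summed across them, a Deny overrides, and parent permissions propagate unless inheritance is blocked) are modelled in the following Python example. It is added here and is not from the original lesson; it recreates the Figure 8.1 objects (User1, Group A, Group B, FolderA, File1, File2) and adds a constructed FolderB with inheritance blocked, in the style of Figure 8.2.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    principal: str       # user account or group name
    kind: str            # "allow" or "deny"
    rights: frozenset    # standard permissions, e.g. {"Read", "Write"}


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    explicit: list = field(default_factory=list)  # ACEs assigned directly to this object
    inherit_from_parent: bool = True              # False = inheritance prevented (Figure 8.2)

    def acl(self):
        """Explicit ACEs plus ACEs propagated down the parent chain, unless blocked."""
        inherited = self.parent.acl() if (self.inherit_from_parent and self.parent) else []
        return self.explicit + inherited


def effective_rights(node, user, groups):
    """Sum Allow entries for the user and all groups; any matching Deny overrides."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in node.acl():
        if ace.principal not in principals:
            continue  # no ACE for this user or their groups: contributes nothing
        (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return frozenset(allowed - denied)


# Figure 8.1 scenario, constructed from the lesson text.
folder_a = Node("FolderA", explicit=[
    Ace("User1", "allow", frozenset({"Read"})),
    Ace("GroupB", "allow", frozenset({"Write"})),
])
file1 = Node("File1", parent=folder_a)
file2 = Node("File2", parent=folder_a,
             explicit=[Ace("GroupA", "deny", frozenset({"Write"}))])
# Constructed addition: a subfolder that prevents permissions inheritance.
folder_b = Node("FolderB", parent=folder_a, inherit_from_parent=False)


def figure_8_1():
    """Effective rights of User1 (member of Group A and Group B) on each object."""
    groups = {"GroupA", "GroupB"}
    return {n.name: effective_rights(n, "User1", groups) for n in (file1, file2, folder_b)}
```

Real NTFS also evaluates ACEs in canonical order (explicit entries before inherited ones), so an explicit Allow on a file can take precedence over a Deny inherited from its folder; this model follows the lesson's simpler rule that a Deny always wins.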
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."