TOGGIT - IN SEARCH OF CERTIFICATION

Test 070-290 - Managing and Maintaining a Microsoft Windows Server 2003 Environment

Managing and Maintaining a
Microsoft Windows Server 2003 Environment

Microsoft Exam 70-290


 

Controlling Access to Network Resources

Windows Server 2003 allows you to control who has access to network resources through permissions that are stored in an Access Control List.

Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been granted access to the file or folder, as well as the type of access that they have been granted. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested for the user to gain access. If the access control entry does not exist or the entry does not match the type of access the user requests, the user will not be granted access to the resource.

NTFS Permissions

Folder Permissions

You can control the access that users have to folders, and to the files and subfolders contained within them, by assigning folder permissions to users and user groups.

Note: You require the NTFS file system to use NTFS File and Folder permissions.

There are six permissions that you can assign to users and user groups:

• Read - Allows the user to see files and subfolders in the folder and view folder ownership, permissions, and attributes.

• Write - Allows the user to create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions.

• List Folder Contents - Allows the user to see the names of files and subfolders in the folder.

• Read & Execute - Allows the user to browse through folders to reach other files and folders, even if the user does not have permission for those folders. It also allows the user to perform actions permitted by the Read permission and the List Folder Contents permission.

• Modify - Allows the user to delete the folder and perform actions permitted by the Write permission and the Read & Execute permission.

• Full Control - Allows the user to change permissions, take ownership, and delete subfolders and files. It also allows the user to perform actions permitted by all other NTFS folder permissions.

• Deny - Denies a user account or group all access to a folder and denies the Full Control permission.

Note: Administrators, owners of files or folders, and users with Full Control permissions can assign NTFS permissions to other users and groups.

NTFS File Permissions

You can control the access that users have to files by assigning file permissions to the users. The NTFS file permissions that you can assign are:

• Read - Allows the user to read the file, and view file attributes, ownership, and permissions.

• Write - Allows the user to overwrite the file, change file attributes, and view file ownership and permissions.

• Read & Execute - Allows the user to run applications. Also allows the user to perform the actions permitted by the Read permission.

• Modify - Allows the user to modify and delete the file. It also allows the user to perform the actions permitted by the Write permission and the Read & Execute permission.

• Full Control - Allows the user to change permissions and take ownership of the file. It also allows the user to perform the actions permitted by all the other NTFS file permissions.

Note: NTFS file permissions take priority over NTFS folder permissions. A user or user group with access to a file will be able to gain access to the file even if he or she does not have access to the folder containing the file. A user can gain access to the files for which he or she has permissions by using the full universal naming convention (UNC) or local path to open the file from its respective application, even though the folder in which it resides will be invisible if the user has no corresponding folder permission. Without permission to access the folder, you will not see the folder, so you will not be able to browse for the file you want to access.

Multiple NTFS Permissions

You can assign multiple permissions to a user account and to each group that the user is a member of. The user can thus be granted multiple permissions on the basis of the user’s group membership.

Note: The Deny permission overrides all other file and folder permissions that the user may have been granted through other groups. This can effectively prevent a particular user from accessing a file or folder without having to remove the user from the group.

Cumulative Permissions

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder.

The Deny Permission

Denying a permission overrides all instances where that permission is allowed. Even if a user has permission to gain access to the file or folder as a member of a group, denying permission to the user blocks any other permission that the user might have.

NTFS Permissions Inheritance

By default, permissions that are assigned to a parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. This is indicated on the Security tab in the Properties dialog box by a check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. You can, however, prevent permissions inheritance. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check box, you are prompted to select one of the options below.

Note: The folder for which you prevent permissions inheritance becomes the new parent folder, and permissions that are assigned to this folder will be inherited by the subfolders and files that are contained within it.

Copy - Copy the permissions from the parent folder to the current folder and then deny subsequent permissions inheritance from the parent folder.

Remove - Remove the permissions that are inherited from the parent folder and retain only the permissions that you explicitly assign to the file or folder.

Cancel - Cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

Assigning Special Access Permissions

The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, sometimes the standard NTFS permissions do not provide the specific level of access that you might want to assign to users. To create a specific level of access, you can assign NTFS special access permissions.

There are fourteen special access permissions. Two of them are particularly useful for controlling access to resources: Change Permissions and Take Ownership.

Changing Permissions

You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user cannot delete or write to the file or folder but can assign permissions to the file or folder. To give administrators the ability to change permissions, assign Change Permissions to the Administrators group for the file or folder.

Taking Ownership

You can transfer ownership of files and folders from one user account or group to another user account or group. You can give someone the ability to take ownership of a file or folder. As an administrator, you can also take ownership of a file or folder.

Certain rules apply to taking ownership of a file or folder. These are:

• The owner of the file or folder, or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership.

• An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

• For example, if an employee leaves the company, an administrator can take ownership of the employee's files, assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.

The user or a group member with Take Ownership permission must explicitly take ownership of the file or folder.

Copying and Moving Files and Folders

When you copy files or folders from one folder to another folder, or from one volume to another volume, permissions change.

When you copy a file within a single NTFS volume or between NTFS volumes:

• Windows Server 2003 treats it as a new file. As a new file, it takes on the permissions of the destination folder.

• You must have Write permission for the destination folder to copy files and folders.

• You become the CREATOR OWNER.

Note: When you copy or move files or folders to FAT volumes or to a floppy disk, the folders and files lose their NTFS permissions because FAT volumes and floppy disks do not support NTFS permissions.

When you move a file or folder within a single NTFS volume:

• The file or folder retains the original permissions.

• You must have the Write permission for the destination folder to move files and folders into it.

• You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows Server 2003 deletes the file or folder from the source folder after it is copied to the destination folder.

• The owner of the file or folder does not change.

When you move a file or folder between NTFS volumes:

• The file or folder inherits the permissions of the destination folder.

• You must have the Write permission for the destination folder to move files and folders into it.

• You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows Server 2003 deletes the file or folder from the source folder after it is copied to the destination folder.

• You become the CREATOR OWNER.

Troubleshooting NTFS Permission Problems

When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users.

Problem: A user cannot gain access to a file or folder.

Solution: If the file or folder was copied, or if it was moved to another NTFS volume, the permissions might have changed. Check the permissions that are assigned to the user account and to groups of which the user is a member. The user might not have permission or might be denied access either individually or as a member of a group.

Problem: You add a user account to a group to give that user access to a file or folder, but the user still cannot gain access.

Solution: For access permissions to be updated to include the new group to which you have added the user account, the user must either log off and then log on again, or close all network connections to the computer on which the file or folder resides and then make new connections.

Problem: A user with Full Control permission to a folder deletes a file in the folder, although that user does not have permission to delete the file itself. You want to stop the user from being able to delete more files.

Solution: You have to clear the special access permission—the Delete Subfolders And Files check box—on the folder to prevent users with Full Control of the folder from being able to delete files in the folder.
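
The cumulative and Deny rules described earlier, together with the second troubleshooting case above (a group change takes effect only after a new logon), as an added Python example that is not part of the original page. It is a simplified model: the user and group names are constructed, permissions are compared by name rather than by Windows access-mask bits, and the ordering of explicit versus inherited entries is ignored.

```python
# Added example: a simplified model of the rules described on this page.
# Folder permissions and what each one includes, per the NTFS list above.
INCLUDES = {
    "Read": {"Read"},
    "Write": {"Write"},
    "List Folder Contents": {"List Folder Contents"},
    "Read & Execute": {"Read & Execute", "Read", "List Folder Contents"},
}
INCLUDES["Modify"] = {"Modify"} | INCLUDES["Write"] | INCLUDES["Read & Execute"]
INCLUDES["Full Control"] = {"Full Control"}.union(*INCLUDES.values())


def expand(perms):
    """Expand permission names into everything they include."""
    return set().union(*(INCLUDES[p] for p in perms))


def logon_token(user, groups):
    """Identities fixed at logon: the user plus every group containing the user."""
    return frozenset({user} | {g for g, members in groups.items() if user in members})


def effective(acl, token):
    """acl is a list of ACEs: (trustee, "Allow" or "Deny", [permissions]).
    Allows for the user and all groups add up; any matching Deny wins."""
    allowed, denied = set(), set()
    for trustee, kind, perms in acl:
        if trustee in token:  # ACEs for other trustees are ignored
            (allowed if kind == "Allow" else denied).update(expand(perms))
    held = allowed - denied
    # Report only permissions whose whole content survived the Deny entries.
    return {p for p, parts in INCLUDES.items() if parts <= held}


# Constructed sample data (hypothetical names, not from the original page).
ACL = [
    ("alice", "Allow", ["Read"]),
    ("Sales", "Allow", ["Write"]),
    ("Managers", "Allow", ["Modify"]),
    ("Contractors", "Deny", ["Write"]),
]
GROUPS = {"Sales": {"alice", "bob"}, "Managers": set(), "Contractors": {"bob"}}

if __name__ == "__main__":
    print("alice:", effective(ACL, logon_token("alice", GROUPS)))  # Read + Write
    print("bob:  ", effective(ACL, logon_token("bob", GROUPS)))    # Deny wins
    stale = logon_token("carol", GROUPS)       # carol logs on: no matching ACE
    GROUPS["Managers"].add("carol")            # admin adds her to Managers
    print("carol, old token:", effective(ACL, stale))
    print("carol, new logon:", effective(ACL, logon_token("carol", GROUPS)))
```

In the model, carol's old token still yields no access after she is added to Managers; only a token built at the next logon picks up the group's Modify permission.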

Shared Folder Permissions

Shared folder permissions apply to folders, not individual files. Since you can apply shared folder permissions only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.

Shared folder permissions are only applied to users who connect to the folder over the network and not to users who gain access to the folder at the computer where the folder is stored.

Shared folder permissions can secure network resources on a FAT or FAT32 volume, on which you cannot implement NTFS permissions.

The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

Share Permissions:

Read - Display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder.

Change - Create folders, add files to folders, change data in files, append data to files, change file attributes, and delete folders and files. It also allows the user to perform actions permitted by the Read permission.

Full Control - Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

You can also allow or deny shared folder permissions. Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow.

Note: Multiple Shared Folder Permissions Combine: A user's effective permissions for a resource are the sum of the Shared Folder permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Change permission for the same folder, the user has both Read and Change permissions for that folder.

Denying Shared Folder Permissions Overrides Other Permissions:
Denied permissions take precedence over any permissions that you may have granted the user accounts and groups. If you deny a shared folder permission to a user, the user will not have that permission, even if you allow the permission for a group of which the user is a member.

NTFS Permissions Are Also Required On NTFS Volumes:
Shared folder permissions can be used to grant users access to files and folders on a FAT or FAT32 volume but not on an NTFS volume. On a FAT or FAT32 volume, you can grant users access to a shared folder as well as all of the files and subfolders contained in the shared folder. To grant users access to a shared folder on an NTFS volume, you must grant them the shared folder permission and the appropriate NTFS permissions for each file and folder that you want them to gain access to.

Copied or Moved Shared Folders Are Not Shared:
When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.

Combining Shared Folder Permissions and NTFS Permissions

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network. Therefore, a strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

 

 


All information on this site is copyright ToggIT.com unless otherwise specified. Material submitted or posted on this site may also contain materials that are copyrights of individual contributors. It is illegal to copy, publish, reproduce, or distribute any materials from this site without the express permission of the owner of this material.

The material on this web site is not sponsored by, endorsed by or affiliated with Microsoft, Inc., CompTIA, or Cisco Systems, Inc. Microsoft, Inc.®, Windows XP, Windows 2000, Windows 2000 Server, Windows 98, Windows NT, Visual Basic, Visual C++, Visual FoxPro, SQL Server and Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. A+, Server+, and Network+ are all registered trademarks of CompTIA. CCNA, CCNE, and the Cisco logo are all registered trademarks of Cisco Systems. All other trademarks are trademarks of their respective owners.
