Presentation Transcript
Windows Vista Inside Out
Chapter 29 - Controlling Access to Files and Folders
Last modified 11-27-07
Editions
NTFS Permissions are the same in all editions of Windows Vista
Although Windows XP Home Edition concealed NTFS permissions, no version of Vista does that
Sharing Wizard
Right-click a folder or file, select Share
Select Reader, Contributor, or Co-Owner
The simplest way to share files and folders
Changes to NTFS Permissions in Windows Vista
The owner of an object no longer implicitly has full control access
NOTE: This seems to be the same in Win XP in my tests
OWNER RIGHTS is a new security identifier
Vanishes when an object's owner changes—when you give or take ownership
Changes to NTFS Permissions in Windows Vista
You may have to respond to a User Account Control (UAC) prompt to edit permissions
Operating system files are owned by TrustedInstaller
In previous versions of Windows, the Administrators group owned them
Changes to Default NTFS Permissions
Controlling Access with NTFS Permissions
With NTFS permissions, you can:
Control access to any file or folder on any NTFS-formatted volume
Allow different types of access for different users or groups
Applying Advanced Security Settings
Right-click file or folder
Properties
Security tab
This is the Access Control List
Editing Permissions
Click Edit in an object's Properties to change permissions
This click is new in Vista
Discretionary Access Control
In Windows Vista, the owner of a file or folder (typically the person who creates the file) has the right to allow or deny access to that resource
In addition, members of the Administrators group and other authorized users can grant or deny permissions
Demonstration of Ownership
Create a folder, so you are the owner
Remove all permissions except yourself
Deny yourself all access
You cannot open the folder, but you can still change the permissions because you are the owner
Be careful with the Deny box
Deny permissions take precedence over Allow permissions
It's safer to just Allow, or not Allow, permissions
There is an exception to this rule, in which an Allow can take precedence over a Deny (see link Ch 29c)
Permissions
Permissions: Basic Principles
Start from the top and work down
Organize shared data files into common locations
Use groups whenever possible
Steer clear of Special permissions
Grant only the level of access that users require
If You Can't Change Permissions
The Security tab is not visible
Drive is FAT, not NTFS
Permission settings are unavailable
You are not logged on as an Administrator or the object's owner
Or the selected object is inheriting its permissions from a parent folder
Built-in Users (Special Identities)
Everyone
Doesn't include Anonymous logons
Creator Owner and Creator Group
Identifies the creator of the file or folder
Owner Rights
Identifies the current owner of the file or folder
Authenticated User
Any user who logs on with a name and password except Guest
Built-in Users (Special Identities)
Interactive
A user logged on locally, including users accessing the machine with Remote Desktop
Anonymous Logon
Network logons without credentials, such as connections to a Web server
Dialup
A user accessing the computer with a dial-up connection
Network
A user logged on over the network
Special Identities Example
Shared data folder
Users - Read & Execute
Users - Write
Creator Owner - Full Control
Users can create and manage their own files and folders
Users can't delete objects created by other users
Reserved Special Identities
Reserved for software and system processes
Never used by human users
Batch
Service
Local Service
Network Service
TrustedInstaller
Never adjust these permissions
C: Drive Permissions
Windows Vista applies specific permissions to these locations
C:\ (or the root of the system drive)
C:\Windows
C:\System32
C:\Users
Subfolders of those locations
Don't change those permissions
Applying Permissions to Subfolders Through Inheritance
Files and subfolders inherit permissions from a parent folder
Right-click the folder icon, Properties, Security tab, Advanced button
Applying Permissions to Subfolders Through Inheritance
To block inheritance
Click Edit
Uncheck "Include Inheritable Permissions From This Object’s Parent"
Choose Copy or Remove
Testing the Effect of Permissions
File and folder permissions can come from a variety of settings
It’s difficult to figure out exactly what each user can and can’t do
Effective Permissions combine all the NTFS permissions assigned to an individual user account and to all of the groups to which that user belongs
Effective Permissions Example
Thus, if Sue has Read & Execute permission
And is also a member of a group that has been assigned Write permissions
She has both Read & Execute and Write permissions for the folder
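Both rules in these slides, Allow entries adding up across a user and her groups and Deny taking precedence over Allow, follow from the order in which Windows walks the access control list. The PowerShell model below is an added example, not part of the original slides; the Sue account, the Editors group and every ACE are constructed, and the third case shows the commonly documented exception in which an explicit Allow is evaluated before a Deny inherited from a parent.

```powershell
# Simplified model of DACL evaluation. All accounts and ACEs are constructed for illustration.
$Read = 1; $Execute = 2; $Write = 4
$RX = $Read -bor $Execute

function New-Ace($Type, $Trustee, $Mask, [bool]$Inherited) {
    [pscustomobject]@{ Type = $Type; Trustee = $Trustee; Mask = $Mask; Inherited = $Inherited }
}

# Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
function Get-CanonicalOrder([object[]]$Aces) {
    $Aces | Sort-Object { [int]$_.Inherited }, { [int]($_.Type -ne 'Deny') }
}

function Test-Access([object[]]$Dacl, [string[]]$Token, [int]$Desired) {
    $remaining = $Desired
    foreach ($ace in $Dacl) {
        if ($Token -notcontains $ace.Trustee) { continue }    # ACE is for someone else
        if ($ace.Type -eq 'Deny') {
            if ($ace.Mask -band $remaining) { return $false } # Deny hits a right still needed
        } else {
            $remaining = $remaining -band (-bnot $ace.Mask)   # Allow grants some rights
        }
        if ($remaining -eq 0) { return $true }                # everything requested is granted
    }
    return $false                                             # never granted = implicitly denied
}

$sue = 'Sue', 'Editors'    # Sue's token: her own account plus the group she belongs to

# 1. Sue has Read & Execute, her group has Write: the Allow entries are combined.
$dacl = Get-CanonicalOrder @((New-Ace Allow Sue $RX $false), (New-Ace Allow Editors $Write $false))
"1. RX and Write together: $(Test-Access $dacl $sue ($RX -bor $Write))"

# 2. Explicit Deny for Sue next to an explicit Allow for her group: the Deny is evaluated first.
$dacl = Get-CanonicalOrder @((New-Ace Allow Editors $Write $false), (New-Ace Deny Sue $Write $false))
"2. Write, explicit Deny:  $(Test-Access $dacl $sue $Write)"

# 3. Same Deny, but inherited from a parent: the explicit Allow is evaluated before it.
$dacl = Get-CanonicalOrder @((New-Ace Deny Sue $Write $true), (New-Ace Allow Editors $Write $false))
"3. Write, inherited Deny: $(Test-Access $dacl $sue $Write)"
```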
Effective Permissions
Right-click file or folder, Properties
Security tab, Advanced, Effective Permissions tab
Effective Permissions is Not Perfect
The effective permissions calculation does not include
Anonymous Logon
Authenticated Users group
Settings granted because a user is the Creator Owner of an object
Does not consider whether you’re logging on interactively or over a network
Don’t trust it too far
Using Special Permissions
Click Advanced on the Security tab, click Edit, select a user or group name, click Edit
Special Permissions
Leave Special Permissions Alone
The basic permissions like Full Control, Modify, etc. are almost always complex enough for any purpose
Don't adjust the special permissions unless you are doing something esoteric
Setting Permissions from a Command Prompt
ICACLS displays and sets permissions
Permission settings: F for Full Control, M for Modify, R for Read, etc.
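An added example (not from the original slides) that runs ICACLS from PowerShell to build the shared data folder described in the Special Identities Example slide and then blocks inheritance on it. The folder path and the Administrators entry are assumptions made for the demonstration.

```powershell
# Assumed demonstration path; change it to the folder you want to share.
$share = 'C:\Demo\SharedData'
New-Item -ItemType Directory -Path $share -Force | Out-Null

# Well-known SIDs, written with a leading *, work regardless of the display language.
$admins       = '*S-1-5-32-544'   # BUILTIN\Administrators (added here so admins keep access)
$users        = '*S-1-5-32-545'   # BUILTIN\Users
$creatorOwner = '*S-1-3-0'        # CREATOR OWNER

# Permission letters: F = Full Control, M = Modify, RX = Read & Execute, R = Read, W = Write.
# (OI)(CI) = inherited by files and subfolders; (IO) = inherit only, not applied to this folder.
# /grant:r replaces any explicit entry the account already has instead of adding to it.
icacls $share /grant:r "${admins}:(OI)(CI)F"
icacls $share /grant:r "${users}:(OI)(CI)(RX,W)"
icacls $share /grant:r "${creatorOwner}:(OI)(CI)(IO)F"

# Block inheritance from the parent folder.
#   /inheritance:r  corresponds to "Remove" in the dialog (inherited entries are dropped)
#   /inheritance:d  corresponds to "Copy" (inherited entries become explicit ones)
icacls $share /inheritance:r

# Display the resulting access control list and the current owner.
icacls $share
(Get-Acl $share).Owner
```

Users receive Read & Execute and Write but no Delete right, so only the Full Control entry that CREATOR OWNER stamps onto each new object lets its creator manage or remove it.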
Taking or Assigning Ownership of Files and Folders
When you create a file or folder on an NTFS drive, you become its owner
Owner can allow or deny permissions
Any member of the Administrators group can take or give ownership of any file or folder
How to Take or Assign Ownership of Files and Folders
Right-click, Properties
Security tab, Advanced
Owner tab, Edit
Copying Files: Destination Folder Determines Permissions
When you copy a file or folder to an NTFS drive
The newly created folder or file takes on the permissions of the destination folder, and the original object retains its permissions
This is true regardless of whether the destination is on the same NTFS drive as the original file or on a separate NTFS drive
Moving Files
Moving Files to Another NTFS Drive: Destination Folder Determines Permissions
Moving Files to another folder on the same NTFS drive: The moved file retains its original permissions
This is because the file is not actually moved, only a pointer to it is changed
Demonstration
Make a folder, assign Deny Full Control to Network
Create two files in that folder: Inherited.txt and Explicit.txt
Break inheritance on Explicit.txt, Copy permissions
Move both files to a new folder
Only Explicit.txt keeps its old permissions
Going from NTFS to FAT
When you copy or move a file or folder from a FAT32 drive to an NTFS drive
The newly created folder or file picks up the permissions of the destination folder
When you copy or move a file or folder from an NTFS drive to a FAT32 drive
The moved or copied folder or file in the new destination loses all NTFS permissions
Because the FAT32 file system is incapable of storing these details