The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a
Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing. Click to
check out the complete book
excerpt series or go straight to the practice
exam if you think you're ready to be tested.
Designing a permission structure for files and folders
Although your users might all share the same physical volumes to store their data, they still have the expectation that the files and folders are secure. You provide this security using the file systems built in to Windows Server 2003. You can control two types of permissions -- shares and NTFS. You need to be familiar with both types, and you need to understand how to combine the two types for expected effective permissions.
As mentioned previously, a user can obtain permissions for an object based on groups of which he is a member. Windows Server 2003 includes a new tool to assist you in determining effective permissions when a user has NTFS permissions from multiple sources. You need to be familiar with the following in regard to permissions structure for files and folders:
- Share permissions for files and folders
- NTFS permissions for folders
- NTFS permissions for files
- Effective permissions
Share permissions allow a user to gain access to a resource through the network. If a file or folder is not shared, the only access to that file or folder would be from the local computer where the file exists. The following are levels of share permissions:
- Read: This is the default permission for any file that is shared in Windows Server 2003. With Read permissions, a user can see a file or folder and can execute the file or open the folder. A user can also right click the file or folder and view the properties, but cannot make any changes to the file or folder or to its properties.
- Change: Change permissions allow all of the permissions of Read, but the user can also change or add to the file or folder and can change the properties of the file or folder, such as the name or other attributes. In addition, the user can also delete the file or folder with Change permissions.
- Full Control: Full Control permissions allow all of the permissions of Change, and the user can take ownership of the file or folder and, thereby, assign other users permission for the file or folder.
The following are NTFS permissions for folders:
- List Folder Contents: A user with List Folder Contents permissions can view a folder and view the files and folders within the folder, but cannot change the folder or its attributes or even view the attributes of the folder. If he were to right click the file and click Properties, he would get an Access Denied message.
- Read: A user with Read permissions for the folder can view the folder, but cannot view the contents of the folder. In addition, he cannot change the folder or its properties. He can view the properties of the folder by right clicking the folder and clicking Properties.
- Read & Execute: A user with Read & Execute permissions has all of the same permissions as a user with Read permissions, and he can double click the folder and view its contents.
- Write: A user with Write permissions has all of the same permissions as the Read & Execute permissions, and he can add files or folders to the folder. Whether he can delete files or folders from the folder depends on the individual permissions of the files or folders within the folder. He cannot delete the folder itself, but he can change its properties.
- Modify: A user who has Modify permissions to a folder has all of the permissions of Write, and he can delete the folder.
- Full Control: A user who has Full Control permissions has all of the permissions of Modify, and he can take ownership of the folder and thereby assign other users permission to the folder.
The following are NTFS permissions for files:
- Read: A user who has only Read permissions for a file can view the file, but cannot change, delete or execute the file.
- Read & Execute: A user who has Read & Execute permissions can view the file and double click the file to execute it. He cannot change or delete the file.
- Write: A user who has Write permissions can view the file and execute it, and can change the file and its properties. He cannot delete the file.
- Modify: A user who has Modify permissions has all of the same permissions as Write, and he can delete the file.
- Full Control: A user who has Full Control permissions has all of the same permissions of
Modify, and he can take ownership of the file and thereby assign permissions to other users.
ALERT: In addition to the standard NTFS permissions for files and folders, you can also select Special Permission in the Advanced security properties of the file or folder. Special permissions allow you to tailor the specific actions that a user is allowed to perform on a file or folder.
If a file or folder exists on an NTFS volume and is also shared through the network, the share permissions might be different than the NTFS permissions for the file or folder. In addition, if a user has permissions to the file from membership in multiple groups, the permissions might differ by group. The effective permissions are, therefore, a combination of all of the separate permissions. You need to remember this three-step method of determining the effective permissions for a resource:
1. Combine all of the share permissions.
2. Combine all of the NTFS permissions.
3. The effective permissions are the combination that is the most restrictive.
NOTE: A combination that includes NTFS Deny permissions always overrides and results in permissions being denied. A combination that includes share Deny permissions results in permissions being denied unless the user is logging on locally to the resource, in which case the share permissions would not apply.
Windows Server 2003 contains a new tool called the Effective Permissions tool. This tool automatically combines the NTFS permissions for a resource. You only need to select the resource and then select the user on which you want to determine the effective permissions. This tool only combines the NTFS permissions and does not take share permissions into account. It is only accurate if the combined share permissions are of the same restriction or less restrictive than the share permissions. Figure 6.5 illustrates the Effective Permissions tool.
Figure 6.5: You can use the Effective Permissions tool to determine the effective NTFS permissions.
Click for the next excerpt in this series: Designing security for a backup and recovery strategy