1. Understanding and Using Basic Permissions
In Windows 8, the owner of a file or a folder has the right to allow
or deny access to that resource, as do members of the Administrators
group and other authorized users. By allowing a permission, you grant
that permission to a user or a group. By denying a permission, you deny
that permission to a user or a group. Keep in mind that entries that
deny permissions take precedence over entries that allow permissions. As a result, if a
user is a member of two groups, and one group is allowed a permission
and the other is denied that permission, the user is denied that
permission.
Using File Explorer, you can view the currently assigned basic
permissions by pressing and holding or right-clicking a file or a
folder, tapping or clicking Properties, and then tapping or clicking
the Security tab in the Properties dialog box.
As shown in Figure 1,
the Group Or User Names list shows the users and groups with
permissions set for the selected resource. If you select a user or a
group, the assigned permissions are shown in the Permissions For list.
If permissions are shaded (unavailable), it means they have been
inherited from a parent folder.
Working with and Setting Basic Permissions
All permissions are stored in the file system as part of the access
control list (ACL) assigned to a file or a folder. As described in Table 1,
six basic permissions are used with folders, and five are also used
with files. Although some permissions are inherited based on
permissions of a parent folder, all permissions are defined explicitly
at some level of the file system hierarchy. Permissions are listed in
this table in approximate order of their scope, from Full Control,
which grants the most permissions, to Read and Write, which grant
specific permissions.
Table 1. Basic File and Folder Permissions
| PERMISSION | DESCRIPTION |
|---|---|
| Full Control | Grants the user or group full control over the selected file or folder and permits reading, writing, changing, and deleting files and subfolders. A user with Full Control permission for a file or folder can change permissions, delete files in the folder regardless of the permission on the files, and also take ownership of a folder or a file. Selecting this permission selects all the other permissions as well. |
| Modify | Allows the user or group to read, write, change, and delete files. A user with Modify permission can also create files and subfolders, but the user cannot take ownership of files. Selecting this permission selects all the permissions below it. |
| Read & Execute | Permits viewing and listing files and subfolders as well as executing files. If applied to a folder, this permission is inherited by all files and subfolders within the folder. Selecting this permission selects the List Folder Contents and Read permissions as well. |
| List Folder Contents (folders only) | Similar to the Read & Execute permission, but available only for folders. Permits viewing and listing files and subfolders, as well as executing files. Unlike Read & Execute, this permission is inherited by subfolders, but not by files within the folder or subfolders. |
| Read | Allows the user or group to view and list the contents of a folder. A user with this permission can view file attributes, read permissions, and synchronize files. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. |
| Write | Allows the user or group to create new files and write data to existing files. A user with this permission can also view file attributes, read permissions, and synchronize files. Giving a user permission to write but not delete a file or a folder doesn’t prevent the user from deleting the folder’s or file’s contents. |

Just as important as the basic
permissions are the users and groups to which you assign those
permissions. If a user or a group whose permissions you want to assign
is already selected in the Group Or User Names list on the Security
tab, you can modify the assigned permissions by tapping or clicking
Edit and then using the Allow and Deny columns in the Permissions list.
Select check boxes in the Allow column to add permissions, or clear
check boxes to remove permissions and then tap or click OK.
To expressly forbid a user or a group from using a permission,
select the appropriate check boxes in the Deny column. Because denied permissions have precedence over other permissions, Deny is useful in two specific scenarios:

- If a user is a member of a group that has been granted a permission,
  but you don’t want the user to have the permission and don’t want to or
  can’t remove the user from the group, you can override the inherited
  permission by denying that specific user the right to use the
  permission.
- If a permission is inherited from a parent folder and you prefer
  that a user or a group not have the inherited permission, you can
  override the allowed permission (in most cases) by expressly denying
  the user or group the use of the permission.

If users or groups whose permissions you want to assign aren’t
already available in the Group Or User Names list on the Security tab,
you can easily add them. To set basic permissions for users or groups not already listed on a file or a folder’s Security tab, follow these steps:

- On the Security tab, tap or click Edit. This displays the Permissions For dialog box.
- In the Permissions For dialog box, tap or click Add to display the
  Select Users, Computers, Service Accounts, Or Groups dialog box, as
  shown in Figure 2.

  Note: In a workgroup, this dialog box is titled “Select Users Or Groups.” Both dialog boxes serve the same purpose.

  Tip: Always double-check the value of the From This Location text box. In
  workgroups, computers will always show only local accounts and groups.
  In domains, this text box is changeable and is set initially to the
  default (logon) domain of the currently logged-on user. If this isn’t
  the location you want to use for selecting user and group accounts to
  work with, tap or click Locations to see a list of locations you can
  search, including the current domain, trusted domains, and other
  resources that you can access.
- Type the name of a user or a group account. Be sure to reference the
  user account name rather than the user’s full name. When entering
  multiple names, separate them with semicolons.
- Tap or click Check Names. If a single match is found for each entry,
  the dialog box is automatically updated, and the entry is underlined.
  Otherwise, you’ll see an additional dialog box. If no matches are
  found, you’ve either entered the name incorrectly or you’re working
  with an incorrect location. Modify the name in the Name Not Found
  dialog box and try again, or tap or click Locations to select a new
  location. When multiple matches are found, in the Multiple Names Found
  dialog box, select the name you want to use, and then tap or click OK.
  The users and groups are added to the Group Or User Names list.
- You can now configure permissions
  for each user and group you added by selecting an account name and then
  allowing or denying access permissions as appropriate.

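The same operations the Security tab performs can be scripted with Get-Acl and Set-Acl. This is an added example, not part of the original text: a group is allowed Modify on a folder, one member of that group is denied Write, and the result is checked. The scratch folder under %TEMP%, the built-in Users group, and the use of the current account as the denied user are assumptions.

```powershell
# Added example: the scratch folder and both principals are assumptions.
$folder = Join-Path $env:TEMP 'AclDemo'            # constructed scratch path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path (Join-Path $folder 'existing.txt') -Value 'created before the ACL change'

# BUILTIN\Users by well-known SID (its display name is localized) and the
# account running the script, which is normally a member of that group.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$allow = New-Object System.Security.AccessControl.FileSystemAccessRule($users, 'Modify', $inherit, $propagate, 'Allow')
$deny  = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Write', $inherit, $propagate, 'Deny')

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($allow)      # the group is allowed Modify
$acl.AddAccessRule($deny)       # one member of the group is denied Write
Set-Acl -Path $folder -AclObject $acl

# The Deny entry takes precedence over the group's Allow entry,
# so creating a file in the folder is now refused.
try {
    Set-Content -Path (Join-Path $folder 'new.txt') -Value 'x' -ErrorAction Stop
    'write succeeded'
} catch {
    "write blocked: $($_.Exception.GetType().Name)"
}

# On the existing file both new entries appear with IsInherited = True,
# which is what the shaded check boxes on the Security tab represent.
(Get-Acl -Path (Join-Path $folder 'existing.txt')).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Cleanup: remove the Deny entry, then delete the scratch folder.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $folder -AclObject $acl
Remove-Item -Path $folder -Recurse -Force
```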
Special Identities and Best Practices for Assigning Permissions
When you work with basic
permissions, it is important to understand not only how the permissions
are used, but how special identities can be used to help you assign
permissions. The special identities you’ll see the most are Creator
Owner and Users, but others are also used occasionally, as described in
Table 2.
Special identities are members of some groups automatically. To
configure permissions for a special identity, enter the special
identity’s name as you would the name of any other user or group.
Table 2. Special Identities Used When Setting Permissions
| SPECIAL IDENTITY | DESCRIPTION |
|---|---|
| Anonymous Logon | Includes any network logons for which credentials are not provided. This special identity is used to allow anonymous access to resources, such as those available on a web server. |
| Authenticated Users | Includes users and computers who log on with a user name and password; does not include users who log on using the Guest account, even if the account is assigned a password. |
| Creator Owner | The special identity for the account that created a file or a folder. Windows 8 uses this group to identify the account that has ultimate authority over the file or folder. |
| Dialup | Includes any user who accesses the computer through a dial-up connection. This identity is used to distinguish dial-up users from other types of users. |
| Everyone | Includes all interactive, dial-up, and authenticated users. Although this group includes guests, it does not include anonymous users. |
| Interactive | Includes any user logged on locally or through a remote desktop connection. |
| Network | Includes any user who logs on over the network. This identity is used to allow remote users to access a resource and does not include interactive logons that use remote desktop connections. |
| Users | Includes authenticated users and domain users only. The built-in Users group is preferred over Everyone. |

A solid understanding of these special identities can help you more effectively configure permissions on NTFS volumes. Additionally, whenever you work with permissions, you should keep the following guidelines in mind:

- Follow the file system hierarchy.
  Inheritance plays a big part in how permissions are set. By default,
  permissions you set on a folder apply to all files and subfolders
  within that folder. With this in mind, start at the root folder of a
  local disk or at a user’s profile folder (both of which act as
  top-level folders) when you start configuring permissions.
- Have a plan. Don’t
  set permissions without a clear plan. If permissions on folders get out
  of sync, and you are looking for a way to start over so that you have
  some continuity, you might want to configure the permissions as they
  should be in a parent folder and then reset the permissions on all
  subfolders and files in that folder.
- Grant access only as necessary.
  An important aspect of the file access controls built into NTFS is that
  permissions must be explicitly assigned. If you don’t grant a
  permission to a user and that user isn’t a member of a group that has a
  permission, the user doesn’t have that permission—it’s that simple.
  When assigning permissions, it is especially important to keep this
  rule in mind because it’s tempting just to give users full control
  rather than the specific permissions they really need. Granting only
  the specific permissions users need to do their job is known as the principle of least privilege.
- Use groups to manage permissions more efficiently.
  Whenever possible, you should make users members of appropriate groups
  and then assign permissions to those groups rather than to individual
  users. In this way, you can grant permissions to new users by making
  them members of the appropriate groups. Then, when a user leaves or
  goes to another group, you can change the group membership as
  appropriate. For example, when Sarah joins the sales team, you can add
  her to the SalesUS and SalesCan groups so that she can access those
  groups’ shared data. If she later leaves the sales team and joins the
  marketing team, you can remove her from the SalesUS and SalesCan groups
  and add her to the MarketingUS and MarketingCan groups. This is much
  more efficient than editing the properties for every folder Sarah needs
  access to and assigning permissions.
- Use central access policies to enhance existing access controls.
  On your domain servers running Windows Server 2012, use central access
  policies to very precisely define the specific attributes that users
  and devices must have to access resources.
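
One way to check a folder tree against these guidelines, as an added example that is not part of the original text: it lists explicit Allow entries that give the broad special identities from Table 2 write-level access. The root path `C:\Data`, the function name `Find-BroadAce`, and the choice of which rights count as write-level are assumptions.

```powershell
# Added example: $root, Find-BroadAce and the rights mask are assumptions.
$root = 'C:\Data'     # hypothetical top-level folder to review

# Broad identities, matched by well-known SID so localized names do not matter.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights treated as write-level. Full Control and Modify contain these bits.
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) are added because
# inherit-only entries are sometimes stored in generic form.
$writeLike = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$mask = [int]$writeLike -bor 0x10000000 -bor 0x40000000

function Find-BroadAce {
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { continue }     # skip objects whose ACL cannot be read

        # Explicit entries only: an inherited entry is corrected on the
        # parent folder where it is defined, which is reported there.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and
                ([int]$ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $broad[$sid]
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-BroadAce -Path $root | Format-Table -AutoSize
```

Each row is a place where a permission was set explicitly for a broad identity; replacing it with an entry for a specific group is the change the guidelines above describe.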