This discussion covers the basics of file and folder permissions. It walks you through the kinds of permissions you can assign to files and folders and how to use them. The new and improved Access Control List is discussed, as well as the effects of multiple applied permissions and inherited permissions. First, let's answer a couple of common questions about NTFS permissions:
- What is a permission? A permission is a rule associated with an object to regulate which users can gain access to that object and in what manner.
- When can I use a permission? Permissions can be used only on NTFS-formatted partitions or volumes, which is why they are commonly referred to as NTFS permissions.
- Who can set or apply permissions? Administrators, the user that owns the files or folders, and all other users or groups that have the Full Control permission to those files and folders.
NTFS Permissions and Files
NTFS file permissions are used to control the access that a user, group, or application has to files. This includes everything from reading a file to modifying and executing the file. There are five NTFS file permissions:
- Read
- Write
- Read & Execute
- Modify
- Full Control
The five NTFS file permissions are also listed in Table 1 with a description of the access that is allowed to the user or group when each permission is assigned. As you can see, the permissions are listed in a specific order. They all build upon each other.
TABLE 1: NTFS FILE PERMISSIONS

| NTFS File Permission | Allowed Access |
| --- | --- |
| Read | This allows the user or group to read the file and view its attributes, ownership, and permissions set. |
| Write | This allows the user or group to overwrite the file, change its attributes, view its ownership, and view the permissions set. |
| Read & Execute | This allows the user or group to run and execute the application. In addition, the user can perform all duties allowed by the Read permission. |
| Modify | This allows the user or group to modify and delete a file, as well as perform all of the actions permitted by the Read, Write, and Read & Execute NTFS file permissions. |
| Full Control | This allows the user or group to change the permission set on a file, take ownership of the file, and perform actions permitted by all of the other NTFS file permissions. |

If a user needs all access to a file except to take ownership and change its permissions, the Modify permission can be granted. The access allowed by the Read, Write, and Read & Execute permissions is automatically granted within the Modify permission. This saves you from assigning multiple permissions to a file or group of files. Later discussions in this document show what happens when multiple NTFS file permissions are assigned and applied, and how you can determine the net access the user or group has to that file or folder.
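The way these permissions build on each other can be checked against the rights masks that .NET exposes through PowerShell. This is an added example, not part of the original article; the scratch file and the choice of the current user as grantee are assumptions made for the demonstration.

```powershell
# Added example. Assumes Windows PowerShell on an NTFS volume; the temp file and
# the current user as grantee are demonstration choices, not from the article.
$basic = 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl'

function Test-RightIncludes {
    param(
        [System.Security.AccessControl.FileSystemRights]$Granted,
        [System.Security.AccessControl.FileSystemRights]$Needed
    )
    # One permission includes another when every bit of the needed mask is set.
    return (($Granted -band $Needed) -eq $Needed)
}

# 1. Which basic permissions does each basic permission already cover?
foreach ($g in $basic) {
    $covered = $basic | Where-Object { Test-RightIncludes -Granted $g -Needed $_ }
    '{0,-15} covers: {1}' -f $g, ($covered -join ', ')
}

# 2. The two rights that separate Full Control from Modify.
foreach ($r in 'ChangePermissions', 'TakeOwnership') {
    '{0,-18} Modify={1}  FullControl={2}' -f $r,
        (Test-RightIncludes -Granted Modify -Needed $r),
        (Test-RightIncludes -Granted FullControl -Needed $r)
}

# 3. Grant Modify alone on a scratch file and read the explicit entry back.
$path = [System.IO.Path]::GetTempFileName()
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
try {
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Modify', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $me -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
finally {
    Remove-Item -Path $path
}
```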
NTFS Permissions and Folders
NTFS folder permissions determine what access is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. This topic defines each NTFS folder permission and its effect on a folder. Table 2 displays a list of the NTFS folder permissions and the access that is granted to a user or group when each permission is applied.
TABLE 2: NTFS FOLDER PERMISSIONS

| NTFS Folder Permission | Allowed Access |
| --- | --- |
| Read | This allows the user or group to view the files, folders, and subfolders of the parent folder. It also allows the viewing of folder ownership, permissions, and attributes of that folder. |
| Write | This allows the user or group to create new files and folders within the parent folder as well as view folder ownership and permissions and change the folder attributes. |
| List Folder Contents | This allows the user or group to view the files and subfolders contained within the folder. |
| Read & Execute | This allows the user or group to navigate through all files and subfolders, as well as perform all actions allowed by the Read and List Folder Contents permissions. |
| Modify | This allows the user to delete the folder and perform all activities included in the Write and Read & Execute NTFS folder permissions. |
| Full Control | This allows the user or group to change permissions on the folder, take ownership of it, and perform all activities included in all other permissions. |

Notice that the only major difference between NTFS file and folder permissions is the List Folder Contents permission, which appears only among the folder permissions in Table 2. NTFS file and folder permissions for the most part are a sufficient way to secure your resources on a Windows 2008 network. Where they do not provide the level of granularity required, you can use Special Access Permissions.