Setting folder and file permissions gives you some network security, but it doesn’t secure your PC desktop. When you use the NT file system (NTFS) in Windows XP, however, you can set file permissions at the local PC level. That means that a user sitting down at a PC, not just a user accessing the resource across a network, is bound by NTFS permissions.

NTFS permissions, which can be set only on drives partitioned with NTFS, can be assigned to drives and folders, just like sharing permissions, but they also can be assigned to individual files. Unlike sharing permissions, in which the default setting for a resource is Not Shared, NTFS permissions are set to allow access by default.

In this Daily Drill Down, we’ll cover the details of NTFS permissions in Windows XP. With an understanding of how NTFS permissions work, you’ll be able to troubleshoot permission issues more quickly as they occur on your network and clients.

NTFS permissions vs. share permissions

If you’re a little fuzzy on the differences between share permissions and NTFS permissions, check out our Daily Drill Down on ”Establish the correct file-sharing permissions in Windows XP.”

Folder and drive permissions
NTFS offers many more types of permission than the simple Read, Change, and Full Control of sharing permissions. For folders and drives, you can assign these permissions:

  • List Folder Contents: View a folder’s contents
  • Read: View a folder’s contents, open files, and view file and folder attributes
  • Read & Execute: Same as Read, plus the ability to move through folders to reach other folders, even if no permission is granted for those folders
  • Write: Same as Read, plus the ability to create and edit subfolders and change attributes
  • Modify: Combination of Read & Execute and Write, plus the ability to delete the folder
  • Full Control: Same as Modify, plus the ability to change permissions, take ownership, and delete subfolders and files
  • Special Permissions: Allows you to customize permissions on folders by selecting the individual components of the standard sets of permissions

File-level permissions
The list of permissions for individual files is the same, except for the List Folder Contents permission. For files, you can assign these permissions:

  • Read: Open the file and view its attributes, ownership, and permissions
  • Read & Execute: Same as Read, plus the ability to run applications
  • Write: Same as Read, plus the ability to change file content and attributes
  • Modify: Same as Write and Read & Execute combined, plus the ability to delete the file
  • Full Control: Same as Modify, plus the ability to change permissions and take ownership
  • Special Permissions: Allows you to customize permissions on files by selecting the individual components of the standard sets of permissions

Just like sharing permissions, NTFS permissions can be set to Allow with the Allow check box. Permissions are cumulative and can be inherited from parent folders or drives. NTFS permissions can also be set to Deny, but you should use Deny sparingly because it overrides more lenient permissions. For example, if you set Read access for a folder to Deny and the drive on which the folder resides allows Full Control, everything on that drive will have Full Control access except for that folder, which will have no access at all.

Figure A
Setting NTFS permissions on the Security tab on the Data folder’s Properties box

To set NTFS permissions, use the Security tab on the Properties page for a drive, folder, or file. The controls will seem familiar; they’re almost the same as the ones for setting sharing permissions (see Figure A).

Special access permissions
In addition to the normal NTFS permissions, you can use 14 “special access” permissions. These let you fine-tune the permissions granted for a particular object. They’re not actually separate permissions from the standard ones, but refinements of them. For example, the standard Read permission actually involves four separate permissions rolled into one. The special permissions are the four separate settings: Read Data, Read Attributes, Read Permissions, and Read Extended Attributes. By default, the special access permissions are set according to the standard permission settings you have specified, but you can change them as desired.

Figure B
Control access for a resource more precisely from the Advanced Security Settings For Data dialog box.

To view the special permission settings, click the Advanced button on the Security tab to open the Advanced Security Settings For Data dialog box, as shown in Figure B.

Figure C
You can set more specific permissions here than are possible with the normal NTFS permissions.

From here, double-click one of the listed users or groups to display the settings for the 14 extra permissions. Figure C shows the Permission Entry For Data dialog box that will open.

Most of these special permissions are useful only in odd circumstances. For example, suppose you have granted a group Modify access to a particular folder, but you want to make it impossible for them to delete a certain file in that folder. You could set one of the special access permissions—Delete—to Deny for that file.

Inheriting permissions
Notice the first check box at the bottom of Figure B. When it’s turned on, the folder or file will inherit the permissions of the parent object (that is, the drive or folder in which it resides). The gray check boxes in Figure C indicate that those permissions are inherited rather than specific to this folder.

If you deselect the Inherit From Parent The Permission Entries check box, a dialog box will appear, asking what you want to do about those inherited settings. (You won’t see this on drives, because they have nothing to inherit from, being at the top level already.) You can choose to copy them or to remove them. If you remove them, all permissions and all users that were inherited are stripped out, leaving you a clean slate with which to create new NTFS permissions for the object. Any permissions that were specifically set for this resource beforehand remain. If you copy the settings, all the settings remain the same, but the gray goes away from the check boxes, indicating that these settings are now independent settings for this folder or file only.

You might use two special access permissions more frequently: Change Permissions and Take Ownership. You can find the Change Permissions feature on the Effective Permissions tab of the Advanced Security Settings dialog box. Change Permissions is a permission that normally comes only with Full Access, but you can specifically grant it for a resource here.

Take Ownership allows a user to transfer the ownership of the file or folder to himself or herself and is located on the Owner tab of the Advanced Security Settings dialog box. There can be only one “owner” for a file or folder at a time, and that user is the only member of the CREATOR OWNER group for that object. You can assign certain rights to that group, just as you can assign permissions to any other group. The Take Ownership permission enables someone to usurp the title of Owner from another for that resource.

Note that having permission to take ownership of a resource does not automatically take the ownership. If a user has the permission to take ownership, click the Owner tab and then choose yourself on the list of users. (You cannot choose anyone else; you must choose the user name with which you are logged on.) If you also want to take ownership of all subordinate folders and files, select the Replace Owner On Subcontainers And Objects check box.

More tips for using NTFS permissions

Try to assign NTFS permissions to folders rather than individual files and make sure that the files are set to inherit their permission from the folder. (That’s the default setting, so you don’t have to check every single file.)

Create folders according to access requirements—for example, a folder for files that Marketing needs, another for files that Engineering needs, and so on, and assign NTFS permissions to those folders for the users who need them.

To prevent users from accidentally deleting important applications or data, remove the Everyone permission and assign the Read & Execute permission to the Users group and the Administrators group for the folder.

As with sharing permissions, give users only the access level that they require. In most cases, Full Control should reside only with the CREATOR OWNER group.

Don’t use Deny except when it is necessary because it can create administrative headaches later.

What happens to permissions when you move or copy?
When you copy a folder that has specifically been shared (rather than just inheriting sharing from its parent), the original remains shared, but the copy is reset to Not Shared. However, if you copy the folder to a drive or folder that is shared, it will inherit the sharing setting of its new parent location. The same goes for moving a folder. Any specific sharing permissions it has are removed, but it’s free to inherit sharing from the new location.

When you copy or move a file or folder from an NTFS drive to a FAT or FAT32 drive, all NTFS permission settings are removed, leaving it wide-open for anyone to access.

When you copy to another NTFS drive, or within the same drive, any old NTFS permissions assigned specifically to the original are stripped away, and it inherits NTFS permissions from the new location. To copy, you must have Write permission for the destination. The user doing the copying becomes the CREATOR OWNER of the copy.

When you move a file or folder to another NTFS drive, the permissions work just like copying. Any old permissions are removed, and the file or folder inherits permissions from the new location. You must have Modify permission for the file or folder being moved and Write permission for the destination drive or folder. The user doing the moving becomes the CREATOR OWNER of the file.

When you move a file or folder to a different location on the same NTFS drive, however, permissions work a little differently. The moved file or folder does inherit permissions from the new location, but if any permissions were set specifically for that object, they’re retained and they override the new inheritances. You must have Modify permission for the file or folder being moved and Write permission for the destination drive or folder. The CREATOR OWNER doesn’t change.

NTFS means more permissions options
Windows XP NTFS permissions features allow greater control for you and more configuration schemes for your users. In this Daily Drill Down, you learned to create folder and file permissions for groups and individuals using the NTFS file system. You also learned how NTFS permissions are inherited and what happens when you move or copy folders and files.