NTFS permissions offer a great deal of control when it comes to resources on your systems. When it comes to the old NTFS (from Windows NT) and the current NTFS (from Windows 2000, Windows Server 2003, and Windows XP), there are a lot of similarities and a few differences. In this edition of Security Solutions, Mike Mullins takes a closer look.
Most seasoned administrators are familiar with the fact that New Technology File System (NTFS) permissions are available on every file, folder, registry key, printer, and Active Directory object. First introduced with Windows NT to replace the File Allocation Table (FAT) file system, NTFS has gone through several changes over the years. Windows 2000, Windows Server 2003, and Windows XP use the current incarnation, NTFS v5.
When it comes to the old NTFS (from Windows NT) and the current NTFS, there are a lot of similarities and a few differences. Let's take a closer look.
Standard vs. advanced permissions
You can set NTFS permission to Allow or Deny. Here's a look at the standard permissions in the old NTFS:
- Full Control: Users can modify, add, move, and delete files, as well as their associated properties and directories. In addition, users can change permissions settings for all files and subdirectories.
- Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
- Read & Execute: Users can run executable files, including scripts.
- Read: Users can view files and file properties.
- Write: Users can write to a file.
Microsoft later advanced these permissions to include the following:
- Traverse Folder/Execute File: Users can navigate through folders to reach other files or folders, even if they have no permissions for the traversed files or folders. The Traverse Folder permission takes effect only when the group or user doesn't have the Bypass Traverse Checking user right in the Group Policy snap-in. (By default, the Everyone group has the Bypass Traverse Checking user right.)
- List Folder/Read Data: Users can view a list of a folder's contents and data files.
- Read Attributes: Users can view the attributes of a file or folder, such as read-only and hidden. (NTFS defines these attributes.)
- Read Extended Attributes: Users can view the extended attributes of a file or folder. (Defined by programs, extended attributes may vary.)
- Create Files/Write Data: The Create Files permission allows users to create files within the folder. (This permission applies to folders only.) The Write Data permission allows users to make changes to the file and overwrite existing content. (This permission applies to files only.)
- Create Folders/Append Data: This Create Folders permission allows users to create folders within a folder. (This applies to folders only.) The Append Data permission allows users to make changes to the end of the file, but they can't change, delete, or overwrite existing data. (This applies to files only.)
- Write Attributes: Users can change the attributes of a file or folder, such as read-only or hidden. (NTFS defines these attributes.)
- Write Extended Attributes: Users can change the extended attributes of a file or folder.
- Delete: Users can delete the file or folder. (If users don't have the Delete permission on a file or folder, they can still delete it if they have the Delete Subfolders And Files permission on the parent folder.)
- Read Permissions: Users have reading permissions of the file or folder, such as Full Control, Read, and Write.
- Change Permissions: Users have changing permissions of the file or folder, such as Full Control, Read, and Write.
- Take Ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
What's the big difference?
The big difference between the old NTFS and the new NTFS is the establishment of Inherited and Explicit permission precedence. While you might assume that the Deny permission takes precedence over any other permission, that isn't always the case.
Here's the hierarchy for permissions:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
As a user accesses each file, folder, registry key, printer, and Active Directory object, the system checks the permissions from top to bottom. When it meets one of these four conditions, it either grants or denies access. This allows you to set permission inheritance for an object and maintain fine control for exceptions to your general permissions policy.
NTFS permissions offer a great deal of control when it comes to resources on your systems. If you're having trouble with users not being able to access required data or objects in your Active Directory structure, look at the hierarchy for those permissions, and you'll find the problem.
Miss a column?
Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.