Most seasoned administrators are familiar with the fact that
New Technology File System (NTFS) permissions are available on every file,
folder, registry key, printer, and Active Directory object. First introduced
with Windows NT to replace the File Allocation Table (FAT) file system, NTFS has gone through several changes over the
years. Windows 2000, Windows Server 2003, and Windows XP use the current
incarnation, NTFS v5.
When it comes to the old NTFS (from Windows NT) and the
current NTFS, there are a lot of similarities and a few differences. Let’s take
a closer look.
Standard vs. advanced permissions
You can set NTFS permission to Allow or Deny. Here’s a look
at the standard permissions in the old NTFS:
- Full Control: Users can modify,
add, move, and delete files, as well as their associated properties and
directories. In addition, users can change permissions settings for all
files and subdirectories. - Modify: Users can view and modify
files and file properties, including deleting and adding files to a
directory or file properties to a file. - Read & Execute: Users can run
executable files, including scripts. - Read: Users can view files and
file properties. - Write: Users can write to a file.
Microsoft later advanced these permissions to include the
following:
- Traverse Folder/Execute File: Users
can navigate through folders to reach other files or folders, even if they
have no permissions for the traversed files or folders. The Traverse Folder
permission takes effect only when the group or user doesn’t have the
Bypass Traverse Checking user right in the Group Policy snap-in. (By
default, the Everyone group has the Bypass Traverse Checking user right.) - List Folder/Read Data: Users can
view a list of a folder’s contents and data files. - Read Attributes: Users can view
the attributes of a file or folder, such as read-only and hidden. (NTFS
defines these attributes.) - Read Extended Attributes: Users
can view the extended attributes of a file or folder. (Defined by programs,
extended attributes may vary.) - Create Files/Write Data: The
Create Files permission allows users to create files within the folder. (This
permission applies to folders only.) The Write Data permission allows users
to make changes to the file and overwrite existing content. (This
permission applies to files only.) - Create Folders/Append Data: This
Create Folders permission allows users to create folders within a folder.
(This applies to folders only.) The Append Data permission allows users to
make changes to the end of the file, but they can’t change, delete, or
overwrite existing data. (This applies to files only.) - Write Attributes: Users can change
the attributes of a file or folder, such as read-only or hidden. (NTFS
defines these attributes.) - Write Extended Attributes: Users
can change the extended attributes of a file or folder. - Delete: Users can delete the file
or folder. (If users don’t have the Delete permission on a file or folder,
they can still delete it if they have the Delete Subfolders And Files permission
on the parent folder.) - Read Permissions: Users have reading
permissions of the file or folder, such as Full Control, Read, and Write. - Change Permissions: Users have
changing permissions of the file or folder, such as Full Control, Read, and
Write. - Take Ownership: Users can take
ownership of the file or folder. The owner of a file or folder can always
change permissions on it, regardless of any existing permissions that
protect the file or folder.
What’s the big difference?
The big difference between the old NTFS and the new NTFS is
the establishment of Inherited and Explicit permission precedence. While you
might assume that the Deny permission takes precedence over any other
permission, that isn’t always the case.
Here’s the hierarchy for permissions:
- Explicit
Deny - Explicit
Allow - Inherited
Deny - Inherited
Allow
As a user accesses each
file, folder, registry key, printer, and Active Directory object, the
system checks the permissions from top to bottom. When it meets one of these four
conditions, it either grants or denies access. This allows you to set
permission inheritance for an object and maintain fine control for exceptions
to your general permissions policy.
Final thoughts
NTFS permissions offer a great deal of control when it comes
to resources on your systems. If you’re having trouble with users not being
able to access required data or objects in your Active Directory structure,
look at the hierarchy for those permissions, and you’ll find the problem.
Miss a column?
Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.
Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.