Which ntfs permission allows a user to open and make changes to files but not delete them?

This discusses resource security using NTFS permissions. It specifically discusses security on files and folders within the NT File System (NFTS). The document covers NTFS file and folder permissions, lists, using NTFS permissions, planning NTFS permission, using special access permission, copying and moving data with NTFS permissions assigned, and troubleshooting NTFS permission problems. This document also introduces you to the next generation of NTFS, NTFS 5.0, which windows 2008 touts as its standard file system. In addition, this document outlines all of the components of using NTFS permissions on a NTFS 5.0 file system effectively on a Windows 2000 network. Once you have read and digested this document, you should be able to secure your windows 2008 network with NTFS permissions with ease.

UNDERSTANDING NTFS PERMISSIONS

This discussion covers the basics of file and folder permissions. It walks you through the kinds of permissions you can assign to files and folders and how to use them. The new and improved Access Control List is discussed, as well as the effects of multiple applied permissions and inherited permissions. First, let's answer a couple of common questions about NTFS permissions:

• What is a permission? A permission is a rule associated with an object to regulate which users can gain access to that object and in what manner.
• When can I use a permission? Permissions can be used only on NTFS formatted partitions or volumes, and that is why they are commonly referred to as NTFS permissions.
• Who can set or apply permissions? Administrators, the user that owns the files or folders, and all other users or groups that have the Full Control permission to those file and folders.

NTFS Permissions and Files
NTFS file permissions are used to control the access that a user, group, or application has to files. This includes everything from reading a file to modifying and executing the file. There are five NTFS file permissions:

1. Read
2. Write
3. Read & Execute
4. Modify
5. Full Control

The five NTFS file permissions are also listed in Table 1 with a description of the access that is allowed to the user or group when each permission is assigned. As you can see, the permissions are listed in a specific order. They all build upon each other.

If a user needs all access to a file except to take ownership and change its permissions, the Modify permission can be granted. The access allowed by the Read, Write, and Read & Execute are automatically granted within the Modify permission. This saves you from assigning multiple permissions to a file or group of files. In later discussions in this document you will see what happens when multiple NTFS file permissions are assigned and applied and how you can determine the net access the user or group has to that file or folder.

NOTE: A file's attributes are properties of the file such as Read-Only, Hidden, Archive, and System. The System attribute is usually applied only to operating system boot files.

NTFS Permissions and Folders
NTFS Folder permissions allow what access is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. This topic defines each NFTS folder permission and its effect on a folder. Table 2 displays a list of the NTFS file permissions and the access that is granted to a user or group when each permission is applied.

Notice that the only major difference between NTFS file and folder permissions is the List Folder Contents NTFS folder permission. By using this NTFS folder permission you can limit the user's ability to browse through a tree of folders and files. This is useful when trying to secure a specific directory such as an application directory. A user must know the name and location of a file to read or execute it when this permission is applied to its parent folder.

Understanding the Access Control List (ACL)
Everyone who is familiar with Microsoft Windows NT 4.0 will find here a big change for the better. The ACLs or Access Control Lists of the past were written and assigned to a user once a successful Windows NT domain login had been established. The operating system would summarize the user's allowed access in an ACL. When a user in Microsoft Windows NT 4.0 tried to access a file or folder, the operating system would look at the user's ACL and determine whether the user was allowed access. One aspect of this feature turned out to be a huge drawback for everyday user access. If a user called the helpdesk or any other support person to gain access to a file or folder and that person made the appropriate change to the permissions, the user would have to log off and log back on. This is because the ACL in Microsoft Windows NT 4.0 was created only after a successful logon. As you will find out, windows 2008 has made a change in how ACLs work and how users use them.

NTFS 5.0 in windows 2008 stores an ACL with every file and folder on the NTFS partition or volume. The ACL includes all the users and groups that have access to the file or folder. In addition, it indicates what access or specifically what permissions each user or group is allowed to that file or folder. Then, whenever a user makes an attempt to access a file or folder on an NTFS partition or volume, the ACL checks for an ACE (Access Control Entry) for that user account. The ACE will indicate what permissions are allowed for that user account. The user is granted access to that file or folder, provided that the access requested is defined within the ACE. In other words, when user wants to read a file, the Access Control Entry is checked in that file's Access Control List. If the Access Control Entry for that user contains the Read permission, the user is granted access to read that file.

NOTE: If a user does not have an ACL of the file that he or she wants to access, access is denied.

Consider the same user/helpdesk situation discussed earlier. When the support person makes the change to the permissions on the file the user needs access to, the change is immediately saved in that file's ACL. The user can then access the file without having to log out and back in.

This is only the case when assigning permissions to users for file or folder resources. When a user is added to a group to gain access to additional resources or otherwise, the user must log out and back in to access those resources. That is because NTFS permissions granted to groups are read in a different manner.

Applying Multiple NTFS Permissions
Multiple permissions can be assigned to a single user account. They can be assigned to the user account directly or to a group the user account is a member of. When multiple permissions are assigned to a user account, unexpected things can happen. To prevent any heartache we are going to discuss the rules and regulations for assigning multiple NTFS permissions to a single user or group. This will include how file and folder permissions work together, and how denying a specific permission can affect a users' allowed access.

First of all, NTFS permissions are cumulative. This means that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups that the user is a member of. For instance, if a user is assigned Read access to a specific file, and a group that the user account is a member of has the Write permissions assigned, the user is allowed the Read and Write NTFS permission to that file.

File Permissions Override Folder Permissions
NTFS file permissions override or take priority over NTFS folder permissions. A user account having access to a file can access that file even though it does not have access to the parent folder of that file. However, a user would not be able to do so via the folder, because that requires this "List Folders Contents" permission. When the user makes the attempt to access the file, he or she must supply the full path to it. The full path can either be the logical file path (F:\MyFolder\MyFile.txt) or use the Universal Naming Convention (UNC). To access the file via UNC the user must supply the server name, share, directory, and file, for example:

\\MYSERVER\Win2kShare\MyFolder\MyFile.txt 

If the user has access to the file but does not have an NTFS folder permission to browse for that file, the file will be invisible to the user and he or she must supply the full path to access it.

Deny Overrides All Other Permissions
The concept of permission denial has not changed through the evolution of the Microsoft Windows operating systems and NTFS. If a user is denied an NTFS permission for a file, any other instance where that permission has been allowed will be negated. Microsoft does not, nor do I, recommend using permission denial to control access to a resource � for one main reason. For instance, if a user has access to a file or folder as being a member of a group, denying permission to that user stops all other permissions that the user might have to the file or folder. This can be very hard to troubleshoot on a large network with thousands of users and groups.

This is another example of how multiple NTFS file and folder permissions are cumulative and what happens to the user's effective permissions. For an example of Deny overriding all other NTFS permissions look at Figure 1.

In Figure 1, User A is a member of Group 1 and Group 2, where he is granted access to Folder A. Group 1 allows access to Folder A and both of the files within that folder. Group 2, on the other hand, denies access to a specific file, File 1. When a user account is denied access to a file or folder, all other permissions granting that user access to that file or folder are negated. Figure 1 shows that User A's combined access to File 1 is no access at all.

Understanding Inherited NTFS Permission
By default, when NTFS permissions are assigned to a parent folder, all of the same permissions are applied or propagated to the subfolders and files of that parent folder. Alternatively, the automatic propagation of these permissions can be stopped. An example of NTFS permission inheritance is shown in Figure 2.

Subfolders and files inherit NTFS permissions from their parent folder. As the windows 2008 administrator you assign NTFS permissions to a folder. All current subfolders and files with that folder inherit those same permissions. In addition, any new files or subfolders created within that parent folder assume the same NTFS permission of that parent folder.

You can prevent NTFS permission inheritance, so that any file and subfolders in a parent folder will not assume the same NTFS permissions of their parent folder. Now here is the tricky part. The directory or folder level in which you decide to prevent the default NTFS permission inheritance becomes the new parent folder for NTFS permission inheritance.

USING NTFS PERMISSIONS

This discussion is about using NTFS permissions. The topics include planning and working with NTFS permissions. The discussion topic will give guidelines to use when planning NTFS permission on a windows 2008 network and will explain the step-by-step process for assigning such permission.

Planning NTFS Permissions
A windows 2008 network should be well thought out and planned for. The first thing that comes to mind is the Active Directory and windows 2008 domain infrastructure. This is very important, but a plan for NTFS permissions should also be thought out way in advance before a windows 2008 network is implemented.

Having a plan for NTFS permissions on your windows 2008 network will save time and money for your organization. You will also find that a network with well-planned NTFS permissions is that much easier to manage. Use the following guidelines to help you plan NTFS permissions on your windows 2008 network. Notice that some steps are not directly related to NTFS permissions themselves, but they help organize the data on your network. This makes it easier for you to manage the resources on your windows 2008 network and make sure those resources are secure.

1. The data on your windows 2008 network needs to be organized into manageable units. Separate the users' home directories from applications and public data. Try to keep data in centralized units. For instance, group all of the home directories into one folder and place them on an NTFS volume away from other data. By doing this you gain benefits such as not having to assign NTFS permissions to files, but only to the grouped folders. In addition, backup strategies become less complex. Now application files are grouped separately and do not have to be backed up with the home directories. Organizing your data can make many things easier to manage, including assigning NTFS permissions.
2. Assign user only the level of access that is required. If a user needs only to read a file, grant only the Read permission to the resource that they require access to. This precludes the possibility of a user damaging a file, such as modifying an important document or even deleting it.
3. When a group of users require the same access to a resource, create a group for those users and make each a member of that new group. Assign the NTFS permissions required to that resource to the newly created group. If at all possible avoid assigning NTFS permissions to users and only assign them to groups.
4. When assigning permissions to folders with working data, use the Read & Execute NTFS folder permission. This should be assigned to a group containing the users that need to access this folder and to the Administrators group. This will allow the users to work with the data, but will also prevent them from deleting any important files in the folder.
5. When assigning NTFS permissions to a public data folder, use the following criteria as a guideline. Assign the Read & Execute and Write NTFS permissions to the group containing the users that need access to the public data folder. The Creator Owner of the folder should be assigned the Full Control NTFS permission. Any user on the network that creates a file, including one in a public data folder, is by default the Creator Owner of that file. After that file has been created, the windows 2008 administrator can grant NTFS permissions to other users for file ownership. If the Read & Execute and the Write NTFS permissions are assigned to group of users that need access to the public data folder, they have Full Control to all files that they create in the public data folder and can modify and execute files created by other users.
6. If at all possible do not deny NTFS permission to a group or user. This is not a recommended way to manage resources on a windows 2008 network, because only NTFS permissions assigned for that resource elsewhere for the user or group are automatically stopped. This can cause a great deal of time and frustration in troubleshooting permission problems.
7. User education is always a good idea. If users have a basic understanding of the NTFS permissions and how to secure resources on a network, they can assign and manage their own files. Unfortunately user education does take a bit of time and money, but if done successfully it will pay off in the end.

This is it for the NTFS permission guidelines. When planning how to organize your data on a windows 2008 network, remember to consider NTFS permissions and how they will be affected. Every business and organization is different, but if most of these simple guidelines can be followed, managing your resources in a secure environment will be that much easier. And remember that Total Cost of Ownership is the name of the game.

Working NTFS Permissions
After a newly created volume is formatted with the NTFS 5.0 file system in windows 2008, by default the Full Control NTFS permission is granted to the Everyone group. This, of course, should be changed as soon as possible. The reason is that allowing Everyone full control means just that, everyone. That includes guests, if the Guest account is enabled, and even anonymous Internet users, if security settings on the firewall are such that they can access files on that server. By default, even though you are running NTFS, no security at all is applied. The approved NTFS permission plan should be implemented immediately. If an NTFS permission plan does not exist yet, at lease change the access for the Everyone group from Full Control to Read. Then you can assign the appropriate NTFS permissions to users as they are needed.

Now let's look into working with NFTS permissions and how to assign them. Let's start by looking at Figure 3.

1. On your windows 2008 desktop, right-click My Computer.
2. Click Explore. This will start the Windows Explorer.
3. Click the plus sign to the left of an NTFS volume that you would like to view.
4. Find a folder and right-click on that folder.
5. Click the Properties option on the list.
6. Now use Alt-Tab to switch to the Securities tab, or select it by clicking on it.

NOTE: When viewing the Securities tab from the Properties dialog box of a file, the List Folder Contents NTFS permissions is not listed in the Permissions list box.

Now that we are all on the same page, let's look at the options available to us on the security tab. Table 3 lists the options available on the Securities tab and describes briefly what they are used for.

For the purposes of this discussion we are going to skip the Advanced command button and what it does. That will be covered when we discuss the next topic, Using Special Access Permissions. The only other option on the Securities tab check box to allow inheritable permissions from parent to propagate to this object. By default when a folder is created on a NTFS volume this option is set. To turn it off, open the Securities tab and clear the check box. Figure 4 displays the message box that is displayed.

USING SPECIAL ACCESS PERMISSIONS

NTFS file and folder permissions for the most part are a sufficient way to secure your resources on a windows 2008 network. Where they do not provide the level of granularity required, you can use Special Access Permissions can be used.