Windows
 

Windows 8 : Sharing files and folders (part 5) - Understanding NTFS permissions - Creating advanced security settings

10/10/2014 4:04:57 AM

Creating advanced security settings

NTFS permissions can get confusing because of the way they work. What you just saw was straightforward information—apply a permission, and it takes effect. However, as you investigate further, additional complexity becomes apparent.

This complexity is simplified through the use of advanced security settings. By viewing these settings, you gain insight into the real state of permissions for the selected file or folder. In the main section of the window, you see that each permission entry is individually delineated, showing you exactly which permissions are assigned to specific users and groups (called principals).

To view or change the advanced security settings for a file or folder, complete the following steps:

  1. On the Properties page shown in Figure 14, tap or click the Advanced button to open the Advanced Security Settings window shown in Figure 16.

    The current security settings for the selected folder

    Figure 16. The current security settings for the selected folder

    Each permission entry is individually listed, showing you exactly which permissions have been assigned to which users and groups, called principals. To the right, you can see the reason the principals are granted the permissions they carry. These permissions have been inherited from C:\. The folder you’re working with in Figure 16 is C:\Shared-files. By default, folders in Windows 8 inherit the permissions of their parent folder. This avoids the need for an administrator to specify permissions for each folder in the system manually.

    However, you might want to have permissions change on folders deeper in the hierarchy. Fortunately, that’s not difficult, and the result is that the selected folder will have permissions that are both inherited from the parent folder and set directly. In Figure 17, you can see that the folder now has additional permissions, but these permissions were not inherited.

    Advanced Security Settings window showing a directly granted level of permissions

    Figure 17. Advanced Security Settings window showing a directly granted level of permissions

    To add a permission directly to the selected folder from the Advanced Security Settings, tap or click the Add button. This opens the Permission Entry window shown in Figure 18.

    Permission Entry window showing the Applies To drop-down list

    Figure 18. Permission Entry window showing the Applies To drop-down list

  2. In the Permissions Entry dialog box, provide the Principal name.

    This is the name of the user or group to which you want to apply new or additional permissions. In Figure 18, the administrator has already selected the group named Authenticated Users. To specify a different user or group, tap or click Select A Principal and make a selection.

  3. In the Type drop-down list, select either Allow or Deny as the permission type.

  4. Make a selection from the Applies To drop-down list.

    By default, Windows applies your new permissions settings to the current folder and to all subfolders and files according to the default inheritance rules in Windows 8. You can override this behavior by choosing a different entry from the Applies To drop-down list. Table 2 lists the available options and the impact of your selection.

    Table 2. Default permissions impact

    Apply permissions to

    Apply to current folder ONLY

    Apply to subfolders in current folder

    Apply to files in current folder

    Apply to all subfolders

    Apply to files in all subfolders

    This folder only

    x

        

    The folder, subfolders, and files

    x

    x

    x

    x

    x

    This folder and subfolders

    x

    x

     

    x

     

    This folder and files

    x

     

    x

     

    x

    Subfolders and files only

     

    x

    x

    x

    x

    Subfolders only

     

    x

     

    x

     

    Files only

      

    x

     

    x

    Under Basic Permissions, you can choose different basic permissions for the selected principal.

  5. If you’d like to see additional available permissions, tap or click Show Advanced Permissions.

    Table 3 describes the available advanced permissions.

    Table 3. Advanced NTFS permissions

    Folder permission name

    Description (folder)

    File permission name

    Description (file)

    Traverse Folder

    Allows the user to browse to folders beneath the current one

    Execute File

    Allows the user to execute the file

    List Folder

    Allows the user to view file names and subfolder names

    Read Data

    Allows the user to read data from a file

    Read Attributes

    Allows the user to view the attributes of a file or folder (such as Read-Only, Hidden)

    Read Extended Attributes

    Allows the user to view the extended attributes of a file or folder; extended attributes may be assigned by an application

    Create Files

    Allows the user to create files inside the folder

    Write Data

    Allows the user to write data to a file

    Create Folders

    Allows the user to create new folders within a folder

    Append Data

    Allows the user to add data to the end of a file but not to change the existing content

    Write Attributes

    Allows the user to change the attributes of a file or folder (such as Read-Only, Hidden)

    Write Extended Attributes

    Allows the user to change the extended attributes of a file or folder; extended attributes may be assigned by an application

    Delete Subfolders and Files

    Allows the user to delete subfolders and files; works even if the user has not been assigned the Delete permission

    Delete

    Allows the user to delete a file or a folder

    Read Permissions

    Allows the user to read the permissions for a file or folder

    Change Permissions

    Allows the user to change the permissions on a file or folder

    Take Ownership

    Allows the user to take ownership of a file or folder without regard to other permissions that might already be assigned
  6. Select the Only Apply These Permissions To Objects And/Or Containers Within This Container check box to limit the containers to which new permissions apply.

    Table 4 lists the permissions impact when this check box is selected.

    Table 4. Permissions impact when Only Apply These Permissions To Objects And/Or Containers Within This Container is selected

    Apply permissions to

    Apply to current folder ONLY

    Apply to subfolders in current folder

    Apply to files in current folder

    Apply to all subfolders

    Apply to files in all subfolders

    This folder only

    x

        

    The folder, subfolders, and files

    x

    x

    x

      

    This folder and subfolders

    x

    x

       

    This folder and files

    x

     

    x

      

    Subfolders and files only

     

    x

    x

      

    Subfolders only

     

    x

       

    Files only

      

    x

     

Note

FILE AND FOLDER PERMISSIONS CLARIFIED

There are different permission sets for folders and files, although they also share many advanced permissions. Table 3, in which there are different entries in the Folder and File columns, explains the different kinds of permissions. When a permission is shared between files and folders, there is just a single description for the permission entry. Further, although each description uses the word “Allow” to indicate that a user is allowed to perform a certain function, bear in mind that the permission can also be denied.

 
Others
 
- Windows 8 : Sharing files and folders (part 4) - Understanding NTFS permissions - Modifying file or folder permissions
- Windows 8 : Sharing files and folders (part 3) - Sharing a folder
- Windows 8 : Sharing files and folders (part 2) - Enabling folder sharing using the Windows 8 interface, Enabling folder sharing using the traditional interface
- Windows 8 : Sharing files and folders (part 1) - Configuring the Network and Sharing Center
- Windows 8 : Configuring virtual machine networking and storage (part 3) - Assigning a virtual switch to a virtual machine , Assigning storage to a virtual machine
- Windows 8 : Configuring virtual machine networking and storage (part 2) - Hyper-V virtual switch
- Windows 8 : Configuring virtual machine networking and storage (part 1) - Introducing storage and networking for Hyper-V
- Windows 8 : Customizing the Lock Screen - Customizing the Lock Screen Background,Controlling the Apps Displayed on the Lock Screen, Disabling the Lock Screen
- Windows 8 for Business : Features Exclusive to Windows 8 Enterprise,Windows RT and Business
- Windows 8 for Business : Virtualization (part 4) - VHD Shell Integration,Remote Desktop and Remote Desktop Host
- Windows 8 for Business : Virtualization (part 3) - Using Hyper-V Virtual Machine Connection
- Windows 8 for Business : Virtualization (part 2) - Using Hyper-V Manager
- Windows 8 for Business : Virtualization (part 1) - Client Hyper-V
- Windows Server 2012 : Deploying Dynamic Access Control (part 4) - Validating the Configuration
- Windows Server 2012 : Deploying Dynamic Access Control (part 3) - Adding a Resource Property to the Global Resource Property List, Creating a New Central Access Rule
- Windows Server 2012 : Deploying Dynamic Access Control (part 2) - Configuring Resource Property for Files
- Windows Server 2012 : Deploying Dynamic Access Control (part 1) - Preparing Claims
- Windows Server 2012 : Managing Users and Data with Dynamic Access Control - The Building Blocks of DAC , Requirements and Predeployment Pointers
- Windows 7 : Using BitLocker Drive Encryption
- Windows 7 : Using System Protection (part 3) - Using previous versions
 
 
Most View
 
- Windows Server 2012 : Hyper-V - Performance and Virtual Network Management - Resource Metering
- Using the Windows 8 Interface : Taking a Tour of the Windows 8 Interface (part 2) - The App Bar,The Charms Menu
- SQL Server 2012 : Backing Up the Database (part 1) - Performing Backup with Management Studio
- Sharepoint 2013 : Managing and Configuring Profile Synchronization (part 3) - SharePoint Profile Synchronization
- Microsoft Access 2010 : Creating Your Own Databases and Tables - Working with Field Properties (part 1)
- Windows 8 : Sharing and Securing with User Accounts - Using User Accounts (part 1) - Understanding User Account Control
- Overview of Oauth in Sharepoint 2013 : Introduction to OAuth
- Exchange Server 2013 : Extending Exchange - Accessing Exchange Programmatically
- Windows 8 : Customizing the Lock Screen - Customizing the Lock Screen Background,Controlling the Apps Displayed on the Lock Screen, Disabling the Lock Screen
- Microsoft Access 2010 : Relating the Information in Your Database - Establishing Relationships in Access
 
 
Top 10
 
- Upgrading to Sharepoint 2013 : Upgrading Service Applications
- Upgrading to Sharepoint 2013 : Upgrading Site Collections
- Upgrading to Sharepoint 2013 : Upgrading Content (part 4) - Attaching the Content Database
- Upgrading to Sharepoint 2013 : Upgrading Content (part 3) - Fixing the Issues, Additional Parameters
- Upgrading to Sharepoint 2013 : Upgrading Content (part 2) - Running Test-SPContentDatabase
- Upgrading to Sharepoint 2013 : Upgrading Content - Creating the Web Application, Testing the Content Database
- Windows 8 : Introducing Storage Spaces - Creating storage spaces
- Windows 8 : Working with file systems (part 5) - Working with quotas, Working with quotas for user accounts
- Windows 8 : Working with file systems (part 4) - Understanding Encrypting File System, BitLocker
- Windows 8 : Working with file systems (part 3) - Auditing access to securable objects by using SACLs