Understanding NTFS permissions
In addition to the permissions that you can set when you share a
folder, Windows includes a second, more comprehensive set of
permissions. Called NTFS permissions, these can allow or deny permissions on a per-file or per-folder basis on the Windows 8–based computer.
If you’re used to the NTFS file system permissions in earlier versions of Windows, you’ll find that not too much has changed in Windows 8. NTFS permissions are still straightforward for the most part. In this section, you learn about how NTFS permissions operate.
It’s important to understand that NTFS permissions are local permissions and are always in effect, regardless of how the server is accessed. Whereas the shared
permissions you just learned about come into play only when resources
are accessed over the network, NTFS permissions are enforced all the
time, even when signing on to the machine directly from the console. It
is through the use of NTFS permissions that organizations can secure
their data without regard to access method.
NTFS has both basic and advanced sets of permissions. On desktops,
it’s rare that you will need advanced NTFS permissions; the basic
permission set is almost always sufficient. You’ll learn about the
basic permission set first. Bear in mind that NTFS permissions can be
applied to entire folders
or to individual files. There are some minor differences between the
permissions in each case. NTFS permissions are outlined in Table 1.
Table 1. NTFS permissions
Permission name | Description (folder) | Description (file)
Full control | The user has full permission to the folder and can add, change, move, and delete items. In addition, the user can add and remove permissions on the folder and on any subfolders. | The user has full rights to the file and can change, move, or delete it. The user can also add and remove permissions on the file.
Modify | The Modify permission is a conglomeration of the Read and Write permissions, which gives the user the ability to delete files inside a folder and to view the contents of subfolders. | The user can modify the contents of the selected file.
Read & execute | The user can read the contents of files in the folder or execute programs inside the folder but cannot make changes to the items in the folder. | The user can read the contents of the file or execute the program but cannot make changes to the file.
List folder contents | The user can view the contents of the selected folder but cannot read a file’s contents or execute any of the files. | This permission is not applicable at the file level.
Read | The user can read the individual items inside a folder. | The user can read the contents of a file.
Write | The user can create files and folders but cannot modify existing items. | The user can create a file.
As you create groups for the purpose of assigning permissions, understand
that the permissions you assign are cumulative. For example, suppose you
grant a user permission to read and execute the contents of a folder, and
you grant a group to which the user belongs the permission to write to
the folder. The user gets all those permissions because NTFS permissions
are cumulative.
Modifying file or folder permissions
To modify the NTFS permissions on a file or folder, complete the following steps:
- Press and hold or right-click the folder and select Properties.
- On the Properties page, choose the Security tab, as shown in Figure 14.
Note
MULTIPLE USERS
You can see that a number of permissions are available for the
selected user. Any permissions you change will affect only the selected
user or group. If you want to make changes for multiple users, either
add the users to a group and then apply permissions to the group or
apply permissions to each user individually.
- To make changes to the permissions for the selected user or group,
tap or click the Edit button on the Properties page to display the Permissions dialog box shown in Figure 15.
Here you can see that the permissions are broken down into Allow and
Deny columns. You can allow a user a particular set of permissions or
deny a user access to a particular file or folder by selecting the
Allow or Deny check box for each permission.
Note
CUMULATIVE PERMISSIONS
Cumulative permissions apply only when you’re adding up permissions in the Allow column. When Deny permissions are involved, they always override Allow permissions.
It’s not considered a best practice to use Deny permissions very often.
Doing so can create administrative nightmares that are difficult to
solve. However, Deny can be useful when group Allow permissions have
been applied to a folder, but you still want a user in that group to be
denied access to the folder. Because the Deny permission overrides the
Allow permission, the user is denied that particular permission.
- Make your selections and tap or click OK.
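The cumulative rule described before this procedure and the Deny rule in the CUMULATIVE PERMISSIONS note can be checked with a small model. This is an added example, not code from the original text: the account names and ACL entries are constructed, the mask values are those of .NET's FileSystemRights enumeration, and the model applies the rule as stated here without modeling inheritance or share permissions.

```python
# Basic NTFS permissions as access masks (values of .NET FileSystemRights).
# "List folder contents" uses the Read & execute mask on folders, so it is omitted.
BASIC = {
    "Full control":   0x1F01FF,
    "Modify":         0x0301BF,
    "Read & execute": 0x0200A9,
    "Read":           0x020089,
    "Write":          0x000116,
}

def effective_mask(principals, acl):
    """Combine the ACL entries that apply to a user.

    principals: the user name plus every group the user belongs to.
    acl: list of (trustee, "Allow" | "Deny", mask) entries on one file or folder.
    Allow entries accumulate; any Deny entry removes its bits from the result.
    """
    allow = deny = 0
    for trustee, kind, mask in acl:
        if trustee not in principals:
            continue  # entry is for someone else
        if kind == "Allow":
            allow |= mask
        elif kind == "Deny":
            deny |= mask
        else:
            raise ValueError(f"unknown entry type: {kind!r}")
    return allow & ~deny

def basic_permissions(mask):
    """Names of the basic permissions whose bits are all present in mask."""
    return [name for name, bits in BASIC.items() if mask & bits == bits]

# Constructed sample ACLs (hypothetical accounts "alice", "bob"; groups "Editors", "Staff").
# 1) User gets Read & execute, a group the user belongs to gets Write.
ACL_CUMULATIVE = [("alice", "Allow", BASIC["Read & execute"]),
                  ("Editors", "Allow", BASIC["Write"])]
# 2) Group gets Modify, but one member is denied Write.
ACL_DENY = [("Staff", "Allow", BASIC["Modify"]),
            ("alice", "Deny", BASIC["Write"])]

if __name__ == "__main__":
    cases = [("alice", {"alice", "Editors"}, ACL_CUMULATIVE),
             ("alice", {"alice", "Staff"}, ACL_DENY),
             ("bob", {"bob", "Staff"}, ACL_DENY)]
    for who, groups, acl in cases:
        print(who, basic_permissions(effective_mask(groups, acl)))
```

In the first case the user ends up with Read & execute, Read, and Write but not Modify, because neither entry grants the delete right that Modify includes.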