Networking Basics: Part 20 - File Level Permissions

Published on 12 June 2008 / Last Updated on 12 June 2008

This article concludes the Networking for Beginners series by talking about file level permissions.

In the previous article in this series, I explained that shared folders could be secured using either share level permissions or NTFS permissions. In that article, I showed you how to use share level permissions, but it is a much more common practice to secure file shares using NTFS permissions. In this article, I will show you how.

The Convert Command

As I have explained many times before, you can only apply file level security to volumes that are formatted using the NTFS file system. If the volume is formatted using FAT or FAT32, then you are limited to using share level permissions. The good news is that it is possible to convert a FAT or a FAT32 volume to NTFS without having to reformat the volume. You can do so by using the Convert command. If the volume that you are interested in securing is already formatted as NTFS then you can skip this section.

The convert command is fairly simple to use. In its simplest form, you only have to specify the drive letter that is assigned to the volume that you want to convert, and the file system that you want to use (in this case NTFS). For example, if you wanted to convert drive D: to NTFS, the command would look like this:

CONVERT D: /FS:NTFS

Although this basic syntax will usually get the job done, there are two additional switches that I would recommend appending to the command. The first is the /X switch, which forces the volume to be dismounted before the conversion takes place. I recommend it because it prevents open files from being damaged during the conversion. The side effect is that any open file handles to the volume will be disconnected.

The other switch that I would recommend using is the /NoSecurity switch. This switch tells Windows that you want to leave everything on the volume accessible to everyone after the conversion is complete. Obviously, applying the switch defeats the whole purpose of converting the volume in the first place. However, I like that the switch gives you the option of implementing all of the security settings from scratch, rather than having to deal with default security settings that are put into place by Windows. When both of these additional switches are applied, the command looks like this:

CONVERT D: /FS:NTFS /X /NoSecurity

NTFS Permissions

For the most part, NTFS permissions are very easy to set up. Just right-click on a folder, and choose the Properties command from the resulting shortcut menu. You can assign NTFS permissions for the folder on the properties sheet's Security tab, shown in Figure A.


Figure A:
NTFS permissions are assigned through the properties sheet’s Security tab

As you can see in the figure, the top portion of the tab contains a list of users and groups. You can use the Add and Remove buttons to add or remove users and groups from this list. You can set permissions for a user or group by selecting the user or group from the list, and then using the checkboxes in the lower portion of the tab.

The permissions themselves are fairly self-explanatory, so I do not really want to go into the specifics of what each one does. There are two things that you need to know about this tab. First, for each permission you have the option of allowing it, denying it, or doing neither. Keep in mind that a specific denial always overrides a granted permission. You should also realize that even if you do not set a permission, it is possible that a user could end up receiving the permission anyway through inheritance. I will talk more about inheritance in a moment.

The other thing that you need to know about this tab is that although you can set permissions on individual users and groups, it is considered to be poor style to assign permissions to individual users. If you assign permissions to individual users, things can easily get out of hand, resulting in a management headache. As such, you should only assign permissions to groups.

Another thing that you might have noticed in the previous figure is the Advanced button. Since this is an article geared towards beginners I do not want to spend much time talking about advanced concepts, but there are two very important aspects of NTFS permissions that you need to be aware of.

If you click the Advanced button, you will see the Advanced Security Settings properties sheet, shown in Figure B. Take a look at the two checkboxes at the bottom of the Permissions tab.


Figure B:
The two checkboxes at the bottom of the Permissions tab allow you to control inheritance

The NTFS file system uses a concept known as inheritance. This just means that when you set a permission, that permission applies to any files or subfolders located below that point. The first of the checkboxes on the Permissions tab is selected by default. It allows inherited permissions to be applied to the selected folder, and to any subfolders beneath it.

The second checkbox allows you to replace any existing permissions on files or subfolders with the permissions that are shown in the list above.

As you can imagine, these check boxes are extremely powerful and using them incorrectly can have dire consequences. As such, I would strongly recommend that you never use either of these checkboxes. In fact, that is Microsoft's recommendation as well.
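The same kind of assignment made from PowerShell instead of the Security tab, as an added example that is not part of the original article. The folder path and group name are hypothetical placeholders; the script grants a permission to a group and then lists which entries on the folder are explicit, which are inherited, and whether any Deny entries exist.

```powershell
# Added example. $Path and $Group are hypothetical placeholders.
$Path  = 'D:\Shares\Finance'
$Group = 'CONTOSO\Finance-Modify'

# File level permissions require NTFS, so check the volume's file system first.
$root = [System.IO.Path]::GetPathRoot($Path)
$fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($fs -ne 'NTFS') { throw "$root is formatted as $fs; NTFS permissions are not available." }

# Build an Allow entry for a group rather than for an individual user.
# The inheritance flags make the entry apply to this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the entry to the folder's existing access control list and write it back.
$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Review the result: explicit entries first, then inherited ones,
# with the Allow or Deny type shown for each entry.
(Get-Acl -LiteralPath $Path).Access |
    Sort-Object IsInherited, AccessControlType |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```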

Contradictions

The way that the NTFS file system works, and the way that Windows security works in general, makes it possible for security contradictions to occur. For example, a user could be a member of two different groups with contradictory permissions. When this happens, there is an entire set of rules that can be applied to figure out which permissions take precedence.

Since this is a series written for beginners, I will not go into all the intricacies of the various rules. One thing that I will tell you is that an explicit denial always overrides any other permissions that have been given. Rather than go into a long discussion of the rest of the rules, I want to show you a tool that you can use to determine the effective permissions.

I have already shown you the Advanced Security Settings properties sheet, but take a look at the properties sheet's Effective Permissions tab, shown in Figure C. This tab allows you to enter the name of a user or a group. When you do, it will show you the effective permissions that are in place for the user or group.


Figure C:
The Effective Permissions tab allows you to see the NTFS permissions that are in effect for a particular user or group

If you are interested in learning more about how effective permissions are derived, there is a link at the bottom of this tab that you can click for more information.
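To make the contradiction case concrete, here is an added example (not from the original article) that models how contradictory entries are resolved for a user who belongs to several groups. It goes beyond the single rule stated above by applying the canonical entry order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow); it is a simplified model rather than the calculation behind the Effective Permissions tab, and all account names and entries are constructed sample data.

```powershell
# Added example: simplified model of resolving contradictory NTFS entries.
function Get-EffectiveRights {
    param(
        [string[]] $Identities,   # the user plus every group the user belongs to
        [object[]] $Entries       # objects with Identity, Type, Rights, Inherited
    )
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $ordered = $Entries | Sort-Object @{ Expression = { [bool]$_.Inherited } },
                                      @{ Expression = { $_.Type -ne 'Deny' } }
    $allowed = 0
    $denied  = 0
    foreach ($e in $ordered) {
        # Entries for accounts the user is not a member of do not apply.
        if ($Identities -notcontains $e.Identity) { continue }
        $bits = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        if ($e.Type -eq 'Deny') {
            # A Deny blocks every right that an earlier entry has not already granted.
            $denied = $denied -bor ($bits -band (-bnot $allowed))
        } else {
            # An Allow grants every right that an earlier entry has not already denied.
            $allowed = $allowed -bor ($bits -band (-bnot $denied))
        }
    }
    [System.Security.AccessControl.FileSystemRights]$allowed
}

# Constructed sample entries for one folder (all names are hypothetical).
$entries = @(
    [pscustomobject]@{ Identity = 'CONTOSO\Finance';     Type = 'Allow'; Rights = 'Modify'; Inherited = $false }
    [pscustomobject]@{ Identity = 'CONTOSO\Contractors'; Type = 'Deny';  Rights = 'Write';  Inherited = $false }
    [pscustomobject]@{ Identity = 'CONTOSO\Auditors';    Type = 'Allow'; Rights = 'Read';   Inherited = $true  }
)

# Member of both Finance and Contractors: the explicit Deny removes the
# write rights that the Modify entry on the other group would have granted.
Get-EffectiveRights -Identities 'CONTOSO\jsmith', 'CONTOSO\Finance', 'CONTOSO\Contractors' -Entries $entries

# Member of Finance only: no Deny entry applies, so the full Modify set remains.
Get-EffectiveRights -Identities 'CONTOSO\akhan', 'CONTOSO\Finance' -Entries $entries
```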

Conclusion

Unfortunately, this is going to be the last article in the Networking for Beginners series. This has been by far the longest series that I have ever written, and it has gone on for almost 2 years now. I am ending the series because it is just becoming too difficult to remember what I have and have not written about, and to keep the content fresh while staying on a beginner level. I sincerely hope that you have found this series to be beneficial. If so, I would kindly request that you send an e-mail to either me or to the editorial staff at WindowsNetworking.com. Depending on the response that is received, I may decide to write a similar series that discusses networking at the intermediate level. In the meantime though, I just want to say thank you for taking the time to read such a long series.
