Setting Permissions
Setting permissions on operating system objects such as files, directories, and registry keys provides a fine-grained access control mechanism. In Windows NT, access to objects is controlled by Discretionary Access Control Lists (DACLs). Each object in the operating system includes a DACL. Consider Example 2.2.
Example 2-2. A Sample DACL
stevesk: No Access Administrators: Write, Execute Users: Read
The DACL shown in Example 2.2 grants any member of the Administrators group Write and Execute permission. Members of the Users group have Read access. Permissions are cumulative. If a user is a member of both Users and Administrators, his effective access will be Read, Write, and Execute (the combined permissions of his user and the groups of which he’s a member). The user stevesk’s effective permission is “No Access,” regardless of which groups of which he is a member. This is because No Access overrides all other permissions.
Setting File-Level Permissions
The Windows NT File System (NTFS) supports the permissions shown in Table 2.9.
Table 2-9. The NTFS Permissions
NTFS Permission |
File |
Folder |
---|---|---|
Read (R) |
Display the contents of a file and other data such as the owner and permissions. |
Display the contents of a folder and other data such as the owner and permissions. |
Write (W) |
Modify the file. |
Add files and folders to the folder. |
Execute (X) |
Run the file, if it’s an executable. |
Make changes to folders within the folder. |
Delete (D) |
Delete the file. |
Delete ... |
Get Securing Windows NT/2000 Servers for the Internet now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.