Chapter 11: Securing and Sharing Your Data
Controlling Access to Your Data
When your disk drive or storage device is formatted using NTFS, you can use NTFS
permissions to control access to your data. As mentioned earlier, NTFS permissions
can be broken down into five broad categories: basic permissions, special permissions,
ownership permissions, inherited permissions, and effective permissions. The
sections that follow discuss how to use each type of permission.
Basic Permissions
With NTFS, permissions are stored in the filesystem as part of the access control list
(ACL) assigned to a file or a folder. As described in Table 11-1, files and folders have
a slightly different set of basic permissions.
When working with permissions, keep in mind that some permissions
are inherited based on the permissions of a parent folder. Inherited
permissions are applied automatically, and you cannot edit inherited
permissions without first overriding them.
Table 11-1. Basic permissions for files and folders
Permission | How it’s used | Used with…
Full Control | Grants full control over the selected file or folder. Permits reading, writing, changing, and deleting files and subfolders. Also permits changing permissions, deleting files in the folder regardless of their permissions, and taking ownership of a folder or a file. Selecting this permission selects all the other permissions as well. | Files and folders
Modify | Permits reading, writing, changing, and deleting a file or folder. With folders, permits creating files and subfolders, but does not allow taking ownership of a file or folder. Selecting this permission selects all the permissions below it. | Files and folders
Read & Execute | Permits executing files. With folders, permits viewing and listing files and subfolders as well as executing files. If applied to a folder, this permission is inherited by all files and subfolders within the folder. Selecting this permission selects the List Folder Contents and Read permissions as well. | Files and folders
List Folder Contents | Permits viewing and listing files and subfolders as well as executing files. Inherited only by subfolders and not by files within the folder or its subfolders. | Folders only
Read | Permits viewing and listing the contents of a file or folder. Permits viewing file attributes, reading permissions, and synchronizing files. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. | Files and folders
Write | Permits creating new files in folders and writing data to existing files. Permits viewing file attributes, reading permissions, and synchronizing files. Doesn’t prevent deleting a folder or file’s contents. | Files and folders
Viewing and modifying existing basic permissions
You can view or modify a file or folder’s existing basic permissions by completing the
following steps:
1. In Windows Explorer, right-click the file or folder you want to work with and
then select Properties.
2. In the Properties dialog box, select the Security tab. As shown in Figure 11-3, the
“Group or user names” list shows all users and groups with basic permissions
for the selected file or folder. If you select a user or a group in this list, the
assigned permissions are displayed in the “Permissions for” list.
If permissions are shaded (unavailable), it means they have been inherited
from a parent folder. I cover inheritance in detail in the “Inherited
Permissions” section, later in this chapter.
Figure 11-3. Working with basic permissions
3. Before you can change or remove permissions, you’ll need to click Edit. This
opens an editable view of the Security tab in a new dialog box.
4. Click the existing user or group whose permissions you want to modify.
5. To modify existing permissions, use the Allow and Deny columns in the
“Permissions for” list. Select checkboxes in the Allow column to add permissions,
and clear checkboxes to remove permissions.
6. To prevent a user or a group from using a permission, select the appropriate
checkbox in the Deny column. Denied permissions have precedence over other
7. Click OK to save your changes.
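The same view and edit can be done from PowerShell, which makes the inherited and explicit entries easy to audit. The following is an added example, not from the book; the scratch folder name and the choice of the built-in Users group (referenced by its well-known SID) are assumptions made for the demonstration.

```powershell
# Added example: works on a scratch folder under %TEMP% (constructed for the demo).
$path = Join-Path $env:TEMP 'ntfs-perm-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# BUILTIN\Users by well-known SID, so the example does not depend on the OS language.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

function Show-Ace([string]$Target) {
    # Scripted equivalent of the "Group or user names" and "Permissions for" lists.
    # IsInherited = True corresponds to the shaded (unavailable) checkboxes.
    (Get-Acl -Path $Target).Access |
        Sort-Object IsInherited, AccessControlType |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

'--- Before: entries inherited from the parent folder ---'
Show-Ace $path

$acl     = Get-Acl -Path $path
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rights  = [System.Security.AccessControl.FileSystemRights]
$type    = [System.Security.AccessControl.AccessControlType]

# Explicit Allow for Modify (step 5: a checkbox in the Allow column).
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $rights::Modify, $inherit, $prop, $type::Allow)

# Explicit Deny for Write (step 6: a checkbox in the Deny column).
# The Deny entry wins over the Allow entry above for the overlapping write rights.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $rights::Write, $inherit, $prop, $type::Deny)

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl   # step 7: the equivalent of clicking OK

'--- After: explicit Allow and Deny entries (IsInherited = False) ---'
Show-Ace $path

# Clean up the scratch folder.
Remove-Item -Path $path -Recurse -Force
```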
Adding new basic permissions
You can add new basic permissions to a file or folder by completing the following
1. In Windows Explorer, right-click the file or folder you want to work with and
then select Properties.
2. In the Properties dialog box, select the Security tab. The “Group or user names”
list shows all users and groups with basic permissions for the selected file or
3. If a user or group whose permissions you want to assign isn’t already listed, click
Edit. This opens an editable view of the Security tab in a new dialog box.
4. Click Add to display the Select Users or Groups dialog box, shown in Figure 11-4.
Figure 11-4. Select Users or Groups dialog box
