Windows Permissions
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Permissions management is a tool to help prevent unauthorized access. Windows has two types of permissions. We will examine the difference between Share Permissions and NTFS Permissions (also called Security Permissions). Both types of permissions can be granted to specific Users or Groups.
Groups: A group contains several member user accounts that have the same access rights to a resource, such as a folder of files.
Share Permissions
During the early days of networking and sharing files in Windows, the file system, FAT16, had limitations. The only way to secure the shared content was to set permissions on the Share, which is the entry point to the file system.
File systems: A way of organizing a drive that indicates how data is stored and designates what types of information can be attached to the files (such as file names and permissions).
Alice and Bob are part of the Accounting team that is working on the yearly budgets. Alice has a folder containing the budget files stored locally on her computer. Bob also needs to work on these files, but he sits in an office down the hall. If Alice shares the budgets folder with Bob, he can access and work on the files from his location.
If Alice grants Share Permissions for the Budgets folder, Bob can work on the files in the folder over the network. Windows offers Alice three different Share Permissions: Read, Change, and Full Control. When granting permissions, use the principle of least privilege.
Read: Bob can view the folder’s contents.
Change: Bob can read, write, execute, or delete files and/or folders within the share.
Full Control: Bob will have Read and Change permissions, and he will also be able to edit permissions and take ownership of files.
Principle of Least Privilege: Giving a user or group account only those privileges which are essential to perform a required function.
Everyone group: A built-in group controlled by the Windows operating system whose members include all users.
When Alice shares the Budgets folder, there is an initial default setting for the share permissions: the Everyone group gains the Read permission. Alice needs to be aware that Bob can now view the Budgets folder’s contents, but so can everyone else on the network.
Using Share permissions has some limitations. First, there are only three levels possible: Full Control, Change, and Read. Second, once Alice grants permissions for the share (in this case the Budgets folder), those permissions apply to any files, folders, and subfolders within the share. Share permissions do not allow Alice to granularly control access to specific files and/or folders within the Budgets folder.
NTFS Permissions
NTFS is the default file system used in Windows. NTFS supports larger file sizes and hard drives and is more secure than FAT, its predecessor. NTFS permissions (or Security permissions) are used to manage access to files and folders stored in an NTFS file system. NTFS permissions offer more options than Share permissions. An advantage with NTFS permissions is that they affect local users as well as network users.
Full Control: Users can read, write, change and delete files and subfolders. Users can also change permissions settings for all files and subfolders.
Modify: Users can read and write to files and subfolders and can delete the folder.
Read & Execute: Users can view contents and can run executable files.
List folder contents: Users can view and list files and subfolders and can execute files.
Read: Users can view the folder and any subfolder contents.
Write: Users can add files and subfolders and can write to a file.
NTFS permissions allow Alice to granularly control the type of access she can grant the others in the accounting department. When Alice uses share and NTFS permissions together, the most restrictive permission applies.
The table shows what tasks can be accomplished by a user based on the permissions granted.
[Table: the columns are the basic permissions (Basic Full Control, Basic Modify, Basic Read & Execute, Basic List Folder Contents, Basic Read, Basic Write); the rows are the tasks (Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership). The cell values were not preserved.]
Alice grants explicit permissions when she creates the object or when she specifically sets permissions using the Security tab in Properties.
Say that Alice created three subfolders within her Budgets folder. Yr1, Yr2, and Yr3 will inherit whatever permissions Alice sets for the Budgets folder because those folders are considered child objects of the parent object, the Budgets folder.
Any NTFS permissions that Alice directly assigns to the Yr1 folder, together with the permissions inherited from the Budgets folder, are called the Effective Permissions for the Yr1 folder.
Carol, Bob, David, and Earl are all members of the Accounting team. Alice can grant permissions to each user account individually, or she can create a group account and add Carol, Bob, David, and Earl as members.
Permission Precedence
With User/Group rights, Share/NTFS Permissions, and explicit/inherited permissions, conflicting permission settings can result. The following rules resolve them:
- Deny overrides Allow.
- Explicit permissions take precedence over Inherited permissions.
- Permissions inherited from a nearer relative take precedence over permissions inherited from a distant relative.
- Permissions from different user groups are cumulative.
If Alice uses share permissions and NTFS permissions together that cause a conflict in configuration, the most restrictive permission applies. If she grants Bob Modify NTFS permission to the Budgets folder but does not share the folder, Bob will not be able to access the Budgets folder from the network.
Alice has granted Share and NTFS permissions to the Budgets folder. What access will Bob have? Select all of Bob’s access to the Budgets folder.
- Read
- Read & Execute
- List Folder Contents
- Write
- Modify
- Full Control
Alice has granted Share and NTFS permissions to the Budgets folder. What tasks can Bob perform? Select the tasks that indicate Bob’s access to the Budgets folder.
- Read files in Budgets
- Execute a script in Budgets
- Create a sub-folder in Budgets
- Delete a file in Budgets
- Change permissions
Alice now has options on how she manages access to the Budgets folder. She can grant certain permissions or explicitly use the Deny permission. A deny permission is a restrictive permission, so it overrides more lenient permissions. Say that Bob is a member of the Accounting group. Alice needs to give that group access to a document containing the salaries of all employees, but Bob is a clerk who should not have access to that type of information.
In this case, Alice can apply the Deny permission to Bob’s User Account to override permissions given to the Accounting group.
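The grants described above, written out as PowerShell. This is an added example and not part of the original module: it shares the folder to a named group, grants NTFS Modify on the parent folder, and places an explicit Deny for Bob on one file. The path C:\Budgets, the local group Accounting, the local user Bob and the file Salaries.xlsx are assumed names.

```powershell
# Added example; run in an elevated PowerShell session on a test machine.
# Assumed (hypothetical) names: C:\Budgets, local group "Accounting",
# local user "Bob", and the file Salaries.xlsx. The accounts must already exist.
$path = 'C:\Budgets'
$file = Join-Path $path 'Salaries.xlsx'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permission: grant Change to the Accounting group by name
# (least privilege) instead of relying on the Everyone group.
New-SmbShare -Name 'Budgets' -Path $path -ChangeAccess 'Accounting' | Out-Null

# NTFS permission on the parent folder: Allow Modify for Accounting,
# inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'Accounting', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $path
$acl.AddAccessRule($allow)
Set-Acl -Path $path -AclObject $acl

# Create the file after the folder ACL is set so it inherits the Allow entry.
if (-not (Test-Path -Path $file)) {
    New-Item -ItemType File -Path $file | Out-Null
}

# Explicit Deny for Bob on the salaries file only. Bob remains a member of
# Accounting, but Deny overrides the Allow he inherits through the group.
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'Bob', 'FullControl', 'Deny')
$fileAcl = Get-Acl -Path $file
$fileAcl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $fileAcl

# Review both layers: the share entries, then the NTFS entries on the file.
# IsInherited separates the explicit Deny from the inherited Allow.
Get-SmbShareAccess -Name 'Budgets' |
    Select-Object AccountName, AccessControlType, AccessRight
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```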
Alice shared the Budgets folder giving the Everyone group Read permission. Additionally, she granted the Accounting group Modify NTFS permissions to the Budgets folder. Bob is a member of the Accounting group. What access will Bob have to Yr2? Select all correct statements to indicate Bob’s access to the Budgets folder.
- Bob can read files within Yr2
- Bob can see the contents of the Yr2 folder
- Bob can create files
- Bob can create an additional folder under Yr2
- Bob can delete folders
Alice shared the Budgets folder giving the Everyone group Read permission. Additionally, she granted the Accounting group Modify NTFS permissions to the Budgets folder. Bob is a member of the Accounting group. Bob cannot edit the files in the Yr2 folder. Why?
- Bob’s access is limited by the NTFS permissions granted to the Accounting group.
- Bob’s access is limited by share permissions granted to the Accounting group.
- Bob’s access is limited by share permissions granted to Everyone.
- Bob can only be granted access with explicit permissions to Yr2.
Alice granted the following permissions:
- Everyone has Full Control Share permissions to Budgets.
- Accounting has Modify NTFS permissions to Budgets.
- Bob has Write NTFS permissions to Yr1.
What permissions will Bob have to the Yr1 folder?
Bob is a member of the Accounting group. Based on the permissions listed below, place each task under the appropriate column: Tasks Bob Can Do or Tasks Bob Cannot Do.
Permissions:
- Everyone Full Control Share Permissions to Budgets
- Accounting Write NTFS Permissions to Budgets
- Bob Deny Write NTFS Permissions to Yr1
- Bob Modify NTFS Permissions to Yr2
Tasks:
- Create a new file in the Budgets folder
- Delete a file from the Budgets folder
- See what files and subfolders are in the Budgets folder
- Read all files in the Yr1 folder
- All members of the Accounting group can create files in Yr1
- Delete a subfolder within Yr2
- Change permissions in the Yr2 folder
Alice granted the Accounting group Modify NTFS permissions to the Budgets folder. David has been working on the file within the Yr3 folder remotely, but he cannot save it in the Yr3 folder. What should Alice do?
- Grant the Accounting group Modify NTFS Permissions to Yr3
- Grant the Accounting group Change Share Permissions to Budgets
- Grant the Everyone group Modify NTFS Permissions to Budgets
- Grant David Modify NTFS Permissions to Budgets
What permissions should Alice grant to Earl so that he is the only one who can delete files and subfolders remotely within the Budgets folder (select 2)?
- Everyone group Modify Share Permissions to Budgets
- Everyone group Full Control Share Permissions to Budgets
- Earl Modify NTFS Permissions to Budgets
- Earl Full Control NTFS Permissions to Budgets
- Accounting group Modify NTFS Permissions to Budgets
- Accounting group Full Control NTFS Permissions to Budgets
- Accounting group Deny Modify NTFS Permissions to Budgets