Learning NTFS Permissions

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by zimbo, Apr 10, 2006.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    I have found the need to seek professional help! It looks like I'm going to have to learn these once and for all as they will just crop up again and again in MS exams! :( I managed to get away with it in 270 but from reading other people's reviews on 290 if I don't learn them no way I'll pass!

    So guys any ideas? When to use modify, read and execute etc etc... something I can print out and read everywhere for the next 2 weeks or any tips on how I can manage to learn these properly!

    Thanks!
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. _omni_

    _omni_ Megabyte Poster

    i find them very easy. there aren't very many, so just memorize them and their functions, and make lab scenarios with share and ntfs permissions and learn what makes what.
    the effective permissions tab is useful.
     
    Certifications: MCSE 2003, MCSA:M
  3. Clyde

    Clyde Megabyte Poster

    :dry you might find them used in the real world now and again also...
     
    Certifications: A+, Network+, Security+, MCSA, MCSE
    WIP: MCITP
  4. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    not sure what your question is. when to use which permission? depends on the situation and the access that the users require to the resources.
     
  5. zimbo
    Honorary Member

    zimbo Petabyte Poster

    no no I know you need them in the real world, the problem I'm having is learning them.. which permissions do I apply in a given scenario for example..
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  6. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    :blink
    but your scenarios are dictated by the needs of the enterprise, which are often defined together with departmental managers. for example, some users should only get read access to some files, while others should get modify access. there is no fixed template.
    i really don't understand your question. is it you don't understand how to apply share and ntfs rights together? or is it you don't understand the differences between modify, write and execute? please elaborate.
     
  7. zimbo
    Honorary Member

    zimbo Petabyte Poster

    d-Faktor I don't seem to understand the differences between them.. :oops:
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  8. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    aha. okay, here goes. all permissions are building on top of each other, each time taking it one step further.

    • read - user can open the file, but user can not save changes and can not delete the file. user can also view attributes, ownership and permissions. if application, user can not run it.
    • write - same as read, but additionally user can now also save changes and change attributes.
    • read/execute - same as read, but additionally user can now also run it if application.
    • modify - same as read, write, and read/execute, but additionally user can now also delete the file.
    • full control - same as modify, but additionally user can now also change ownership and permissions.

    [edit] i'm doing this from the top of my head. i hope no mistakes have slipped in the post, as i'm trying to focus on an exchange problem here at work as well.
     
  9. _omni_

    _omni_ Megabyte Poster

    write doesn't allow read access. you would have to also specify read.
     
    Certifications: MCSE 2003, MCSA:M
  10. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    note to self: never answer questions at cf, when your mind is fully occupied on solving urgent problems elsewhere. :tune
     
  11. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    I just want to extend this slightly if I may by asking how would effective permissions work?

    i.e. User is a member of 'X' group which has 'Y' permissions on 'A' folder, but the user is also a member of another group which has 'Z' NTFS permissions on the A folder, however on the shared folder itself the user only has 'read' access.

    Make sense? Hope so! Took me ages to get my head around that sort of thing, and now I'm struggling to remember it! :oops:
     
  12. _omni_

    _omni_ Megabyte Poster

    NTFS permissions are cumulative, share permissions are cumulative.
    when used together (say, accessing a folder over the network) the more restrictive of the two (culminations) "wins".

    let's say that Y=read and Z=write.
    so User would get read and write permissions to the folder locally, but over the network would have only read access.
     
    Certifications: MCSE 2003, MCSA:M
  13. Luddym

    Luddym Megabyte Poster

    The best practice is to leave the Shared permissions wide open, (By giving full access to everyone) and then bolting the security down with NTFS.
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  14. zimbo
    Honorary Member

    zimbo Petabyte Poster

    yeah that one I figured out Lud thanx mate! :biggrin d-faktor nice little table I'll copy yours and add the others I need to know thanks! Also thanks to the rest of you for giving more hints and tips..

    :alc
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  15. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    ouch! that is definitely not the best practice. you might bolt it down using ntfs, but leaving everyone with full control on the share is yet another vulnerability. you might forget to bolt it down, and you always need accounts that have full ntfs access. always minimize the risk. using a combination of share and ntfs access rights is the best practice.
     
  16. Luddym

    Luddym Megabyte Poster

    Oooops, Learnkey should get a slap on the wrist then. :blink
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  17. zimbo
    Honorary Member

    zimbo Petabyte Poster

    isn't it "MS best practice" (also in the books they suggest this..) to give everyone full control on the share then lock down with NTFS.. the reason being if you have full control NTFS and Read for the share (default) you will only have Read as the effective permission? :rolleyes:
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  18. Luddym

    Luddym Megabyte Poster

    I think the way it was described was . . . . .

    The share is only effective over the network, so If a user sits at the PC that the share is on, they can access the files.

    NTFS permissions are effective everywhere.
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  19. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Wouldn't that counter against what _omni_ said earlier in the thread though?

    Now I remember where I got confused with this stuff! :eek:
     
  20. Luddym

    Luddym Megabyte Poster

    Nope, I think I may have just said it confusingly,

    What I meant was . . . If you sit at a machine with the share on, then the Share permissions don't count. So even if the share permissions are set to deny, you can still access the files.

    NTFS permissions count wherever you are. So you can't bypass security by simply sitting at the machine. Thus, they are effective everywhere.

    But yes, the overall permissions are the cumulation of NTFS and share. Hence why I thought it was best practice to leave Shares open, and lock down with NTFS. :)
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
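
The rules worked out in this thread (grants accumulate across groups, the more restrictive of share and NTFS applies over the network, only NTFS applies at the console), modelled as an added example that is not part of any post. The mask values are the standard Windows file access masks; the ACLs and group memberships are constructed, and "any deny beats any allow" is a simplification of how Windows walks ACEs in order.

```python
# Added illustration, not from the thread. Masks are the standard Windows file
# access masks; group names and ACLs are constructed sample data.
# Simplification: any matching deny beats any allow (Windows really walks ACEs
# in order, with explicit deny entries placed first in canonical order).
READ         = 0x120089  # NTFS Read
WRITE        = 0x100116  # NTFS Write (contains no read-data bit)
READ_EXECUTE = 0x1200A9  # NTFS Read & Execute; also share-level Read
MODIFY       = 0x1301BF  # NTFS Modify; also share-level Change
FULL_CONTROL = 0x1F01FF  # Full Control (adds WRITE_DAC and WRITE_OWNER)
STANDARD = [("Read", READ), ("Write", WRITE), ("Read & Execute", READ_EXECUTE),
            ("Modify", MODIFY), ("Full Control", FULL_CONTROL)]

def cumulative(acl, groups):
    """OR together allow ACEs for the user's groups, then strip denied bits."""
    allow = deny = 0
    for trustee, kind, mask in acl:
        if trustee in groups:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(ntfs_acl, share_acl, groups, over_network):
    """NTFS always applies; the share ACL only filters network access."""
    ntfs = cumulative(ntfs_acl, groups)
    return ntfs & cumulative(share_acl, groups) if over_network else ntfs

def describe(mask):
    """Standard permissions fully contained in mask (the boxes that would be ticked)."""
    return [name for name, bits in STANDARD if mask & bits == bits]

# simongrahamuk's scenario with _omni_'s values: X has Read, Z has Write, share is Read.
GROUPS = {"X", "Z", "Everyone"}
NTFS_A = [("X", "allow", READ), ("Z", "allow", WRITE)]
SHARE_READ = [("Everyone", "allow", READ_EXECUTE)]
# d-Faktor's concern: an over-broad NTFS grant behind an open vs. a tightened share.
NTFS_LOOSE = [("Everyone", "allow", FULL_CONTROL)]
SHARE_OPEN = [("Everyone", "allow", FULL_CONTROL)]
SHARE_CHANGE = [("Everyone", "allow", MODIFY)]
# Luddym's point: a share-level deny does nothing at the console.
SHARE_DENY = [("Everyone", "allow", FULL_CONTROL), ("Z", "deny", FULL_CONTROL)]

if __name__ == "__main__":
    print("local  :", describe(effective(NTFS_A, SHARE_READ, GROUPS, False)))
    print("network:", describe(effective(NTFS_A, SHARE_READ, GROUPS, True)))
    print("open   :", describe(effective(NTFS_LOOSE, SHARE_OPEN, GROUPS, True)))
    print("change :", describe(effective(NTFS_LOOSE, SHARE_CHANGE, GROUPS, True)))
    print("deny   :", describe(effective(NTFS_A, SHARE_DENY, GROUPS, True)),
          describe(effective(NTFS_A, SHARE_DENY, GROUPS, False)))
```

With the open share, the over-broad NTFS grant reaches network users as Full Control; with the share capped at Change, the same mistake stops at Modify, so permissions and ownership cannot be changed over the network.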
