Write—Users can create and modify files and read file attributes and permissions. However, this permission doesn't allow users to read or delete files. In most cases, the Read or Read & execute permission should be given with the Write permission.
Modify—Users can read, modify, delete, and create files. Users can't change permissions or take ownership. Selecting this permission automatically selects Read & execute, List folder contents, Read, and Write.
Full control—Users can perform all actions given by the Modify permission with the addition of changing permissions and taking ownership.
Standard permissions should suffice for most situations. Configuring special permissions
should be reserved for, well, special circumstances. The temptation to configure special
permissions to follow the least privilege principle can lead to breaking the “keep it simple” rule and
result in frustration for administrators and users. However, if you look at the NTFS permissions
Windows sets by default on every volume, you see a few ACEs that use special permissions. So
although you don't have to use them often, you need to understand them, particularly to figure
out how initial volume permissions are set. Table 6-1 describes each special permission and lists
which standard permissions include it.
Table 6-1 NTFS special permissions

| Special permission | Description | Included in standard permission |
|---|---|---|
| Full control | Same as the standard Full control permission | Full control |
| Traverse folder/execute file | For folders: Allows accessing files in folders or subfolders even if the user doesn't normally have access to the folder. For files: Allows running program files | Full control, Modify, Read & execute, List folder contents |
| List folder/read data | For folders: Allows users to view subfolders and filenames in the folder. For files: Allows users to view data in files | Full control, Modify, Read & execute, List folder contents, Read |
| Read attributes | Allows users to view file or folder attributes | Full control, Modify, Read & execute, List folder contents, Read |
| Read extended attributes | Allows users to view file or folder extended attributes | Full control, Modify, Read & execute, List folder contents, Read |
| Create files/write data | Allows users to create new files and modify the contents of existing files | Full control, Modify, Write |
| Create folders/append data | Allows users to create new folders and add data to the end of existing files but not change existing data in a file | Full control, Modify, Write |
| Write attributes | Allows users to change file and folder attributes | Full control, Modify, Write |
| Write extended attributes | Allows users to change file and folder extended attributes | Full control, Modify, Write |
| Delete subfolders and files | Allows users to delete subfolders and files in the folder | Full control |
| Delete | Allows users to delete the folder or file | Full control, Modify |
| Read permissions | Allows users to read NTFS permissions of a folder or file | Full control, Modify, Read & execute, List folder contents, Read, Write |
| Take ownership | Allows users to take ownership of a folder or file, which gives the user implicit permission to change permissions on that file or folder | Full control |
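To make Table 6-1 usable when reviewing ACEs, the following added example (not part of the original text) decodes an ACE access mask into the standard permissions it fully grants and any leftover special permissions, and flags masks that grant Change permissions or Take ownership without being Full control. The access-mask bit values come from the Windows SDK rather than this page, and the names `describe_ace`, `mask_of`, and `hidden_control`, the sample masks, and the rule that uncovered bits count as special are assumptions of this example.

```python
from functools import reduce
from operator import or_

# Access-mask bit of each special permission. Bit values are from the Windows SDK
# (not printed on the page); "Change permissions" is named in the page's Full
# control description rather than as a table row.
SPECIAL = {
    "List folder/read data": 0x000001,
    "Create files/write data": 0x000002,
    "Create folders/append data": 0x000004,
    "Read extended attributes": 0x000008,
    "Write extended attributes": 0x000010,
    "Traverse folder/execute file": 0x000020,
    "Delete subfolders and files": 0x000040,
    "Read attributes": 0x000080,
    "Write attributes": 0x000100,
    "Delete": 0x010000,
    "Read permissions": 0x020000,
    "Change permissions": 0x040000,
    "Take ownership": 0x080000,
}
SYNCHRONIZE = 0x100000  # present on most file ACEs, not a row in the table

def mask_of(*names):
    """OR together the bits of the named special permissions."""
    return reduce(or_, (SPECIAL[n] for n in names), 0)

# Standard permissions, built from the "Included in standard permission" column.
READ = mask_of("List folder/read data", "Read attributes",
               "Read extended attributes", "Read permissions")
WRITE = mask_of("Create files/write data", "Create folders/append data",
                "Write attributes", "Write extended attributes", "Read permissions")
READ_EXECUTE = READ | SPECIAL["Traverse folder/execute file"]  # same bits as List folder contents
STANDARD = {"Full control": mask_of(*SPECIAL),
            "Modify": READ_EXECUTE | WRITE | SPECIAL["Delete"],
            "Read & execute": READ_EXECUTE, "Read": READ, "Write": WRITE}
CONTROL = mask_of("Change permissions", "Take ownership")

def describe_ace(mask):
    """Split an ACE access mask into standard permissions and leftover special ones."""
    mask &= ~SYNCHRONIZE
    standard = [n for n, m in STANDARD.items() if mask & m == m]
    covered = reduce(or_, (STANDARD[n] for n in standard), 0)
    special = [n for n, bit in SPECIAL.items() if mask & ~covered & bit]
    # Ownership or DACL-write rights outside Full control are easy to miss in review.
    hidden = bool(mask & CONTROL) and "Full control" not in standard
    return {"standard": standard, "special": special, "hidden_control": hidden}

# Constructed sample masks: Modify+SYNCHRONIZE, append-only, Read plus Take ownership.
REPORT = {hex(m): describe_ace(m) for m in (0x1301BF, 0x100004, 0x0A0089)}
```

Generic rights bits (such as GENERIC_ALL) are not handled; masks are expected in their file-specific form.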
File and Folder Ownership

Every file system object (files and folders) has an owner.
The object owner is granted certain implicit permissions, regardless of how permissions are
set in the object's DACL: viewing and changing permissions for the object and transferring
 
 