
NTFS Basic Permissions

This video will look at the basic NTFS permissions that are available in Windows. Having an understanding of these permissions will give the administrator the foundation of how to secure their network.

Basic Permissions
There are 6 basic permissions that can be configured in Windows Explorer using the basic permissions interface. A later video looks at advanced permissions, which allow these 6 basic permissions to be broken down further and customized. To configure any basic permissions, right-click the file or folder that you want to configure the permission on, select the Security tab, press the Edit button and then add the users that you want to have access. Once the users have been added, tick and untick the basic permissions at the bottom of the Security window to enable or disable them.

List Folder Contents: This permission allows the user to see what files and folders are present. However, it does not give the user the ability to read or execute files. If the user attempts to open a document or execute a file, they will be denied access.

Read: The read permission gives the user the ability to read files. For example, they will be able to open a document and see its contents. However, the user will not be able to execute any files.

Read & Execute: This permission gives the user the ability to read documents and files and also to run any files that are executables. When the “Read & Execute” tick box is ticked, the “List folder contents” and “Read” tick boxes are ticked as well.

Write: The write permission gives the user only the ability to write to a document. If you apply only the write permission to a folder and then attempt to see the files in the folder, you will not be able to see any of them. In theory the user could create a file even though they could not see or read that file afterwards. The write permission is very application specific. For example, Notepad requires the read and write permissions in order to create files. Microsoft Word uses temporary files when saving, so it needs read, write and delete in order to create and update files. When assigning permissions, it is important to test them to ensure that they work with the application you intend to use.

Modify: The modify permission, when ticked, also automatically ticks all the permissions below it, which are “Read & Execute”, “List folder contents”, “Read” and “Write”. This allows the user to read, write and delete files.

Full control: Full control gives the user access to all other basic permissions and also gives the user the ability to change permissions and change the owner of the file. Change permission allows the user to change permissions on the file or folder to any permission they wish. Every file and folder in Windows has an owner associated with it. If the user is the owner of the file, they can change the permissions of the file or folder even if they do not have access to the file or folder. For example, if the user wanted to give themselves read-only access to a file to prevent themselves from accidentally changing it, they could. If later on they decided they needed write access, they would be able to add the write permission to the file because they are the owner of the file. The change ownership permission allows the owner of the file to be changed at any time. It is possible to remove all access to the file and change the ownership of the file to a different user. If this were to occur, the user is effectively locked out of the file. When this happens, the administrator has an additional right which allows them to change the owner of the file. If the administrator changes the ownership of the file to themselves, they will be able to change the permissions of the file.
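The Security tab steps above can also be scripted. The following PowerShell is an added example, not part of the original lesson: it grants Modify on a folder and then reads the entry back to show which basic permissions it includes. The folder path and group name are hypothetical values chosen for illustration.

```powershell
# Added example, not from the lesson. $Folder and $Group are hypothetical values.
$Folder = 'C:\Temp\NtfsDemo'
$Group  = 'BUILTIN\Users'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Equivalent of adding the group and ticking "Modify" on the Security tab.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Group,
    'Modify',
    'ContainerInherit, ObjectInherit',   # also applies to subfolders and files
    'None',
    'Allow')

$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Read the entry back and report which basic permissions its rights include.
$basic   = 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write'
$entries = (Get-Acl -LiteralPath $Folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited
}
foreach ($ace in $entries) {
    foreach ($name in $basic) {
        # Each basic permission is a set of bits; it is included when all its bits are set.
        $bits = [int][System.Security.AccessControl.FileSystemRights]$name
        [pscustomobject]@{
            Permission = $name
            Included   = (([int]$ace.FileSystemRights -band $bits) -eq $bits)
        }
    }
}
```

Run it against a scratch folder first, as the lesson advises testing permissions with the application you intend to use.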

Summary
The modify permission, also known as the change permission, gives the user the ability to read, write or delete files and folders. This is the most commonly assigned permission given to the end user. Full control permission adds the ability to change permissions and the owner of the file. This permission is often assigned to administrators and system users. If a user is the owner of a file or folder, they are able to change the permissions of that file even if they have no access to the file. An administrator has the ability to change the owner of a file or folder even if they have no access at all to the file. If the administrator makes themselves the owner of a file, they are able to change the permissions of the file or folder.
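Because Full control and ownership both allow the ACL to be rewritten, it is worth checking where they have been handed out beyond administrators and system accounts. The following PowerShell is an added example, not part of the original lesson: it walks a folder tree and reports unexpected owners and any Allow entry that can change permissions or take ownership. The root path and the list of expected identities are assumptions to adjust for your environment.

```powershell
# Added example, not from the lesson. $Root and $Expected are assumptions.
$Root     = 'D:\Shares\Finance'     # hypothetical folder to audit
$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# The two rights that Full control adds on top of Modify.
$AclControl = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
# GENERIC_ALL appears as a raw number on some inherit-only entries and also means Full control.
$GenericAll = 0x10000000

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # The owner can always change permissions, so an unexpected owner is a finding.
    if ($acl.Owner -notin $Expected) {
        [pscustomobject]@{
            Path = $item.FullName; Finding = 'UnexpectedOwner'
            Identity = $acl.Owner; Rights = $null; Inherited = $null
        }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value
        if ($name -in $Expected) { continue }

        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $AclControl) -ne 0) -or (($mask -band $GenericAll) -ne 0)) {
            [pscustomobject]@{
                Path = $item.FullName; Finding = 'CanChangeAcl'
                Identity = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}
```

Entries reported with `Inherited = False` are set directly on that item; inherited ones need to be corrected on the parent folder that defines them.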

