8-3 Lesson 1 Introduction to NTFS Permissions

You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

Standard NTFS File Permissions

You assign file permissions to control the access that users have to files. Table 8-2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.

Table 8-2  NTFS File Permissions

This NTFS File Permission   Allows the User to
Read                        Read the file and view file attributes, ownership, and permissions
Write                       Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute              Run applications, plus perform the actions permitted by the Read permission
Modify                      Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
Full Control                Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

How Windows XP Professional Uses Access Control Lists

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user cannot access the resource.

How Effective Permissions Are Calculated When Multiple Sets of NTFS Permissions Are in Effect

It is possible for multiple sets of NTFS permissions to apply to a user for a particular resource. For example, a user might be a member of two different groups, each of which is assigned different permissions to access a resource. To assign permissions effectively, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.

What Are Effective Permissions?

A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all the groups to which the user belongs. If a user is granted Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.

Exam Tip  To manually calculate effective NTFS permissions, first combine all allow permissions from all sources. Next, determine any deny permissions the user has. Deny permissions override allow permissions. The result is the user’s effective permissions for the resource.

How File Permissions Override Folder Permissions

NTFS permissions assigned to files take priority over NTFS permissions assigned to the folder that contains the file. If you have permissions for a file and you also hold the Bypass Traverse Checking security permission, you can access the file even if you do not have access to the folder that contains it. You open such a file from its application by using the full Universal Naming Convention (UNC) or local path to the file. In other words, when you lack permission to the folder containing a file, you need both the Bypass Traverse Checking security permission and the full path to the file, because without access to the folder you cannot see it and therefore cannot browse for the file.

See Also  The Bypass Traverse Checking security permission is described further in Lesson 2, “Assigning NTFS Permissions and Special Permissions.”

How Deny Permissions Override Allow Permissions

In addition to granting a permission, you can also specifically deny a permission (although this is not the recommended method of controlling access to resources). Denying a permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8-1).

In Figure 8-1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
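The evaluation rules in this lesson (the ACL must contain a matching ACE, Allow entries from the user account and all of its groups are combined, and a matching Deny entry overrides them) can be modelled in a few lines. The Python below is an added example, not code from the training kit; it encodes Table 8-2 as sets of actions and replays the Figure 8-1 scenario. The atomic action names, keeping the Write set disjoint from Read, the inheritance of FolderA's entries into File2, and the extra account User2 are assumptions made for the model.

```python
"""Model of NTFS effective-permission evaluation (added example, not from the
training kit). Rules modelled: the ACL must hold a matching ACE, Allow entries
for the user and all its groups are combined, matching Deny entries override."""
from dataclasses import dataclass

# Atomic actions behind the standard permissions of Table 8-2. Assumption: the
# sets are kept disjoint (viewing ownership and permissions is counted under
# Read only, although the table also lists it under Write) so that subtracting
# a denied set leaves a readable remainder.
READ = frozenset({"read_data", "view_attributes", "view_ownership", "view_permissions"})
WRITE = frozenset({"write_data", "change_attributes"})
READ_EXECUTE = READ | {"execute"}
MODIFY = READ_EXECUTE | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}

STANDARD = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ_EXECUTE,
    "Modify": MODIFY,
    "Full Control": FULL_CONTROL,
}


@dataclass(frozen=True)
class ACE:
    """One access control entry: trustee, standard permission, Allow or Deny."""
    trustee: str
    permission: str
    allow: bool = True


@dataclass(frozen=True)
class Principal:
    """A user account together with the groups it belongs to."""
    name: str
    groups: frozenset = frozenset()

    def identities(self):
        return {self.name} | set(self.groups)


def effective_rights(principal, acl):
    """Exam-tip procedure: union every Allow entry that names the user or one of
    the user's groups, then subtract everything a matching Deny entry covers."""
    ids = principal.identities()
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in ids:
            continue  # entry belongs to someone else
        target = allowed if ace.allow else denied
        target.update(STANDARD[ace.permission])
    return allowed - denied


def has_access(principal, acl, right):
    """True only if some ACE grants the action and no matching ACE denies it.
    A principal with no matching ACE at all ends up with an empty set."""
    return right in effective_rights(principal, acl)


def standard_names(rights):
    """Names of the standard permissions fully covered by a set of rights."""
    return sorted(name for name, needed in STANDARD.items() if needed <= rights)


# Figure 8-1 scenario, constructed from the lesson's description.
FOLDER_A_ACL = [
    ACE("User1", "Read"),
    ACE("Group B", "Write"),
]
# Assumption: File2 inherits FolderA's entries and carries the explicit
# Deny Write entry for Group A that the figure describes.
FILE2_ACL = FOLDER_A_ACL + [ACE("Group A", "Write", allow=False)]

USER1 = Principal("User1", frozenset({"Group A", "Group B"}))
# Constructed extra account with no ACE anywhere, to show the "no entry" rule.
USER2 = Principal("User2", frozenset({"Group C"}))


if __name__ == "__main__":
    for label, acl in (("FolderA", FOLDER_A_ACL), ("File2", FILE2_ACL)):
        rights = effective_rights(USER1, acl)
        print(f"User1 on {label}: {standard_names(rights)} {sorted(rights)}")
    print("User1 can write File2:", has_access(USER1, FILE2_ACL, "write_data"))
    print("User2 can read File2:", has_access(USER2, FILE2_ACL, "read_data"))
```

Running the block shows User1 with Read and Write on FolderA but only Read on File2: the Deny Write entry for Group A removes the write actions that Group B's Allow entry contributed, while the Read entry for User1 survives. User2, with no matching entry in either ACL, gets no access at all, which is the "no ACE, no access" rule from the ACL section.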