NTFS permissions basic policies and principles

Source: Internet
Author: User
Tags: least privilege, ntfs, permissions

Before attending an IT Technical Support Engineer job interview, I was asked about NTFS permissions.

So, what are the NTFS permissions for files and folders on Windows Server, and how are they set?

My theory and experience at the time were limited to setting up a simple share that LAN clients could access, and to knowing something about deny priority and permission inheritance. My personal understanding was not very systematic, and the overall picture was not complete.

Recently, after building file servers for several enterprises, I seem to have gained a deeper understanding of file servers.

The main permissions for a file are: Read, Write, Read & execute, Modify, Full control, plus custom combinations.


The permissions for a folder are: Read, Write, List folder contents, Modify, Full control, plus custom combinations.


As you can see, NTFS permissions are quite granular.

File server folder structures generally fall into three categories: public folders, department folders, and users' private folders. They can all be organized under one root folder with a single share, while NTFS permissions are set separately on each; how they are set depends mainly on the nature of the resources and the enterprise's needs.


That is not described in detail here; the following focuses on the four cardinal principles of NTFS permission management:

the principle of permission inheritance; the principle that deny takes precedence over allow; the accumulation principle; the principle of least privilege.

Mastering these four basic principles plays a very important role in configuring a file server.

The principle of permission inheritance

For example, there is a folder MCSE with 4 subfolders, and the user Mary now needs Write permission on the MCSE folder and all of its subfolders. Because of the inheritance principle, it is only necessary to grant Mary Write permission on the MCSE folder; the subfolders automatically inherit that permission.


Deny takes precedence over allow

When a user belongs to two or more groups, and any one of those groups is denied a permission on a resource, the user's effective permission on that resource is denied.

Scenario: if a resource needs to be readable and writable by all users of the marketing department except Mary, we grant Read and Write to the markets group and add a Deny Read and Write entry for Mary.

The accumulation principle

Suppose the user Mary belongs to both the A user group and the B user group; group A has Read permission and group B has Write permission. By the accumulation principle, Mary's effective permissions are both of them: Read + Write.

Scenario:

Suppose Mary is a marketing department manager and belongs to 2 groups, markets and managers;

the folder MCSE grants permissions to these 2 groups: the markets group has Read permission and the managers group has Modify permission, so the user Mary's effective permission is "Read + Modify".

The principle of least privilege

Windows Server recommends the NTFS file system mainly because permissions on NTFS partitions can be set finely: file permissions are Read, Write, Read & execute, Modify and Full control, and folder permissions are Read, Write, List folder contents, Modify and Full control.

This principle restricts users' effective permissions as far as possible to the access they need and withholds unnecessary access to resources, so that resources get the greatest possible security.

Based on this principle, in actual permission-granting operations we must explicitly grant or deny each permission on the resource.

Scenario:

A user has no permissions on the MCSE folder, and the user Mary now needs permission to read it. If Read is enough, do not give Write; if Write is enough, do not give Modify; if Modify is enough, do not give Full control.
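The four principles above (inheritance, deny over allow, accumulation, least privilege) can be watched working together in a small model of how NTFS evaluates an ACL. The following Python block is an added example, not code from the original article and not the Windows implementation; it follows the canonical ACE order Windows uses (explicit Deny, explicit Allow, then inherited Deny and Allow, level by level) and simplifies the rights to five bits. The subfolder names, the Marketing share, the user Bob and the group memberships are constructed for the demo. It goes one step beyond the article: the last demo shows that Deny only beats Allow at the same level, because an explicit Allow on a subfolder comes before an inherited Deny in canonical order and overrides it.

```python
from dataclasses import dataclass, field
from enum import IntFlag


# Simplified model of NTFS rights (assumption: real NTFS has many more specific
# rights; these five bits are enough to reason about the four principles).
class Rights(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    READ_AND_EXECUTE = READ | EXECUTE
    MODIFY = READ | WRITE | EXECUTE | DELETE
    FULL_CONTROL = MODIFY | CHANGE_PERMS


@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    rights: Rights
    allow: bool = True       # False makes this a Deny entry
    inherited: bool = False  # True once it has been propagated from a parent


@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    explicit: list = field(default_factory=list)  # entries set directly on this folder

    def acl(self) -> list:
        """Entries in NTFS canonical order: explicit Deny, explicit Allow,
        then the inherited entries (each parent level again Deny before Allow)."""
        own = sorted(self.explicit, key=lambda a: a.allow)  # False (Deny) sorts first
        inherited = []
        if self.parent is not None:
            inherited = [Ace(a.principal, a.rights, a.allow, inherited=True)
                         for a in self.parent.acl()]
        return own + inherited


def effective_rights(folder: Folder, user: str, groups: set) -> Rights:
    """Walk the ACL in canonical order; the first entry that mentions a right bit
    decides that bit. Allows from different groups accumulate (bitwise OR)."""
    principals = {user} | set(groups)
    granted = denied = 0
    for ace in folder.acl():
        if ace.principal not in principals:
            continue
        if ace.allow:
            granted |= int(ace.rights) & ~denied
        else:
            denied |= int(ace.rights) & ~granted
    return Rights(granted)


def demo_inheritance() -> Rights:
    # One Allow on MCSE; the four subfolders inherit it without entries of their own.
    mcse = Folder("MCSE", explicit=[Ace("Mary", Rights.WRITE)])
    subfolders = [Folder(f"Sub{i}", parent=mcse) for i in range(1, 5)]  # constructed names
    results = {effective_rights(sub, "Mary", set()) for sub in subfolders}
    assert results == {Rights.WRITE}
    return results.pop()


def demo_deny_precedence() -> tuple:
    # Marketing share: the markets group may read and write, Mary alone is denied.
    share = Folder("Marketing", explicit=[
        Ace("markets", Rights.READ | Rights.WRITE),
        Ace("Mary", Rights.READ | Rights.WRITE, allow=False),
    ])
    return (effective_rights(share, "Mary", {"markets"}),
            effective_rights(share, "Bob", {"markets"}))   # Bob is a constructed user


def demo_accumulation() -> Rights:
    # markets has Read, managers has Modify; Mary is in both.
    mcse = Folder("MCSE", explicit=[Ace("markets", Rights.READ),
                                    Ace("managers", Rights.MODIFY)])
    return effective_rights(mcse, "Mary", {"markets", "managers"})


def demo_explicit_beats_inherited() -> tuple:
    # Caveat: Deny wins over Allow only at the same level. Sub1 has an explicit
    # Allow, which precedes the Deny it inherits from MCSE; Sub2 has no such entry.
    mcse = Folder("MCSE", explicit=[Ace("Mary", Rights.WRITE, allow=False)])
    sub1 = Folder("Sub1", parent=mcse, explicit=[Ace("Mary", Rights.WRITE)])
    sub2 = Folder("Sub2", parent=mcse)
    return (effective_rights(sub1, "Mary", set()), effective_rights(sub2, "Mary", set()))


STANDARD_TIERS = [Rights.READ, Rights.WRITE, Rights.READ_AND_EXECUTE,
                  Rights.READ | Rights.WRITE, Rights.MODIFY, Rights.FULL_CONTROL]


def least_privilege_grant(needed: Rights) -> Rights:
    """Pick the narrowest standard permission that still covers what the user
    needs: Read rather than Write, Modify rather than Full control."""
    if needed == Rights.NONE:
        return Rights.NONE
    covering = [t for t in STANDARD_TIERS if (int(needed) & ~int(t)) == 0]
    return min(covering, key=lambda t: bin(int(t)).count("1"))


if __name__ == "__main__":
    print("inheritance:", demo_inheritance())
    print("deny precedence (Mary, Bob):", demo_deny_precedence())
    print("accumulation:", demo_accumulation())
    print("explicit vs inherited (Sub1, Sub2):", demo_explicit_beats_inherited())
    print("least privilege for Read+Write:", least_privilege_grant(Rights.READ | Rights.WRITE))
```

On a real server the same entries are applied with icacls or with Get-Acl/Set-Acl in PowerShell, and the model's `effective_rights` corresponds to what the Effective Access view in the folder's Advanced Security Settings reports for a given user.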

Summary:

• The "permission inheritance" principle automates the application of permission settings;

• the "deny takes precedence over allow" principle resolves conflicts in permission settings;

• the "accumulation" principle makes permission settings more flexible;

• the "least privilege" principle ensures the security of resources.
