Introduction and Application of NTFS permission in WIN2000

Source: Internet
Author: User
Tags: ntfs permissions

WIN2000 adds a feature that WIN98 and earlier Windows versions lack: NTFS permissions. With it, WIN2000 can enforce security control at the folder and file level. This is different from the account and password in WIN98: in WIN98, anyone who knows the account and password has full control over the computer, and there is no way to let a given account only read a certain folder or file. In WIN2000 this can be done perfectly. OK, let's go!


First, the prerequisite for this feature: the partition must be an NTFS partition. On a FAT or FAT32 partition it cannot be done. In fact, if WIN2000 is the only operating system on your computer, or you have not installed WIN98 or an earlier Windows system alongside it, NTFS is a good choice; it greatly improves the stability and security of the system. If your partition is FAT32, you can convert it to NTFS with this command:

convert x: /fs:ntfs

Replace x with the actual drive letter. Note, however, that WIN98 cannot read NTFS partitions: if the partition WIN98 lives on is converted to NTFS, WIN98 can no longer be used. The command is also irreversible; it converts FAT32 to NTFS, but not NTFS back to FAT32. If you want to convert back, you can only do it with software such as PQ.


Now let's get to the point. After switching to an NTFS partition, you must grant NTFS permissions to every user account that needs to access a resource. Access to a protected resource requires explicit authorization; without the permission, access is denied. For example, if there is a file and I set its NTFS permissions so that only I and user A may access it, then the file is unavailable to any other account that logs on; WIN2000 prompts that there is no proper permission to read it. This makes the file secure, and the security applies both on the local computer and over the network: even if you connect to the computer through the network, the file can be used only by user A and me, and by nobody else. Even if the file is shared, others can only see it but not read it. They can see it, but they can't touch it.


In WIN2000, each resource has an Access Control List (ACL) that records the user accounts, groups, and computers allowed to access it. When a user accesses the resource, the user's account must be in the ACL for WIN2000 to allow access; otherwise the user is rejected.


Note that, contrary to what many people think, WIN2000 does not identify users by user name. Every account has a Security Identifier (SID), and WIN2000 decides whether two users are the same by comparing SIDs. If the SIDs differ, WIN2000 treats the accounts as different even if the user names and all other settings are identical. It is like collecting a prize: only whether your ID card matches counts, not whether the name is the same. The SID is randomly assigned by WIN2000 when the account is created. Therefore, if an account is deleted and then re-created with identical settings, its SID differs from the original one, and its NTFS permissions must be set again.


Now for the practical use of NTFS permissions. Right-click the file or folder whose permissions you want to set and choose Properties > Security. You will see that, by default, the account or group allowed on this file is the Everyone group, which stands for all users. Below it are the permissions that can be set for the selected group or account. If Everyone is set to Full Control, every user can do anything with the file, including reading, modifying and deleting it; this is the WIN2000 default. You can also add an account and set permissions for it. Just try it yourself. Here is an example to illustrate:


Suppose there is a file called FILE, and I want only USER1, USER2 and USER3 to be able to use it. USER1 may do anything with FILE; USER2 may only read it and may not modify it or do anything else; USER3 may read and write it but may not delete it. The specific steps are as follows.


1. Right-click FILE and choose Properties > Security.

2. Clear the check box "Allow inheritable permissions from parent to propagate to this object". In the dialog box that appears, choose Remove. This deletes all the accounts listed above, such as Everyone.

3. Click Add. In the dialog box that appears, select USER1, click Add, then OK.

4. Select USER1 and tick "Allow" next to "Full Control".

5. Add USER2.

6. Select USER2 and tick "Allow" next to "Read". Clear all other ticks.

7. Add USER3.

8. Select USER3, tick "Allow" next to "Modify", and make sure "Full Control" is cleared.

9. Click "Advanced", select USER3, and click "View/Edit". Clear the "Allow" tick next to "Delete".

10. Done!!! ^-^

Now log on as USER1 and you have full control over the file.


Log on as USER2 and open FILE. When you try to save it, a prompt appears: "FILE cannot be created. Check whether the path and file name are correct." This shows that USER2 cannot save the file, and of course cannot do anything else with it either; USER2 can only read it.


Log on as USER3. You can open and save the file, but when you try to delete it you get "FILE cannot be deleted: access is denied. The source file may be in use", which means the file cannot be deleted.
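The same FILE / USER1 / USER2 / USER3 setup, done with Get-Acl and Set-Acl instead of the Security dialog, as an added example that is not code from the original article. It assumes a current Windows host (WIN2000 itself has no PowerShell), an NTFS volume, existing local accounts USER1, USER2 and USER3, and a placeholder file path.

```powershell
using namespace System.Security.AccessControl

# Added example, not from the original article: steps 2-9 of the article as
# a script. Assumes local accounts USER1, USER2 and USER3 exist, the path is
# on NTFS, and the script runs as an administrator. The path is a placeholder.
$file = 'C:\Test\FILE.txt'
$acl  = Get-Acl -LiteralPath $file

# Step 2: stop inheriting from the parent folder without copying the inherited
# ACEs (the "Remove" choice in the dialog), then clear any explicit ACE left.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Steps 3-9: one Allow ACE per user. "Modify" in the dialog includes Delete,
# so USER3 gets Modify with the Delete bit masked out (that is step 9).
$user3Rights = [FileSystemRights]([int][FileSystemRights]::Modify -bxor [int][FileSystemRights]::Delete)
$grants = @{
    "$env:COMPUTERNAME\USER1" = [FileSystemRights]::FullControl   # step 4
    "$env:COMPUTERNAME\USER2" = [FileSystemRights]::Read          # step 6
    "$env:COMPUTERNAME\USER3" = $user3Rights                      # steps 8-9
}
foreach ($entry in $grants.GetEnumerator()) {
    $rule = [FileSystemAccessRule]::new($entry.Key, $entry.Value, [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $file -AclObject $acl

# Check the result: exactly three Allow ACEs, none of them inherited.
(Get-Acl -LiteralPath $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The final table is the quickest way to confirm step 2 worked: any row with IsInherited set to True means the parent folder's permissions are still flowing down to FILE.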


*** Note: before you fully understand how permissions work, it is safer to practise on a file you don't need. Otherwise, if you delete important files, it is none of my business.


Setting security on folders works much like the above, except that a folder also has inheritance: a permission setting can apply to this folder only, or to the folder together with its subfolders and files. For the latter, just tick "Reset permissions on all child objects and enable propagation of inheritable permissions".


************** **************

Many people are confused about how multiple NTFS permissions combine. Here is an introduction with examples.

***** Note: the following covers only how multiple NTFS permissions interact with each other, not how NTFS permissions interact with share permissions.


1. Permission accumulation


A user's effective permissions on a resource are the sum of all permissions assigned to the user account itself and to the groups the user belongs to. If the user has "Read" on a file and a group the user belongs to has "Write" on it, the user has both "Read" and "Write" on the file. For example:


There is a file called FILE.

USER1 belongs to GROUP1.

USER1 (Read) ----> FILE <---- GROUP1 (Write)
                    |
                    |
                    v
         USER1 has Read and Write on FILE.


2. File permissions take precedence over folder permissions

NTFS file permissions have priority over NTFS folder permissions. If you have permission to a file, you can access it even when it sits in a folder you have no permission to access (provided the file does not inherit its permissions from the folder).
For example: suppose you have no access to FOLDER, but FILE.TXT inside FOLDER does not inherit FOLDER's permissions and you do have permission to FILE.TXT. You cannot open FOLDER in Explorer or anywhere else, so you cannot see FILE.TXT (because you have no access to FOLDER), but you can still reach the file by entering its full path. For example, c:\folder\file.txt opens the file (on drive C).


3. Deny overrides other permissions

A Deny permission overrides all other permissions. Even if the user has been granted access to a folder or file, if a group the user belongs to is denied access, all permissions granted to the user are blocked and the user cannot access the folder or file. In other words, the accumulation principle from point 1 no longer applies. Example:

There is a file called FILE.

USER1 belongs to GROUP1.

USER1 (Read) ----> FILE <---- GROUP1 (Deny)
                    |
                    |
                    v
               Access denied


In this case USER1's permission on FILE is no longer Read + Write: USER1 cannot access FILE at all.

Another case is where the deny principle and the accumulation principle coexist, for example:

There is a file called FILE.

USER1 belongs to GROUP1 and GROUP2.

                  USER1 (Read)
                       |
                       v
GROUP1 (Write) ----> FILE <---- GROUP2 (Write denied)
                       |
                       v
                     Read


USER1's permission on FILE is Read. By the accumulation principle USER1 would have Read + Write on FILE, but GROUP2, which USER1 belongs to, is denied Write, so only Read is left.
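A small model of rules 1 and 3 above, added here as an example that is not part of the original article: it walks a constructed list of ACEs the way the article describes, accumulating Allow bits across the user and its groups and then removing every bit that any Deny ACE covers. The ACEs and principal names are constructed for illustration; real NTFS evaluates ACEs in canonical order, so an explicit Allow on the file can outrank a Deny inherited from the folder, which this simplified model does not represent.

```powershell
using namespace System.Security.AccessControl

# Added example, not from the original article: effective rights according to
# the article's rules 1 (accumulate) and 3 (Deny wins). Pure logic, no file
# system access; all ACEs below are constructed for illustration.
function Get-EffectiveRights {
    param(
        [string[]]$Principals,   # the user plus every group it belongs to
        [object[]]$Aces          # hashtables with Identity, Type, Rights
    )
    $allowed = 0; $denied = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Identity) { continue }   # ACE not for us
        if ($ace.Type -eq 'Allow') { $allowed = $allowed -bor [int]$ace.Rights }  # rule 1
        else                       { $denied  = $denied  -bor [int]$ace.Rights }
    }
    # Rule 3: a bit denied anywhere is removed even if allowed elsewhere.
    return [FileSystemRights]($allowed -band (-bnot $denied))
}

$read  = [FileSystemRights]::Read
$write = [FileSystemRights]::Write

# Rule 1 diagram: USER1 has Read, GROUP1 has Write; the article's answer is Read + Write.
$case1 = @(
    @{ Identity = 'USER1';  Type = 'Allow'; Rights = $read  },
    @{ Identity = 'GROUP1'; Type = 'Allow'; Rights = $write }
)
Get-EffectiveRights -Principals 'USER1','GROUP1' -Aces $case1

# Rule 3 diagram: GROUP1 is denied everything, so USER1's own Read is blocked.
$case2 = @(
    @{ Identity = 'USER1';  Type = 'Allow'; Rights = $read },
    @{ Identity = 'GROUP1'; Type = 'Deny';  Rights = [FileSystemRights]::FullControl }
)
Get-EffectiveRights -Principals 'USER1','GROUP1' -Aces $case2

# Mixed diagram: GROUP1 allows Write, GROUP2 denies Write; the article's answer is Read.
$case3 = @(
    @{ Identity = 'USER1';  Type = 'Allow'; Rights = $read  },
    @{ Identity = 'GROUP1'; Type = 'Allow'; Rights = $write },
    @{ Identity = 'GROUP2'; Type = 'Deny';  Rights = $write }
)
Get-EffectiveRights -Principals 'USER1','GROUP1','GROUP2' -Aces $case3
```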

 
