NTFS permission design from entry to entry

 

NTFS permissions can only be applied to NTFS partitions. NTFS permissions can be designed for partitions, folders, and files.

1 is the "Standard Security page" attribute of the Temp folder NTFS. you can know that the Administrators group has full control permissions on the Temp folder.

In the "User Control List" area, click another group or user. The corresponding permissions are listed in the "permission Control List area" below.

Click "advanced" to go to the "Advanced Security page" attribute, which gives you a more detailed permission design. 2

 

Several features of NTFS:

1. permissions are inherited downward by default.

That is, all the folder and file permissions in an NTFS partition are inherited from the partition permissions. 1. The permission Control List area is gray and cannot be operated. This indicates that the permission inherits from the upper layer. To change to the operational status, you must first break the inheritance. The following content will be detailed.

2. In XP and 2003, the Users Group members have the permission to append files/folders by default when the partition is formatted as NTFS. Exercise caution when creating a file server. You can view the default permission through advanced properties.

3. When a user belongs to multiple groups and files/folders are assigned different permissions to these groups, the user's final permissions are accumulated.

4. When creating shared files, the sharing and security permissions take the intersection of the two.

5. Deny is the highest priority.

Figure 1

 

 

Figure 2

I will review the basic knowledge here. Next I will perform a hands-on drill.

The predefined environment is as follows:

1) The environment is the domain environment, and all groups starting with GS are the Active Directory global-Security Group.

2) All designs are performed under NTFS default conditions.

3) The shared permission is set to Everyone to allow full control.

4) All designs must retain administrator privileges.

5) the top-level Department is set to the read-only permission of Everyone.

 

1. Department is a shared directory. Other file levels are shown in figure

 

Requirement: Minimize management operations.

Allow All members of the Acc Department (GS-ACC-All) to access the ACC folder, subfolders, and subfolders;

Allow All members of the Admin department (GS-Admin-All) to access the Admin folder, subfolders, and subfolders.

 

Permission design process:

1.1 operations on the ACC folder

A) first break the parent permission inheritance-cancel the inheritance from the parent permission in the security advanced attributes. Note that the prompt "copy the parent permission to this folder" appears and select copy, to prevent all users from accessing the folder, click OK to return to the standard security page. The process of breaking inheritance will not be repeated in the future.

 

B) delete all groups and user permissions other than the Administrators, System, and Creator Owner.

It is recommended that you do not delete the default permissions of the three groups at will. Administrators provide management, and the SYSTEM is related to EFS encryption. If you delete the SYSTEM, the permission inheritance will be affected, the permission must be forcibly assigned to the lower layer. The Creator Owner is a very useful special group and will be used in subsequent designs.

C) add the GS-ACC-All group to allow "read and run", "list folder directories", and "read" permissions.

D) by default, the lower-level subfolders \ files will inherit the ACC directory permissions, without design.

 

1.2 operations on the Admin folder

Follow these steps to add the GS-Admin-All group.

 

 

2. Department is a shared directory. Other file levels are shown in figure

 

Requirement: Minimize management operations.

Allow All members of the Acc Department (GS-ACC-All) to read the ACC folder, subfolders, and subfolders.

Allows the ACC Department Manager (GS-ACC-Mgr) to modify Admin folders, subfolders, and subfolders.

 

Permission design process:

2.1 operations on the ACC folder

For the previous section, refer to Operation 1.1 and add the GS-ACC-Mgr group to allow "modify" permissions.

 

 

3. Department is a shared directory. Other file levels are shown in figure

 

Requirement: Minimize management operations.

All members of the Admin department (GS-Admin-All) can modify the Admin folder, subfolders (excluding managers), and subfolders;

Allows Admin managers (GS-Admin-Mgr) to modify Admin/Manager folders, subfolders, and subfolders;

All members of the company (GS-All-Member) are allowed to access the Admin, Manager, and organization diagram, but other files under Admin and Manager are not allowed;

Allow all company members to access the Admin \ Notice announcement file, but not other files under Admin.

 

Permission design process:

3.1 Admin folder Design

A) first break the parent permission inheritance;

B) delete all groups and user permissions other than the Administrators, systems, and Creator Owner;

C) Add GS-Admin-All to allow "modify" permission on the Admin folder;

4) add GS-All-Member to the Admin folder and only allow "list folder directories ". "List folder directories" takes effect only for folders and does not take effect for files, so that GS-All-Member members can penetrate the Admin directory, but cannot access the Admin files.

So far, the Admin folder has been set.

 

3.2 design of the Manager folder

A) first break the parent permission inheritance;

B) delete all groups and user permissions other than the Administrators, systems, and Creator Owner;

C) Add GS-Admin-Mgr to allow "modify" permission on the Manager folder;

D) add GS-All-Member to allow only "list folder directories" to the Manager folder ". Penetration effect.

So far, the Manager folder has been set.

 

3.3 design of the Notice folder

A) Add GS-All-Member permissions to the Notice folder "read and run", "list folder directories", and "read" by default.

 

3.4 Design of company organization diagram

A) Add GS-All-Member permissions to the organization chart folder "read and run", "list folder directories", and "read" by default.

 

 

4. Department is a shared directory. Other file levels are shown in figure

 

Requirement: Minimize management operations.

All members of the Admin department (GS-Admin-All) are allowed to create folders named after each member in the Admin \ Report directory, and messy files cannot be created;

Files between users can only be accessed and modified by themselves, and files cannot be accessed by other users;

 

Permission design process:

4.1 Admin folder Design

Refer to the 3.1 process.

 

4.2 design of the Report folder

A) first break the parent permission inheritance;

B) delete all groups and user permissions other than the Administrators, systems, and Creator Owner;

C) Add GS-All-Member to only allow "list folder directories" in the Report folder ".

D) go to the "advanced" Security page of the Report, click "add", enter the group name "GS-Admin-All" in the blank area, and click "OK ", in the "Report permission project" dialog box that appears, select "this folder" from "application to" and click the Clear button below to clear all default permissions, only allow "creating folders/attaching data ". Then, confirm it step by step.

 

This permission design mainly uses the user's own permissions (Only folders can be created) + Creator Owner (full control) combination. After a user creates a folder, He is the Creator of the folder, then his final permissions are upgraded to "full control ".

 

The difficulty of this design is that the user folder name under the Report folder is unknown, and permission isolation for the unknown folder is required.

 

 

5. Department is a shared directory. Other file levels are shown in figure

 

You have just set up a file server for various departments to use and require initial permissions;

Requirement: Minimize management operations.

All Department folders must be placed under the Department and named after the Department;

Only the IT Department is allowed to create folders and modify folder names, but files cannot be created;

No one else can modify the folder name under Department or delete the folder under Department;

The Department folder can only be accessed by Department members;

Department managers have full control permissions on all documents of their own departments.

 

Permission design process:

 

5.1 Department Design

A) first break the parent permission inheritance;

B) delete all groups and user permissions other than the Administrators, systems, and Creator Owner;

C) Add GS-All-Member to allow only "read and run", "list folder directories", and "read" permissions to the Department folder;

D) First add a GS-IT-All permission to modify the Department; then go to advanced and add another GS-All-Member to apply it only to "this folder" to reject the "Create File/additional data" permission;

The Department design is complete.

 

5.2 design the Department folder under Department (using ACC as an example)

A) first break the parent permission inheritance;

B) delete all groups and user permissions other than the Administrators, systems, and Creator Owner;

C) Add GS-ACC-All to allow "read and run", "list folder directories", and "read" permissions to the Acc folder;

D) add GS-ACC-Mgr to allow "Full Control" permission on the Acc folder;

E) Go to the Advanced Security page and add a GS-All-Member that is only applied to the "this folder" to reject the "Create File/additional data" permission and the "delete" permission.

So far, the ACC folder has been set.

 

5.3 For folders of other departments, see ACC.

 

 

The above NTFS permission design is some of the actual needs of my work, as long as you have a deep understanding of NTFS (each permission details in advanced features and special groups), it should not be difficult to solve.

This article is from the "Leaves Station" blog