Set Basic NTFS permission policies and principles in Win XP

Source: Internet
Author: User
Tags ntfs permissions

Windows XP applies four basic principles when it evaluates NTFS permissions. Keep them in mind whenever you set NTFS permissions, because a user's effective rights follow from these principles and not only from the individual check boxes you tick.

1. Set Basic NTFS permission policies and principles

In Windows XP, permission management follows four basic principles: deny overrides allow, least privilege, accumulation, and inheritance. Each of them shapes the outcome of a permission setting. Let's look at them one by one:

1. Deny overrides allow

The "deny overrides allow" principle is the one that resolves the "disputes" that arise because a user belongs to several groups. For example, the user "shyzhong" is a member of both the "shyzhongs" group and the "xhxs" group. When we grant the "xhxs" group the "Write" permission on a resource, every member of that group, "shyzhong" included, receives "Write" on it.

Yet "shyzhong" clearly holds "Write" on the resource and still cannot write to it in practice. The reason is that the "shyzhongs" group also has a permission entry on the same resource, and that entry is "Deny Write". Because deny overrides allow, the "Deny Write" that "shyzhong" receives through "shyzhongs" takes precedence over the "Allow Write" granted to "xhxs", so in practice "shyzhong" cannot write to the resource. One caveat worth checking before you rely on this: the rule holds between entries of the same kind. Windows evaluates entries set directly on an object before entries inherited from its parent, so a "Deny" inherited from a parent folder is overridden by an "Allow" set explicitly on the object itself.

2. Least-privilege principle

Windows XP applies "give users the minimum permissions they need" as a basic rule, and it is a necessary one: it is what keeps resources as secure as possible. Under this principle a user is given no permissions on resources that he cannot access or does not need to access.

Because of this, in practice you must explicitly grant (or deny) a user the permissions he needs on a resource. For example, the restricted user "shyzhong" created in the system has no permissions on the "DOC" directory by default. If he now needs "Read" on "DOC", you must add a "Read" entry for "shyzhong" to the permission list of the "DOC" directory.

3. Inheritance principle

Inheritance simplifies permission settings. Assume there is a "DOC" directory containing the subdirectories "DOC01", "DOC02" and "DOC03", and you want the user "shyzhong" to have "Write" on "DOC" and all of its subdirectories. Thanks to inheritance you only need to grant "shyzhong" the "Write" permission on the "DOC" directory itself; every subdirectory under "DOC" automatically inherits that entry. This holds as long as the entry on "DOC" applies to "This folder, subfolders and files" and none of the subdirectories has had inheritance from its parent switched off.

4. Accumulation principle

This principle is easy to understand. Assume the user "zhong" belongs to both group "A" and group "B"; group "A" has "Read" on a resource and group "B" has "Write" on it. By accumulation, the effective permission of "zhong" on that resource is "Read" + "Write".

In short, "deny overrides allow" resolves conflicts between permission entries; "least privilege" protects the resource; "inheritance" automates permission settings; and "accumulation" makes them flexible. Each of the four principles is useful, and missing any one of them would make permission settings a lot of trouble!
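To see how the four principles combine, here is an added example that is not part of the original article: a small PowerShell model of the way Windows walks a DACL during an access check, run against the article's own names (shyzhong, shyzhongs, xhxs, DOC, DOC01). The rights masks are the real FileSystemRights enumeration; the group "Users", its Read entry, and the inherited entries on DOC01 are assumptions made for the demonstration. It runs in Windows PowerShell 2.0 or later and touches no files.

```powershell
# Added example (not from the original article): a model of how Windows walks
# a DACL during an access check, used to show the four principles. The rights
# masks are the real FileSystemRights enum; the "Users" group and the inherited
# ACEs on DOC01 are assumptions for the demo.

# One access control entry. Inherited marks an ACE that came from the parent.
function New-Ace {
    param(
        [string]$Identity,
        [ValidateSet('Allow', 'Deny')][string]$Type,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [bool]$Inherited = $false
    )
    New-Object PSObject -Property @{
        Identity = $Identity; Type = $Type; Rights = $Rights; Inherited = $Inherited
    }
}

# Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
# This ordering is what makes "deny overrides allow" true within one level and
# "explicit beats inherited" true across levels.
function Sort-Canonical {
    param([object[]]$Dacl)
    $Dacl | Sort-Object -Property @{ Expression = { $_.Inherited } },
                                  @{ Expression = { $_.Type -ne 'Deny' } }
}

# The access check: walk the sorted DACL, tracking requested bits not yet
# granted. A Deny that touches a still-outstanding bit ends the check.
function Test-Access {
    param(
        [string[]]$Principal,     # the user plus every group it belongs to
        [object[]]$Dacl,
        [System.Security.AccessControl.FileSystemRights]$Requested
    )
    $remaining = [int]$Requested
    foreach ($ace in (Sort-Canonical $Dacl)) {
        if ($Principal -notcontains $ace.Identity) { continue }
        $mask = [int]$ace.Rights
        if ($ace.Type -eq 'Deny') {
            if (($remaining -band $mask) -ne 0) { return $false }
        } else {
            $remaining = $remaining -band (-bnot $mask)
        }
        if ($remaining -eq 0) { return $true }
    }
    return ($remaining -eq 0)
}

# Accumulation: the effective rights are every single bit the check grants.
function Get-EffectiveRights {
    param([string[]]$Principal, [object[]]$Dacl)
    $all = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $granted = 0
    $bit = 1
    while ($bit -le $all) {
        if ((($all -band $bit) -ne 0) -and
            (Test-Access $Principal $Dacl ([System.Security.AccessControl.FileSystemRights]$bit))) {
            $granted = $granted -bor $bit
        }
        $bit = $bit * 2
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}

# The article's DOC directory: xhxs may write, shyzhongs is denied write,
# and (assumed) Users may read. shyzhong is a member of all three groups.
$docDacl = @(
    (New-Ace 'xhxs'      'Allow' 'Write'),
    (New-Ace 'shyzhongs' 'Deny'  'Write'),
    (New-Ace 'Users'     'Allow' 'Read')
)
$shyzhong = @('shyzhong', 'shyzhongs', 'xhxs', 'Users')

Test-Access $shyzhong $docDacl 'Write'        # deny overrides allow
Get-EffectiveRights $shyzhong $docDacl        # accumulation across groups

# DOC01 inherits DOC's entries, but shyzhong also has an explicit Allow Write
# set on DOC01 itself. Explicit entries are evaluated before inherited ones.
$doc01Dacl = @(
    (New-Ace 'shyzhong'  'Allow' 'Write'),
    (New-Ace 'xhxs'      'Allow' 'Write' -Inherited $true),
    (New-Ace 'shyzhongs' 'Deny'  'Write' -Inherited $true),
    (New-Ace 'Users'     'Allow' 'Read'  -Inherited $true)
)
Test-Access $shyzhong $doc01Dacl 'Write'      # explicit Allow beats inherited Deny
```

Run as written, the first check comes back False (the Deny on "shyzhongs" blocks the write even though "xhxs" allows it), the effective rights come back as Read (only the bits "Users" grants accumulate), and the DOC01 check comes back True because the explicit Allow is evaluated before the inherited Deny. This is a model, not a call into the kernel; on a real object use the Effective Permissions tab under Advanced on the Security tab to confirm what a given account actually gets.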

Note: in Windows XP, all members of the "Administrators" group hold the "Take Ownership" right, meaning they can "seize" ownership of any object from other users. For example, if the restricted user "shyzhong" creates a "DOC" directory and grants only himself "Read" on it, any member of "Administrators" can still get at it by taking ownership and then, as the new owner, rewriting the permissions (or by similar means). NTFS permissions therefore do not protect a file from local administrators.

5. File permissions take precedence over folder permissions

There seems to be some document that says this; I don't know whether that document is simply too old. The permission settings on an individual file are given priority by the system.

1. Cancel "Full Control" for "Everyone"

Select the file or folder whose permissions you want to cancel, right-click it and choose Properties. On the "Security" tab, find the "Everyone" entry (ACE) in the permission list (ACL), select Edit, and clear the check box in front of the "Full Control" permission.
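The same change made from PowerShell instead of the Security tab, as an added example that is not part of the original article. It assumes Windows PowerShell is installed (an optional component on Windows XP SP3) and that $path, which is an assumed location, is an NTFS folder you own or may change permissions on. It also handles the case the Security tab greys out: an "Everyone" entry that is inherited from the parent cannot be removed on the child until inheritance is broken.

```powershell
# Added example (not from the original article). $path is an assumption;
# point it at your own NTFS folder.
$path = 'C:\DOC'

$acl = Get-Acl -Path $path
$everyoneRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })

# Show what is there before touching anything.
$everyoneRules | Format-Table AccessControlType, FileSystemRights, IsInherited -AutoSize

# Inherited ACEs cannot be removed on the child; inheritance has to be broken
# first (the "Inherit from parent" box under Advanced). $true, $true keeps
# explicit copies of the inherited ACEs so nothing else changes.
if ($everyoneRules | Where-Object { $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl
    $acl = Get-Acl -Path $path
}

# Remove every explicit Allow ACE for Everyone that carries Full Control.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$removed = 0
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -eq 'Everyone' -and
        $rule.AccessControlType -eq 'Allow' -and
        -not $rule.IsInherited -and
        ($rule.FileSystemRights -band $full) -eq $full) {
        if ($acl.RemoveAccessRule($rule)) { $removed++ }
    }
}
Set-Acl -Path $path -AclObject $acl
"Removed $removed Full Control ACE(s) for Everyone from $path"

# Check: nothing for Everyone should show FullControl any more.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
    Format-Table AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Passing the whole rule to RemoveAccessRule drops that ACE entirely, which is usually what is wanted for "Everyone". The Security tab's check box behaves slightly differently: clearing "Full Control" leaves the Modify-level rights ticked. To mirror the check box exactly, build a FileSystemAccessRule for "Everyone" with only the rights Full Control adds (ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles) and pass that to RemoveAccessRule, which subtracts those bits from the matching ACE. Either way, run the final Get-Acl check rather than trusting the script's counter.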

2. Permission impact of copying and moving folders

Wherever permissions are in use it is inevitable that resources carrying permissions are copied or moved. What happens to their permissions then? Let's look at the cases:

(1) When copying resources

When a resource is copied, the permissions of the original do not change. The newly created copy is a new object: it inherits the permissions of its parent in the target location, and the permissions set explicitly on the original are not carried over.

(2) When moving resources

When a resource is moved there are two cases. First, if it is moved within the same drive, the object keeps its original permissions, both the permissions set on the resource itself and the permissions it inherited from its previous parent. Second, if it is moved between different drives, the permissions set on the object itself are lost, and the permissions inherited from the old parent are replaced by the permissions inherited from the parent in the target location. The reason is that a move across drives is really a copy followed by a deletion of the original.

(3) Non-NTFS partitions

The permission changes described above apply only to NTFS partitions. If you copy or move a resource to a non-NTFS partition (such as a FAT16/FAT32 partition), all of its permissions are lost, because those file systems cannot store an ACL.
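The copy and move rules above can be checked directly. The script below is an added example, not part of the original article: it builds a scratch tree under %TEMP%, puts one explicit entry on a file and one inheritable entry on the destination folder as visible markers, then copies and moves the file and prints each resulting DACL. It assumes Windows PowerShell is installed, that %TEMP% is on an NTFS volume, that the built-in "Guests" group exists (it is used only as a marker), and that $second, if you set it, points at a folder on a different NTFS volume; left at $null, the cross-volume case is skipped.

```powershell
# Added example (not from the original article): reproduces the copy/move rules
# on a scratch tree and prints the resulting DACLs. Assumptions: %TEMP% is NTFS,
# "Guests" is only a marker, and $second is a folder on another NTFS volume
# (or $null to skip that case).
$root   = Join-Path $env:TEMP 'acl-demo'
$src    = Join-Path $root 'SRC'
$dst    = Join-Path $root 'DST'
$second = $null                       # e.g. 'D:\acl-demo' on another NTFS volume

New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null
$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'constructed sample file'

function Show-Dacl {
    param([string]$Path, [string]$Label)
    "--- $Label : $Path"
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-String
}

# Marker 1: an explicit ACE on the file itself (Deny Guests Write).
$acl = Get-Acl -Path $file
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Guests', 'Write', 'Deny')))
Set-Acl -Path $file -AclObject $acl

# Marker 2: an inheritable ACE on DST only (Allow Guests Read), so anything
# that really inherits from DST shows it with IsInherited = True.
$acl = Get-Acl -Path $dst
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Guests', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $dst -AclObject $acl

Show-Dacl $file 'original in SRC'

# (1) Copy: the copy is a new object. It carries the Allow inherited from DST
#     and does not carry the explicit Deny from the original.
$copy = Join-Path $dst 'copy.txt'
Copy-Item -Path $file -Destination $copy
Show-Dacl $copy 'copy in DST'

# (2) Move on the same volume: the explicit Deny stays, and so do the ACEs
#     inherited from SRC; the DST Allow is not picked up.
$moved = Join-Path $dst 'moved.txt'
Move-Item -Path $file -Destination $moved
Show-Dacl $moved 'moved within the same volume'

# (2b) Move across volumes is copy + delete, so it behaves like case (1).
if ($second) {
    New-Item -ItemType Directory -Force -Path $second | Out-Null
    Move-Item -Path $moved -Destination (Join-Path $second 'moved.txt')
    Show-Dacl (Join-Path $second 'moved.txt') 'moved across volumes'
}

Remove-Item -Path $root -Recurse -Force   # clean up the scratch tree
```

Copy-Item and Move-Item use the plain copy and move file APIs, which is why the same-volume move shows the stale entries inherited from SRC. The behaviour described in this article is the Windows XP era one; on later Windows versions Explorer may re-apply inheritance from the new parent after a same-volume move, so after any move in production check the result with Get-Acl rather than assuming.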
