Definition of NTFS permissions (Windows 2000) in Network Encyclopedia. Set of permissions to secure folders and files.
What are NTFS permissions on Windows 2000?
NTFS permissions are a set of permissions used in Microsoft Windows 2000 to secure folders and files located on an NTFS file system partition or volume. NTFS permissions provide security for both local and network access to the file system.
They are different from shared folder permissions, which can be applied only to folders and which secure the file system for network access only, not for local access.
How It Works
NTFS permissions in Windows 2000 differ depending on whether they are applied to files or to folders. The five standard file permissions and six standard folder permissions are listed in the following tables. These standard file and folder permissions are actually composed of various groupings of the 18 different special permissions – for more information, see the entry on NTFS special permissions (Windows 2000). These groupings simplify the job of securing files and folders on NTFS file system partitions and volumes.
Standard NTFS File Permissions in Windows 2000
| File Permission | User Access Granted |
| read | Open the file and view its permissions, attributes, and ownership |
| write | Modify the file, modify its attributes, and view its permissions, attributes, and ownership |
| read & execute | Delete the file and do everything read permission allows |
| modify | Delete the file and do everything read & execute and write permissions allow |
| full control | Take ownership, modify permissions, and do everything modify permission allows |
Standard NTFS Folder Permissions in Windows 2000
| Folder Permission | User Access Granted |
| read | View contents of folder and view its permissions, attributes, and ownership |
| write | Create new files and folders in the folder, modify its attributes, and view its permissions, attributes, and ownership |
| list folder contents | View contents of folder |
| read & execute | View subfolders within the folder and do everything read and list folder contents permissions allow |
| modify | Delete the folder and do everything read & execute and write permissions allow |
| full control | Take ownership, modify permissions, and do everything modify permission allows |
To use these standard permissions to secure a file or folder you must be the object’s owner, have full control of the object, or be a member of the Administrators system group. You must explicitly assign a permission to a file or folder for the permission to be granted. If no permission is specified for a given user or group, the user or group has no access to the file or folder. When you explicitly assign a permission you can choose to either allow or deny the permission.
When you create a file or folder on an NTFS file system volume, it inherits the permissions of its parent folder or volume. When you assign a permission to a parent folder or volume, you have the option of propagating that permission to all of its child folders and files.
The following rules apply to assigning permissions for files and folders on NTFS file system volumes:
- If a user belongs to two or more groups and the groups have different permissions on a given folder, the user’s effective permission is the least restrictive (most permissive) of the permissions. For example, if a user has read permission on a file and a group the user belongs to has modify permission, the effective permission is modify, which is the least restrictive of the two.
- A permission explicitly denied overrides a similar permission explicitly allowed. For example, if a user has read permission on a file and a group the user belongs to has been denied read permission, the user cannot open and read the file.
- A permission for a file overrides a similar permission for the folder containing the file. For example, if a user has modify permission on a file and read permission on the folder containing the file, the user can open, read, edit, and save changes to the file.
NOTE
The differences between NTFS standard permissions for Windows 2000 and for Windows NT include the following:
- Windows 2000 has six folder permissions; Windows NT has seven.
- Windows 2000 has five file permissions; Windows NT has four.
- In Windows 2000 you can explicitly grant or explicitly deny any standard file or folder permission. In Windows NT you can only explicitly grant a permission (but you can explicitly grant no access as a permission).
Formatting a partition using NTFS
When you format a partition or volume using NTFS, the Everyone system group is automatically assigned full control permission for the root of the volume. Any new files or folders you create on the volume inherit this permission. Be aware that leaving full control for everyone might create a security risk; you should replace it with more suitable permissions such as full control for the Authenticated Users special identity.
