General NTFS Security Concepts

General NTFS Security Concepts

NTFS security is really only one part of a much bigger picture: security under Windows NT and 2000 in general. It's no exaggeration to say that security is one of the most important aspects of these operating systems--period. Security, including controlling access to the system and its various resources, is a subject that gets a lot of attention in any NT or 2000 system. Managing security issues such as user accounts and groups is a big part of the job of any Windows NT or 2000 system administrator.

Security in NTFS, like security in the Windows NT or 2000 operating systems themselves, is oriented around the key concept of assigning rights to specific users or groups of users. Consider a network consisting of a Windows NT or Windows 2000 server, to which are connected various client machines in a network. Any user who sits down at one of these client machines can connect to the server computer, but he or she must log in to the server in order to access any of its resources, including NTFS volumes it contains. In fact, the same applies to someone who uses the server machine directly, again, assuming it has been correctly configured.

The manager of the server sets up user accounts for everyone who will use the network. He or she also sets up group accounts, to which are added lists of individual users. These groups are used to allow rights to be given to multiple users who share something in common; for example, they may all be in the same department or logical sub-unit in the organization. Someone who does not have a user account on the network may be allowed to use a guest account, but the rights assigned to such an account are generally quite minimal, for obvious reasons. If someone does not have even the guest account password, that person will quickly discover that they can do nothing on the server!

The access rights for files and directories on NTFS volumes are assigned based on these same user or group accounts. When a user logs in to a Windows NT or 2000 network, the account that is used becomes the key to what that person can access, including NTFS objects. By looking at the name of the account used to log in to the network, the system determines who the person is and also what groups the person is a member of, and assigns rights accordingly. A user can be a member of a number of different groups simultaneously (just like in "real life"). Several predefined groups are also set up in the system by default, which have specific access rights. One of these is the Administrators group, members of which have access to pretty much everything. Other groups that are set up depend on the specific role played by the computer: whether it is a domain controller for example. (Here we start to drift away from NTFS into NT/2000 generalities and networking, so I am going to stop. ;^) )

For example, consider a small company of 20 people, with a server that contains a variety of data. There may be a folder on the D: drive on this server called "D:\Budget", which contains budgeting information for the company. This is sensitive data, which is only supposed to be accessible to the President and Vice-President of the company, and their Administrative Assistant. Under NTFS, this is easy to set up by assigning specific permissions to that folder for only those persons' accounts. In fact, it is also easy to arrange the folder's permissions so that, say, the President and Vice-President can read or modify files in the folder, but the Assistant can only read the files. All others in the company can be easily blocked from the folder entirely. A full discussion of how permissions work is provided on the pages describing NTFS permissions and standard permission groups.

There are three other important overall concepts in NTFS security: object ownership, permission inheritance and auditing. Ownership is a special property right for NTFS objects that gives file owners the capability of granting permissions to others. NTFS is also designed to propagate permissions down the hierarchy of the directory structure, under the control of the user. This permission inheritance feature allows permissions to be assigned to groups of objects automatically. It also allows permissions to be automatically applied to new files that are created within an existing directory structure. NTFS 5.0 extended the control that administrators and users have in dealing with permission inheritance. Finally, auditing allows administrators to monitor changes to files or directories.

Next: Access Control Lists (ACLs) and Access Control Entries (ACEs)

Home - Search - Topics - Up

Not responsible for any loss resulting from the use of this site.
Please read the Site Guide before using this material.