File Systems

On NTFS volumes you can set access permissions on files and folders that specify which groups and users have access, and what level of access is permitted. NTFS file and folder permissions apply to users on the local computer and to users accessing the file over the network. With NTFS you can also set share permissions, which operate on shared folders in combination with file and folder permissions. File attributes (read-only, hidden, and system) also limit file access.

File and Folder Permissions

The version of NTFS included with Windows 2000 provides for inheritable permissions. In the Properties dialog box, on the Security tab, you can set the option Allow inheritable permissions from parent to propagate to this file object . This option is enabled by default. This feature reduces the time and input/output (I/O) work required to change the permissions of many files and subfolders. For example, suppose a user wants to change the permissions on a tree consisting of several thousand files. If the folders and subfolders inherit permissions, the user only needs to set permissions for the top-level folder.

Figure 17.1 shows the permissions listed on the Security tab of the Properties dialog box of a DOC file.


Figure 17.1 Permissions Dialog Box

Figure 17.2 shows the Permissions listed when you click Advanced on the Security tab of the Properties dialog box.


Figure 17.2 Advanced Permissions Dialog Box



To preserve permissions when you copy or move files between NTFS folders, use the Robocopy tool on the Windows 2000 Resource Kit companion CD.

You can back up and restore data on FAT and NTFS volumes. However, if you back up data from an NTFS volume and then restore it to a FAT volume, you lose security settings and other file information specific to NTFS.

Although NTFS provides access controls to individual files and folders, users can perform certain actions even if permissions are set on a file or folder to prevent access. For example, you have a folder (MyFolder) containing a file (File1), and you grant Full Control to a user for the folder MyFolder. If you specify that the user has No Access to File1, the user can still delete File1 because the Full Control rights in the folder allow the user to delete the contents of the folder.

To prevent files from being deleted, you must set permissions on the file itself, and you must set permissions for the folder containing the file that won't supercede the file's permissions. In the Properties dialog box, use the Security tab to deny Full Control , but to allow Modify , Read & Execute , Read , and Write permissions in place.

Anyone who has List, Read, or greater permissions in a folder can view file properties on any file in the folder, even if file permissions prevent them from seeing the contents of the file.

Share Permissions

FAT16 and FAT32 allow you to set limited file attributes but you cannot set permissions on individual files and folders. The only security available is the permissions that are set on the entire share, that affect all files and folders on that share, and that only functions over the network. After a folder is shared, you can protect the shared folder by specifying one set of share permissions for all files and subfolders of the shared folder. Share permissions are set in much the same way file and folder permissions are set in NTFS. But because share permissions apply globally to all files and folders in the share, they are significantly less versatile than the file and folder permissions used for NTFS volumes. Share permissions have no effect on users accessing the contents of a shared folder when the shared folder is on a locally-installed disk.

Share permissions apply equally to NTFS and FAT volumes. They are enforced by Windows 2000, not by the file system. However, when you move or copy a file from an NTFS to a FAT volume, permissions and other NTFS attributes are lost.