Learn Windows XP in 15 Minutes a Week: User Rights and User Privileges, Part 2

By Jason Zandri (Send Email)
Posted Jun 16, 2003


Welcome to this installment of Learn Windows XP Professional in 15 Minutes a Week, the 24th in our series. This article will look at User Rights/User Privileges in Windows XP Professional.

This latest installment in Jason Zandri's 'Learn Windows XP in 15 Minutes a Week' series delves further into the User Rights/User Privileges in Windows XP Professional by examining all of the permission options available to administrators and users.

Rights are best described as actions a user or group is permitted to perform on a specific system, or within the domain, such as logging on locally or shutting the system down. Windows XP Professional allows rights to be assigned both to individual users and to groups of users.

[NOTES FROM THE FIELD] - For the 70-270 exam it is fairly important that the test taker understand the different permissions mentioned below and have a solid working knowledge of each.

Permissions can apply to users and groups in the domain, any trusted domains, and all of the local user accounts and local groups on a given system. They are best described as access granted or denied to a user or group for an object or the object's properties and the level at which this access is set.

Access levels are set through the security settings of NTFS; files and folders on FAT and FAT32 volumes have no per-object permissions at all.

This means that access to a folder on an NTFS partition called DATA for users in a group called DATAUSERS may be set to "ALLOW - READ" and another group may have a setting of "DENY - WRITE."

Both are examples of permissions, granted and denied.

A DENY setting takes precedence over an ALLOW setting, even over cumulative group settings. A user who is a member of multiple groups has all of her access permissions combined, and she is given the maximum level of access to the resource based on the combined settings. (One refinement worth knowing: Windows orders a DACL so that entries set directly on an object come before entries inherited from its parent folder, so an explicit ALLOW on a folder does override a DENY that was inherited from above.)

For example, a user named JUSER who is a member of the Domain Users group may have READ permission on the folder DATA on an NTFS partition. He may also have READ/WRITE access because he is a member of the ALTCFG group. In addition, JUSER may have the MODIFY permission assigned to him directly through his user account.

The effective sum of all of these permissions is the cumulative total, which in this case is MODIFY.

If JUSER were also a member of a group SYS that had DENY - READ & EXECUTE on DATA, the deny would strip every special permission that Read & Execute covers (Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, and Synchronize) out of his combined allows, because DENY access control entries take precedence over ALLOW. What remains is the write-type special permissions (Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes) plus Delete: roughly WRITE, although Windows would report it as special permissions rather than a clean Write, since Read Permissions and Synchronize are gone as well.
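The combination rule above, as an added example that is not part of the original article: a small Python model of how Windows walks a folder's DACL to arrive at effective access. The access-right bit values are the real constants from winnt.h, and the basic-permission sets follow the folder mapping table later in this article. The DATA folder's ACEs and the user and group names are constructed to match the JUSER walk-through; the owner's implicit Read Permissions/Change Permissions and the SYSTEM privileges that bypass ACLs are deliberately left out.

```python
from dataclasses import dataclass

# Access-right bits as defined in winnt.h, labelled with the names the
# Windows XP Security tab uses for them.
FILE_READ_DATA = 0x0001         # List Folder / Read Data
FILE_WRITE_DATA = 0x0002        # Create Files / Write Data
FILE_APPEND_DATA = 0x0004       # Create Folders / Append Data
FILE_READ_EA = 0x0008           # Read Extended Attributes
FILE_WRITE_EA = 0x0010          # Write Extended Attributes
FILE_EXECUTE = 0x0020           # Traverse Folder / Execute File
FILE_DELETE_CHILD = 0x0040      # Delete Subfolders and Files
FILE_READ_ATTRIBUTES = 0x0080   # Read Attributes
FILE_WRITE_ATTRIBUTES = 0x0100  # Write Attributes
DELETE = 0x00010000             # Delete
READ_CONTROL = 0x00020000       # Read Permissions
WRITE_DAC = 0x00040000          # Change Permissions
WRITE_OWNER = 0x00080000        # Take Ownership
SYNCHRONIZE = 0x00100000        # Synchronize

# The basic permissions from the Security tab, expressed as the special
# permissions they bundle (the mapping table in the article).
READ = FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE
WRITE = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
         | READ_CONTROL | SYNCHRONIZE)
READ_EXECUTE = READ | FILE_EXECUTE
LIST_FOLDER_CONTENTS = READ_EXECUTE  # same bits; differs only in how it is inherited
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER

BASIC = {"Full Control": FULL_CONTROL, "Modify": MODIFY,
         "Read & Execute": READ_EXECUTE, "Write": WRITE, "Read": READ}


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    allow: bool              # True = ALLOW ACE, False = DENY ACE
    mask: int                # access-right bits the entry covers
    inherited: bool = False  # came from the parent folder rather than set here


def canonical(dacl):
    """Order ACEs the way Windows stores them: explicit deny, explicit allow,
    inherited deny, inherited allow. This is why an explicit Allow beats an
    inherited Deny even though Deny normally wins."""
    def rank(ace):
        return (ace.inherited, ace.allow)  # False sorts before True
    return sorted(dacl, key=rank)


def effective_access(dacl, principals):
    """Bits a token holding `principals` (the user plus all group memberships)
    ends up with. Mirrors the AccessCheck walk: a bit granted by an earlier ACE
    cannot be denied by a later one, and a bit denied earlier cannot be granted
    later. With a purely explicit DACL this reduces to (union of allows) minus
    (union of denies), the rule the article states."""
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


def describe(mask):
    """Name the basic permissions fully covered by `mask`, broadest first.
    An empty list means Windows would show only 'Special Permissions'."""
    return [name for name, bits in BASIC.items() if mask & bits == bits]


# Constructed DACL on the DATA folder, following the JUSER walk-through.
DATA_DACL = [
    Ace("Domain Users", allow=True, mask=READ),
    Ace("ALTCFG", allow=True, mask=READ | WRITE),
    Ace("JUSER", allow=True, mask=MODIFY),
]
JUSER = {"JUSER", "Domain Users", "ALTCFG"}


def juser_without_sys():
    """Cumulative allows only: the result is MODIFY (0x1301BF)."""
    return effective_access(DATA_DACL, JUSER)


def juser_with_sys():
    """Add the SYS group's DENY Read & Execute: only the write-type bits and
    Delete survive (0x10116), which no basic permission fully matches."""
    dacl = DATA_DACL + [Ace("SYS", allow=False, mask=READ_EXECUTE)]
    return effective_access(dacl, JUSER | {"SYS"})


def explicit_allow_beats_inherited_deny():
    """A Deny inherited from the parent loses to an Allow set on the object."""
    dacl = [Ace("SYS", allow=False, mask=READ, inherited=True),
            Ace("JUSER", allow=True, mask=READ)]
    return effective_access(dacl, {"JUSER", "SYS"})


if __name__ == "__main__":
    for label, fn in [("allows only", juser_without_sys), ("with SYS deny", juser_with_sys)]:
        mask = fn()
        print(f"{label}: 0x{mask:X} -> {describe(mask) or 'Special Permissions'}")
    print(f"explicit allow vs inherited deny: 0x{explicit_allow_beats_inherited_deny():X}")
```

Run it and compare the two masks with what icacls reports for a real folder configured the same way; the hex values are the same ones icacls prints in parentheses when a grant is not a clean basic permission.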

File and folder permissions are set through the Access Control List (ACL) on the object. Each entry in that list, which grants or denies a set of permissions to one user or group, is an Access Control Entry (ACE). The permissions themselves come in two layers: the basic permissions shown on the Security tab (Read, Write, and so on) and the special permissions that each basic permission bundles.

The first table lists the basic permissions that can be set on folders. The second table shows which special permissions each of them grants.

NTFS Folder Permissions

Permission            Description
Read                  Read files and subfolders in the folder and view folder ownership, permissions, and attributes
Write                 Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
List Folder Contents  List the names of files and subfolders in the folder
Read & Execute        Move through folders to reach other files and folders (even if the user has no permission on those folders), and perform the actions permitted by Read and List Folder Contents
Modify                Delete the folder, and perform the actions permitted by Write and Read & Execute
Full Control          Change permissions, take ownership, delete subfolders and files, and perform the actions permitted by all other NTFS folder permissions

Special permissions granted by each basic folder permission (FC = Full Control, M = Modify, RX = Read & Execute, LFC = List Folder Contents, R = Read, W = Write):

Special Permission            FC   M    RX   LFC  R    W
Traverse Folder/Execute File  X    X    X    X    -    -
List Folder/Read Data         X    X    X    X    X    -
Read Attributes               X    X    X    X    X    -
Read Extended Attributes      X    X    X    X    X    -
Create Files/Write Data       X    X    -    -    -    X
Create Folders/Append Data    X    X    -    -    -    X
Write Attributes              X    X    -    -    -    X
Write Extended Attributes     X    X    -    -    -    X
Delete Subfolders and Files   X    -    -    -    -    -
Delete                        X    X    -    -    -    -
Read Permissions              X    X    X    X    X    X
Change Permissions            X    -    -    -    -    -
Take Ownership                X    -    -    -    -    -
Synchronize                   X    X    X    X    X    X

Note that List Folder Contents and Read & Execute grant the same special permissions on the folder itself. The difference is inheritance: List Folder Contents is inherited only by subfolders, while Read & Execute is inherited by subfolders and files alike.

The next two tables list the basic permissions that can be set directly on files under Windows XP Professional, followed by the breakdown of the special permissions that make them up.

NTFS File Permissions

Permission      Description
Read            Read the file, and view file attributes, ownership, and permissions
Write           Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute  Run applications, and perform the actions allowed by Read
Modify          Modify and delete the file, and perform the actions permitted by Write and Read & Execute
Full Control    Change permissions and take ownership, and perform the actions permitted by all other NTFS file permissions

NTFS Special Permissions

Special Permission            Description
Traverse Folder/Execute File  Execute File can be allowed or denied to control the running of program files. Setting Traverse Folder on a folder does not automatically set Execute File on the files within that folder.
List Folder/Read Data         Read Data applies to files, and allows or denies viewing the data in a file. (List Folder applies to folders.)
Read Attributes               Allows or denies viewing the attributes of a file. These attributes are defined by NTFS itself.
Read Extended Attributes      Allows or denies viewing the extended attributes of a file. Extended attributes are defined by programs and vary from program to program.
Create Files/Write Data       Write Data allows or denies making changes to the file and overwriting its content. (Create Files applies to folders.)
Create Folders/Append Data    Append Data allows or denies adding data to the end of the file without changing, deleting, or overwriting existing data. (Create Folders applies to folders.)
Write Attributes              Allows or denies changing the attributes of a file only; it grants no permission to write data to the file itself. These attributes are defined by NTFS itself.
Write Extended Attributes     Allows or denies changing the extended attributes of a file only; it grants no permission to write data to the file itself. Extended attributes are defined by programs and vary from program to program.
Delete Subfolders and Files   Set on a folder, allows or denies deleting the files and subfolders it contains, even if Delete has not been granted on the file or subfolder itself.
Delete                        Allows or denies deleting the file. (Without Delete on a file you can still delete it if you hold Delete Subfolders and Files on the parent folder.)
Read Permissions              Allows or denies reading the access permissions of the file.
Change Permissions            Allows or denies changing the access permissions of the file.
Take Ownership                Allows or denies taking ownership of the file.

It is through proper permissions on all network resources that administrators enforce the principle of least privilege. This means that users are given no more rights or permissions on network resources than they need to perform their assigned tasks.

To make certain users are granted only the necessary privileges, administrators or resource owners must identify what each user's job is, determine the minimum set of permissions required to perform that job, and restrict the user to that level of access.

Administrators and resource owners tend to loosen access restrictions in an effort to ease administration. Oftentimes, however, they relax access too far, leaving an insecure environment.

That wraps up this installment of "Learn Windows XP Professional in 15 Minutes a Week." As always, if you have any questions, comments, or even constructive criticism, feel free to drop me a note. I want to write solid technical articles that appeal to a wide range of readers and skill levels, and it is only through your feedback that I can be sure I am doing that.

Until next time, best of luck in your studies and remember:

"Love is blind, but marriage is a real eye-opener."
