The following tables list the ACLs that can be set directly on files, and the breakdown of the ACEs that can be set for files, in Windows XP Professional and Windows Server 2003.
Permission | Description |
Read | User can read the file and view file attributes, ownership, and permissions. |
Write | User can overwrite the file, change file attributes, and view file ownership and permissions. |
Read & Execute | User can run applications, as well as perform the actions permitted by the Read permission. |
Modify | User can modify and delete the file, as well as perform the actions permitted by the Write permission and the Read & Execute permission. |
Full Control | User can change permissions and take ownership, as well as perform the actions permitted by all other NTFS file permissions. |

Permission | Description |
Traverse Folder/Execute File | Execute File allows or denies the user the ability to run program files. (Traverse Folder applies to folders.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. |
List Folder/Read Data | With regard to files, Read Data allows or denies the user the ability to view data in files. (List Folder applies to folders.) |
Read Attributes | Allows or denies the user to view the attributes of a file. This setting is defined via NTFS by default. |
Read Extended Attributes | Allows or denies the user the ability to view the extended attributes of a file. This setting is defined via programs by default and may vary by program. |
Create Files/Write Data | Write Data allows or denies the user the ability to make changes to the file and overwrite existing content. |
Create Folders/Append Data | Append Data allows or denies the user the ability to make changes to the end of the file but not to change, delete, or overwrite existing data. (Create Folders applies to Folder settings.) |
Write Attributes | Allows or denies the user the ability to change file attributes only. It does not grant permissions to write to the file itself (entering data). This setting is defined via NTFS by default. |
Write Extended Attributes | Allows or denies the user the ability to change the extended attributes of a file only. It does not grant permissions to write to the file itself (entering data). This setting is defined via programs by default and may vary by program. |
Delete Subfolders and Files | Allows or denies the user the ability to delete files. With an “allow” setting, the user can delete a file even if the Delete permission has not been granted on the file itself. (Delete Subfolders applies to folders.) |
Delete | Allows or denies the user the ability to delete the file. (If you do not have Delete permission on a file you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.) |
Read Permissions | Allows or denies the user the ability to read the access permissions of the file. |
Change Permissions | Allows or denies the user the ability to change the access permissions of the file. |
Take Ownership | Allows or denies the user the ability to take ownership of the file. |
NOTES FROM THE FIELD — Many of the entries in the tables above cite “the user” as a point of reference. If a program or a process is given the same rights to access the data in a particular way (e.g., Append Data), it too is allowed that level of permission.
It is through proper permissions on all network resources that administrators enforce the principle of least privilege for users, groups, processes, and applications. The principle of least privilege requires that users, groups, processes, and applications be given no more privilege or rights to network resources than is necessary to perform their designated function.
To ensure this level of least privilege is maintained, administrators and resource owners must identify the minimum set of privileges required, restrict access to the network resource to that level, and allow nothing more.
Generally, administrators and resource owners loosen access restrictions in an effort to ease administration. However, they tend to relax access too much, which leads to an insecure environment.
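The least-privilege check described above, together with the Delete / Delete Subfolders and Files interaction from the table, as an added Python example (not part of the original text). The access-mask bit values are the standard Windows file access rights; the log-writer account and its required rights are constructed, and only allow ACEs are modeled (no deny entries or inheritance).

```python
# Added example. Bit values are the standard Windows file access-mask rights;
# names are the special permissions from the table above.
SPECIAL = {
    0x000001: "List Folder/Read Data",
    0x000002: "Create Files/Write Data",
    0x000004: "Create Folders/Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder/Execute File",
    0x000040: "Delete Subfolders and Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
}
DELETE, DELETE_CHILD = 0x010000, 0x000040

def decode(mask):
    """Expand an allow-ACE access mask into the special permissions it grants."""
    return [name for bit, name in sorted(SPECIAL.items()) if mask & bit]

def excess(granted, required):
    """Special permissions granted beyond the required minimum."""
    return decode(granted & ~required)

def can_delete(file_mask, parent_mask):
    """Delete on the file itself, or Delete Subfolders and Files on its parent."""
    return bool(file_mask & DELETE or parent_mask & DELETE_CHILD)

# Constructed scenario: a hypothetical log-writer account that only appends.
REQUIRED = 0x000004 | 0x000080   # Append Data + Read Attributes
MODIFY = 0x1301BF                # mask of the basic Modify permission
FULL_CONTROL = 0x1F01FF          # mask of the basic Full Control permission
READ_EXECUTE = 0x1200A9          # mask of the basic Read & Execute permission

if __name__ == "__main__":
    print("Granted by Modify but not needed:")
    for name in excess(MODIFY, REQUIRED):
        print("  -", name)
    # File ACE is minimal, yet the parent folder's ACE decides deletability.
    print("parent Full Control   ->", can_delete(REQUIRED, FULL_CONTROL))
    print("parent Read & Execute ->", can_delete(REQUIRED, READ_EXECUTE))
```

Granting Modify to an account that only needs to append leaves eight unneeded special permissions on the file, and a minimal file ACE still does not prevent deletion when the parent folder grants Delete Subfolders and Files.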