Windows 2000 NTFS disk permissions in practice

  

Windows 2000 adds a feature that Windows 98 and earlier versions lacked: NTFS permissions. With them, Windows 2000 can control access at the level of individual folders and files, which the account and password in Windows 98 cannot do. In Windows 98, anyone who knows an account name and password controls the whole computer; there is no way to let one account read only one folder or one file. In Windows 2000 this is straightforward. So, let's go!

First, the prerequisite: the partition must be NTFS. A FAT or FAT32 partition has no file permissions at all, so none of this can be done there. If Windows 2000 is the only operating system on the machine (no Windows 98 dual-boot), NTFS is the right choice and noticeably improves both stability and security. A FAT32 partition can be converted in place with

    convert x: /fs:ntfs

where x is the actual drive letter. A few things to keep in mind. Windows 98 cannot read NTFS, so if a partition that Windows 98 also uses is converted, Windows 98 will no longer be able to use it. The command is one-way: it converts FAT32 to NTFS but cannot convert NTFS back to FAT32; going back requires third-party partitioning software such as PQ. Converting the system partition is deferred until the next reboot. Finally, on Windows 2000 a converted volume comes up with Everyone: Full Control on everything, so the permissions described below still have to be set by hand afterwards.

Once the partition is NTFS, every user account that needs a resource must be granted NTFS permissions on it. Users must be explicitly authorized to access a resource; an account with no permission entry is denied. For example, suppose I set NTFS permissions on a file so that only my own account and user A may access it. Any other account that logs in cannot use the file; Windows 2000 reports something like "you do not have the appropriate permissions to read this file". This protects the file both locally and over the network: even if someone connects to the computer across the network, only A and I can use the file. Others can see that the shared file exists but cannot read it: visible, but out of reach. Behind this is the Access Control List (ACL), a list attached to the resource that records which user accounts, groups and computers may access it and what each may do. When a user tries to access the resource, Windows 2000 looks for the user's account (or a group the user belongs to) in the ACL; if a matching entry allows the access it is granted, otherwise it is refused.

One point that differs from what many people expect: Windows 2000 does not identify users by user name. Every account receives a Security Identifier (SID) when it is created, and Windows 2000 compares SIDs, not names. Two accounts with different SIDs are different accounts even if the user name and every other setting are identical, much as an award is handed over only after checking your ID card, whatever name you give. The SID is generated by Windows 2000 when the account is created. Consequently, if an account is deleted and an identical one is created again, the new account has a new SID and none of the old account's NTFS permissions apply to it; they have to be set again. (This is also why a deleted account shows up in the Security tab as a bare SID rather than a name.)

Now the practical side. Right-click the file or folder you want to protect, choose Properties, then the Security tab. The upper list shows the accounts and groups that are allowed to use the object; by default it contains the Everyone group, which stands for all users. The lower part shows the permissions that can be set for the selected group or account. If Everyone is given Full Control, every user can do anything with the file: read it, modify it, delete it and so on. That is the Windows 2000 default. You can also add an account and set its permissions; the best way to learn is to try it yourself. One example: a file called FILE should be usable by USER1, USER2 and USER3 only. USER1 may do anything with it, USER2 may only read it (no modification or any other operation), and USER3 may read and write it but may not delete it. Step by step:

1. Right-click FILE and choose Properties, then Security.
2. Clear the checkbox "Allow inheritable permissions from parent to propagate to this object". In the dialog that appears choose Remove. This deletes all the inherited entries, Everyone included.
3. Click Add, select USER1 in the dialog, click Add, then OK.
4. Select USER1 and tick Allow next to Full Control.
5. Add USER2 in the same way.
6. Select USER2, tick Allow next to Read, and clear every other tick.
7. Add USER3.
8. Select USER3 and tick Allow next to Full Control.
9. Click Advanced, select USER3, click View/Edit and clear Delete. Note that Full Control also includes Change Permissions and Take Ownership, so USER3 could simply grant Delete back to himself; ticking Modify in step 8 instead of Full Control, then removing Delete here, closes that gap.
10. Done! ^-^ Log in as USER1 and you have complete control of the file.

Log in as USER2: the file opens, but saving produces a prompt like "Cannot create FILE. Make sure the path and file name are correct." USER2 cannot save the file, and cannot do anything else with it either; reading is all that is allowed. Log in as USER3: opening and saving both work, but deleting the file gives "Cannot delete FILE: Access is denied. The source file may be in use", meaning the file cannot be deleted.

***** Reminder: until you are comfortable with how permissions work, experiment on a throwaway file; that is safer. It is not my problem if an important document gets locked or deleted.

Folders work the same way, with one addition: inheritance. When setting a permission entry on a folder you choose whether it applies to this folder only, or to this folder together with its subfolders and files. The Advanced dialog also offers "Reset permissions on all child objects and enable propagation of inheritable permissions", which reapplies the folder's entries to everything beneath it.
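The same procedure done from a script, as an added example that is not part of the original article: it sets the USER1/USER2/USER3 entries from the steps above with Get-Acl and Set-Acl, checks the NTFS prerequisite from the start of the article, and adds one folder entry with inheritance. It assumes the local accounts USER1, USER2 and USER3 already exist and that it runs as an administrator; the file and folder names under $env:TEMP are made up for the test. Windows 2000 itself shipped cacls.exe rather than PowerShell, but the ACL written is the same one the Security tab produces.

```powershell
# Added example, not the page's own steps: the USER1/USER2/USER3 file ACL from
# the text, set with Get-Acl/Set-Acl instead of the Security tab, plus a folder
# entry with inheritance. Assumes local accounts USER1, USER2 and USER3 exist
# and that the script runs as an administrator.
$ErrorActionPreference = 'Stop'
$FSR   = [System.Security.AccessControl.FileSystemRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$dom   = $env:COMPUTERNAME

# Prerequisite from the text: the volume must be NTFS, otherwise there is no ACL to set.
$file = Join-Path $env:TEMP 'FILE'          # throwaway file, as the text advises
if ([System.IO.DriveInfo]::new($file).DriveFormat -ne 'NTFS') {
    throw "$file is not on an NTFS volume; convert it first (convert x: /fs:ntfs)."
}
Set-Content -Path $file -Value 'throwaway test data'

$acl = Get-Acl -Path $file

# Step 2: stop inheriting from the parent and drop the inherited entries
# ($true = protect the DACL, $false = do not keep copies of inherited ACEs).
# Anything left over (an explicit Everyone entry, say) is removed as well.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Steps 3-4: USER1 gets Full Control.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$dom\USER1", $FSR::FullControl, $Allow))

# Steps 5-6: USER2 gets Read only.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$dom\USER2", $FSR::Read, $Allow))

# Steps 7-9: USER3 may read and write but not delete. Modify minus Delete is used
# rather than Full Control minus Delete, because Full Control would also give
# USER3 Change Permissions and Take Ownership, with which Delete could be re-granted.
$modifyNoDelete = [System.Security.AccessControl.FileSystemRights](
    ([int]$FSR::Modify) -band (-bnot [int]$FSR::Delete))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$dom\USER3", $modifyNoDelete, $Allow))

Set-Acl -Path $file -AclObject $acl

# Folder variant: the same kind of entry, but with inheritance flags so it applies
# to the folder, its subfolders and its files (the "This folder, subfolders and
# files" choice in the Advanced dialog).
$folder = Join-Path $env:TEMP 'FOLDER'      # made-up test folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$facl = Get-Acl -Path $folder
$facl.SetAccessRuleProtection($true, $false)
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$facl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$dom\USER2", $FSR::ReadAndExecute, $inherit, $propagate, $Allow))
Set-Acl -Path $folder -AclObject $facl

# Show what was written; compare it with the Security tab.
foreach ($p in $file, $folder) {
    "== $p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

Two practical notes. The script deliberately removes every inherited entry to mirror step 2, so afterwards not even Administrators or SYSTEM have an entry on the test file; administrators can still take ownership, but backup software and services running as SYSTEM cannot read it. On a real file keep an entry for SYSTEM and Administrators. And because the script's caller owns the file, it can always read and change the ACL again, which is the right way out if you lock a test file too tightly.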

Key points and difficulties

How multiple NTFS permissions combine is unclear to many people. The rules, with examples, follow. ****** Note: this section covers only how several NTFS permissions interact with each other, not how NTFS permissions interact with share permissions.

1. Permissions accumulate. A user's effective permission on a resource is the sum of everything granted to the user's own account and to every group the user belongs to. If the user is allowed "Read" on a file and a group the user belongs to is allowed "Write", the user has both "Read" and "Write", like this:

Assume there is a file called FILE, and USER1 belongs to the group GROUP1:

    USER1 (Read) ----> FILE <---- GROUP1 (Write)
                         |
          USER1's effective permission on FILE: Read + Write

2. File permissions take priority over folder permissions. NTFS file permissions override NTFS folder permissions: if you have access to a file, you can access it even when it sits in a folder you cannot access, provided the file does not inherit the folder's permissions. Example: you have no access to the folder FOLDER, but the file FILE.TXT inside it does not inherit FOLDER's permissions and grants you access. You cannot open FOLDER in Explorer, so you never see FILE.TXT listed, but you can open the file by typing its full path, for example c:\folder\file.txt (assuming drive C). What makes this work is the "Bypass traverse checking" user right, which Windows 2000 grants to Everyone by default: a caller may pass through folders it has no permission on as long as it names the final file directly.

3. Deny overrides other permissions. A Deny entry overrides every Allow entry. Even if the user's own account has access to a folder or file, if a group the user belongs to is denied, all the permissions the user would otherwise have are cancelled and the object cannot be accessed. In other words, the accumulation rule from point 1 no longer applies. Example: there is a file called FILE, and USER1 belongs to GROUP1:

    USER1 (Read) ----> FILE <---- GROUP1 (Deny)
                         |
          USER1's effective permission on FILE: access denied

USER1's permission on FILE is no longer Read + Write; USER1 cannot access FILE at all. Denial and accumulation can also coexist. Again there is a file called FILE; USER1 belongs to both GROUP1 and GROUP2:

           USER1 (Read)
                |
    GROUP1 (Write) ----> FILE <---- GROUP2 (Deny Write)
                           |
          USER1's effective permission on FILE: Read

By the accumulation rule USER1 would have "Read + Write", but GROUP2, which USER1 belongs to, is denied Write, so only "Read" remains.

One caveat for point 3: "Deny wins" holds between entries at the same level. Windows stores a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and evaluates it in that order, so an Allow set directly on the file is checked before a Deny inherited from its folder and wins over it.
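A small model of the access check, as an added example that is not part of the original article: it reproduces the three cases above (accumulation, a group Deny, and Deny and accumulation together) and adds one case the article does not cover, an explicit Allow on the file against a Deny inherited from the folder. Rights are reduced to three made-up bits (Read, Write, Delete), identities are plain strings rather than SIDs, and the user and group names are those used in the text.

```powershell
# Added example, not from the page: a model of how Windows evaluates a DACL,
# used to reproduce the accumulation and deny cases from the text and one case
# the text does not cover (explicit Allow versus inherited Deny). Rights are
# reduced to three bits; identities are plain strings instead of SIDs.
$Rights      = [ordered]@{ Read = 1; Write = 2; Delete = 4 }
$FullControl = 7

function New-Ace {
    param([string]$Identity, [int]$Mask, [string]$Type, [switch]$Inherited)
    [pscustomobject]@{ Identity = $Identity; Mask = $Mask; Type = $Type; Inherited = [bool]$Inherited }
}

function Sort-Canonical {
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow. The Security tab writes ACEs in this order and the access
    # check walks them in this order.
    param($Dacl)
    $order = @{ Expression = { [int]$_.Inherited } }, @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    $Dacl | Sort-Object -Property $order
}

function Test-Access {
    # One access check: walk the DACL, subtract granted bits from what is still
    # requested, and fail at the first Deny that overlaps what is still outstanding.
    param($Dacl, [string]$User, [string[]]$Groups, [int]$Requested)
    $token     = @($User) + @($Groups)       # the user's SID plus group SIDs
    $remaining = $Requested
    foreach ($ace in Sort-Canonical $Dacl) {
        if ($token -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Deny') {
            if (($remaining -band $ace.Mask) -ne 0) { return $false }
        } else {
            $remaining = $remaining -band (-bnot $ace.Mask)
            if ($remaining -eq 0) { return $true }
        }
    }
    return ($remaining -eq 0)   # nothing granted the rest: denied
}

function Get-EffectiveRights {
    # Effective rights = every single right whose own access check succeeds.
    param($Dacl, [string]$User, [string[]]$Groups)
    $granted = foreach ($name in $Rights.Keys) {
        if (Test-Access $Dacl $User $Groups $Rights[$name]) { $name }
    }
    if ($granted) { $granted -join '+' } else { 'no access' }
}

# Case 1 (accumulation): USER1 allowed Read, GROUP1 allowed Write.
$case1 = @(
    (New-Ace 'USER1'  $Rights.Read  'Allow'),
    (New-Ace 'GROUP1' $Rights.Write 'Allow')
)
# Case 2 (deny wins): USER1 allowed Read, GROUP1 denied everything.
$case2 = @(
    (New-Ace 'USER1'  $Rights.Read  'Allow'),
    (New-Ace 'GROUP1' $FullControl  'Deny')
)
# Case 3 (deny and accumulation together): GROUP2 denied Write.
$case3 = @(
    (New-Ace 'USER1'  $Rights.Read  'Allow'),
    (New-Ace 'GROUP1' $Rights.Write 'Allow'),
    (New-Ace 'GROUP2' $Rights.Write 'Deny')
)
# Case 4 (not in the text): an explicit Allow on the file against a Deny
# inherited from the folder; canonical order puts the explicit ACE first.
$case4 = @(
    (New-Ace 'USER1'  $Rights.Write 'Allow'),
    (New-Ace 'GROUP1' $Rights.Write 'Deny' -Inherited)
)

'Case 1: ' + (Get-EffectiveRights $case1 'USER1' @('GROUP1'))
'Case 2: ' + (Get-EffectiveRights $case2 'USER1' @('GROUP1'))
'Case 3: ' + (Get-EffectiveRights $case3 'USER1' @('GROUP1', 'GROUP2'))
'Case 4: ' + (Get-EffectiveRights $case4 'USER1' @('GROUP1'))
```

Cases 1 to 3 come out as the text describes: Read+Write, no access, and Read. Case 4 comes out as Write, which is the point of the caveat above: a Deny that is merely inherited sits behind the file's own Allow entries in the canonical order and never gets a chance to block them. Real NTFS rights are wider bit masks (the FileSystemRights values used in the earlier script) and the kernel adds owner and privilege checks on top, but the walk over the DACL is the same.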

Copyright © Windows knowledge All Rights Reserved