Control access to files and folders by using permissions.
NTFS allows to very minute control over security permissions to allow you to do just about whatever you want. FAT drives do not support security access control lists (ACLs), so you cannot set file level security on FAT partitions.
Windows XP introduced a concept called “Simple File Sharing” which limits your ability to control ACLs using the GUI. You can, however, quickly turn off Simple File Sharing by:
1. Open My Computer.
2. Select the Tools menu and select Folder Options.
3. Click on the View tab.
4. Scroll down the bottom of the list.
5. Uncheck Use simple file sharing (Recommended).
6. Click OK.
Now that we have turned off Simple file sharing, we can look at and change security settings for a folder.
1. Navigate to the My Document folder on your hard drive. Create a new folder or select an existing folder in the My Documents directory.
2. Right-click on the folder and select Properties.
3. Click on the Security tab.
4. There are two ways to change the security settings for this folder, you can either Add or Remove users or groups on this screen, or you can click on Advanced for advanced control of security settings. Click on Advanced.
5. The first thing we are going to do it to turn off security inheritance from the parent folder. This allows us complete control over the security settings of this folder without inheriting security changes from the parent directory. Uncheck the Inherit from parent the permission entries… checkbox.
6. You are provided two options: Copy or Remove. Copy will copy the existing security settings from the parent folder, then allow you to make changes. Remove removes all security settings and lets you start with a blank slate. We are going to Copy the existing security settings, then change them as needed.
7. Now click OK to return to the folder properties dialog box.
8. You now see that the permissions box checkboxes are no longer grayed out – you are now welcome to change security permissions as desired.
9. Click on the Administrators group and click Remove.
10. You now have only two objects, the Administrator user account and the SYSTEM account. Click Add.
11. You can now select Users or Groups to add to the ACL list for this folder. The Locations button allows you to select a different location to search for users from. For example, if you were joined to a domain, you could use this button to select the Active Directory domain and add domain users or groups to the security permissions for this folder. Click the Advanced button.
12. You can search for users or groups in the Advanced dialog box. Click Find Now to show all of the local accounts and groups. Scroll down, select Power Users and click OK.
13. Click OK to return to the folder properties dialog box.
14. You will see the Power Users group has been added with three security permissions: Read & Execute, List Folder Contents, and Read. These are default rights assigned when you add a user account or group. Let’s add the Modify right by clicking the checkbox under Allow.
15. Once you check Modify, Write is automatically checked as it is a lower right than Modify. Click OK to save these security settings.
We can also use the command line tool we discussed earlier, CACLS, to view and edit ACLs on files and folders.
1. Open a command prompt.
2. Navigate to the folder we just changed security rights on.
3. Type in cacls foldername, in our example, this is cacls documentation.
4. The command displays the current security ACL settings for this folder.
5. Type in the following command using a local account in place of the name “Jeremy”:
Cacls documentation /G Jeremy:F
6. This will provide full access to the documentation folder to the user Jeremy:
7. As you can see, CACLS reset the permissions to only the Jeremy account. You can add a user account with security permissions by adding the /E switch to the command – telling the system to edit, not replace the ACL for this object. For example:
8. Now, if we look at the security permissions on the Documentation folder, we see two accounts:
9. Notice I only gave the Administrator “change” rights in my command – effectively giving the account Modify, Read & Execute, List Folder Contents, Read, and Write permissions.
Comments