Windows 7 / Security and Privacy

Permissions

Permissions authorize a user or a group to perform some function on an object. Objects, such as files, folders, disks, and printers, have a set of permissions associated with them that can be assigned to users and groups. The specific permissions depend on the object, but all objects have at least two permissions: Read, and either Modify or Change. Permissions are initially set in one of three ways:

  • The application or process that creates an object can set its permissions upon creation.
  • If the object allows the inheritance of permissions and they were not set upon creation, a parent object can propagate permissions to the object. For example, a parent folder can propagate its permissions to a subfolder it contains.
  • If neither the creator nor the parent sets the permissions for an object, the Windows Server 2008 system defaults are applied.

Once an object is created, its permissions can be changed by its owner, by an administrator, and by anybody else who has been given the permission to change permissions.

The following sections look at the default permissions for three commonly used objects (folders, shares, and files) and at how those defaults are changed.

Folder Permissions

Folder permissions are set in the Security tab of the folder's Properties dialog box. You can click this tab and change the permissions with these steps:

  1. Click Start | Computer. Windows Explorer opens.
  2. In the Folders pane on the left, open the boot drive, right-click in a blank area of the right pane, and click New | Folder. Type a name for the new folder and press Enter.
  3. Right-click the new folder and click Properties. In the Properties dialog box, click the Security tab.

You can see that with a default installation of Windows Server 2008, four groups are available to be given permissions. Two of these are domain groups (the Administrators and Users groups), and two are system groups: one for internal operating system (OS) functions (the System group) and one representing the owner or creator of the object. If you click each group and look at its permissions, you can see that Administrators and System have permission for everything, Users have limited permissions, and the Creator Owner has no permissions. All of the permissions shown here are grayed, meaning that they are inherited from a parent object (the root folder in this case) and have not been set specifically for this object.

NOTE: The default permissions in Windows Server 2003 and 2008 are substantially different from those in Windows 2000 and earlier versions of Windows NT, where the Everyone group had full permission to do everything in all but a few of the OS folders. Windows Server 2003 and 2008 start out with the opposite philosophy, where only Administrators have permission to do everything, and Users (everyone else) have limited permission. This is an intentional tightening of security on the part of Microsoft.
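
The Security tab check in the steps above can also be made from a PowerShell prompt. The following script is an added example, not part of the original text: it lists each entry on a new folder, reports which entries are inherited (the grayed check boxes), and looks for the looser Everyone default described in the NOTE. It assumes Windows PowerShell 2.0 or later and an NTFS boot drive; the folder name PermTest is hypothetical.

```powershell
# Added example; the folder name PermTest is hypothetical.
$path = Join-Path $env:SystemDrive 'PermTest'
if (-not (Test-Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

$acl = Get-Acl -Path $path
"Owner: $($acl.Owner)"
# True when the folder blocks inheritance from its parent.
"Inheritance blocked: $($acl.AreAccessRulesProtected)"

# One row per access control entry. IsInherited = True is what the
# Security tab shows as a grayed check box.
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize | Out-String

# Entries set directly on this folder rather than propagated from the parent.
$explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
if ($explicit.Count -eq 0) {
    'All entries are inherited from the parent folder.'
} else {
    'Entries set directly on this folder:'
    $explicit | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String
}

# Look for the older, looser default the NOTE describes: an Allow entry that
# gives the Everyone group (well-known SID S-1-1-0) write-type rights.
# Rules are requested by SID so the test does not depend on the display language.
# Entries expressed as generic access rights are not matched by this mask.
$sidType = [System.Security.Principal.SecurityIdentifier]
$write   = [int][System.Security.AccessControl.FileSystemRights]::Write
$loose = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $write) -ne 0
})
if ($loose.Count -gt 0) {
    'Everyone has write-type rights on this folder:'
    $loose | Format-Table FileSystemRights, IsInherited -AutoSize | Out-String
} else {
    'No Allow entry gives Everyone write-type rights.'
}
```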