SUMMARY

At a basic level, file system security begins by choosing the appropriate file system. Windows 2000 includes three different file systems: NTFS, FAT32, and FAT.

The NTFS file system is the recommended file system because of its advantages in reliability and security and because it is required for large drives. The FAT and FAT32 file systems are similar to each other, except that FAT32 is designed for larger disks than FAT. NTFS has always been a more powerful file system than FAT or FAT32. Windows 2000 Server has a new version of NTFS that includes many important security features such as:

• Permissions that you can set on individual files rather than just on folders.
• File encryption, which greatly enhances security.
• Active Directory, which you can use to view and control network resources easily.
• Domains, which are part of Active Directory, and which you can use to fine-tune security options while keeping administration simple. Domain controllers require NTFS.
• Recovery logging of disk activities, which helps you restore information quickly in the event of a power failure or other system problems.
• Disk quotas, which you can use to monitor and control the amount of disk space used by individual users.
• Better scalability to large drives. The maximum drive size for NTFS is much greater than that for FAT, and as drive sizes increase, performance with NTFS does not degrade as it does with FAT.

If you are currently using the FAT file system, you can use the Convert utility that is included with Windows 2000 to convert to NTFS. For additional information about using the Convert utility, click the article number below to view the article in the Microsoft Knowledge Base:

Once you are using NTFS, you can use the file and folder permissions to secure data. Windows 2000 gives you comprehensive control over each file and folder on your hard disk. You can also use Encrypting File System (EFS) technology, which is a security technology that enables individual users to encrypt files so that the files cannot be read by others. For additional information about EFS, please check Windows Help.

back to the top

To Modify File and Folder Permissions

For example, if you want to restrict access to a folder so that group A and group B can view the folder but not remove it, you can use the following steps to add both groups and deny Write permissions for the two groups. To modify file and folder permissions:

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the file or folder for which you want to set permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. To set up permissions for a new group or user, click Add. Type the name of the group or user you want to set permissions for by using the domainname\name format, and then click OK.
4. To change or remove permissions from an existing group or user, click the name of the group or user.
5. Click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the group or user from the permissions list, click Remove.

back to the top

To Modify Special Permissions

If you need finer control over permissions, you can modify special permissions. In this example, assume that you have shared a folder and have granted access to groups A and B. However, you do not want group A to create folders in the shared folder. You can deny the special Create Folders/Append Data permission to the Write permissions for group A. To modify special permissions:

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the file or folder for which you want to set permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, and then use one of the following steps:
   • To set special permissions for a new group or user, click Add. In the Name box, type the name of the user or group by using the domainname\name format. When you are finished, click OK to automatically open the Permission Entry dialog box.
   • To view or change special permissions for an existing group or user, click the name of the group or user, and then click View/Edit.
   • To remove a group or user and its special permissions, click the name of the group or user, and then click Remove. If the Remove button is unavailable, click to clear the Allow inheritable permissions check box. The file or folder will no longer inherit permissions. Skip steps 4 through 6.
4. In the Permission Entry dialog box, click where you want the permissions applied in Apply onto, if necessary. Note that Apply onto is available only for folders.
5. In Permissions, click Allow or Deny for each permission.
6. If you want the subfolders and files in the tree to inherit these permissions, click to select the Apply these permissions check box.

If the check boxes under Permissions are unavailable, or if the Remove button is unavailable, the file or folder has inherited permissions from the parent folder.

back to the top

Permissions on a File Server

You may need to assign permissions for the files on a file server. For example, suppose that you need to set file permissions on a server that is used by a small department. The file server includes a programs folder, home folders for each of the department's users, a public folder in which users can share files, and a drop folder in which users can file confidential reports that only the group manager can read.

back to the top

Programs Folder

In this folder, make all program files read-only for all users, to prevent viruses and Trojan horses. You can also grant the Change permission to members of the Administrators group, so that administrators can grant themselves Write permission when it is time to update a program.

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the folder for which you want to set permissions. In this example, use the folder called Programs.
2. In the Programs folder, right-click a program file, click Properties, and then click the Security tab.
3. Click the Everyone group. If the Everyone group is not listed, you can add the group by clicking Add.
4. In Permissions, click Allow for Read & Execute and Read.
5. Click Deny for Write, and then click to clear the check boxes for the remaining permissions.
6. Click the Administrators group, click Advanced button, and then click View/Edit.
7. For Change Permissions, click Allow, and then click OK.
8. Click Apply, click OK, and then click OK. If none of your programs needs to write any files (such as initialization files) in their own folders, you should also set all of the folders that contain programs to read-only.

back to the top

Home Folders

In these folders, give each user full control over his or her own folder, and do not give anyone permissions for any other folder.

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the folder for which you want to set permissions. In this example, use the folder called User1.
2. Right-click the User1 folder, click Properties, and then click the Security tab.
3. Remove all listed groups and users. To do this, click a group or user, and then click Remove.
4. Click Add, and then add the appropriate user. For example, add the user named User1. Click OK.
5. Click the user. In Permissions, click Allow for Full Control.

back to the top

Public Folder

In this folder, you can give all users the Modify permission. The Modify permission is more appropriate than Full Control, because Full Control also allows users to set permissions for the public folder and take ownership of it.

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the folder for which you want to set permissions. In this example, use the folder called Public.
2. Right-click the Public folder, click Properties, and then click the Security tab.
3. In Permissions, click the Everyone group, and then click to clear the Full Control check box.
4. In Permissions, click Allow for the Modify permission.
5. Remove all other groups and users. To do this, click a group or user, and then click Remove.

back to the top

Drop Folder

To create a drop folder, grant the Write permission to the Users or Everyone built-in groups for the folder, and grant the Modify permission to the manager who is to read the files in the folder.

1. Click Start, point to Programs, point to Accessories, click Windows Explorer, and then locate the folder for which you want to set permissions. In this example, use the folder called Drop and the user named Manager1.
2. Right-click the Drop folder, click Properties, and then click the Security tab.
3. Click the Everyone group. If the Everyone group is not listed, you can add the group by clicking Add.
4. Click Allow for the Write permission, and then click to clear the check boxes for the remaining permissions.
5. Click Deny for Read & Execute. This will also explicitly deny permissions for the List Folder Contents and Read permissions.
6. Keep the Everyone group and remove all other listed groups and users. To do this, click a group or user, and then click Remove.
7. Click Add, and then add the appropriate user. In this example, add Manager1. Click OK.
8. In Permissions, click the Manager1 user, click to clear the Full Control check box, and then click Allow for the Modify permission.

NOTE: Give access to local system folders or subfolders only to administrators or server operators.

back to the top

Troubleshooting

Keep in mind that groups or users who are granted Full Control permissions for a folder can delete files and subfolders in that folder, regardless of the permissions that protect the files and subfolders.

You can set file and folder permissions only on NTFS drives.

back to the top