NTFS Permissions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

With NTFS access permissions as the foundation of your Web server's security, you can define the level of file and directory access that is granted to Windows users and groups. For example, if a business decides to publish its catalog on your Web server, you create a Windows user account for that business and then assign permissions on the specific Web site, directory, or file. The permissions should allow only the server administrator and the business owner's account to update the contents of the Web site. Public users should be able to view the Web site, but not to alter its contents.

To control access to directories and files in this manner, the drives that hold the content must be formatted with NTFS, not FAT or FAT32. Using FAT32 is strongly discouraged because it has no access control lists: any user who can log on to the server can read and change every file on the volume. NTFS is a more powerful and restrictive file system than FAT and FAT32. With NTFS, you can limit access to your Web server's files and directories, and you can configure the access level granted to a particular user or group for each file and directory on your server.

Table 5.7 compares the security options of NTFS and FAT file systems.

Table 5.7 Comparison of NTFS and FAT File Systems

  • Access control. NTFS: allows administrators to control access to directories and files using NTFS permissions, which can be set on individual files as well as on directories. FAT: does not allow administrators to control access to directories and files.

  • File encryption. NTFS: supports file encryption (Encrypting File System, EFS), which greatly enhances file security. FAT: does not support file encryption.

  • WebDAV. NTFS: allows administrators to enable Web Distributed Authoring and Versioning (WebDAV) properties. FAT: does not allow administrators to enable WebDAV properties.

  • Domain security. NTFS: supports Active Directory and domain-based security. FAT: does not support Active Directory and domain-based security.

The NTFS permission levels are as follows:

  • Full Control. Users can do anything to the file or folder, including changing its permissions and taking ownership of it. Grant this level only to administrators.

  • Modify. Users can view, change, create, and delete files and folders and change their attributes. This level includes everything that Read & Execute and Write grant, plus the right to delete. Users cannot take ownership or change permissions.

  • Read & Execute. Users can run executable files, including scripts, and traverse folders. This level also includes all the rights granted by Read.

  • List Folder Contents. Users can view the names of the files and subfolders in a folder and traverse it. This level applies to folders only.

  • Read. Users can view file contents, attributes, and permissions.

  • Write. Users can create files and subfolders, write data to files, and change attributes. Write alone does not grant the right to read a file.
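The following PowerShell script is an added example, not code from the original page or from the product it describes. It applies the three roles from the catalog scenario to one site's content directory: Administrators get Full Control, the business owner's account gets Modify, and the IIS anonymous account gets Read & Execute, with inheritance from the parent folder cut off so that a broad entry higher up the tree cannot widen access. The path D:\Sites\Catalog, the local account name CatalogOwner, and the use of the local computer name to form the IUSR_ComputerName account are assumptions for this server; change them to match yours. It also checks first that the volume is NTFS, because on a FAT or FAT32 volume there is no ACL to set.

```powershell
# Added example; not part of the original page. Grants the three roles
# described in the text on one site's content directory. Assumed names:
#   D:\Sites\Catalog     - the site's content directory
#   CatalogOwner         - local account created for the business that owns the site
#   IUSR_<ComputerName>  - the IIS anonymous account on this server
$SitePath   = 'D:\Sites\Catalog'
$OwnerUser  = "$env:COMPUTERNAME\CatalogOwner"
$AnonUser   = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
$AdminGroup = 'BUILTIN\Administrators'

# NTFS permissions require an NTFS volume; on FAT/FAT32 there is no ACL to set.
$drive = Split-Path -Path $SitePath -Qualifier          # e.g. 'D:'
$fs    = (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
if ($fs -ne 'NTFS') { throw "$drive is formatted $fs, not NTFS; permissions cannot be set." }

if (-not (Test-Path -Path $SitePath)) {
    New-Item -ItemType Directory -Path $SitePath | Out-Null
}

$acl = Get-Acl -Path $SitePath

# Stop inheriting from the parent and drop the inherited entries, so that a
# broad entry such as Users: Read & Execute on D:\ cannot widen access here.
$acl.SetAccessRuleProtection($true, $false)

# New entries apply to this folder, its subfolders, and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-SiteAce([string]$Identity, [string]$Rights) {
    $fsr = [System.Security.AccessControl.FileSystemRights]$Rights
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $fsr, $inherit, $propagate, $allow
}

$acl.AddAccessRule((New-SiteAce $AdminGroup 'FullControl'))    # administrators only
$acl.AddAccessRule((New-SiteAce $OwnerUser  'Modify'))         # updates content, cannot change the ACL
$acl.AddAccessRule((New-SiteAce $AnonUser   'ReadAndExecute')) # public: view and run only

Set-Acl -Path $SitePath -AclObject $acl

# Verify: exactly three explicit (non-inherited) entries should remain.
Get-Acl -Path $SitePath | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated PowerShell session on the Web server. Because the script removes inherited entries, anything else that must reach the content (for example the worker process identity when the site runs ASP.NET, or a backup account) needs its own entry; add it with the same helper rather than re-enabling inheritance.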

Important

Anonymous Web requests run in the security context of the IUSR_ComputerName account. If that account does not have Read & Execute permission on a resource, either directly or through a group it belongs to, anonymous users are denied access to that resource. A Deny entry overrides any Allow entry, so check Deny entries on the account and on groups such as Everyone as well. The default permissions assigned when you add a user or group to the Access Control List (ACL) are Read & Execute, List Folder Contents, and Read.
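The following audit script is an added example, not code from the original page. It walks a Web content tree and reports the two ACL mistakes the note above describes: items on which the anonymous account has no Read & Execute entry (anonymous requests will be denied), and items that the anonymous account or a broad group such as Everyone or Users can change (anonymous defacement or upload). The root path D:\Sites, the principal names, and the list of "broad" groups are assumptions for this server. Only the account's own entries and Everyone are treated as reaching anonymous users; access inherited through other group memberships is not resolved, so treat a "no Read & Execute" report as something to confirm, not as a final verdict.

```powershell
# Added example; not part of the original page. Reports anonymous-access
# problems across a Web content tree. Root path and principal names are assumptions.
param(
    [string]$WebRoot  = 'D:\Sites',
    [string]$AnonUser = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# Principals whose Allow entries reach anonymous users. Only the account's own
# entry and Everyone are resolved here; membership in other groups (for example
# BUILTIN\Guests) is not followed, so confirm a "no Read & Execute" finding by hand.
$AnonPrincipals  = @($AnonUser, 'Everyone')
# Principals that should never be able to write Web content (assumed list).
$BroadPrincipals = @($AnonUser, 'Everyone', 'BUILTIN\Guests', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users')

# Any of these rights lets the holder change content or permissions.
$WriteMask = $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor `
             $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::WriteAttributes -bor `
             $FSR::WriteExtendedAttributes -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Test-WebContentAcl([string]$Path) {
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()
    $anonRead = $false

    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights   # generic-right entries appear as a raw integer and are not decoded
        if ($ace.AccessControlType -eq 'Deny') {
            # A Deny beats every Allow, so a Deny aimed at anonymous users blocks them outright.
            if ($AnonPrincipals -contains $id) { $findings += "Deny entry for $id ($rights)" }
            continue
        }
        if (($AnonPrincipals -contains $id) -and (($rights -band $FSR::ReadAndExecute) -eq $FSR::ReadAndExecute)) {
            $anonRead = $true
        }
        if (($BroadPrincipals -contains $id) -and (($rights -band $WriteMask) -ne 0)) {
            $findings += "$id can change this item ($rights)"
        }
    }
    if (-not $anonRead) {
        $findings += "no Read & Execute for $AnonUser; anonymous users will be denied"
    }

    foreach ($f in $findings) { '{0}: {1}' -f $Path, $f }
}

Test-WebContentAcl -Path $WebRoot
Get-ChildItem -Path $WebRoot -Recurse | ForEach-Object { Test-WebContentAcl -Path $_.FullName }
```

Each line of output names the item and the problem, so the result can be redirected to a file and reviewed before any permissions are changed. The write check deliberately tests individual rights rather than the "Modify" or "Write" summary levels, because a custom ACL can grant, for example, Delete or Change Permissions on its own without either summary level being shown.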

For more details about setting NTFS permissions, see Setting NTFS Permissions for Directories or Files.