Security
You can assign permissions to files or folders and determine what can be done to those resources. Note that you cannot assign rights to files or folders.
For information about how to set file or folder permissions, see Windows 2000 Professional Help.
To Set File or Folder Permissions
Open Windows Explorer, and then locate the file or folder for which you want to set permissions.
Right-click the file or folder, click Properties , and then click the Security tab.
To set up permissions for a new group or user, click Add . Type the name of the group or user you want to set permissions for using the format domainname\name , and then click OK to close the dialog box.
– Or –
To change or remove permissions from an existing group or user, click the name of the group or user.In Permissions , click Allow or Deny for each permission you want to allow or deny.
– Or –
To remove the group or user from the permissions list, click Remove .
After you set permissions on a folder, new files and subfolders created in the folder inherit these permissions unless you configure this not to happen.
To Prevent A Folder from Imposing Permissions on New Files or Folders
In My Computer, right-click the folder in question, and then click Properties .
On the Security tab, click Advanced .
Select a permission entry from the Permissions Entries list, and then click View/Edit .
Select an alternate inheritance behavior from the Apply onto drop-down list.
To Prevent New Files or Folders from Inheriting Permissions
Using My Computer , right-click the folder in question, and then click Properties .
On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box.
If the check boxes appear shaded, the file or folder has inherited permissions from the parent folder. There are three ways to make changes to inherited permissions:
Make the changes to the parent folder, and then the file or folder will inherit these permissions.
Select the opposite permission ( Allow or Deny ) to override the inherited permission.
Clear the Allow inheritable permissions from parent to propagate to this object check box. Now you can make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder.
If neither Allow nor Deny is selected for a permission, then the group or user might have obtained the permission through group membership. If the group or user has not obtained the permission through membership in another group, the group or user is implicitly denied the permission. To explicitly allow or deny the permission, click the appropriate check box.
The following section describes the default permissions provided to different users.
Table 13.6 describes the default file system and registry permissions.
Table 13.6 Default Settings for User Write Access
Object |
Permission |
Description |
|---|---|---|
HKEY_Current_User |
Full Control |
Users portion of the registry. |
%UserProfile% |
Full Control |
Users Profile directory. |
All Users\Documents |
Read, Create File |
Allows Users to create files that can subsequently be read (but not modified) by other Users. |
%windir%\Temp |
Synchronize, Traverse, Add File, Add Subdir |
Each computer has one temporary directory for use by service-based applications that use this directory to improve performance. |
\ (Root Directory) |
Not Configured during setup |
No permissions are applied to the root level of the directory because the Windows 2000 ACL Inheritance model would cause any root level permissions to affect all child objects, including those outside the scope of setup. |
Table 13.7 describes the default access control settings that are applied to file system objects for Power Users and Users during a clean installation of the Windows 2000 operating system onto an NTFS partition. For directories, unless otherwise stated (in parentheses), the permissions apply to the directory, subdirectories, and files.
%systemdir% refers to %windir%\system32.
*.* refers to the files (not directories) contained in a directory.
RX means Read and Execute.
Table 13.7 Default Access Control Settings for File System Objects
File System Object |
Default Power User Permissions |
Default User Permissions |
|---|---|---|
c:\boot.ini |
RX |
None |
c:\ntdetect.com |
RX |
None |
c:\ntldr |
RX |
None |
c:\ntbootdd.sys |
RX |
None |
c:\autoexec.bat |
Modify |
RX |
c:\config.sys |
Modify |
RX |
\ProgramFiles |
Modify |
RX |
%windir% |
Modify |
RX |
%windir%\*.* |
RX |
RX |
%windir%\config\*.* |
RX |
RX |
%windir%\cursors\*.* |
RX |
RX |
%windir%\Temp |
Modify |
Synchronize, Traverse, Add File, Add Subdir |
%windir%\repair |
Modify |
List |
%windir%\addins |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\Connection Wizard |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\fonts\*.* |
RX |
RX |
%windir%\help\*.* |
RX |
RX |
%windir%\inf\*.* |
RX |
RX |
%windir%\java |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\media\*.* |
RX |
RX |
%windir%\msagent |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\security |
RX |
RX |
%windir%\speech |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\system\*.* |
Read, Execute |
RX |
%windir%\twain_32 |
Modify (Dir\Subdirs) RX (Files) |
RX |
%windir%\Web |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir% |
Modify |
RX |
%systemdir%\*.* |
RX |
RX |
%systemdir%\config |
List |
List |
%systemdir%\dhcp |
RX |
RX |
%systemdir%\dllcache |
None |
None |
%systemdir%\drivers |
RX |
RX |
%systemdir%\CatRoot |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir%\ias |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir%\mui |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir%\OS2\*.* |
RX |
RX |
%systemdir%\OS2\DLL\*.* |
RX |
RX |
%systemdir%\RAS\*.* |
RX |
RX |
%systemdir%\ShellExt |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir%\Viewers\*.* |
RX |
RX |
%systemdir%\wbem |
Modify (Dir\Subdirs) RX (Files) |
RX |
%systemdir%\wbem\mof |
Modify |
RX |
%UserProfile% |
Full Control |
Full Control |
All Users |
Modify |
Read |
All Users\Documents |
Modify |
Read, Create File |
All Users\Application Data |
Modify |
Read |
Note that a Power User can write new files into the following directories but cannot modify the files that are installed there during text-mode setup. Furthermore, all other Power Users inherit Modify permissions on files created in these directories.
%windir%
%windir%\config
%windir%\cursors
%windir%\fonts
%windir%\help
%windir%\inf
%windir%\media
%windir%\system
%systemdir%
%systemdir%\OS2
%systemdir%\OS2\DLL
%systemdir%\RAS
%systemdir%\Viewers
For directories designated as [Modify (Dir\Subdirs) RX (Files)], Power Users can write new files; however, other Power Users will only have read access to those files.
Table 13.8 describes the default access control settings that are applied to registry objects for Power Users and Users during a clean installation of the Windows 2000 operating system. For a given object, permissions apply to that object and all child objects unless the child object is also listed in the table.
Table 13.8 Registry Permissions for Power Users and Users
Registry Object |
Default PowerUser Permissions |
Default User Permissions |
|---|---|---|
HKEY_LOCAL_MACHINE |
|
|
HKEY_LOCAL_MACHINE\SOFTWARE |
Modify |
Read |
HKLM\SOFTWARE\Classes\helpfile |
Read |
Read |
HKLM\SOFTWARE\Classes\.hlp |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Command Processor |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Cryptography |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Driver Signing |
Read |
Read |
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Non-Driver Signing |
Read |
Read |
HKLM\SOFTWARE\Microsoft\NetDDE |
None |
None |
HKLM\SOFTWARE\Microsoft\Ole |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Rpc |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Secure |
Read |
Read |
HKLM\SOFTWARE\Microsoft\SystemCertificates |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib |
Read (via Interactive) |
Read (via Interactive) |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList |
Read |
Read |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost |
Read |
Read |
HKLM\SOFTWARE\Policies |
Read |
Read |
HKLM\SYSTEM |
Read |
Read |
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg |
None |
None |
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive |
Modify |
Read |
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation |
Modify |
Read |
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security |
None |
None |
HKLM\HARDWARE |
Read (via Everyone) |
Read (via Everyone) |
HKLM\SAM |
Read (via Everyone) |
Read (via Everyone) |
HKLM\SECURITY |
None |
None |
HKEY_USERS |
|
|
HKEY_USERS\.DEFAULT |
Read |
Read |
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\NetDDE |
None |
None |
HKEY_CURRENT_CONFIG |
= HKLM\System\CurrentControlSet\HardwareProfiles\Current |
|
HKEY_CURRENT_USER |
Full Control |
Full Control |
HKEY_CLASSES_ROOT |
= HKLM\Software\Classes |
= HKLM\Software\Classes |
For more information, see the Distributed Systems Guide in the Windows 2000 Server Resource Kit .