Share and NTFS Permission
- NTFS Permissions
- Share Permissions
- Share and NTFS Permission Similarities 共享权限和NTFS权限的相似性
- Modifying Share and NTFS Permissions修改权限
- Combining Share and NTFS Permissions组合共享权限和NTFS权限
NTFS Permissions |
||||||||||||||
NTFS permissions apply to any file or folder on a disk that has been formatted with NTFS. NTFS权限应用于使用NTFS文件系统格式化的磁盘上的任何文件或文件夹.
|
||||||||||||||
Share Permissions |
||||||||||||||
Share permissions apply to shares only when they are accessed over the network. There are only three share permissions: 共享权限应用于通过网络访问的共享:
|
||||||||||||||
Share and NTFS Permission Similarities 共享权限和NTFS权限的相似性 |
||||||||||||||
Now that you have a basic understanding of the overall NTFS and share permissions, it’s easier to explore the similarities, and there are many. These include: ◆ Both can be assigned either Allow or Deny.都可以分配Allow或者Deny ◆ Both are cumulative.都可以积累 ◆ Deny takes precedence with both.Deny都取得优先 ◆ Both support implicit deny.都支持隐式拒绝。
一、Assigning Allow or Deny As you start working with permissions, you’ll notice that they have both Allow and Deny check boxes for each of the listed permissions. Here’s an overview of how they work:
◆ If the permission is set to Allow for a user or group, the user or group has this permission. ◆ If the permission is set to Deny for a user or group, the user or group does not have the permission. ◆ Permissions are cumulative权限是累积的. If a user has multiple Allow permissions assigned (such as Allow Read and Allow Change), the user has a combination of the assigned permissions各个权限的组合. ◆ If both Allow and Deny permissions are assigned for a user, Deny takes precedence.Deny优先.
If there aren’t any permissions assigned to a user, then the user does not have access to the object. This is referred to as an implicit deny. 如果没有和用户指派任何权限,用户无法访问这个对象,这就是隐式拒绝。
Both share permissions and NTFS permissions use the discretionary access control (DAC) model to control access. 共享权限和NTFS权限都使用资助访问控制DAC模型来控制访问。
Each object has a discretionary access control list (DACL, pronounced “dackel”). The DACL is a list of access control entries (ACEs). 每个对象都拥有一个自主访问控制列表DACL。DACL是一个访问控制项ACE的列表。
Each ACE identifi es a user or a group with their associated security identifi er (SID) and Allow or Deny permission. Any object can have multiple ACEs in the DACL; said another way, any object can have multiple permissions assigned. 每个ACE使用和用户或组关联的安全标识符SID以及Allow或Deny权限来标识用户或组。 在DACL中,任何对象都可以拥有多个ACE。也就是说任何对象都可以指派多个权限。
When a user accesses a fi le, folder, or share, the operating system compares the DACL with the user’s account and group memberships. If there’s a match, the user is granted the appropriate permission.
二、累积权限Cumulative Permissions 三、Deny Takes Precedence 四、Implicit Deny隐式拒绝
|
||||||||||||||
Modifying Share and NTFS Permissions修改权限 |
||||||||||||||
|
||||||||||||||
|
||||||||||||||
Combining Share and NTFS Permissions组合共享权限和NTFS权限 |
||||||||||||||
当用户通过共享访问文件或文件夹时,识别用户拥有的权限有时候会存在挑战. People sometimes fi nd it challenging to identify the permissions a user will have when they access a fi le or folder via a share. We like to keep it simple with these three steps: 1. Determine the cumulative NTFS permissions.确定累积NTFS权限 2. Determine the cumulative share permissions.确定累积共享权限 3. Determine which of the two provides the least access (commonly called the most restrictive permission).确定那个权限提供最少的访问(通常称为最受限制权限) Imagine that Sally is a member of the G_Sales and G_ITAdmins groups. The assigned permissions for the SalesData folder (shared as the SalesData share) are shown in Table 13.2.
In step 1, you need to determine the cumulative NTFS permissions. Sally has the Read, Read & Execute, and List Folder Contents permissions as a member of the G_Sales group. Additionally, she has Full Control permission as a member of the G_IT SalesAdmins group. Since Full Control includes all the other permissions, her cumulative NTFS permissions are Full Control.
In step 2, you need to determine the cumulative share permissions. Sally has the Read permission as a member of the G_Sales group. Additionally, she has the Change permission as a member of the G_IT SalesAdmins group. Since Change includes both Read and Write, her cumulative share permissions are Change.
The last step involves a simple question. Which permission provides the least access or is the most restrictive: Full Control or Change? The answer is Change.
Change is the permission that Sally will have if accessing the share over the network.
How about a trick question? What is Sally’s permission when she accesses the SalesData folder locally?
The answer is Full Control.
Remember that share permissions apply only when a user accesses the share over a network. If the folder is accessed locally, only NTFS permissions apply.
Share permissions are applied when a user accesses a fi le or folder across the network, but they are not taken into consideration when a user accesses those resources locally, as they would be when sitting directly at the computer or when using resources on a terminal server. NTFS permissions, in contrast, are applied no matter how a user accesses those same resources, whether they are connecting remotely or logging in at the console. So, when accessing files locally, only NTFS permissions are applied. When accessing those same fi les remotely, the sum of both share and NTFS permissions is applied by calculating the most restrictive permissions of the two types. For more information about NTFS, see Chapter 13, “Files, Folders, and Basic Shares.”
|