Security

You can assign permissions to files or folders and determine what can be done to those resources. Note that you cannot assign rights to files or folders.

For information about how to set file or folder permissions, see Windows 2000 Professional Help.

To Set File or Folder Permissions

  1. Open Windows Explorer, and then locate the file or folder for which you want to set permissions.

  2. Right-click the file or folder, click Properties, and then click the Security tab.

  3. To set up permissions for a new group or user, click Add. Type the name of the group or user you want to set permissions for using the format domainname\name, and then click OK to close the dialog box.
    – Or –
    To change or remove permissions from an existing group or user, click the name of the group or user.

  4. In Permissions, click Allow or Deny for each permission you want to allow or deny.
    – Or –
    To remove the group or user from the permissions list, click Remove.

How Inheritance Affects Permissions

After you set permissions on a folder, new files and subfolders created in the folder inherit these permissions unless you configure this not to happen.

To Prevent A Folder from Imposing Permissions on New Files or Folders

  1. In My Computer, right-click the folder in question, and then click Properties.

  2. On the Security tab, click Advanced.

  3. Select a permission entry from the Permissions Entries list, and then click View/Edit.

  4. Select an alternate inheritance behavior from the Apply onto drop-down list.

To Prevent New Files or Folders from Inheriting Permissions

  1. Using My Computer, right-click the folder in question, and then click Properties.

  2. On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box.

If the check boxes appear shaded, the file or folder has inherited permissions from the parent folder. There are three ways to make changes to inherited permissions:

  • Make the changes to the parent folder, and then the file or folder will inherit these permissions.

  • Select the opposite permission (Allow or Deny) to override the inherited permission.

  • Clear the Allow inheritable permissions from parent to propagate to this object check box. Now you can make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder.

If neither Allow nor Deny is selected for a permission, then the group or user might have obtained the permission through group membership. If the group or user has not obtained the permission through membership in another group, the group or user is implicitly denied the permission. To explicitly allow or deny the permission, click the appropriate check box.
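The evaluation rules described above, modeled as an added example (not code from the original page or from Windows itself): explicit entries are checked before inherited ones, which is why selecting the opposite permission overrides an inherited one, and a user who matches no entry is implicitly denied. The names alice, bob, carol, Contractors and Editors are constructed, and the model assumes a single level of inheritance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the entry names
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. frozenset({"read", "write"})
    inherited: bool       # True when propagated from the parent folder

def canonical_order(dacl):
    """Explicit entries first, then inherited; Deny before Allow in each."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, user, groups, wanted):
    """Walk the ordered list and return (granted, reason)."""
    identities = {user, *groups}
    remaining = set(wanted)
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        origin = "inherited" if ace.inherited else "explicit"
        if ace.kind == "deny" and ace.rights & remaining:
            return False, f"{origin} deny for {ace.trustee}"
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True, f"{origin} allow for {ace.trustee}"
    return False, "implicit deny (no matching entry)"

# Constructed sample: a file inherits two entries from its parent folder.
INHERITED = [
    Ace("Contractors", "deny", frozenset({"write"}), inherited=True),
    Ace("Editors", "allow", frozenset({"read", "write"}), inherited=True),
]
# An explicit Allow set on the file itself for one user.
EXPLICIT = [Ace("alice", "allow", frozenset({"write"}), inherited=False)]

def demo(w=frozenset({"write"})):
    return {
        # alice is a Contractor, but her explicit Allow is evaluated first.
        "explicit_overrides": access_check(INHERITED + EXPLICIT, "alice", ["Contractors"], w),
        # Without the explicit entry the inherited Deny applies.
        "inherited_deny": access_check(INHERITED, "alice", ["Contractors"], w),
        # bob has no entry of his own; he gets write through Editors.
        "via_group": access_check(INHERITED, "bob", ["Editors"], w),
        # carol matches nothing, so she is implicitly denied.
        "implicit_deny": access_check(INHERITED, "carol", ["Users"], w),
    }
```

Calling demo() returns the verdict and the deciding entry for each of the four cases.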

Default Settings

The following section describes the default permissions provided to different users.

Default File System and Registry Permissions

Table 13.6 describes the default file system and registry permissions.

Table 13.6 Default Settings for User Write Access

| Object | Permission | Description |
|---|---|---|
| HKEY_Current_User | Full Control | Users portion of the registry. |
| %UserProfile% | Full Control | Users Profile directory. |
| All Users\Documents | Read, Create File | Allows Users to create files that can subsequently be read (but not modified) by other Users. |
| %windir%\Temp | Synchronize, Traverse, Add File, Add Subdir | Each computer has one temporary directory for use by service-based applications that use this directory to improve performance. |
| \ (Root Directory) | Not Configured during setup | No permissions are applied to the root level of the directory because the Windows 2000 ACL Inheritance model would cause any root level permissions to affect all child objects, including those outside the scope of setup. |

File System Permissions for Power Users and Users

Table 13.7 describes the default access control settings that are applied to file system objects for Power Users and Users during a clean installation of the Windows 2000 operating system onto an NTFS partition. For directories, unless otherwise stated (in parentheses), the permissions apply to the directory, subdirectories, and files.

  • %systemdir% refers to %windir%\system32.

  • *.* refers to the files (not directories) contained in a directory.

  • RX means Read and Execute.

Table 13.7 Default Access Control Settings for File System Objects

| File System Object | Default Power User Permissions | Default User Permissions |
|---|---|---|
| c:\boot.ini | RX | None |
| c:\ntdetect.com | RX | None |
| c:\ntldr | RX | None |
| c:\ntbootdd.sys | RX | None |
| c:\autoexec.bat | Modify | RX |
| c:\config.sys | Modify | RX |
| \ProgramFiles | Modify | RX |
| %windir% | Modify | RX |
| %windir%\*.* | RX | RX |
| %windir%\config\*.* | RX | RX |
| %windir%\cursors\*.* | RX | RX |
| %windir%\Temp | Modify | Synchronize, Traverse, Add File, Add Subdir |
| %windir%\repair | Modify | List |
| %windir%\addins | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\Connection Wizard | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\fonts\*.* | RX | RX |
| %windir%\help\*.* | RX | RX |
| %windir%\inf\*.* | RX | RX |
| %windir%\java | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\media\*.* | RX | RX |
| %windir%\msagent | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\security | RX | RX |
| %windir%\speech | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\system\*.* | Read, Execute | RX |
| %windir%\twain_32 | Modify (Dir\Subdirs) RX (Files) | RX |
| %windir%\Web | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir% | Modify | RX |
| %systemdir%\*.* | RX | RX |
| %systemdir%\config | List | List |
| %systemdir%\dhcp | RX | RX |
| %systemdir%\dllcache | None | None |
| %systemdir%\drivers | RX | RX |
| %systemdir%\CatRoot | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir%\ias | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir%\mui | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir%\OS2\*.* | RX | RX |
| %systemdir%\OS2\DLL\*.* | RX | RX |
| %systemdir%\RAS\*.* | RX | RX |
| %systemdir%\ShellExt | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir%\Viewers\*.* | RX | RX |
| %systemdir%\wbem | Modify (Dir\Subdirs) RX (Files) | RX |
| %systemdir%\wbem\mof | Modify | RX |
| %UserProfile% | Full Control | Full Control |
| All Users | Modify | Read |
| All Users\Documents | Modify | Read, Create File |
| All Users\Application Data | Modify | Read |

Note that a Power User can write new files into the following directories but cannot modify the files that are installed there during text-mode setup. Furthermore, all other Power Users inherit Modify permissions on files created in these directories.

  • %windir%

  • %windir%\config

  • %windir%\cursors

  • %windir%\fonts

  • %windir%\help

  • %windir%\inf

  • %windir%\media

  • %windir%\system

  • %systemdir%

  • %systemdir%\OS2

  • %systemdir%\OS2\DLL

  • %systemdir%\RAS

  • %systemdir%\Viewers

For directories designated as [Modify (Dir\Subdirs) RX (Files)], Power Users can write new files; however, other Power Users will only have read access to those files.

Registry Permissions for Power Users and Users

Table 13.8 describes the default access control settings that are applied to registry objects for Power Users and Users during a clean installation of the Windows 2000 operating system. For a given object, permissions apply to that object and all child objects unless the child object is also listed in the table.

Table 13.8 Registry Permissions for Power Users and Users

| Registry Object | Default Power User Permissions | Default User Permissions |
|---|---|---|
| HKEY_LOCAL_MACHINE | | |
| HKEY_LOCAL_MACHINE\SOFTWARE | Modify | Read |
| HKLM\SOFTWARE\Classes\helpfile | Read | Read |
| HKLM\SOFTWARE\Classes\.hlp | Read | Read |
| HKLM\SOFTWARE\Microsoft\Command Processor | Read | Read |
| HKLM\SOFTWARE\Microsoft\Cryptography | Read | Read |
| HKLM\SOFTWARE\Microsoft\Driver Signing | Read | Read |
| HKLM\SOFTWARE\Microsoft\EnterpriseCertificates | Read | Read |
| HKLM\SOFTWARE\Microsoft\Non-Driver Signing | Read | Read |
| HKLM\SOFTWARE\Microsoft\NetDDE | None | None |
| HKLM\SOFTWARE\Microsoft\Ole | Read | Read |
| HKLM\SOFTWARE\Microsoft\Rpc | Read | Read |
| HKLM\SOFTWARE\Microsoft\Secure | Read | Read |
| HKLM\SOFTWARE\Microsoft\SystemCertificates | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | Read (via Interactive) | Read (via Interactive) |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList | Read | Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | Read | Read |
| HKLM\SOFTWARE\Policies | Read | Read |
| HKLM\SYSTEM | Read | Read |
| HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg | None | None |
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive | Modify | Read |
| HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | Modify | Read |
| HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security | None | None |
| HKLM\HARDWARE | Read (via Everyone) | Read (via Everyone) |
| HKLM\SAM | Read (via Everyone) | Read (via Everyone) |
| HKLM\SECURITY | None | None |
| HKEY_USERS | | |
| HKEY_USERS\.DEFAULT | Read | Read |
| HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\NetDDE | None | None |
| HKEY_CURRENT_CONFIG | = HKLM\System\CurrentControlSet\HardwareProfiles\Current | |
| HKEY_CURRENT_USER | Full Control | Full Control |
| HKEY_CLASSES_ROOT | = HKLM\Software\Classes | = HKLM\Software\Classes |

For more information, see the Distributed Systems Guide in the Windows 2000 Server Resource Kit.