Understanding Microsoft Windows 7 File System Security and Permissions

Revision as of 15:18, 8 September 2012 by Admin (Talk | contribs)


Microsoft is trying to emulate something that existed in Linux from the start: UNIX-style file system permissions, which account for a critical part of system security.

Windows NT, 2000, and XP used the NTFS file system (with some FAT32 exceptions), and NTFS has always contained some degree of file-system-level security. However, Microsoft has revised NTFS many times in an attempt to improve that security and to be more like UNIX. NTFS has several improvements over the File Allocation Table (FAT) file system. NTFS can control access to files and folders by assigning permissions that specifically allow or deny access to user or group accounts.

Windows XP could be installed on FAT32 or NTFS; Windows 7, however, must be installed on NTFS. This is because Windows 7 relies on file-system-level security. Windows 7 restricts how and where users can access the file system.

Basic NTFS Permissions

To view basic file or folder permissions:

  • Right-click the folder or file in Windows Explorer or on the desktop.
  • Click Properties.
  • Click the Security tab.

The Security tab shows the object name at the top and the group or user accounts with permissions set on this file or folder. Clicking on a user or group will show the permissions for that account in the Permissions For list.

Full Control – This option allows a user or group to read, write, modify, execute, and delete permissions. A user with full control can take ownership of the file or folder.

Modify – This allows users or groups to read, write, change, execute, and delete permissions. It does not allow the user to take ownership, but it does allow the user to create folders and subfolders.

Read & execute – This option allows the user or group to view and execute files. This setting is applied to subfolders. This permission enables the List folder contents and Read permissions.

List folder contents (folder only) – This option allows a user or group to view and list files and subfolders as well as execute files. Permission is inherited by subfolders but not by files within the folder or subfolders.

Read – This option allows users or groups to view and list the contents of a folder, view file attributes, read permissions, and synchronize files.

Write – This option allows the user or group to create new files and write to existing files, view file attributes, read permissions, synchronize files, and delete files and folders.

Selecting a user or a group in the Permissions console shows the access that account has in the Permissions For list. An administrator may check or uncheck the Allow or Deny box for each permission. Keep in mind that using group accounts to administer file system security is often the better choice, as individual accounts in groups may be managed more easily. Denied permissions take precedence over any other permission, so any group or user account that has been denied access will be denied.
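The same information the Security tab shows can be read from the command line. The script below is an added example, not part of the original page: it combines every Allow and Deny entry that matches the current user or one of the user's groups, and applies the rule above that Deny overrides Allow. The function name Get-BasicPermission is hypothetical, and the result is an estimate based on that rule, not the operating system's own access check.

```powershell
# Added example (not from the original page). Written for PowerShell 2.0,
# the version that ships with Windows 7.
function Get-BasicPermission {
    param([Parameter(Mandatory=$true)] [string] $Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # SIDs of the logged-on user and of the groups in the user's token.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $allow = 0
    $deny  = 0
    # Explicit and inherited entries, with each account returned as a SID
    # so that no name lookup is needed.
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries (flag value 2) apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            $deny = $deny -bor [int]$ace.FileSystemRights
        } else {
            $allow = $allow -bor [int]$ace.FileSystemRights
        }
    }
    # Deny overrides Allow: remove every denied bit from the allowed set.
    $effective = $allow -band (-bnot $deny)

    # Report the basic permissions listed on the Security tab.
    foreach ($name in 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write') {
        $mask = [int][System.Security.AccessControl.FileSystemRights]$name
        New-Object PSObject -Property @{
            Permission = $name
            Allowed    = (($allow -band $mask) -eq $mask)      # all bits granted
            Denied     = (($deny -band $mask) -ne 0)           # any bit denied
            Effective  = (($effective -band $mask) -eq $mask)  # granted and not denied
        } | Select-Object Permission, Allowed, Denied, Effective
    }
}

# Example call on the current user's profile folder.
Get-BasicPermission -Path $env:USERPROFILE | Format-Table -AutoSize
```

A row with Allowed and Denied both True and Effective False is the case described above: one group grants the permission, another entry denies it, and the denial wins.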
