This step-by-step guide describes how to configure security for files and folders on a network to protect data from unauthorized access.
For example, assume that you get a call from Fran, the manager of your Accounts Receivable department. Fran has been working on several spreadsheets that are stored on a file server in your domain, and is concerned that employees who should not access these files may be able to open and edit the files. The files are in a folder named C:\Accounts on the server, and the folder is shared as Accounts. The share permissions on the Accounts share for Domain Users members are set to Full Control. Fran wants to allow the members of the Accountants group to edit the files and add new files, and the members of the Sales group to be able to read the files but not edit them. Fran should be the only person who can make any changes to the permissions, and no one else should have any access to the files.
Setting Security on a Folder
To configure folder and file security:
- Log on to the server by using your domain user name and password.
- Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
- Expand My Computer, and then click the drive that contains the folder you want to configure. Right-click the folder you want to secure (for example, Accounting), and then click Properties.
- Click the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
- In the Security dialog box, click Copy.
NOTE: The inherited permissions are copied directly to this folder.
- To add a set of permissions, in the Properties dialog box, on the Security tab, click Add. In the Select Users, Computers, or Groups dialog box, double-click the appropriate user accounts or groups. When you have selected all of the users and groups to which you want to assign permissions, click OK. The groups and users you added, along with the Everyone group, are displayed in the top half of the Security tab.
- In the Name list, select each user or group one at a time, and then apply the correct permissions in the Permissions list.
The default Allow setting for the Read, List Folder Contents, and Read & Execute permissions gives the Sales group the appropriate level of access. For the Accounting group, for the Modify permission, click Allow, so that members of that group can add new files to the folder or edit the files in the folder. For Fran's user account, for the Full Control permission, click Allow, which allows Fran to read, modify, delete, and change the permissions on the folder and its contents.
- After you set the appropriate permissions, click the Everyone group, and then click Remove.
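The same result as the Explorer steps above, applied from a shell. This is an added example, not part of the article: it assumes a current Windows version with PowerShell (the article's Windows 2000 GUI procedure sets the same ACL), and CONTOSO is a placeholder domain name standing in for your own; the folder and account names are the ones from the scenario.

```powershell
# Added example: apply the article's scenario to C:\Accounts with Get-Acl / Set-Acl.
# CONTOSO and the account names are placeholders; replace them with your domain's.
$folder = 'C:\Accounts'
$domain = 'CONTOSO'

# Step 1: stop inheriting from the parent folder and copy the inherited entries
# as explicit ones (the GUI's "clear Allow inheritable permissions", then Copy).
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# Step 2: re-read the now-explicit ACL, drop every Everyone entry, and add the
# three intended entries. ReadAndExecute covers the GUI's Read, List Folder
# Contents and Read & Execute boxes; Modify adds write and delete; FullControl
# also lets Fran change permissions.
$acl = Get-Acl -Path $folder
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })) {
    [void]$acl.RemoveAccessRule($ace)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rules   = @(
    @{ Id = "$domain\Accountants"; Rights = [System.Security.AccessControl.FileSystemRights]::Modify },
    @{ Id = "$domain\Sales";       Rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute },
    @{ Id = "$domain\Fran";        Rights = [System.Security.AccessControl.FileSystemRights]::FullControl }
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Step 3: review the result. No Everyone entry and no Deny entry should remain,
# and every entry should show IsInherited = False.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Inheritance is disabled and saved before the second Get-Acl so that the copied entries are explicit when Everyone is removed; the inherited entries the parent supplied cannot be removed individually while they are still inherited. The final listing is the check worth keeping: an unexpected Deny entry or a leftover Everyone entry is exactly what the troubleshooting sections below describe.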
Users Cannot Access Files and Folders That They Should Be Able to When Logged On Locally
Access permissions are combined from any permissions that are assigned directly to the user and those that are assigned to any groups of which the user is a member.
The exception to this rule is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows 2000 is determining whether or not a particular user can perform a particular task. Therefore, you should avoid using explicit Deny permissions (that is, avoid clicking to select a check box in the Deny column) unless there is no other way to achieve the permissions mix that you need.
Users Can Access Files and Folders with Incorrect Permissions When Logged on Locally
For example, users can write instead of just read when they are logged on locally. Permissions, by default, are inherited from the folder that contains the object. If you are experiencing inappropriate permission levels, check for both inherited permissions that are incorrect for this object and for group memberships that may grant different levels of permissions than you want to have.
Users Cannot Access Files and Folders That They Should Be Able to Access Over the Network
When you access data over the network, both share permissions and file and folder permissions apply. Share access permissions are combined from any permissions that are assigned directly to the user and those assigned to any groups of which the user is a member. The exception to this is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows 2000 is determining whether or not a particular user can perform a particular task. Therefore, if Frank, for example, is a member of a group that has the Deny check box selected for Read in the Deny column, he is unable to read the file or folder, even if other permissions should allow him to do so.
You should avoid using explicit Deny permissions (that is, avoid clicking to select a check box in the Deny column) unless there is no other way to achieve the permissions mix that you need. Check both the share permissions and the file and folder permissions for the user and any groups of which he or she is a member.
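The two rules stated in this section and in the local-access section above (allows accumulate across the user and all of the user's groups, an explicit Deny on any of them wins, and over the network only rights granted by both the share and the NTFS ACL survive) are easy to check by hand for one user but error-prone for several. The following is an added model of that evaluation, not code from the article or from Windows: the ACLs are constructed sample data following the Fran scenario, rights are reduced to three coarse verbs, and the Temps group with its Deny entry is a made-up stand-in for the group that blocks Frank.

```powershell
# Added example: a small model of how Windows combines permissions.
# NTFS entries are evaluated Deny-first across the user and every group the
# user belongs to; over the network the share permissions are evaluated the
# same way and only rights granted by BOTH lists remain.

function Get-EffectiveRights {
    param(
        [string[]]$Principals,   # the user plus every group the user is a member of
        [hashtable[]]$Aces       # entries shaped @{ Identity=...; Type='Allow'|'Deny'; Rights=@(...) }
    )
    $mine    = @($Aces | Where-Object { $Principals -contains $_.Identity })
    $denied  = @($mine | Where-Object { $_.Type -eq 'Deny' }  | ForEach-Object { $_.Rights })
    $allowed = @($mine | Where-Object { $_.Type -eq 'Allow' } | ForEach-Object { $_.Rights })
    # A Deny on any matching entry removes the right, whichever entry allowed it.
    @($allowed | Sort-Object -Unique | Where-Object { $denied -notcontains $_ })
}

function Get-NetworkRights {
    param([string[]]$Principals, [hashtable[]]$ShareAces, [hashtable[]]$NtfsAces)
    $share = Get-EffectiveRights -Principals $Principals -Aces $ShareAces
    $ntfs  = Get-EffectiveRights -Principals $Principals -Aces $NtfsAces
    # Network access is the intersection of the two results.
    @($ntfs | Where-Object { $share -contains $_ })
}

# Constructed sample ACLs (not real ACL output) following the article's scenario.
$shareAcl = @(
    @{ Identity = 'Domain Users'; Type = 'Allow'; Rights = @('Read', 'Write', 'ChangePermissions') }
)
$ntfsAcl = @(
    @{ Identity = 'Sales';       Type = 'Allow'; Rights = @('Read') },
    @{ Identity = 'Accountants'; Type = 'Allow'; Rights = @('Read', 'Write') },
    @{ Identity = 'Fran';        Type = 'Allow'; Rights = @('Read', 'Write', 'ChangePermissions') },
    @{ Identity = 'Temps';       Type = 'Deny';  Rights = @('Read') }   # made-up group with an explicit Deny
)

# A Sales member gets Read only over the network: the share grants Full Control,
# but the NTFS ACL grants Sales nothing beyond Read.
Get-NetworkRights -Principals @('Frank', 'Domain Users', 'Sales') -ShareAces $shareAcl -NtfsAces $ntfsAcl

# The same user, once also a member of Temps, gets nothing at all: the explicit
# Deny Read on Temps overrides the Allow Read that Sales membership provides.
Get-NetworkRights -Principals @('Frank', 'Domain Users', 'Sales', 'Temps') -ShareAces $shareAcl -NtfsAces $ntfsAcl

# An Accountants member keeps Read and Write but not ChangePermissions, so only
# Fran can alter the ACL, which is what the scenario asks for.
Get-NetworkRights -Principals @('Pat', 'Domain Users', 'Accountants') -ShareAces $shareAcl -NtfsAces $ntfsAcl
```

The model deliberately ignores inheritance and the finer NTFS rights; its point is the order of evaluation. When a user reports wrong access, enumerate the user's full group list first, then walk both ACLs the way the functions do, looking for a Deny before comparing Allow entries.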
There Is No Security Tab in the Folder Properties Dialog Box
If you do not see the Security tab in the folder properties, it is likely that you are using the FAT or FAT32 file system. Windows 2000 includes a utility that can safely convert your drive from the FAT or FAT32 file system to the NTFS file system.
NOTE: Do not convert your drive if you are running both Windows 2000 and another operating system on the computer (that is, if it is a dual-boot computer) and the other operating system cannot read NTFS drives.
To convert a partition to NTFS:
- Click Start, point to Programs, point to Accessories, and then click Command Prompt.
- Type convert drive: /FS:NTFS, where drive is the drive that you want to convert.
For example, to convert drive D to NTFS, type the following line:
convert D: /FS:NTFS
- If you attempt to convert a drive while it is being accessed by Windows 2000, Windows 2000 displays a message prompting you to convert the drive when the computer is restarted. Click Yes, quit any running programs, and then restart your computer.