Saturday, October 22, 2016

File attributes and NTFS permissions

Chapter 5 - File attributes and NTFS permissions

 

We’ve already mentioned both file attributes and NTFS permissions throughout this book. In this chapter we’ll take a closer look at file attributes, and discuss how to view and change attributes from the command line. We’ll also examine NTFS permissions, which are considerably more powerful than file attributes, and discuss how to view and alter them as well.

 

WHAT ARE FILE ATTRIBUTES?

 

“File attributes” are basically pieces of metadata that contain additional information about the file. In Windows, files generally have their names, their types (defined by the file’s extension), and their timestamps. (Certain kinds of files, such as MP3 music files, have additional kinds of metadata, such as the album and artist name.) With file attributes, however, there are four additional pieces of information that you can add to a file. 

These four pieces of information are:

-Archive, represented with the A character. The Archive attribute indicates whether or not a file needs to be backed up – basically, whether or not it has been backed up since the last time the file was altered. The Windows Backup feature makes heavy use of the Archive attribute to determine if a file needs to be backed up or not. 

-Hidden, represented with the H character. Hidden files are made invisible to the user – they do not show up in the Windows Explorer window, and are not listed when you use the DIR command. However, we’ve already explained how to view hidden files with the DIR /A command. Files are generally hidden to protect them from casual deletion – when editing a Microsoft Word document, for example, the temporary files that Word generates are hidden.

-Read-only, represented by the R character. When a file has the Read-only attribute, it cannot be altered. You can open it up and view it, or run it (if it’s a program), but you cannot make any changes to it. Nor can you delete it – if you attempt to delete a file protected by the Read-only attribute, you will receive the “Access is denied” error message.

-System, represented by the S character. Windows uses the System attribute to mark which files are part of the Windows operating system. Needless to say, deleting files marked with the System attribute is a bad idea, since it can cause your computer to malfunction or even render Windows unbootable. For that reason, the System attribute is almost always combined with the Read-only attribute.

 

LISTING FILE ATTRIBUTES

 

How do you find out what attributes a file possesses? You can do that with the ATTRIB command. Enter ATTRIB at the command prompt, and ATTRIB will list every file (including the hidden ones) in the current directory, along with their attributes. The output will look something like this:

 

C:\>attrib

A            C:\autoexec.bat

A  SHR       C:\bootmgr

A  SHR       C:\BOOTSECT.BAK

A            C:\config.sys

A  SH   I    C:\hiberfil.sys

A  SH        C:\pagefile.sys

 

(Note that ATTRIB doesn’t generally work with absolute file paths – for most applications of the command, you will have to use it in the current directory.) 

As you can see, this is a listing of the root directory of a C drive, and the files’ attributes are listed on the left side of the screen, with A for Archive, S for System, H for Hidden, and R for Read-only.

(The I attribute on the C:\hiberfil.sys file is a rare one – it simply means a file should not be listed by Windows’s built-in indexing for file search. Most regular users, and a good many administrators, will have no need for this attribute.)

 

CHANGING FILE ATTRIBUTES

 

You can also use the ATTRIB command to change a file’s attributes. For instance, if you wanted to mark the test.txt file as Read-only, you would use this command:

ATTRIB +R test.txt

And if you later changed your mind and wanted to remove the Read-only attribute, you would type this command:

ATTRIB -R test.txt

You can also change more than one attribute at the same time. Let’s say you wanted to mark test.txt both as a Hidden file and as a Read-only file. Rather than typing the ATTRIB command twice, you can change both attributes at once:

ATTRIB +R +H test.txt

And you can also remove both attributes simultaneously:

ATTRIB -R -H test.txt

Using the plus sign (+), the minus sign (-), and the one-letter codes for the four attributes, you can change the attributes on files at your leisure. 

 

THE SIX NTFS PERMISSIONS

 

While file attributes are useful, they are obsolete – they’re a holdover from the old days of DOS. NTFS file and directory permissions allow you to exercise more powerful and more granular control over individual files. In essence, NTFS permissions allow you to mark a file as Read-only, but only for certain users – other users might have permission to modify and even delete the file. And this is only the beginning of what you can do with NTFS permissions.

First, though, what is NTFS? NTFS stands for “New Technology File System.” (A “file system” is a method for organizing the information on a hard disk so the operating system and applications can find it easily.) Microsoft began working on NTFS in the early 1990s as a replacement for the older File Allocation Table (FAT) file system. NTFS has numerous advantages over FAT – it supports larger disk sizes, larger file sizes, is generally faster, and permits you to use NTFS permissions. 

But what are NTFS permissions? NTFS permissions are a way of granting specific users specific permissions to files. Let’s say that you have two users on a system – Caina Amalas (with a username of camalas) and Lucan Maraeus (with a username of lmaraeus). If you have a file or a directory, you can set different permissions for the two users. You could give camalas full control over the file, while giving lmaraeus permission to only read the file. 

There are six major NTFS permissions. Each of the “big six” is composed of many smaller permissions, but for the purposes of most users and administrators, the six major permissions are enough. They are:

-List Folder Contents. This lets a user see the files in a specific directory, but not necessarily open, run, or modify them. To put it simply, a user can use the DIR command to list the files in a directory, but can do nothing with them.

-Read. This lets a user view the contents of a file. Note that if it’s a program file, the user cannot run it – he needs the Read & Execute permission for that. Needless to say, the user will not be able to delete or modify any files.

-Read & Execute. This gives the user permission to run an executable file, but not permission to modify or delete it.

-Write. This lets a user both read and make changes to a file. However, the user still cannot delete the file. (Of course, a user could erase all the text or data in the file, leaving the file blank, but he cannot delete the file entirely.) If a directory has the write permission, it allows the user to add files to it.

-Modify. The modify permission allows a user to read, make changes to, run as a program, and delete a file. Basically, the user can do everything to a file except change its permissions or change its ownership.

-Full control. The user can do any action to a file – deleting it, modifying it, and changing its ownership and permissions. 

You’ll notice that the higher permissions are a superset of the preceding permissions. Modify is a combination of Write, Read & Execute, and Read, while Full Control is a combination of the previous five permissions. The full list of the permissions for a file or a directory is called its ACL – its Access Control List.

 

LISTING AND CHANGING NTFS PERMISSIONS

 

Listing and changing a file’s or a directory’s NTFS permissions from the Command Prompt uses the same command – the ICACLS command. The ICACLS command is extremely complicated, and has several screens worth of options and command switches – you could write an entire short book about ICACLS on its own. However, here we’ll discuss how to use ICACLS to do some basic permission changes.

To find out the NTFS permissions of a file named test.txt, use this command:

ICACLS test.txt

The command should produce output that looks something like this:

 

test.txt NT AUTHORITY\SYSTEM:(I)(F)

         BUILTIN\Administrators:(I)(F)

         SYSTEMNAME\USERNAME:(I)(F)

 

The first line shows the name of the file, test.txt. It also shows NT AUTHORITY\SYSTEM, which is one of the groups built into your system. The I in parentheses after the group name means that the file is inheriting its permissions from a parent folder. (In NTFS permissions, “inheritance” means that you can set the permissions on one directory, and then any subdirectories or files created in that directory “inherit” its permissions. Generally, it’s a good idea never to disable inheritance unless you have a really good reason, since disabled inheritance can cause all kinds of confusing permissions-related errors.) The F in parentheses means that NT AUTHORITY\SYSTEM has the Full Control permission for the file.

The next two lines show the groups that have access to the file. The BUILTIN\Administrators group likewise has full control. After that, you’ll see a list of users that have access to the file. In this example, SYSTEMNAME\USERNAME is a placeholder for how an entry would look – SYSTEMNAME would be the name of either the local computer or the domain (if the computer is a member of an Active Directory domain) and USERNAME would be the actual username of the user involved. 

ICACLS uses one-letter codes to represent the rights a user has to a file.

-N, a user has no access to the file.

-F, a user has full access to the file.

-M, a user has the right to modify the file (this includes the right to delete it). 

-RX, a user has the right to read the file and run it as a program, if it’s executable.

-R, a user has only read-only access to the file.

-W, write-only access, a user can make changes to the file, but cannot delete it. 

-D, a user has the right to delete the file.

You can use ICACLS to change the permissions on a file. For instance, say you wanted to give the user account camalas full control over the test.txt file:

ICACLS test.txt /grant camalas:(F)

This will grant the camalas user account full control over the test.txt file.

Likewise, if you wanted to deny camalas full control over the file, you would use this command:

ICACLS test.txt /deny camalas:(F)

The camalas user account will then be unable to access the test.txt file at all.

An important note – in NTFS permissions, a Deny permission always overrides an Allow permission. For instance, if you were to grant camalas the Read permission on test.txt, but also deny the camalas account the Full control permission, camalas would be unable to access test.txt in any way. This can be confusing because user accounts can belong to groups, which have their own permission sets, which can conflict with the individual file’s permission.
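The listing format and the Deny rule described above can be checked mechanically. The following Python sketch is an added example, not part of the original chapter: it parses ICACLS-style output and works out what a user ends up with once group entries and Deny entries are combined. The sample listing is constructed, the Contractors group and the BUILTIN\Users entry are hypothetical, and the way a Deny entry is displayed (a (DENY) marker, or N for a denied Full control) is an assumption.

```python
import re

# Rights implied by each one-letter code, following the chapter's list.
# Assumption: W is modelled as write only and D as delete only.
RIGHTS = {
    "F": {"read", "execute", "write", "delete", "change_permissions"},
    "M": {"read", "execute", "write", "delete"}, "RX": {"read", "execute"},
    "R": {"read"}, "W": {"write"}, "D": {"delete"}, "N": set(),
}
ALL = RIGHTS["F"]
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]*\))+)$")
# Constructed sample listing; the Contractors group is hypothetical.
SAMPLE = r"""
test.txt SYSTEMNAME\camalas:(N)
         SYSTEMNAME\Contractors:(DENY)(D)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Users:(I)(RX)
         SYSTEMNAME\lmaraeus:(I)(M)
"""

def parse_icacls(output, path):
    """Return one dict per entry: principal, inherited, deny, rights."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):   # the first line carries the file name
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                         # blank lines and status messages
            continue
        tokens = re.findall(r"\(([^()]*)\)", m["flags"])
        codes = [c.strip() for c in tokens[-1].split(",")]
        rights = set().union(*(RIGHTS.get(c, set()) for c in codes))
        deny = "DENY" in tokens[:-1] or codes == ["N"]
        aces.append({"principal": m["who"], "inherited": "I" in tokens[:-1],
                     "deny": deny, "rights": ALL if codes == ["N"] else rights})
    return aces

def effective_rights(aces, user, groups=()):
    """Apply the chapter's rule: a matching Deny overrides every Allow."""
    # Simplification: explicit and inherited entries are treated alike here.
    who = {p.lower() for p in (user, *groups)}
    allowed, denied = set(), set()
    for ace in aces:
        if ace["principal"].lower() in who:
            (denied if ace["deny"] else allowed).update(ace["rights"])
    return allowed - denied
```

With this listing, camalas ends up with no rights at all despite the Read & Execute entry inherited through BUILTIN\Users, while lmaraeus loses only the delete right if the account is a member of the hypothetical Contractors group.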

ICACLS is a complicated command, but you should now know the basics of changing permissions from the Command Prompt.

 
