2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the principles of Windows disk space protection, that is, the basic policies and rules for setting NTFS permissions, and is intended as a reference.
Basic policies and principles for setting NTFS permissions
In Windows XP, permission management follows four basic principles: deny over allow, permission minimization, accumulation, and permission inheritance. All four play an important role when setting permissions, so let's look at each in turn:
Principle of deny over allow
The principle that "deny takes precedence over allow" is a very important and basic one. It resolves the permission "disputes" that arise when a user belongs to more than one user group. For example, the user "shyzhong" belongs to both the "shyzhongs" user group and the "xhxs" user group. When write permission on a resource is assigned centrally to the "xhxs" group (that is, to the user group), the "shyzhong" account in that group automatically has "write" permission.
Strangely, though, the "shyzhong" account clearly has "write" permission on this resource, yet it cannot actually write to it. Why? It turns out that a permission on this resource has also been set for "shyzhong" through the "shyzhongs" group, and that permission is "deny write". Under the "deny over allow" principle, the "deny write" permission that "shyzhong" has through the "shyzhongs" group takes precedence over the "write" permission granted through the "xhxs" group. In practice, therefore, the "shyzhong" user cannot write to this resource.
Principle of permission minimization
Windows XP treats "keeping users' permissions to a minimum" as a basic principle. It ensures the security of resources by placing effective restrictions on resources that users cannot or do not need to access.
Based on this principle, when actually granting permissions we must explicitly allow or deny each operation on a resource. For example, a newly created restricted user "shyzhong" has no permissions on the "DOC" directory by default. To give this user "read" permission on the "DOC" directory, you must add "read" permission for the "shyzhong" user to the permission list of the "DOC" directory.
Principle of permission inheritance
The principle of permission inheritance makes it easier to set permissions on resources. Suppose there is a "DOC" directory containing the subdirectories "DOC01", "DOC02", "DOC03" and so on, and the "shyzhong" user needs write permission on the DOC directory and its subdirectories. Because of inheritance, you only need to grant the "shyzhong" user "write" permission on the "DOC" directory, and all subdirectories under it automatically inherit this permission setting.
Accumulation principle
This principle is easy to understand. Suppose the "zhong" user belongs to both the "A" user group and the "B" user group, with "read" permission through the "A" user group and "write" permission through the "B" user group. Under the accumulation principle, the actual permission of the "zhong" user is "read + write".
In short, the "deny over allow" principle resolves conflicts between permission settings; the "permission minimization" principle ensures the security of resources; the "permission inheritance" principle "automates" the application of permission settings; and the "accumulation principle" makes permission settings more flexible. Each principle has its own use, and the lack of any one of them would cause a lot of trouble when setting permissions!
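The four principles can be combined into one effective-permission calculation. The following Python sketch is an added example, not code from the original article or from Windows: it is a simplified model of the rules as stated above (it ignores the ordering of explicit and inherited entries), and the resource names "RES" and "PUB" and the sample ACLs are constructed for illustration.

```python
# Simplified model of the four rules above; not Windows' real access check.
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    trustee: str       # user or group name
    kind: str          # "allow" or "deny"
    rights: frozenset  # e.g. frozenset({"read", "write"})

def effective_rights(user, groups, path, acls):
    """Return the set of rights `user` ends up with on `path`.

    `acls` maps a directory path ("DOC", "DOC/DOC01", ...) to the ACEs set
    on it. "/" is used as the separator to keep the model simple.
    """
    trustees = {user} | set(groups)
    # Inheritance: ACEs on every ancestor directory also apply to the child.
    parts = path.strip("/").split("/")
    chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    aces = [a for p in chain for a in acls.get(p, []) if a.trustee in trustees]
    allowed, denied = set(), set()
    for ace in aces:
        # Accumulation: rights from all of the user's groups are unioned.
        (allowed if ace.kind == "allow" else denied).update(ace.rights)
    # Deny over allow: a denied right is removed no matter who granted it.
    # Minimization: without a matching allow ACE the result is empty.
    return allowed - denied

# Constructed sample ACLs that mirror the article's three scenarios.
SAMPLE_ACLS = {
    "RES": [ACE("xhxs", "allow", frozenset({"write"})),
            ACE("shyzhongs", "deny", frozenset({"write"}))],
    "DOC": [ACE("shyzhong", "allow", frozenset({"write"}))],
    "PUB": [ACE("A", "allow", frozenset({"read"})),
            ACE("B", "allow", frozenset({"write"}))],
}

if __name__ == "__main__":
    print(effective_rights("shyzhong", ["shyzhongs", "xhxs"], "RES", SAMPLE_ACLS))
    print(effective_rights("shyzhong", [], "DOC/DOC01", SAMPLE_ACLS))
    print(effective_rights("zhong", ["A", "B"], "PUB", SAMPLE_ACLS))
```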
Note: in Windows XP, all members of the "Administrators" group have the "Take Ownership" right, that is, members of the administrators group can "seize" ownership from other users. For example, the restricted user "shyzhong" creates a DOC directory and grants only himself the right to read it, which seems to be a carefully considered permission setting. However, all members of the "Administrators" group will still be able to obtain this permission through methods such as "take ownership".
Remove "Full Control" from "Everyone"
Select the file or folder whose permission you want to revoke, right-click it and choose Properties, find the ACE for "Everyone" in the ACL on the "Security" tab, select Edit, and uncheck the "Full Control" permission.
The impact of copying and moving folders on permissions
When working with permissions, you will inevitably need to copy or move resources that have permissions set on them. What happens to the permissions of those resources? Let's take a look:
(1) When copying resources
When you copy a resource, the permissions of the original resource do not change, while the newly generated resource inherits the permissions of the parent resource at its target location.
(2) When moving resources
When moving a resource, there are generally two cases. First, if the resource is moved within the same drive, the object retains its original permissions (including the permissions set on the resource itself and the permissions previously inherited from the parent resource). Second, if the resource is moved between different drives, the permissions of the object itself are lost, and the permissions originally inherited from the parent resource are replaced by the permissions inherited from the parent resource at the target location. In fact, such a move is a copy of the resource followed by deletion of the resource from the original location.
(3) Non-NTFS partitions
The permission changes described above for copying or moving resources apply only to NTFS partitions. If resources are copied or moved to non-NTFS partitions (such as FAT16/FAT32 partitions), all permissions are automatically lost.
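The copy and move rules decide which protections survive a transfer, so it helps to see which ACEs are dropped. The following Python sketch is an added example, not part of the original article: it models the three cases exactly as stated above, and the function name, the ACE fields and the sample ACLs are constructed for illustration.

```python
# Model of the copy/move rules as this article states them.
from typing import NamedTuple

class ACE(NamedTuple):
    trustee: str
    kind: str        # "allow" or "deny"
    right: str
    inherited: bool  # True if the entry came from the parent folder

def acl_after_transfer(src_acl, dest_parent_acl, op, same_drive, dest_ntfs=True):
    """Return (new_acl, lost): the ACL at the destination and the source
    ACEs that no longer protect the object after the transfer."""
    if not dest_ntfs:
        new_acl = []                 # FAT16/FAT32: all permissions are lost
    elif op == "move" and same_drive:
        new_acl = list(src_acl)      # own and inherited permissions are kept
    elif op in ("copy", "move"):
        # Copy, or move between drives (copy + delete): the new object
        # inherits the permissions of the parent at the target location.
        new_acl = [ace._replace(inherited=True) for ace in dest_parent_acl]
    else:
        raise ValueError(f"unknown operation: {op!r}")
    kept = {(a.trustee, a.kind, a.right) for a in new_acl}
    lost = [a for a in src_acl if (a.trustee, a.kind, a.right) not in kept]
    return new_acl, lost

# Constructed sample: a file with an explicit deny, and a target folder
# that still grants "Everyone" full control.
SRC_ACL = [ACE("shyzhong", "deny", "write", False),
           ACE("Administrators", "allow", "full", True)]
DEST_PARENT_ACL = [ACE("Everyone", "allow", "full", False)]

if __name__ == "__main__":
    for op, same in (("copy", True), ("move", True), ("move", False)):
        new_acl, lost = acl_after_transfer(SRC_ACL, DEST_PARENT_ACL, op, same)
        print(op, "same drive" if same else "other drive", new_acl, lost)
```

In the sample, the cross-drive move drops the explicit "deny write" entry and leaves the file with the target folder's "Everyone" full control, which is why ACLs should be rechecked after such a move.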