Basic Strategies and Principles for Setting NTFS Permissions in WinXP(1)

  

Windows XP manages permissions according to four basic principles. Keep these principles in mind whenever you set NTFS permissions, and pay close attention to each individual permission setting in Windows XP.
Basic strategy and principles for setting NTFS permissions

In Windows XP, permission management follows four basic principles: deny takes precedence over allow, permission minimization, permission accumulation, and permission inheritance. These four principles play a very important role when permissions are set. Let's look at them in turn:

1 Deny takes precedence over allow

The "deny takes precedence over allow" principle is a very important and fundamental one. It cleanly resolves the "disputes" that arise from a user's membership in several user groups. For example, the user "shyzhong" belongs to the "shyzhongs" user group and also to the "xhxs" user group. When we assign the "write" permission on a resource to the "xhxs" group (that is, to the user group as a whole), the "shyzhong" account in that group automatically has the "write" permission as well.

Strangely, though, the "shyzhong" account clearly has the "write" permission on this resource, yet the write cannot be carried out in practice. Why? It turns out that the "shyzhong" user had also been given a permission setting for this resource through the "shyzhongs" group, but that setting was "deny write". Under the "deny takes precedence over allow" principle, the "deny write" that "shyzhong" receives from the "shyzhongs" group is applied in preference to the "write" permission allowed through the "xhxs" group. Therefore, in actual operation, the "shyzhong" user cannot perform a "write" operation on this resource.

2 Principle of Permission Minimization

Windows XP treats "keep each user's permissions to a minimum" as a basic principle, and this is very necessary. The principle ensures maximum security for resources: as far as possible, users are left with no effective permissions on resources that they must not access or do not need to access.

Based on this principle, when actually assigning permissions we must explicitly grant each permission on a resource, stating whether the operation is allowed or denied. For example, a newly created restricted user "shyzhong" has no permission on the "DOC" directory by default. If you now need to give this user "read" permission on the "DOC" directory, you must add the "read" permission for the "shyzhong" user in the permission list of the "DOC" directory.

3 Principle of Permission Inheritance

The permission inheritance principle makes it easier to set permissions on resources. Suppose there is a "DOC" directory that contains subdirectories such as "DOC01", "DOC02" and "DOC03", and you need to give the "shyzhong" user "write" permission on the DOC directory and all of its subdirectories. Because of the inheritance principle, you only need to set the "write" permission for the "shyzhong" user on the "DOC" directory. All subdirectories under it automatically inherit this permission setting.
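
The three principles described above can be modelled as one access check. The Python below is an added example, not code from the original article and not the Windows implementation. The resource name "REPORT" and the dictionary layout are assumptions for illustration, and the model goes one step beyond the text by evaluating a folder's own entries before inherited ones, which is the order NTFS uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group the entry applies to
    kind: str      # "allow" or "deny"
    right: str     # e.g. "read" or "write"

# Constructed sample data using the article's account and folder names.
GROUPS = {"shyzhong": {"shyzhongs", "xhxs"}}

# Entries set directly on each resource; "REPORT" is a hypothetical resource.
ACLS = {
    "REPORT": [Ace("xhxs", "allow", "write"),
               Ace("shyzhongs", "deny", "write")],
    "DOC": [Ace("shyzhong", "allow", "write")],
    "DOC/DOC01": [],   # nothing set here, so it relies on inheritance
}

def acl_layers(path):
    """Return ACE lists from nearest to farthest: the resource itself,
    then its parent, then the grandparent, and so on."""
    layers = []
    while path:
        layers.append(ACLS.get(path, []))
        path = path.rpartition("/")[0]   # "" once the top level is passed
    return layers

def has_access(user, path, right):
    """Decide whether `user` may exercise `right` on `path`."""
    # A user is matched by entries for the account and for all of its groups.
    trustees = {user} | GROUPS.get(user, set())
    for layer in acl_layers(path):
        matching = [a for a in layer
                    if a.trustee in trustees and a.right == right]
        # Principle 1: within a layer, a deny entry wins over any allow.
        if any(a.kind == "deny" for a in matching):
            return False
        # Principle 3: an allow found on an ancestor applies to the child.
        if any(a.kind == "allow" for a in matching):
            return True
    # Principle 2: no matching entry anywhere means no access.
    return False

if __name__ == "__main__":
    for path, right in [("REPORT", "write"), ("DOC", "write"),
                        ("DOC/DOC01", "write"), ("DOC", "read")]:
        print(path, right, has_access("shyzhong", path, right))
```
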



