Windows XP has four basic principles governing permissions, and you need to keep them in mind when setting NTFS permissions. The various permission settings of Windows XP also deserve special attention.
Basic strategies and principles for setting NTFS permissions
In Windows XP, permission management follows four basic principles: the "deny overrides allow" principle, the permission minimization principle, the accumulation principle and the permission inheritance principle. These four principles play a very important role in setting permissions. Let's take a look at each of them:
1 The "Deny Overrides Allow" Principle
The "deny overrides allow" principle is a very important and fundamental principle. It handles the permission conflicts that arise from a user's membership in several user groups. For example, the user "shyzhong" belongs to the "shyzhongs" user group and also to the "xhxs" group. When we grant "write" permission on a resource to the "xhxs" group as a whole (that is, to the user group), the "shyzhong" account in that group automatically has the "write" permission.
Strangely, though, the account clearly has "write" permission for this resource, yet the write cannot be carried out in practice. It turns out that permissions for this resource were also set for the "shyzhongs" group, and the permission set there is "deny write". Under the "deny overrides allow" principle, the "deny write" permission that "shyzhong" has through the "shyzhongs" group takes priority over the "allow write" permission it has through the "xhxs" group. Therefore, in practice, the "shyzhong" user cannot perform a "write" operation on this resource.
2 Principle of Minimizing Permissions
Windows XP treats "keep the user's permissions to a minimum" as a basic principle, and this is very necessary. This principle ensures maximum security for resources: resources that users must not access, or do not need to access, are effectively restricted.
Based on this principle, in actual permission assignment we must explicitly grant the allow or deny permission on the resource. For example, a newly created restricted user "shyzhong" has no permissions on the "DOC" directory by default. If this user now needs "read" permission on the "DOC" directory, you must add the "read" permission for the "shyzhong" user in the permissions list of the "DOC" directory.
3 Permissions Inheritance Principles
The permission inheritance principle makes it easier to set permissions for resources. Suppose there is a "DOC" directory containing subdirectories such as "DOC01", "DOC02" and "DOC03", and you need to give the "shyzhong" user "write" permission on the DOC directory and its subdirectories. Because of the inheritance principle, you only need to set the …
4 Accumulation Principle
This principle is easier to understand. Suppose the user "zhong" belongs to the "A" user group and also to the "B" user group. Its permission in the "A" user group is "read" and its permission in the "B" user group is "write". Then, according to the accumulation principle, the actual permissions of the "zhong" user will be both: "read + write".
Clearly, the "deny overrides allow" principle resolves conflicts between permission settings; the "permission minimization" principle secures resources; the "permission inheritance" principle automates permission settings; and the "accumulation" principle makes permission settings more flexible. All of these principles are useful, and lacking any one of them would cause a lot of trouble when setting permissions!
Note: In Windows XP, all members of the "Administrators" group have the "Take Ownership" right, that is, members of the Administrators group can "seize" ownership from other users. For example, the restricted user "shyzhong" creates a DOC directory and gives only himself the read permission. This permission setting seems thorough, but in fact all members of the "Administrators" group can obtain this permission by taking ownership.
5 File permissions override folder permissions
It looks like the documentation has such a principle; I do not know whether the documentation version is too old. Individual file permissions will be prioritized by the system. Fortunately, it looks like two permissions.
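The evaluation behind principles 1, 2, 4 and 5, as an added example (not code from the original article): a simplified Python model of how Windows walks an ACL. It goes one step beyond the text by showing the ACE ordering (explicit before inherited, deny before allow), which is why an explicit allow on a file takes effect ahead of a deny inherited from its folder. The `Ace` class, the two-bit access masks and the sample ACLs are constructed for illustration, and plain names stand in for SIDs.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed access bits, not real NTFS mask values

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group name (stands in for a SID)
    mask: int        # access bits this ACE allows or denies
    inherited: bool = False

def canonical(dacl):
    # Canonical order: explicit ACEs before inherited, deny before allow in each.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, sids, wanted):
    """Walk the ACEs in order. Fail as soon as a matching deny ACE covers a
    bit that is still outstanding; succeed once every wanted bit has been
    allowed. No matching ACE at all means no access (permission minimization)."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def effective(dacl, sids):
    """Names of the rights the caller actually holds on the resource."""
    return {name for name, bit in (("read", READ), ("write", WRITE))
            if access_check(dacl, sids, bit)}

# Constructed ACLs using the account and group names from the article.
shyzhong = {"shyzhong", "shyzhongs", "xhxs"}
conflict = [Ace("allow", "xhxs", WRITE), Ace("deny", "shyzhongs", WRITE)]
zhong = {"zhong", "A", "B"}
cumulative = [Ace("allow", "A", READ), Ace("allow", "B", WRITE)]
# Explicit allow set on a file, next to a deny inherited from its folder.
file_acl = [Ace("deny", "shyzhongs", WRITE, inherited=True),
            Ace("allow", "shyzhong", WRITE)]

if __name__ == "__main__":
    print(effective(conflict, shyzhong))   # principle 1: deny beats allow
    print(effective(cumulative, zhong))    # principle 4: allows accumulate
    print(effective(file_acl, shyzhong))   # principle 5: explicit ACE is read first
```

When auditing a real ACL, the same reading applies: an inherited deny on a folder does not guarantee a block if a file below it carries its own explicit allow.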
1 Remove the "Everyone" Full Control permission
Select the file or folder whose permissions you want to remove, right-click it and select Properties. Under the "Security" tab, find the ACE for "Everyone" in the ACL, select Edit, and remove the "Full Control" permission from it.
2 The effect of copying and moving folders on permissions
When working with permissions, resources that already have permissions set will inevitably need to be copied or moved. How do the resource's permissions change in that case? Let's take a look:
(1) When copying resources
When a resource is copied, the permissions of the original resource do not change, and the newly created resource inherits the permissions of the parent resource at its target location.
(2) When moving resources
When moving resources, there are generally two situations. First, if the move takes place within the same drive, the object retains its original permissions (including the permissions of the resource itself and the permissions originally inherited from the parent resource). Second, if the move takes place between different drives, the object's own permissions are lost, and the permissions originally inherited from the parent resource are replaced by permissions inherited from the parent resource at the target location. In fact, the move operation first copies the resource and then deletes it from the original location.
(3) Non-NTFS partitions
The permission changes described above for copying or moving resources apply only to NTFS partitions. If you copy or move resources to a non-NTFS partition (such as a FAT16/FAT32 partition), all permissions are automatically lost.