70-282 Exam Cram Rules of the Road: NTFS permissions

Hiya folks – I am the publisher of the above title and I like to hold virtual book readings. Today we speak of some rules of the road! BTW – did you know my Small Business Server 2008 book is out?

Rules for the Road

There will be times when you will have both, shared permissions and NTFS permissions assigned to a folder. In this case, remember these rules of the road:

Chapter 6Securing Windows Small Business Server 2003

·                       When using both NTFS and shared permissions, the most restrictive permission will rule

·                       Shared folders provide less security then NTFS security configured folders

·                       You can apply different NTFS permissions to subfolders of shared fold­ers as well as files within them

Configuring NTFS Permissions to Files and Folders

To configure permissions on a folder, you would go to the folder in Windows Explorer and right-click the folder. Click Sharing and Security and then click on the Security tab in the Properties box. Here you can add users and groups from the SBS domain as well as set their permissions.

Configuring NTFS Permissions for Printers

Setting NTFS permissions for printers is essentially the same as for files and folders. You right-click the printer, go to Properties, and then select the Security tab. You can add users and groups here as well as set printing permissions. Table 6-4 outlines the level of access associated with print permissions.

Table 6-4

Printer permissions.










Manage Printers




Manage Documents




Read Permissions




Change Permissions




Take ownership





Note that Manage Printers has all permissions but one (see gray box).

It is easy to adopt a pious attitude toward printer devices when studying for a certification exam, believing you already know all about printers. But, Microsoft has historically asked printer questions on its certification exams. We believe printer questions are asked not because you’d truly be concerned about intense printer configuration questions on an SBS network, but rather this testing content area is a way to fail and disqualify unworthy SBSers from obtaining their passing mark on the 70-282 exam. So, take printer matters seriously even if you believe printers a “baby simple.”

IMPORTANT: Just remember, to keep it easy and not get into a permission mess, use only NTFS permissions and assign groups instead of users to files, folders, and printer objects. The Microsoft TechNet discs, part of an annual subscription, has excellent NTFS resources down to the developer level. Visit TechNet at www.micro­soft.com/technet.

Auditing File and Folder Access

Auditing Files and Folders, or Object Access is a good way of finding out who is accessing files and folders. Anytime an object configured for auditing and an action occurs with the object, the action will be written to the security log (accessible through the Event Viewer). Group Policy allows auditing of not only files and folders but also system resources, system logons and system configuration changes. Auditing requires a lot of system resources itself, therefore it is recommended to configure auditing for specific objects only. Auditing policies can be set for an entire site, domain, organizational unit or individual workstations or servers.

To enable auditing on files and folders you must first access the Group Policy container and configure the Audit Object Access node as shown in Figure 6-4. Once the Audit Object Access has been enabled you are ready to audit individual files and folders.


Chapter 6Securing Windows Small Business Server 2003

Figure 6-4 Click through the console tree until you get to the Audit Policy node.

Figure 6-4

Group Policy Object Editor

Auditing can only be performed on files and folders located on NTFS volumes. To configure auditing on an individual object, go to the file or folder to be audited through Windows Explorer, click on the file or folder properties and select the Security tab, then click Advanced .

The Access Control Settings box will open. Select the Auditing tab. Here you
can choose to Allow inheritable auditing entries from the parent to propagate

to this object or Replace auditing entries on all child objects. By clicking Add and Edit you can also use the Auditing Entries list box to select whose actions are audited (users, groups or computers), and select specific actions to be audited (create files/delete files).


Harry Brelsford, CEO at SMB Nation

MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)

PS – my Small Business Server 2008 (SBS 2008) book is now here! J





Leave a comment

Filed under Book

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s