While the earlier writeups in this node have dealt with file permissions under Unix, Windows NT also supports assigning file permissions. File permissions under NT, however, work quite differently than under Unix, so hopefully I will be able to illustrate some of the differences below.
To start out, the basic permissions under NT are read, write, read/execute, modify and full control. Read and write permissions are similar to their counterparts on Unix systems. The read/execute permission gives the user the same access that the basic read permission does, but in addition allows them to execute the file. The modify permission gives the same rights as the read, write and read/execute permissions, but in addition allows the user to delete the file. The full control permission includes all the rights of the previous permission settings, but in addition allows the user to take ownership of the file and change the permissions. Unlike Unix, where only the owner and root can change file permissions, under NT, anyone with the full control permission can change the permissions, and take ownership of the file, including guests and anonymous connections.
Permissions under NT are only available with the NTFS file system, not with FAT or FAT32. By default, when an NTFS volume is formatted, the full control permission is assigned to the everyone group. In other words, your newly formatted volume has no security whatsoever. I leave it as an exercise to the reader to decide what their next action should be.
The last major difference between NT and Unix permissions is deny takes precedence over allow. Perhaps an example is in order. Assume you are a member of the administrators group under NT. You set the permissions for a file so that the administrators group has full control, yet the everyone group is denied all permissions. You then notice that you can’t access the file. This is because although you as a member of the administrators group have full control, the everyone group (of which the administrators group is a member) has no control, and that takes precedence. The solution is to not give the everyone group any permissions, allow or deny. Windows will then deny the everyone group access, but still allow the administrators group to access the file.
There are many other nuances to NT file permissions, but hopefully this writeup gives you enough basics so that you can all go out and set up nice and relatively secure Windows NT systems.