How to Set File and Folder Permissions in Windows
Normally, you don’t have to worry about permissions in Windows because that’s already taken care of by the operating system. Each user has their own profile and their own set of permissions, which prevents unauthorized access to files and folders.
There are times, however, when you might want to manually configure the permissions on a set of files or folders in order to prevent other users from accessing the data. This post is assuming the other “people” also have access to the same computer you are using.
If not, you may as well just encrypt your hard drive and that’s it. However, when others can access the computer, like family or friends, then permissions can come in handy.
Of course, there are other alternatives like hiding files and folders using file attributes or by using the command prompt to hide data. You can even hide an entire drive in Windows if you like.
If you are looking to set permissions in order to share files with others, check out my post on creating a hidden network share or how to share files across computers, tablets and phones.
Data Security
The only other occasion where you will need to mess around with folder or file permissions is when you get a Permission Denied error when trying to access data. This means you can take ownership of files that don’t belong to your current user account and still access them.
This is important because it means that setting permissions on a file or folder does not guarantee the security of that file or folder. In Windows, an administrator on any Windows PC can override the permissions on a set of files and folders by taking ownership of them. Once you have ownership, you can set your own permissions.
So what does this mean in English? Basically, if you have data you don’t want others to see, then you should either not store it on that computer at all or you should use an encryption tool like TrueCrypt.
For those tech-savvy readers, you’ll probably be saying “Hey wait, TrueCrypt has been discontinued due to security vulnerabilities and shouldn’t be used!” Well, that is correct, however, TrueCrypt has been audited by an independent organization and Phase I and Phase II have been completed.
The only version you should download is TrueCrypt 7.1a, the one that has been uploaded to a verified mirror on GitHub. If you are not comfortable at all using TrueCrypt, the only other suggestion I have is VeraCrypt, which was the successor to TrueCrypt, but fixed many of the flaws.
File and Folder Permissions
Now that we got all of that out of the way, let’s talk about permissions in Windows. Every file and every folder in Windows has its own set of permissions. Permissions can be broken down into Access Control Lists with users and their corresponding rights. Here is an example with the user list at the top and the rights at the bottom:
Permissions are also either inherited or not. Normally in Windows, every file or folder gets its permissions from the parent folder. This hierarchy keeps going all the way up to the root of the hard drive. The simplest permissions have at least three users: SYSTEM, the currently logged-in user account and the Administrators group.
These permissions usually come from the C:\Users\Username folder on your hard drive. You can access these permissions by right-clicking on a file or folder, choosing Properties and then clicking on the Security tab. To edit permissions for a particular user, click on that user and then click the Edit button.
Note that if the permissions are greyed out, like in the example above, the permissions are being inherited from the containing folder. I’ll talk about how you can remove inherited permissions further below, but first let’s understand the different types of permissions.
Permission Types
There are basically six types of permissions in Windows: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. List Folder Contents is the only permission that is exclusive to folders. There are more advanced attributes, but you’ll never need to worry about those.
So what does each of these permissions mean? Well, here is a nice chart from Microsoft’s website that breaks down what each permission means for files and for folders:
Now that you understand what each permission controls, let’s take a look at modifying some permissions and checking out the results.
Editing Permissions
Before you can edit any permissions, you have to have ownership of the file or folder. If the owner is another user account or a system account like Local System or TrustedInstaller, you won’t be able to edit the permissions.
Read my previous post on how to take ownership of files and folders in Windows if you are currently not the owner. Now that you are the owner, let’s get a few more things out of the way:
- If you set Full Control permissions on a folder for a user, the user will be able to delete any file or subfolder regardless of what permissions are set for those files or subfolders.
- By default, permissions are inherited, so if you want custom permissions for a file or folder, you have to first disable inheritance.
- Deny permissions override Allow permissions, so use them sparingly and preferably only on specific users, not groups.
If you right-click on a file or folder, choose Properties and click on the Security tab, we can now try to edit some permissions. Go ahead and click the Edit button to get started.
At this point, there are a couple of things you can do. Firstly, you’ll notice that the Allow column is probably greyed out and can’t be edited. This is because of the inheritance I was talking about earlier.
However, you can check items on the Deny column. So if you just want to block access to a folder for a specific user or group, click the Add button first and once added, you can check the Deny button next to Full Control.
When you click the Add button, you have to type in the user name or group name into the box and then click on Check Names to make sure it’s correct. If you don’t remember the user or group name, click on the Advanced button and then just click Find Now. It will show you all the users and groups.
Click OK and the user or group will be added to the access control list. Now you can check the Allow column or Deny column. As mentioned, try to use Deny only for users instead of groups.
Now what happens if we try to remove a user or group from the list? Well, you can easily remove the user you just added, but if you try to remove any of the items that were already there, you’ll get an error message.
In order to disable inheritance, you have to go back to the main Security tab for the file or folder and click on the Advanced button at the bottom.
On Windows 7, you’ll see one extra tab for Owner. In Windows 10, they just moved that to the top and you have to click Change. Anyway, in Windows 7, click on Change Permissions at the bottom of the first tab.
On the Advanced Security Settings dialog, uncheck the Include inheritable permissions from this object’s parent box.
When you do that, another dialog box will pop up and ask whether you want to convert the inherited permissions to explicit permissions or just remove all the inherited permissions.
Unless you really know exactly what permissions you want, I suggest choosing Add (explicit permissions) and then just removing whatever you don’t want afterwards. Basically, clicking on Add will keep all the same permissions, but now they won’t be greyed out and you can click Remove to delete any user or group. Clicking Remove will start you off with a clean slate.
In Windows 10, it looks slightly different. After clicking on the Advanced button, you have to click on Disable Inheritance.
When you click on that button, you’ll get the same options as in Windows 7, but just in a different form. The Convert option is the same as Add and the second option is the same as Remove.
The only thing you have to understand now is the Effective Permissions or Effective Access tab. So what are effective permissions? Well, let’s see the example above. I have a text file and my account, Aseem, has Full Control. Now what if I add another item to the list so that the group Users is denied Full Control?
The only problem here is that the Aseem account is also part of the Users group. So I have Full Control in one permission and Deny in another, which one wins? Well, as I mentioned above, Deny always overrides Allow, so Deny will win, but we can also confirm this manually.
Click on Advanced and go to the Effective Permissions or Effective Access tab. In Windows 7, click the Select button and type in the user or group name. In Windows 10, click the Select a user link.
In Windows 7, once you select the user, it will instantly show the permissions in the list box below. As you can see, all of the permissions are unchecked, which makes sense.
In Windows 10, you have to click the View effective access button after selecting the user. You’ll also get a nice red X for no access and a green check mark for allowed access, which is a bit easier to read.
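The same steps can be scripted. The following PowerShell is an added example, not part of the original post: on a constructed scratch file it disables inheritance with the Add/Convert choice, adds a Deny entry, and then checks that Deny beats the existing Allow. It assumes it is run from the account that owns the scratch file, and it denies only `ReadData` to the current user instead of Full Control to the Users group, so the cleanup stays simple.

```powershell
# Constructed scratch folder and file, so nothing real is touched.
$dir  = Join-Path $env:TEMP 'acl-demo'
$file = Join-Path $dir 'notes.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample data'

function Show-Acl($path) {
    # IsInherited = True corresponds to the greyed-out rows in the Security tab.
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# 1. Before: every entry on the file is inherited from the parent folder.
Show-Acl $file

# 2. Disable inheritance. The first $true protects the ACL from the parent;
#    the second $true keeps the inherited entries as explicit ones
#    (Add / Convert), while $false would drop them (Remove).
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $file -AclObject $acl

# 3. Add an explicit Deny for one specific user: the account running this script.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'ReadData', 'Deny')
$acl  = Get-Acl -Path $file
$acl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $acl
Show-Acl $file   # all entries are now explicit, and the Deny entry is listed

# 4. The account still has an Allow entry, but the Deny entry wins.
try {
    Get-Content -Path $file -ErrorAction Stop | Out-Null
    'read succeeded'
} catch {
    "read blocked: $($_.Exception.GetType().Name)"
}

# 5. The owner can still edit the ACL, so remove the Deny entry and clean up.
$acl = Get-Acl -Path $file
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $file -AclObject $acl
Remove-Item -Path $dir -Recurse -Force
```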
So now you pretty much know all there is to know about Windows file and folder permissions. It does take some playing around yourself in order to get the hang of it all.
The main points to understand are that you need to be the owner in order to edit permissions and that any administrator can take ownership of files and folders regardless of the permissions on those objects. If you have any questions, feel free to post a comment. Enjoy!