Have you ever tried to figure out all of the permissions in Windows? There’s share permissions, NTFS permissions, access control lists, and more. Here’s how they all work together.

The Security Identifier

The Windows operating system uses SIDs to represent all security principals. SIDs are just variable-length strings of alphanumeric characters that represent machines, users and groups. A SID is added to an ACL (Access Control List) every time you grant a user or group permission to a file or folder. Behind the scenes, SIDs are stored in binary like every other data object, but when you see a SID in Windows it is displayed in a more readable syntax. It is not often that you will see a SID at all; the most common scenario is when you grant someone permission to a resource and their user account is later deleted, after which the entry shows up as a bare SID in the ACL. So let's take a look at the typical format in which you will see SIDs in Windows.

The notation you will see follows a fixed syntax; below are the different parts of a SID in this notation.

  1. An ‘S’ prefix
  2. Structure revision number
  3. A 48-bit identifier authority value
  4. A variable number of 32-bit sub-authority or relative identifier (RID) values

Using my SID in the image below we will break up the different sections to get a better understanding.

The SID Structure:

‘S’ – The first component of a SID is always an ‘S’. It is prefixed to all SIDs and tells Windows that what follows is a SID.

‘1’ – The second component is the revision number of the SID specification; if the specification were ever to change, this number would provide backwards compatibility. As of Windows 7 and Server 2008 R2 the SID specification is still in its first revision.

‘5’ – The third section is called the Identifier Authority. It defines the scope in which the SID was generated. Possible values for this section of the SID are:

  1. 0 – Null Authority
  2. 1 – World Authority
  3. 2 – Local Authority
  4. 3 – Creator Authority
  5. 4 – Non-unique Authority
  6. 5 – NT Authority

’21’ – The fourth component is sub-authority 1; the value ’21’ in this field specifies that the sub-authorities that follow identify the local machine or the domain.

‘1206375286-251249764-2214032401’ – These are sub-authorities 2, 3 and 4 respectively. In our example they identify the local machine, but they could equally be the identifier for a domain.

‘1000’ – Sub-authority 5 is the last component in our SID and is called the RID (Relative Identifier). The RID is relative to each security principal; note that any user-defined objects, meaning those not shipped by Microsoft, will have a RID of 1000 or greater.
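
To make the layout concrete, here is an added example (not code from the original article) that parses the SID broken down above, converts it to and from the binary form Windows stores in ACLs, and extracts the machine identifier and RID. It assumes the standard Windows SID binary layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and the 15-sub-authority limit from the Windows SDK.

```python
import struct
from dataclasses import dataclass
from typing import List
# Identifier authority values listed in the article.
AUTHORITY_NAMES = {0: "Null Authority", 1: "World Authority", 2: "Local Authority",
                   3: "Creator Authority", 4: "Non-unique Authority", 5: "NT Authority"}
@dataclass
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: List[int]

def parse_sid(text: str) -> Sid:
    """Parse the readable 'S-1-5-21-...' notation into its components."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Bounds: 48-bit authority, 32-bit sub-authorities, at most 15 of them (SID_MAX_SUB_AUTHORITIES).
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15 \
            or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)

def sid_to_bytes(sid: Sid) -> bytes:
    """Binary layout: revision, sub-authority count, 6-byte big-endian authority, LE uint32 sub-authorities."""
    header = struct.pack("<BB", sid.revision, len(sid.sub_authorities))
    authority = sid.identifier_authority.to_bytes(6, "big")
    return header + authority + b"".join(struct.pack("<I", s) for s in sid.sub_authorities)

def sid_from_bytes(data: bytes) -> Sid:
    """Inverse of sid_to_bytes, with length checks so a truncated ACL blob is rejected."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("SID blob length does not match its sub-authority count")
    subs = list(struct.unpack(f"<{data[1]}I", data[8:]))
    return Sid(data[0], int.from_bytes(data[2:8], "big"), subs)

def sid_to_string(sid: Sid) -> str:
    return "-".join(["S", str(sid.revision), str(sid.identifier_authority), *map(str, sid.sub_authorities)])

def describe(sid: Sid) -> dict:
    """Split a machine or domain SID the way the article does: authority, machine/domain id, RID."""
    info = {"authority": AUTHORITY_NAMES.get(sid.identifier_authority, "unknown")}
    subs = sid.sub_authorities
    if sid.identifier_authority == 5 and len(subs) >= 5 and subs[0] == 21:
        info["domain_or_machine"] = "-".join(map(str, subs[1:4]))
        info["rid"] = subs[-1]
        info["user_defined"] = subs[-1] >= 1000   # non-Microsoft accounts get RIDs of 1000 or greater
    return info
```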

Security Principals

A security principal is anything that has a SID attached to it; these can be users, computers and even groups. Security principals can be local or exist in the domain context. You manage local security principals through the Local Users and Groups snap-in, under Computer Management. To get there, right click on the Computer shortcut in the Start menu and choose Manage.

To add a new user security principal you can go to the users folder and right click and choose new user.

If you double click on a user you can add them to a Security Group on the Member Of tab.

To create a new security group, navigate to the Groups folder on the right hand side. Right click on the white space and select new group.

Share Permissions and NTFS Permissions

In Windows there are two types of file and folder permissions: Share Permissions and NTFS Permissions, the latter also called Security Permissions. Take note that when you share a folder, by default the “Everyone” group is given the Read permission. Security on folders is usually done with a combination of Share and NTFS Permissions, and in that case it is essential to remember that the most restrictive always applies. For example, if the share permission is set to Everyone = Read (the default) but the NTFS Permissions allow users to change a file, the Share Permission takes precedence and the users will not be allowed to make changes. Once permissions are set, the LSASS (Local Security Authority Subsystem Service) controls access to the resource. When you log on you are given an access token carrying your SID; when you access the resource, the LSASS compares the SIDs in that token against the ACL (Access Control List) of the resource, and if a SID is on the ACL the matching entry determines whether access is allowed or denied. The two kinds of permission behave differently, so let's take a look to get a better understanding of when to use which.

Share Permissions:

  1. They only apply to users who access the resource over the network. They don’t apply if you log on locally, for example through Terminal Services.
  2. They apply to all files and folders in the shared resource. If you want a more granular restriction scheme you should use NTFS Permissions in addition to Share Permissions.
  3. If you have any FAT or FAT32 formatted volumes, this will be the only form of restriction available to you, as NTFS Permissions are not available on those file systems.

NTFS Permissions:

  1. The only restriction on NTFS Permissions is that they can only be set on a volume formatted with the NTFS file system.
  2. Remember that NTFS Permissions are cumulative: a user's effective permissions are the result of combining the user’s assigned permissions with the permissions of any groups the user belongs to.
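
An added example (not code from the original article) that models the access check described above: the SIDs in a logon token are matched against a share ACL and an NTFS ACL, NTFS rights are unioned across the user's SID and group SIDs (cumulative), share rights only count for network access, and the intersection gives the most-restrictive result. It goes slightly beyond the article by honouring explicit Deny entries, which Windows applies ahead of Allow entries; the two user SIDs are constructed from the article's machine SID, while S-1-1-0 (Everyone) and S-1-5-32-545 (Users) are the real well-known SIDs.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Basic rights the article's permission levels decompose into (attribute bits left out for brevity).
ALL = frozenset({"read", "execute", "write", "delete", "change_permissions", "take_ownership"})
SHARE_LEVELS = {"Read": frozenset({"read", "execute"}),
                "Change": frozenset({"read", "execute", "write", "delete"}),
                "Full Control": ALL}
NTFS_LEVELS = {"Read": frozenset({"read"}), "Write": frozenset({"write"}),
               "Read & Execute": frozenset({"read", "execute"}),
               "Modify": frozenset({"read", "execute", "write", "delete"}),
               "Full Control": ALL}

@dataclass(frozen=True)
class Ace:               # one entry in an ACL: a SID plus the rights it is allowed or denied
    sid: str
    rights: FrozenSet[str]
    allow: bool = True

@dataclass(frozen=True)
class Token:             # the access token handed out at logon: the user's SID and group SIDs
    user_sid: str
    group_sids: FrozenSet[str]

def ntfs_effective(token: Token, acl: List[Ace]) -> Set[str]:
    """NTFS permissions are cumulative: union the Allow ACEs matching the user or any of its groups.
    An explicit Deny ACE removes the right again (standard Windows rule, beyond the article)."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.sid == token.user_sid or ace.sid in token.group_sids:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def effective(token: Token, share_acl: List[Ace], ntfs_acl: List[Ace], over_network: bool) -> Set[str]:
    """Share permissions only apply to network access; when both apply, the most restrictive wins."""
    rights = ntfs_effective(token, ntfs_acl)
    if over_network:
        rights &= ntfs_effective(token, share_acl)   # the same allow/deny merge works for a share ACL
    return rights

# Constructed sample: the article's machine SID with RIDs 1000/1001 for two users, plus the
# well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-545 (local Users group).
MACHINE = "S-1-5-21-1206375286-251249764-2214032401"
ALICE = Token(f"{MACHINE}-1000", frozenset({"S-1-1-0", "S-1-5-32-545"}))
BOB = Token(f"{MACHINE}-1001", frozenset({"S-1-1-0", "S-1-5-32-545"}))
DEFAULT_SHARE_ACL = [Ace("S-1-1-0", SHARE_LEVELS["Read"])]            # the default: Everyone = Read
NTFS_ACL = [Ace("S-1-5-32-545", NTFS_LEVELS["Modify"]),               # Users may modify
            Ace(BOB.user_sid, NTFS_LEVELS["Write"], allow=False)]     # but Bob is explicitly denied Write
```

Over the network Alice ends up with Read only even though NTFS grants her Modify, while locally she gets the full Modify set; Bob's Deny entry removes Write in both cases.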

The New Share Permissions

Windows 7 brought along a new “easy” share technique. The options changed from Read, Change and Full Control to just Read and Read/Write. The idea was part of the whole HomeGroup mentality and makes it easy for non computer-literate people to share a folder. This is done via the context menu and shares with your HomeGroup easily.

If you wanted to share with someone who is not in the HomeGroup you could always choose the “Specific people…” option, which brings up a more “elaborate” dialog where you can specify a specific user or group.

There are only two permissions, as previously mentioned; together they offer an all-or-nothing protection scheme for your folders and files.

  1. Read permission is the “look, don’t touch” option. Recipients can open, but not modify or delete, a file.
  2. Read/Write is the “do anything” option. Recipients can open, modify, or delete a file.

The Old School Way

The old share dialog had more options: it let us share the folder under a different alias, limit the number of simultaneous connections and configure caching. None of this functionality is lost in Windows 7; rather, it is hidden under an option called “Advanced Sharing”. If you right click on a folder and go to its properties you can find these “Advanced Sharing” settings under the Sharing tab.

If you click on the “Advanced Sharing” button, which requires local administrator credentials, you can configure all the settings that you were familiar with in previous versions of Windows.

If you click on the permissions button you’ll be presented with the 3 settings that we are all familiar with.

  1. Read permission allows you to view and open files and subdirectories as well as execute applications. However, it doesn’t allow any changes to be made.
  2. Modify permission allows you to do anything that Read permission allows; it also adds the ability to add files and subdirectories, delete subfolders and change data in the files.
  3. Full Control is the “do anything” of the classic permissions, as it lets you do everything the previous permissions allow. In addition it lets you change the NTFS Permissions, which only applies to folders on NTFS volumes.

NTFS Permissions

NTFS Permissions allow for very granular control over your files and folders. That said, the amount of granularity can be daunting to a newcomer. You can set NTFS Permissions on a per-file basis as well as a per-folder basis. To set NTFS Permissions on a file, right click it, go to the file's properties and then to the Security tab.

To edit the NTFS Permissions for a User or Group click on the edit button.

As you can see there are quite a lot of NTFS Permissions, so let's break them down. First we will have a look at the NTFS Permissions that you can set on a file.

  1. Full Control allows you to read, write, modify, execute, change attributes and permissions, and take ownership of the file.
  2. Modify allows you to read, write, modify, execute, and change the file’s attributes.
  3. Read & Execute will allow you to display the file’s data, attributes, owner, and permissions, and run the file if it's a program.
  4. Read will allow you to open the file and view its attributes, owner, and permissions.
  5. Write will allow you to write data to the file, append to the file, and read or change its attributes.

NTFS Permissions for folders have slightly different options, so let's take a look at them.

  1. Full Control allows you to read, write, modify, and execute files in the folder, change attributes and permissions, and take ownership of the folder or the files within it.
  2. Modify allows you to read, write, modify, and execute files in the folder, and change attributes of the folder or the files within it.
  3. Read & Execute will allow you to display the folder’s contents, display the data, attributes, owner, and permissions of files within the folder, and run files within the folder.
  4. List Folder Contents will allow you to display the folder’s contents and display the data, attributes, owner, and permissions of files within the folder.
  5. Read will allow you to display the file’s data, attributes, owner, and permissions.
  6. Write will allow you to write data to the file, append to the file, and read or change its attributes.

Microsoft’s documentation also states that “List Folder Contents” will let you execute files within the folder, but you will still need to enable “Read & Execute” in order to do so. It’s a very confusingly documented permission.

Summary

In summary, user names and groups are representations of an alphanumeric string called a SID (Security Identifier), and Share and NTFS Permissions are tied to these SIDs. Share Permissions are checked by the LSASS only when the resource is accessed over the network, while NTFS Permissions are only valid on the local machine. I hope that you all have a sound understanding of how file and folder security in Windows 7 is implemented. If you have any questions feel free to sound off in the comments.

Translated from: https://www.howtogeek.com/72718/how-to-understand-those-confusing-windows-7-fileshare-permissions/
