This discusses resource security using NTFS permissions. It
specifically discusses security on files and folders within the
NT File System (NFTS). The document covers NTFS file and folder
permissions, lists, using NTFS permissions, planning NTFS
permission, using special access permission, copying and moving
data with NTFS permissions assigned, and troubleshooting NTFS
permission problems. This document also introduces you to the
next generation of NTFS, NTFS 5.0, which windows 2008 touts as its standard file system. In addition,
this document outlines all of the components of using NTFS
permissions on a NTFS 5.0 file system effectively on a Windows
2000 network. Once you have read and digested this document, you
should be able to secure your windows 2008 network with NTFS
permissions with ease.
UNDERSTANDING NTFS PERMISSIONS
This discussion covers the basics of file and folder
permissions. It walks you through the kinds of permissions you
can assign to files and folders and how to use them. The new and
improved Access Control List is discussed, as well as the
effects of multiple applied permissions and inherited
permissions. First, let's answer a couple of common questions
about NTFS permissions:
- What is a permission? A permission is a rule
associated with an object to regulate which users can gain
access to that object and in what manner.
- When can I use a permission? Permissions can be
used only on NTFS formatted partitions or volumes, and that is
why they are commonly referred to as NTFS permissions.
- Who can set or apply permissions? Administrators,
the user that owns the files or folders, and all other users
or groups that have the Full Control permission to those file
NTFS Permissions and Files
NTFS file permissions are used to control the access that a
user, group, or application has to files. This includes
everything from reading a file to modifying and executing the
file. There are five NTFS file permissions:
- Read & Execute
- Full Control
The five NTFS file permissions are also listed in Table 1
with a description of the access that is allowed to the user or
group when each permission is assigned. As you can see, the
permissions are listed in a specific order. They all build upon
TABLE 1: NTFS FILE PERMISSIONS
allows the user or group to read the file and view its
attributes, ownership, and permissions set.
the user or group to overwrite the file, change its
attributes, view its ownership, and view the permissions
allows the user or group to run and execute the
application. In addition, the user can perform all duties
allowed by the Read permission.
the user or group to modify and delete a file including
perform all of the actions permitted by the Read, Write,
and Read and Execute NTFS file permissions.
the user or group to change the permission set on a file,
take ownership of the file, and perform actions permitted
by all of the other NTFS file permissions.
If a user needs all access to a file except to take ownership
and change its permissions, the Modify permission can be
granted. The access allowed by the Read, Write, and Read &
Execute are automatically granted within the Modify permission.
This saves you from assigning multiple permissions to a file or
group of files. In later discussions in this document you will
see what happens when multiple NTFS file permissions are
assigned and applied and how you can determine the net access
the user or group has to that file or folder.
|NOTE: A file's
attributes are properties of the file such as Read-Only,
Hidden, Archive, and System. The System attribute is usually
applied only to operating system boot files.
NTFS Permissions and Folders
NTFS Folder permissions allow what access is granted to a folder
and the files and subfolders within that folder. These
permissions can be assigned to a user or group. This topic
defines each NFTS folder permission and its effect on a folder.
Table 2 displays a list of the NTFS file permissions and the
access that is granted to a user or group when each permission
TABLE 2: NTFS FOLDER PERMISSIONS
allows the user or group to view the files, folders, and
subfolders of the parent folder. It also allows the
viewing of folder ownership, permissions, and attributes
of that folder.
the user or group to create new files and folders within
the parent folder as well as view folder ownership and
permissions and change the folder attributes.
allows the user or group to view the files and subfolders
contained within the folder.
allows the user or group to navigate through all files and
subfolders including perform all actions allowed by the
Read and List Folder Contents permissions.
the user to delete the folder and perform all activities
included in the Write and Read & Execute NTFS folder
the user or group to change permissions on the folder,
take ownership of it, and perform all activities included
in all other permissions.
Notice that the only major difference between NTFS file and
folder permissions is the List Folder Contents NTFS folder
permission. By using this NTFS folder permission you can limit
the user's ability to browse through a tree of folders and
files. This is useful when trying to secure a specific directory
such as an application directory. A user must know the name and
location of a file to read or execute it when this permission is
applied to its parent folder.
Understanding the Access Control List
Everyone who is familiar with
Microsoft Windows NT 4.0 will find here a big change for the
better. The ACLs or Access Control Lists of the past were
written and assigned to a user once a successful Windows NT
domain login had been established. The operating system would
summarize the user's allowed access in an ACL. When a user in
Microsoft Windows NT 4.0 tried to access a file or folder, the
operating system would look at the user's ACL and determine
whether the user was allowed access. One aspect of this feature
turned out to be a huge drawback for everyday user access. If a
user called the helpdesk or any other support person to gain
access to a file or folder and that person made the appropriate
change to the permissions, the user would have to log off and
log back on. This is because the ACL in Microsoft Windows NT 4.0
was created only after a successful logon. As you will find out,
windows 2008 has made a change in how ACLs work and how users
NTFS 5.0 in windows 2008 stores an ACL with every file and
folder on the NTFS partition or volume. The ACL includes all the
users and groups that have access to the file or folder. In
addition, it indicates what access or specifically what
permissions each user or group is allowed to that file or
folder. Then, whenever a user makes an attempt to access a file
or folder on an NTFS partition or volume, the ACL checks for an
ACE (Access Control Entry) for that user account. The ACE will
indicate what permissions are allowed for that user account. The
user is granted access to that file or folder, provided that the
access requested is defined within the ACE. In other words, when
user wants to read a file, the Access Control Entry is checked
in that file's Access Control List. If the Access Control Entry
for that user contains the Read permission, the user is granted
access to read that file.
|NOTE: If a user
does not have an ACL of the file that he or she wants to
access, access is denied.
Consider the same user/helpdesk situation discussed earlier.
When the support person makes the change to the permissions on
the file the user needs access to, the change is immediately
saved in that file's ACL. The user can then access the file
without having to log out and back in.
This is only the case when assigning permissions to users for
file or folder resources. When a user is added to a group to
gain access to additional resources or otherwise, the user must
log out and back in to access those resources. That is because
NTFS permissions granted to groups are read in a different
Applying Multiple NTFS Permissions
Multiple permissions can be assigned to a single user account.
They can be assigned to the user account directly or to a group
the user account is a member of. When multiple permissions are
assigned to a user account, unexpected things can happen. To
prevent any heartache we are going to discuss the rules and
regulations for assigning multiple NTFS permissions to a single
user or group. This will include how file and folder permissions
work together, and how denying a specific permission can affect
a users' allowed access.
First of all, NTFS permissions are cumulative. This means that a
user's effective permissions are the result of combining the
user's assigned permissions and the permissions assigned to any
groups that the user is a member of. For instance, if a user is
assigned Read access to a specific file, and a group that the
user account is a member of has the Write permissions assigned,
the user is allowed the Read and Write NTFS permission to that
File Permissions Override Folder Permissions
NTFS file permissions override or take priority over NTFS folder
permissions. A user account having access to a file can access
that file even though it does not have access to the parent
folder of that file. However, a user would not be able to do so
via the folder, because that requires this "List Folders
Contents" permission. When the user makes the attempt to access
the file, he or she must supply the full path to it. The full
path can either be the logical file path (F:\MyFolder\MyFile.txt)
or use the Universal Naming Convention (UNC). To access the file
via UNC the user must supply the server name, share, directory,
and file, for example:
If the user has access to the file but does not have an NTFS
folder permission to browse for that file, the file will be
invisible to the user and he or she must supply the full path to
Deny Overrides All Other Permissions
The concept of permission denial has not changed through the
evolution of the Microsoft Windows operating systems and NTFS.
If a user is denied an NTFS permission for a file, any other
instance where that permission has been allowed will be negated.
Microsoft does not, nor do I, recommend using permission denial
to control access to a resource — for one main reason. For
instance, if a user has access to a file or folder as being a
member of a group, denying permission to that user stops all
other permissions that the user might have to the file or
folder. This can be very hard to troubleshoot on a large network
with thousands of users and groups.
This is another example of how multiple NTFS file and folder
permissions are cumulative and what happens to the user's
effective permissions. For an example of Deny overriding all
other NTFS permissions look at
In Figure 1, User A is a member of Group 1 and Group 2, where
he is granted access to Folder A. Group 1 allows access to
Folder A and both of the files within that folder. Group 2, on
the other hand, denies access to a specific file, File 1. When a
user account is denied access to a file or folder, all other
permissions granting that user access to that file or folder are
negated. Figure 1 shows that User A's combined access to File 1 is no
access at all.
Understanding Inherited NTFS
By default, when NTFS permissions are assigned to a parent
folder, all of the same permissions are applied or propagated to
the subfolders and files of that parent folder. Alternatively,
the automatic propagation of these permissions can be stopped.
An example of NTFS permission inheritance is shown in
Subfolders and files inherit NTFS permissions from their parent
folder. As the windows 2008 administrator you assign NTFS
permissions to a folder. All current subfolders and files with
that folder inherit those same permissions. In addition, any new
files or subfolders created within that parent folder assume the
same NTFS permission of that parent folder.
You can prevent NTFS permission inheritance, so that any file
and subfolders in a parent folder will not assume the same NTFS
permissions of their parent folder. Now here is the tricky part.
The directory or folder level in which you decide to prevent the
default NTFS permission inheritance becomes the new parent
folder for NTFS permission inheritance.
USING NTFS PERMISSIONS
This discussion is about using NTFS permissions. The topics
include planning and working with NTFS permissions. The
discussion topic will give guidelines to use when planning NTFS
permission on a windows 2008 network and will explain the
step-by-step process for assigning such permission.
Planning NTFS Permissions
A windows 2008 network should be well thought out and planned
for. The first thing that comes to mind is the Active Directory
and windows 2008 domain infrastructure.
This is very important, but a plan for NTFS permissions should
also be thought out way in advance before a windows 2008 network
Having a plan for NTFS permissions on your windows 2008 network
will save time and money for your organization. You will also
find that a network with well-planned NTFS permissions is that
much easier to manage. Use the following guidelines to help you
plan NTFS permissions on your windows 2008 network. Notice that
some steps are not directly related to NTFS permissions
themselves, but they help organize the data on your network.
This makes it easier for you to manage the resources on your
windows 2008 network and make sure those resources are secure.
- The data on your windows 2008 network needs to be
organized into manageable units. Separate the users' home
directories from applications and public data. Try to keep
data in centralized units. For instance, group all of the home
directories into one folder and place them on an NTFS volume
away from other data. By doing this you gain benefits such as
not having to assign NTFS permissions to files, but only to
the grouped folders. In addition, backup strategies become
less complex. Now application files are grouped separately and
do not have to be backed up with the home directories.
Organizing your data can make many things easier to manage,
including assigning NTFS permissions.
- Assign user only the level of access that is required. If
a user needs only to read a file, grant only the Read
permission to the resource that they require access to. This
precludes the possibility of a user damaging a file, such as
modifying an important document or even deleting it.
- When a group of users require the same access to a
resource, create a group for those users and make each a
member of that new group. Assign the NTFS permissions required
to that resource to the newly created group. If at all
possible avoid assigning NTFS permissions to users and only
assign them to groups.
- When assigning permissions to folders with working data,
use the Read & Execute NTFS folder permission. This should be
assigned to a group containing the users that need to access
this folder and to the Administrators group. This will allow
the users to work with the data, but will also prevent them
from deleting any important files in the folder.
- When assigning NTFS permissions to a public data folder,
use the following criteria as a guideline. Assign the Read &
Execute and Write NTFS permissions to the group containing the
users that need access to the public data folder. The Creator
Owner of the folder should be assigned the Full Control NTFS
permission. Any user on the network that creates a file,
including one in a public data folder, is by default the
Creator Owner of that file. After that file has been created,
the windows 2008 administrator can grant NTFS permissions to
other users for file ownership. If the Read & Execute and the
Write NTFS permissions are assigned to group of users that
need access to the public data folder, they have Full Control
to all files that they create in the public data folder and
can modify and execute files created by other users.
- If at all possible do not deny NTFS permission to a group
or user. This is not a recommended way to manage resources on
a windows 2008 network, because only NTFS permissions assigned
for that resource elsewhere for the user or group are
automatically stopped. This can cause a great deal of time and
frustration in troubleshooting permission problems.
- User education is always a good idea. If users have a
basic understanding of the NTFS permissions and how to secure
resources on a network, they can assign and manage their own
files. Unfortunately user education does take a bit of time
and money, but if done successfully it will pay off in the
This is it for the NTFS permission guidelines. When planning
how to organize your data on a windows 2008 network, remember to
consider NTFS permissions and how they will be affected. Every
business and organization is different, but if most of these
simple guidelines can be followed, managing your resources in a
secure environment will be that much easier. And remember that
Total Cost of Ownership is the name of the game.
Working NTFS Permissions
After a newly created volume is formatted with the NTFS 5.0 file
system in windows 2008, by default the Full Control NTFS
permission is granted to the Everyone group. This, of course,
should be changed as soon as possible. The reason is that
allowing Everyone full control means just that, everyone. That
includes guests, if the Guest account is enabled, and even
anonymous Internet users, if
security settings on the firewall are such that they can
access files on that server. By default, even though you are
running NTFS, no security at all is applied. The approved NTFS
permission plan should be implemented immediately. If an NTFS
permission plan does not exist yet, at lease change the access
for the Everyone group from Full Control to Read. Then you can
assign the appropriate NTFS permissions to users as they are
Now let's look into working with NFTS permissions and how to
assign them. Let's start by looking at
- On your windows 2008 desktop, right-click My Computer.
- Click Explore. This will start the Windows Explorer.
- Click the plus sign to the left of an NTFS volume that you
would like to view.
- Find a folder and right-click on that folder.
- Click the Properties option on the list.
- Now use Alt-Tab to switch to the Securities tab, or select
it by clicking on it.
viewing the Securities tab from the Properties dialog box of
a file, the List Folder Contents NTFS permissions is not
listed in the Permissions list box.
Now that we are all on the same page, let's look at the options
available to us on the security tab. Table 3 lists the options
available on the Securities tab and describes briefly what they
are used for.
TABLE 3: SECURITIES TAB OPTIONS
|| The name
list box displays a list of the users that currently have
access to the selected resource. You can highlight an
object in the list and either change that objects' current
NTFS permission or select remove to Remove it from the
Permissions list box is a list of all the NTFS
permissions. To allow or deny a NTFS permission to the
object selected in the Name list box click the appropriate
clicking the Add command button, the Select Users,
Computers, or Groups dialog box opens. This is where you
can select what objects to add to the Names list box.
remove objects in the Names list box by selecting an
object and then clicking Remove.
For the purposes of this discussion we are going to skip the
Advanced command button and what it does. That will be covered
when we discuss the next topic, Using Special Access
Permissions. The only other option on the Securities tab check
box to allow inheritable permissions from parent to propagate to
this object. By default when a folder is created on a NTFS
volume this option is set. To turn it off, open the Securities
tab and clear the check box.
Figure 4 displays the message box that is displayed.
USING SPECIAL ACCESS PERMISSIONS
NTFS file and folder permissions for the most part are a
sufficient way to secure your resources on a windows 2008
network. Where they do not provide the level of granularity
required, you can use Special Access Permissions can be used.