NTFS Permissions

Uploaded by Devika l

NTFS FILE PERMISSIONS

NTFS PERMISSIONS - A BASIC INTRODUCTION

• NTFS permissions are used to manage access to the files and folders stored on NTFS volumes. They are available on NTFS but not on FAT-based file systems (FAT, FAT32, exFAT), which have no per-object access control list.
• Permissions define what a user can and cannot do with a file or folder. For example, they may be used to allow some users to read a file and disallow others from reading it, or to stop some users from deleting or modifying files. Unlike share permissions, NTFS permissions apply to both network and local access.
• There are basic and advanced permissions. Each basic permission is a named bundle of advanced permissions; the table below shows the mapping.

• The basic permissions are:

Full Control: Everything in Modify, plus Delete Subfolders and Files, Change Permissions and Take Ownership. Users can read, modify, add, move and delete files and their attributes, and can change the permissions on the folder and on everything beneath it.

Modify: Everything in Read & Execute and Write, plus Delete. Users can view and change files and file attributes, add files and subfolders to a folder, and delete the object itself. Modify does not allow changing permissions or ownership.

List Folder Contents: The same rights as Read & Execute, but applied to the folder and its subfolders only, never to files. Users can see the names of files and subfolders and read folder attributes and permissions. It appears only on folders and does not by itself allow reading or running the files inside.

Read & Execute: Everything in Read, plus Traverse Folder/Execute File. Users can run executable files, including scripts, and move through folders to reach objects below them.

Read: Users can view file contents, attributes, extended attributes and permissions (List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions). Read does not include execute.

Write: Users can create files and folders, write and append data and change attributes (Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes). Write on its own includes neither Read nor Delete.


BASIC PERMISSIONS

Mapping of each basic permission to the advanced permissions it contains (✓ = included). List Folder Contents carries the same entries as Read & Execute but applies to folders and subfolders only.

Advanced permission          | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
-----------------------------+--------------+--------+----------------+----------------------+------+------
Traverse Folder/Execute File |      ✓       |   ✓    |       ✓        |          ✓           |      |
List Folder/Read Data        |      ✓       |   ✓    |       ✓        |          ✓           |  ✓   |
Read Attributes              |      ✓       |   ✓    |       ✓        |          ✓           |  ✓   |
Read Extended Attributes     |      ✓       |   ✓    |       ✓        |          ✓           |  ✓   |
Create Files/Write Data      |      ✓       |   ✓    |                |                      |      |  ✓
Create Folders/Append Data   |      ✓       |   ✓    |                |                      |      |  ✓
Write Attributes             |      ✓       |   ✓    |                |                      |      |  ✓
Write Extended Attributes    |      ✓       |   ✓    |                |                      |      |  ✓
Delete Subfolders and Files  |      ✓       |        |                |                      |      |
Delete                       |      ✓       |   ✓    |                |                      |      |
Read Permissions             |      ✓       |   ✓    |       ✓        |          ✓           |  ✓   |  ✓
Change Permissions           |      ✓       |        |                |                      |      |
Take Ownership               |      ✓       |        |                |                      |      |
Synchronize                  |      ✓       |   ✓    |       ✓        |          ✓           |  ✓   |  ✓
The advanced permissions are:

• Traverse Folder/Execute File: For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right, so in practice a missing Traverse Folder permission rarely blocks anything.) For files: Execute File allows or denies running program files. (Applies to files only.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

• List Folder/Read Data: List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.)

• Read Attributes: Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

• Read Extended Attributes: Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

• Create Files/Write Data: Create Files allows or denies creating files within the folder. (Applies to folders only.) Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)

• Create Folders/Append Data: Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.)

• Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder.

• Write Extended Attributes: Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the extended attributes of a file or folder.

• Delete Subfolders and Files: Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders only.) This is the entry that makes Full Control on a folder so powerful: a child object's own ACL cannot protect it from deletion by someone who holds this permission on the parent.

• Delete: Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

• Read Permissions: Allows or denies reading the permissions (the ACL) of the file or folder, such as Full Control, Read, and Write.

• Change Permissions: Allows or denies changing the permissions of the file or folder, such as Full Control, Read, and Write. Whoever holds Change Permissions can grant themselves any other permission, so in effect it is as powerful as Full Control.

• Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder (the owner is implicitly granted Read Permissions and Change Permissions), so Take Ownership is likewise as powerful as Full Control in effect.
WHAT ARE SHARE PERMISSIONS?

• Share permissions control who can access a shared folder over the network; they do not apply to users who log on locally and open the same folder through its path on disk. Share permissions cannot be set on individual subfolders or files inside a share: one set of permissions applies to everything beneath the share root. Because they are stored with the share definition rather than on the file system, share permissions work on NTFS, FAT and FAT32 volumes, and the share settings also let you limit the number of users who can connect to the shared folder at the same time.

Share Permission Types

 Full Control: Allows users to create, read, update and delete files and folders in the share, and to change the NTFS permissions on those files and folders, subject to their NTFS permissions. By default, the "Administrators" group is granted "Full Control" permissions.
 Change: Allows users to read and execute files, as well as add, edit and delete files and folders. "Change" permissions are not assigned by default.
 Read: Allows users to view file and folder names, read file contents and attributes, and execute programs. The "Everyone" group is assigned "Read" permissions by default.
Effective permissions
To see effective permissions, open the Advanced Security Settings dialog box, click the Effective Access tab (called Effective Permissions in older Windows versions) and select a user or group. The result combines the permissions directly assigned to the file or folder with the permissions inherited from parent folders, taking the user's group memberships and any Deny entries into account. This dialog is an easy way to determine NTFS permissions, but it does not include share permissions. Share permissions apply only to access through the share over the network; for a network user the effective access is the more restrictive of the share permissions and the NTFS permissions.
CHANGING OWNERSHIP OF FILES AND FOLDERS

• When a user creates a file or folder, Windows makes that user the owner and automatically assigns Full Control to the creator/owner. Full Control allows the user to assign permissions to other users for the files he or she creates; independently of the ACL, the owner is also always implicitly granted Read Permissions and Change Permissions.
• If the ownership of a file or folder needs to change, you can replace the existing owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permission "Take Ownership" on the object, or hold the "Take ownership of files or other objects" user right (held by Administrators by default), which works regardless of the object's ACL. Users who have the "Restore files and directories" user right can assign ownership to any user or group, not only to themselves.
MOVING AND COPYING NTFS PROTECTED FILES

• Moving and copying protected files behaves like moving and copying a compressed file. When you copy a protected file to a folder on the same or a different volume, a new file is created and it inherits the permissions of the target directory; the source file's explicit permissions are not carried over.
• However, when you move a protected file to a different location on the same volume, the file retains its access permission settings, including entries it previously inherited, as though they were explicit permissions. Some tools re-apply the new parent's inheritable permissions after such a move (File Explorer on current Windows versions does, while keeping the explicit entries), so check the resulting ACL rather than assuming it.
• A move to a different volume is really a copy followed by a delete, so the file inherits the target directory's permissions exactly as a copy does.
• When data is moved within the same volume, the data is not actually relocated; only the directory entry (the pointer to it) changes, and that is why it retains its ACL (Access Control List).
TROUBLESHOOTING ACCESS TO FILES AND SHARED FOLDERS

• A problem with a user accessing shared folders is often caused by underlying network connectivity or name resolution problems. Make sure you check basic network connectivity first, before looking at NTFS permissions.
• Then check:
 Share permissions that grant less access than the NTFS permissions (the more restrictive of the two applies over the network)
 Deny entries or user rights recently applied to groups the user belongs to
 Permission changes on parent folders that have been inherited down to the object
• In a large environment with many users and groups, it is important to maintain a structured user and group design and folder hierarchy, and to assign permissions to groups rather than to individual users.
EXPLICIT VS. INHERITED PERMISSIONS

• Each permission that exists can be assigned one of two ways: explicitly or by inheritance. For this reason, permissions are referred to as explicit permissions and inherited permissions.
 Explicit permissions are permissions that are set by default when the object is created, or by user action.
 Inherited permissions are permissions that are given to an object because it is a child of a parent object.
• Similar to the way rights are managed for groups of users, permissions are best managed for containers of objects. Objects within the container inherit all the inheritable access permissions of that container.
• For example, you might explicitly give permissions to a folder named MyFolder. All subfolders and files created within MyFolder automatically inherit the permissions assigned to MyFolder.
• In the example above, it is possible to stop subfolders from inheriting access permissions. To do this, you must explicitly disable inheritance on the subfolder in its Advanced Security Settings, choosing either to convert the inherited permissions into explicit ones or to remove them.
ASSIGNING, ALLOWING AND DENYING PERMISSIONS

• Permissions are assigned explicitly or by inheritance. For example, a file could inherit its permissions from its parent folder. This makes managing permissions simpler, as you only need to change one folder's permissions instead of those of every file in the folder. You can also set explicit permissions on a file or folder. For example, a file could still inherit its permissions from its parent folder while you also grant extra permissions to a specific user.
• You can allow or deny a permission. Deny beats Allow when both are set at the same level on the same file or folder. When inherited permissions are involved, Allow and Deny work a bit differently: Windows orders the entries in the ACL by this hierarchy:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow
Windows walks the entries in that order. Each Allow entry that matches the user or one of the user's groups grants the rights it contains; as soon as every requested right has been granted the check succeeds, and as soon as a Deny entry that matches the user covers a right that has not yet been granted the check fails. For example, if the inherited permissions on a file deny you Read permission, but you are explicitly given Read permission on the file, the explicit Allow is reached first and overrides the inherited Deny. The same order also means that an explicit Deny on a group you belong to beats an explicit Allow on your own account, because all explicit Denies are evaluated before any explicit Allow.
The security applies to both users and groups. Users can be members of one or more groups. For example, you could have a group for accountants, editors, programmers, etc. You can then base your permissions on groups instead of specific users. This makes managing the permissions much simpler, as a new employee can simply be added to the appropriate groups. They can then access files and folders based on their group membership and no permissions need to be changed.
Files and folders have ownership. When a file or folder is created, Windows gives Full Control to the owner (the creator of the file or folder). You can change ownership, but the user or group changing the ownership needs the Full Control or Take Ownership permission, or the corresponding user right.
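The following is an added example, not part of the original slides, that models the Allow/Deny evaluation order just described and the rule from the effective permissions and share permissions sections that network access is the more restrictive of share and NTFS permissions. It is an offline simulation of the documented Windows access check, not a call into the Windows API: entries are sorted into canonical order, Allow entries accumulate requested rights, and the first matching Deny that covers an outstanding right fails the check. The trustee names (alice, Accountants, Everyone, bob) and the scenarios are made up for the demonstration; the share-permission masks are assumed to equal the NTFS Read & Execute, Modify and Full Control masks.

```python
# Added example: a minimal model of NTFS DACL evaluation and share/NTFS
# combination. Not from the original slides; trustees are invented.
from dataclasses import dataclass

# Access-mask bits used in this example (Win32 values).
READ_DATA = 0x1         # FILE_READ_DATA
WRITE_DATA = 0x2        # FILE_WRITE_DATA
DELETE = 0x10000        # DELETE
READ_CONTROL = 0x20000  # Read Permissions
WRITE_DAC = 0x40000     # Change Permissions

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group name (stands in for a SID)
    mask: int            # access-mask bits the entry covers
    inherited: bool = False

def canonical(dacl):
    """Order entries as a canonical DACL: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Order within each group is kept."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))

def access_check(dacl, principals, requested, owner=None):
    """Return True if a token holding `principals` (the user plus all of its
    groups) is granted every bit in `requested`.

    The owner implicitly gets Read Permissions and Change Permissions, so those
    bits are satisfied before the DACL is consulted. Entries are then walked in
    canonical order: a matching Allow removes its bits from what is still
    outstanding; a matching Deny covering an outstanding bit fails the check."""
    remaining = requested
    if owner is not None and owner in principals:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in canonical(dacl):
        if remaining == 0:
            break
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
    return remaining == 0

# Share permission masks (Read, Change, Full Control); assumed here to equal
# the NTFS Read & Execute, Modify and Full Control masks.
SHARE = {"Read": 0x1200A9, "Change": 0x1301BF, "Full Control": 0x1F01FF}

def network_access(dacl, share_acl, principals, requested, owner=None):
    """Access through a share succeeds only if the share ACL and the NTFS DACL
    both grant the request: the more restrictive of the two wins."""
    return (access_check(share_acl, principals, requested)
            and access_check(dacl, principals, requested, owner))

def scenarios():
    """Worked cases from the text, with made-up trustees."""
    alice = {"alice", "Accountants", "Everyone"}
    # 1. Inherited Deny on the group, explicit Allow on the user: Allow wins.
    inherited_deny = [Ace("deny", "Accountants", READ_DATA, inherited=True),
                      Ace("allow", "alice", READ_DATA)]
    # 2. Both explicit: the group Deny is evaluated before the user Allow.
    explicit_deny = [Ace("allow", "alice", READ_DATA),
                     Ace("deny", "Accountants", READ_DATA)]
    # 3. NTFS Full Control for Everyone, but the share only grants Read.
    ntfs_full = [Ace("allow", "Everyone", 0x1F01FF, inherited=True)]
    share_read = [Ace("allow", "Everyone", SHARE["Read"])]
    return {
        "explicit allow beats inherited deny":
            access_check(inherited_deny, alice, READ_DATA),
        "explicit group deny beats explicit user allow":
            access_check(explicit_deny, alice, READ_DATA),
        "local write with share Read":
            access_check(ntfs_full, alice, WRITE_DATA),
        "network write with share Read":
            network_access(ntfs_full, share_read, alice, WRITE_DATA),
        "network read with share Read":
            network_access(ntfs_full, share_read, alice, READ_DATA),
        "owner can change permissions without an ACE":
            access_check([], {"bob"}, WRITE_DAC, owner="bob"),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The second scenario is the one that surprises people: the user's own explicit Allow does not help, because every explicit Deny, including one on a group the user merely belongs to, is evaluated before any explicit Allow. The third shows why the Effective Access tab alone can mislead for network users: NTFS grants the write, the share does not, and the share wins.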