Correctly setting up file access permissions is a crucial step in securing a Windows system. It ensures that the right people have access to the files and information they need, reducing the likelihood of accidental deletions or data leaks.
If you’re a Windows user, you’ve probably heard of NTFS permissions. But, what are they? How do they work? How can you set up NTFS permissions correctly?
In this blog post, we’ll answer all of your questions about NTFS permissions and discuss some best practices for getting Windows permissions right.
NTFS permissions are a type of access control that can be used to restrict who can access files and folders on a computer or network. NTFS permissions can be applied to both local and network resources.
These permissions are available on any drive formatted with NTFS (New Technology File System) - the default file system for Windows. If a drive is formatted with a different file system, such as FAT32, NTFS permissions will not be available.
They’re particularly useful as these permissions can be granted to both individual users and groups - for both local users and network users.
NTFS permissions work by assigning permissions to users and groups. When a user tries to access a resource, the system checks to see if that user has the required permissions. If this isn't the case, they'll be denied access.
This allows the file system to exert control over which users can perform operations on specific drives or within directories.
Many people confuse NTFS permissions with share permissions. In actuality, NTFS permissions offer much more granular control over giving directory access to users and groups - whereas share permissions are limited to Read, Change or Full Control.
The plethora of permission types gives system administrators the ability to control exactly what certain users can do - allowing them very specific access without compromising the file security of the directory referenced.
There are two categories of NTFS permissions - basic and advanced. Most users will be able to effectively control file security using these few basic permission types, but network administrators looking for even more control should consider a few of the advanced parameters.
The basic permissions include:
Most system administrators stick to these basic permissions, but specific workflows may require more granular control.
Special permissions are accessed through the Advanced Security Settings in Windows Explorer. They include:
This isn’t an exhaustive list. You can view the full range of special permissions in the Advanced Security Settings tab. We’ll walk you through that process below.
NTFS permissions can easily be set using Windows Explorer. Here’s how:
To set permissions for an object:
In Windows Explorer, right-click a file or directory and click Properties.
The Properties dialog box will then appear. Navigate to the Security tab. This is where you can set basic permissions.
In the top panel, we can see the list of groups and users. By default, this should show all the user groups you’ve previously configured for this system. You can add new groups and individual users by clicking Add.
Select the user or group you want to adjust permissions for and look down to the permissions section. Check and uncheck each basic permission as you see fit.
Need to access the special permissions? Click Advanced to open the Advanced Security Settings tab.
Click Add to dial in a new permission entry, or Edit to adjust an existing one.
Hit Apply, and you’re done! Your NTFS file permissions have been configured.
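The same change can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original walkthrough; the folder path and group name are placeholders. It grants a group the Modify permission on a folder, inherited by its subfolders and files, and then reads the entry back.

```powershell
# Added example. $Path and $Group are placeholders (assumptions), not values from the article.
$Path  = 'D:\Shares\Projects'
$Group = 'CONTOSO\Projects-Editors'

# Read the folder's current access control list.
$acl = Get-Acl -LiteralPath $Path

# Build an Allow entry for Modify (not Full Control).
# 'ContainerInherit,ObjectInherit' applies it to subfolders and files as well.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

# Add the entry to the list and write the list back to the folder.
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the ACL back and show only the entries for this group,
# to confirm what was actually stored.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```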
Here are some of our top tips and best practices for using NTFS permissions effectively:
Use groups instead of granting permissions to individual users. Assigning permissions to user groups is a far simpler and more robust way to handle Windows file permissions. When a user needs to be added or removed from certain permissions, all a system administrator will need to do is modify the user groups - not the individual NTFS permissions. Granting individual user permissions can be incredibly messy, and administrators tend to lose track of which permissions are granted to whom. Stick to user groups and save yourself the headache!
Don’t give users Full Control over directories. It’s best practice to avoid granting users Full Control over files and directories. Remember, the Full Control permission enables users to modify NTFS permissions. This isn’t something the vast majority of users will need to do - and this ability should be reserved strictly for the system administrator. Grant the Modify permission. This will do for most users.
Grant the most restrictive permissions needed for a user to carry out their work. Don’t be too generous with your file permissions. A system administrator should know exactly what a user needs access to, and what they should be able to achieve with the files and directories referenced. Assign the Read permission only to users who need to read files and not change, delete, or create files in the directory. If a user isn’t involved in any of the projects contained on a specific drive, they shouldn’t be able to read those files - let alone modify them.
Administrators should speak to line managers to figure out what access is needed. It’s much safer to add permissions when requested than be too generous and risk a data leak.
Frequently audit and stay current on all NTFS permissions. Remove unnecessary and outdated permissions.
Manually checking the permissions of each directory is not a smart choice, especially if you have to do this for an entire file server or even multiple servers and file shares.
This process can be automated to save time and make your job easier. NTFS Permissions Auditor is a tool that lets you specify audit paths; it then automatically checks all folders and creates transparent reports of your permissions for you. Download the free version here and get your first reports in 5 minutes.
How do you get an NTFS permission report in 5 minutes? Download the free version and install it. Below, we set up the profile to start auditing.
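For a quick scripted check of a single folder tree, the following PowerShell is an added example; it is not the NTFS Permissions Auditor tool and not code from this article. It lists every explicitly set (non-inherited) permission entry under a root folder and marks Full Control grants to principals outside an allowlist for review. The root path, the allowlist and the output file name are assumptions.

```powershell
# Added example. The root path, allowlist and CSV name are assumptions; adjust them.
function Get-ExplicitAce {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Principals that are expected to hold Full Control (hypothetical default).
        [string[]] $AllowedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll  = 0x10000000   # GENERIC_ALL; Get-Acl shows it as the number 268435456

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # report an entry only where it was set

            $rights = [int]$ace.FileSystemRights
            $isFull = (($rights -band $fullControl) -eq $fullControl) -or
                      (($rights -band $genericAll) -ne 0)
            # Review = an Allow entry with Full Control for a principal not on the allowlist.
            $review = $isFull -and ($ace.AccessControlType -eq 'Allow') -and
                      ($AllowedFullControl -notcontains $ace.IdentityReference.Value)

            [pscustomobject]@{
                Folder      = $folder.FullName
                Principal   = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                FullControl = $isFull
                Review      = $review
            }
        }
    }
}

# Entries marked for review sort to the top of the report.
Get-ExplicitAce -Root 'D:\Shares' |
    Sort-Object -Property Review -Descending |
    Export-Csv -Path .\ntfs-explicit-aces.csv -NoTypeInformation
```

Folders whose ACL cannot be read produce a warning and are skipped, so a clean report does not cover them.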
Click on Create a configuration profile.
For the first audit, specifying the directories is sufficient. You can explore other profile settings later. We can Save changes and Start auditing.
Results should be available within a few minutes, depending on the number of directories and the number of Active Directory users and groups. You can see a more detailed explanation of the data you see here.
Account view shows all security principals and their folder access rights. Each account row can be expanded to see folders if it has any kind of permissions.
NTFS permissions are a powerful tool for ensuring data security within a system or network. Administrators should assign restrictive permissions to user groups and work with their organization to figure out what access permissions are needed.
Remember, NTFS permissions only work on drives that are formatted with NTFS. If you move files from NTFS to another file system - such as FAT or the Unix FS - you’ll lose the permissions data.
But, for Windows systems, NTFS permissions offer system administrators a simple yet powerful set of tools for controlling and modifying access permissions. When paired with user groups, this permissions system can simplify your data security workflow drastically.
The NTFS Permissions Auditor tool will help you understand the current situation. It will create transparent reports about all users and their permissions.