OVERVIEW OF NTFS PERMISSIONS
NTFS is the default file system of the Windows operating system family, offering a wide range of advanced features such as journaling, compression, quotas, and much more. NTFS also offers a flexible security model, allowing administrators to control how users and groups can interact with folders and files. These interactions are controlled through the assignment of permissions.
Basic and Advanced Permissions
NTFS permissions are logically grouped into a series of six basic permissions, each of which is comprised of a specific set of advanced (special) permissions. These groupings make it easier to apply complimentary permissions to users and groups.
Permissions can have different meanings depending on whether they're applied to folders or files. Let's start with the basic permissions.
Now we'll further refine our understanding of the available advanced (also known as "special") permissions.
- Traverse Folder / Execute File - Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Execute File allows or denies running program files (applies to files only).
- List Folder / Read Data - List Folder allows or denies viewing file names and subfolder names within the folder (applies to folders only). Read Data allows or denies viewing data in files (applies to files only).
- Read Attributes - Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS file system.
- Read Extended Attributes - Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
- Create Files / Write Data - Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
- Create Folders / Append Data - Create Folders allows or denies creating folders within the folder (applies to folders only). Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
- Write Attributes - Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
- Write Extended Attributes - Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
- Delete Subfolders and Files - Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
- Delete - Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
- Read Permissions - Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
- Change Permissions - Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
- Take Ownership - Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
By default, NTFS permissions for files and folders inherit the permissions of their parent folder. The primary purpose of file system permissions inheritance is to simplify administration. Without inheritance, administrators would need to specify permissions explicitly for each and every file and folder.
There are cases, however, when an administrator will need to assign explicit permissions to a file system branch. This can be accomplished by disabling permissions inheritance for a given set of child objects (files or folders) and then assigning the desired permissions.
Network Share Permissions
Windows shares can be used to provide access to one or more folders via the network. Share permissions are distinct from NTFS permissions and take effect when the associated folder is accessed from a remote machine. Share permissions are also less granular than NTFS permissions, offering Read, Change, and Full Control access levels.
Rules for Determining User Access
Let's review the rules that govern how these permissions systems work together to regulate access.
- If a file system object is accessed locally, NTFS permissions alone are used to control access.
- If a file system object is accessed through a share, NTFS and share permissions are merged and the most restrictive permission level wins.
- A user's individual and group membership permissions (if applicable) are merged additively, producing a cumulative effect.
- Permissions explicitly assigned to an object will override any permissions inherited from a parent object.
- Permissions inherited from nearby relatives (e.g. an object's parent folder) take precedence over more distant predecessors (e.g. an object's grandparent folder).
- Explicit deny permissions take precendence over explicit allow permissions, but explicit allow permissions take precedence over inherited deny permissions.