OVERVIEW OF NTFS PERMISSIONS

NTFS is the default file system of the Windows operating system family, offering a wide range of advanced features such as journaling, compression, quotas, and much more. NTFS also offers a flexible security model, allowing administrators to control how users and groups can interact with folders and files. These interactions are controlled through the assignment of permissions.

Basic and Advanced PermissionsBasic and Advanced Permissions

NTFS permissions are logically grouped into a series of six basic permissions, each of which is comprised of a specific set of advanced (special) permissions. These groupings make it easier to apply complimentary permissions to users and groups.

PERMISSION Read Write List Folder Contents Read & Execute Modify Full Control
Traverse Folder / Execute File List folder contents Read and execute Modify Full control
List Folder / Read Data Read List folder contents Read and execute Modify Full control
Read Attributes Read List folder contents Read and execute Modify Full control
Read Extended Attributes Read List folder contents Read and execute Modify Full control
Create Files / Write Data Write Modify Full control
Create Folders / Append Data Write Modify Full control
Write Attributes Write Modify Full control
Write Extended Attributes Write Modify Full control
Delete Subfolders and Files Full control
Delete Modify Full control
Read Permissions Read List folder contents Read and execute Modify Full control
Change Permissions Full control
Take Ownership Full control

Permissions can have different meanings depending on whether they're applied to folders or files. Let's start with the basic permissions.

Permission Meaning for Folders Meaning for Files
Read Permits viewing and listing of files and subfolders Permits viewing or accessing of the file’s contents
Write Permits adding of files and subfolders Permits writing to a file
Read & Execute Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders Permits viewing and accessing of the file’s contents as well as executing the file
List Folder Contents Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only N/A
Modify Permits reading and writing of files and subfolders; allows deletion of the folder Permits reading and writing of the file; allows deletion of the file
Full Control Permits reading, writing, changing, and deleting of files and subfolders Permits reading, writing, changing, and deleting of the file

Now we'll further refine our understanding of the available advanced (also known as "special") permissions.

  • Traverse Folder / Execute File - Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Execute File allows or denies running program files (applies to files only).
  • List Folder / Read Data - List Folder allows or denies viewing file names and subfolder names within the folder (applies to folders only). Read Data allows or denies viewing data in files (applies to files only).
  • Read Attributes - Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS file system.
  • Read Extended Attributes - Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
  • Create Files / Write Data - Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
  • Create Folders / Append Data - Create Folders allows or denies creating folders within the folder (applies to folders only). Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
  • Write Attributes - Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
  • Write Extended Attributes - Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
  • Delete Subfolders and Files - Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
  • Delete - Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
  • Read Permissions - Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
  • Change Permissions - Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
  • Take Ownership - Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

Permission InheritancePermission Inheritance

By default, NTFS permissions for files and folders inherit the permissions of their parent folder. The primary purpose of file system permissions inheritance is to simplify administration. Without inheritance, administrators would need to specify permissions explicitly for each and every file and folder.

There are cases, however, when an administrator will need to assign explicit permissions to a file system branch. This can be accomplished by disabling permissions inheritance for a given set of child objects (files or folders) and then assigning the desired permissions.

Network Share PermissionsNetwork Share Permissions

Windows shares can be used to provide access to one or more folders via the network. Share permissions are distinct from NTFS permissions and take effect when the associated folder is accessed from a remote machine. Share permissions are also less granular than NTFS permissions, offering Read, Change, and Full Control access levels.

Rules for Determining User AccessRules for Determining User Access

Let's review the rules that govern how these permissions systems work together to regulate access.

  • If a file system object is accessed locally, NTFS permissions alone are used to control access.
  • If a file system object is accessed through a share, NTFS and share permissions are merged and the most restrictive permission level wins.
  • A user's individual and group membership permissions (if applicable) are merged additively, producing a cumulative effect.
  • Permissions explicitly assigned to an object will override any permissions inherited from a parent object.
  • Permissions inherited from nearby relatives (e.g. an object's parent folder) take precedence over more distant predecessors (e.g. an object's grandparent folder).
  • Explicit deny permissions take precendence over explicit allow permissions, but explicit allow permissions take precedence over inherited deny permissions.

Related LinksRelated Links

SAFE. TRUSTED. GUARANTEED.

  • 100% malware free
  • 100% spyware free
  • 100% adware free
  • 100% quality software