NTFS SECURITY & COMPLIANCE FAQ

Identifying access to sensitive data is critical for security and compliance. Here's a comprehensive approach:

Manual methods to check access:

# Check specific folder permissions icacls "C:\Sensitive\Data" /T > permissions.txt # Find all users with modify or greater access Get-Acl "C:\Sensitive\Data" | Select -ExpandProperty Access | Where {$_.FileSystemRights -match "Modify|FullControl"} # Check effective permissions for specific user icacls "C:\Sensitive\Data" /findsid domain\username

What to look for in sensitive folders:

• Excessive permissions - Users with Full Control who don't need it
• Generic groups - 'Everyone', 'Authenticated Users', 'Domain Users'
• Orphaned SIDs - Deleted accounts still in ACLs (see Finding Orphaned SIDs)
• Service accounts - Unnecessary application access
• Inheritance issues - Permissions flowing from parent folders

Compliance-focused audit approach:

• Identify sensitive data locations - HR, Finance, Customer data
• Document legitimate access needs - Who needs what and why
• Review current permissions - Compare against documented needs
• Remove excessive access - Apply least privilege principle
• Enable auditing - Track who accesses sensitive files

PowerShell script for comprehensive audit:

$sensitive = @("C:\HR", "C:\Finance", "C:\CustomerData") foreach ($path in $sensitive) { Get-ChildItem $path -Recurse | Get-Acl | Select Path, Owner, @{Name='Access';Expression={$_.Access}} | Export-Csv "SensitiveAccess_$(Get-Date -f yyyyMMdd).csv" }

Proper NTFS permissions are your first line of defense against ransomware encryption:

Ransomware-resistant permission strategy:

• Remove unnecessary write permissions - Users can't encrypt what they can't modify
• Separate read and write access - Different groups for different needs
• Protect backup locations - Write-once permissions for backup folders
• Isolate critical data - Air-gap permissions for essential files

Recommended permission structure:

# Archive/Reference Data (read-only for users) Users: Read & Execute Admins: Full Control SYSTEM: Full Control # Working Data (controlled write) Users_Read: Read & Execute Users_Write: Modify (specific users only) Admins: Full Control # Backup Location (append-only) Backup_Service: Create Files/Write Data (no delete) Admins: Full Control (restricted access)

Advanced protection techniques:

• File Screen Manager - Block executable files in data folders
• Deny permissions - Explicitly deny 'Delete' for critical files
• CREATOR OWNER restrictions - Prevent users from encrypting own files
• Honeypot folders - Detect ransomware activity early

Windows Defender folder protection:

# Enable Controlled Folder Access Set-MpPreference -EnableControlledFolderAccess Enabled # Add protected folders Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\CriticalData" # Allow specific apps Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Apps\Allowed.exe"

Regulatory compliance requires specific NTFS permission configurations and audit trails:

HIPAA Requirements (Healthcare):

• Access controls - Unique user identification, automatic logoff
• Audit logs - Track all PHI (Protected Health Information) access
• Integrity controls - Prevent unauthorized changes to ePHI
• Transmission security - Encrypted file transfers
• Minimum necessary access - Users see only required patient data

SOX Requirements (Financial):

• Segregation of duties - Separate create/approve permissions
• Change documentation - Track all permission modifications
• Quarterly access reviews - Verify appropriate access
• Data retention - 7-year audit trail requirement

GDPR Requirements (EU Privacy):

• Purpose limitation - Access only for specified purposes
• Data minimization - Minimum access necessary
• Right to erasure - Ability to delete personal data
• Security measures - Encryption and access controls

Implementation checklist:

# Enable auditing for sensitive folders auditpol /set /subcategory:"File System" /success:enable /failure:enable # PowerShell audit configuration $AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule( "Everyone", "Delete,Write,ChangePermissions", "Success,Failure") $ACL = Get-Acl "C:\SensitiveData" $ACL.SetAuditRule($AuditRule) Set-Acl "C:\SensitiveData" $ACL

Required documentation:

• Access control matrix - Who has access to what
• Change logs - When permissions were modified
• Review records - Quarterly/annual access audits
• Incident reports - Unauthorized access attempts

Regular permission audits are essential for security and compliance. Here's a comprehensive audit strategy:

Recommended audit frequency:

• Critical systems - Weekly automated scans
• Sensitive data folders - Monthly detailed review
• General file shares - Quarterly assessment
• After major changes - Immediate verification
• Compliance audits - Annual comprehensive review

Key items to audit:

• Excessive permissions - Full Control where Modify suffices
• Orphaned SIDs - Deleted accounts still in ACLs
• Everyone/Guest access - Overly permissive settings
• Inheritance breaks - Inconsistent subfolder permissions
• Service account creep - Applications with unnecessary access
• Time-based access needs - Contractors, temporary employees

Automated audit PowerShell script:

# Weekly security audit script $issues = @() # Check for Everyone group Get-ChildItem C:\ -Recurse -Directory | Get-Acl | Where {$_.Access.IdentityReference -contains 'Everyone'} | ForEach {$issues += "Everyone access: $($_.Path)"} # Find orphaned SIDs Get-ChildItem C:\ -Recurse | Get-Acl | Where {$_.Access.IdentityReference -match 'S-1-5-21'} | ForEach {$issues += "Orphaned SID: $($_.Path)"} # Email results Send-MailMessage -To "admin@company.com" -Subject "Weekly Audit" -Body ($issues -join "`n")

What to document:

• Baseline permissions - Normal state documentation
• Change justifications - Why permissions were modified
• Exception tracking - Temporary elevated access
• Remediation actions - How issues were resolved

Privilege escalation through permission manipulation is a common attack vector that requires vigilant monitoring:

Common escalation techniques:

• Permission inheritance exploitation - Adding users to parent folders
• CREATOR OWNER abuse - Users modifying their own file permissions
• Backup privilege misuse - Using backup rights to read any file
• Service account compromise - Hijacking high-privilege accounts
• Symbolic link attacks - Redirecting privileged operations

Detection methods:

# Monitor permission changes Get-EventLog -LogName Security -InstanceId 4670 | Where {$_.Message -match "Permissions on.*were changed"} # Track privilege use Get-EventLog -LogName Security | Where {$_.EventID -in @(4672,4673,4674)} # Special privilege events # Detect CREATOR OWNER modifications Get-ChildItem -Recurse | Get-Acl | Where {$_.Access | Where {$_.IdentityReference -eq 'CREATOR OWNER' -and $_.FileSystemRights -match 'ChangePermissions'}}

Prevention strategies:

• Remove ChangePermissions right - Don't let users modify ACLs
• Restrict CREATOR OWNER - Limit to Modify, not Full Control
• Separate admin accounts - Different accounts for different privileges
• Monitor service accounts - Alert on unusual activity
• Disable symbolic links - fsutil behavior set SymlinkEvaluation L2L:0

Hardening critical folders:

# Remove dangerous permissions icacls "C:\Critical" /remove:g "CREATOR OWNER" /T icacls "C:\Critical" /deny "Users:(WD,AD,WEA,WA)" # Deny write attributes # Enable advanced auditing auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable

Service accounts require special attention as they're high-value targets for attackers:

Service account security principles:

• Least privilege - Only permissions required for function
• Purpose-specific accounts - One service, one account
• No interactive logon - Service accounts shouldn't log in
• Strong passwords - Long, complex, regularly rotated
• Managed Service Accounts - Use MSA/gMSA when possible

Proper permission assignment:

# Create managed service account New-ADServiceAccount -Name SQLService -RestrictToSingleComputer # Grant specific folder access only $acl = Get-Acl "C:\AppData" $permission = "DOMAIN\SQLService$","Modify","ContainerInherit,ObjectInherit","None","Allow" $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission $acl.SetAccessRule($accessRule) Set-Acl "C:\AppData" $acl # Deny interactive logon Set-ADAccountControl -Identity SQLService$ -CannotChangePassword $true -PasswordNeverExpires $true

Common service account mistakes:

• Domain Admin membership - Services rarely need this
• Password in scripts - Use Windows Credential Manager
• Shared service accounts - Multiple services, one account
• Never-expiring passwords - Without rotation policy
• Local admin rights - When file permissions would suffice

Audit service account usage:

# Find all service accounts and their permissions Get-WmiObject Win32_Service | Select Name, StartName, PathName | Where {$_.StartName -notlike "*LocalSystem*" -and $_.StartName -notlike "*NetworkService*"} # Check service account file access ForEach ($service in $services) { icacls C:\ /findsid $service.StartName /T }