NTFS permissions

What are NTFS permissions?

New Technology File System (NTFS) is the primary file system used by Windows NT systems to store, organize, and retrieve files. NTFS was introduced in 1993 as part of the Windows NT 3.1 release.

Access to files and folders in NT file systems can be regulated using the NTFS permissions. NTFS permissions can be broadly categorized into basic permissions and special permissions, and each category comprises of various performable actions such as read, write, modify, full control, and others.

In a cross-functional organizational structure, multiple departments may require access to the same files. For instance, an XLS file containing lead data from a trade show could be valuable to both the sales and marketing teams, albeit for different purposes. Sales might require read-only access, while marketing may need full control for tracking campaign performance and making necessary modifications. In such instances, administrators can use NTFS permissions to enable collaboration while maintaining the principle of least privilege and preventing undue access.

NTFS permissions list

NTFS basic permissions can be configured in file or folder properties (Properties > Security > Select the group or user name > Permissions for the selected group or user name).

Here's a list of actions a user or group may perform with a particular NTFS basic permission:

Permission What it controls
Full Control Read, write, execute, delete, and modify file or folder content and permissions.
Modify Read, write, execute, and delete file or folder content. Permissions can't be modified.
Read & Execute View file or folder content, execute scripts and programs.
List Folder Contents View directories and files contained in the folder.
Read Read file or folder contents.
Write Create, edit, and delete files or folders.
Special Permissions Provide more granular control over files or folders. Refer to the NTFS special permissions section for a better understanding.

NTFS special permissions

NTFS special permissions can be configured from the Advanced Security Settings tab (Properties > Security > Advanced > Permissions).

Here's a list of actions a user or group can perform with a particular NTFS special permission.

Special permission Actions
Traverse Folder / Execute File Traverse through subfolders and execute files.
List Folder / Read Data Read folder content, folder, and file names. Access to file content is denied.
Read Attributes Read file or folder attributes.
Read Extended Attributes Read extended attributes of a file or folder.
Create Files / Write Data Create files and write content.
Create Folders / Append Data Create subfolders and append data to existing files.
Write Attributes Modify the attributes of a file or folder.
Write Extended Attributes Modify the extended attributes of a file or folder.
Delete Subfolders and Files Files and subfolders can be deleted.
Delete Delete a folder or file.
Read Permissions View permissions of a file or folder.
Change Permissions Change permissions of a file or folder.
Take Ownership Take ownership of a file or folder.
Full Control Full control of a file or folder; can modify permissions too.

Understanding NTFS permissions inheritance

NTFS supports permission inheritance, meaning that files and subfolders will have the permissions that are set on the parent folder. By default, inheritance will be enabled for files and subfolders created within a parent folder. This helps in maintaining consistent permissions throughout a directory.

Furthermore, NTFS allows the breaking of inheritance and setting explicit permissions, but this adds complexity, security risks, and permission inconsistencies. Hence, administrators must exercise caution when resorting to explicit permissions.

Permission inheritance is distinctive for NTFS permissions, as share permissions do not allow inheritance.

NTFS permissions vs. share permissions


Point of difference NTFS permissions Share permissions
Configuration Properties > Security For special permissions: Properties > Security > Advanced Properties > Sharing > Advanced Sharing > Permissions
Scope Applicable for local access and network access. Applicable for network access.
Access levels Offer relatively granular access levels. Refer to the previous sections on NTFS permissions list and NTFS special permissions for a better understanding of NTFS access levels. Offer three access levels: Read, Change, Full Control.
Concurrent access Concurrent connections can't be restricted. Concurrent connections can be restricted.
Inheritance Support inheritance from parent folders to subfolders and files. Permissions aren't automatically inherited to subfolder/files. They apply only to the shared folder.
Sub-levels Allow explicit permissions for files and subfolders. Applied at shared-folder level and affect all contents within that folder.

Despite the differences, IT administrators can use share and NTFS permissions in conjunction. When used in conjunction, the most restrictive permission applies. For instance, if share permissions are set to Full Control and NTFS permissions are set to Write, the user will get Write access over the file.

However, if one set of permissions and more granular control better suits your organization, you can adopt NTFS permissions. But, make sure that you set the share permissions access level to full control to avoid overlap with the NTFS permissions.

Analyzing NTFS permissions with DataSecurity Plus

The flexibility and granularity offered by NTFS permissions make it a viable option for organizations. However, keeping track of an ever expanding NTFS can get tedious. With the help of DataSecurity Plus' NTFS permissions auditing tool, you can audit permissions changes, identify permission inconsistencies, and ensure that the principle of least privilege is maintained. Further, the DataSecurity Plus solution helps you to:

  • Identify privileged users in your environment with the permission analyzer tool and closely monitor their activities.
  • Audit file server permissions for files owned by inactive users, orphaned files, broken inheritances, and other potential security vulnerabilities.
  • Analyze effective permissions easily with its advanced file analysis capabilities, including on-demand reports.

Try out these features and more using our free, fully-functional trial for 30 days

Download free trial
Email Download Link