NTFS Permissions

Managing NTFS Permissions in Windows

NTFS permissions in Windows are used to restrict access to folders and files on disk partitions formatted with the NTFS file system. NTFS permissions provide flexible protection for file system objects, they can be applied to folders or to individual files; they apply both on local and on remote users (when accessing files via the network via the SMB protocol).

Each NTFS file or folder (object) has a separate record in the special table MFT (Master File Table). Each record contains a Security Descriptor consisting of two ACLs:

  • System Access Control List (SACL) — system access control list. Used to audit access to objects on the NTFS file system;
  • Discretionary Access Control List (DACL) — an access list in which users and groups are defined and their permissions to access an object.

When we talk about access permissions on the NTFS objects, we usually mean DACLs (later we will use the term ACL for them).

The object’s NTFS ACL contains the following fields:

  • A security identifier (SID) of the user or group to which this record applies;
  • List of object’s for a given SID;
  • Inheritance flags;
  • Access type (ACE): allow, deny or audit.

The access token is generated based on the user account when the user logs on. The access token contains the user SID and the SIDs of all local and domain groups in which user belongs. When a user accesses the NTFS object, Windows compares the data from the Access token with the file (folder) ACL and provides access based on this data.

You can view and manage current NTFS permissions on file system objects from File Explorer (or you can manage NTFS permissions from cli using the utility iCACLS).

Select any file or folder in File Explorer, open its properties and go to the Security tab.

In the upper part (the Groups or user names section) there is a list of SIDs (automatically converted to the user or group names), in the Permissions section you can see the NTFS permissions for the selected SID and the assigned access type (ACE).

ntfs permissions

To add a new user/group SID to the file/folder ACL, click the Edit button (available if the UAC is enabled) and use the Add/Remove buttons to add a username to the ACL. After you add the SID of the user (group), you can select an access permission on the object.

ntfs file permissions

Let’s consider the list of basic NTFS file system permissions:

  • List Folder Contents — view a list of files in a folder;
  • Read — view (in read-only mode) the file or folder;
  • Read and execute — allows to read files and run executables;
  • Write — the permission to create files (folders) and edit them (without the possibility of deletion);
  • Modify — includes the Write permission and allows you to delete objects from the file system;
  • Full Control — includes the Modify permission and additionally allows you to control access to the object (ACL modification).

You can see that all NTFS permissions are granted for the selected SYSTEM account (see the screenshot below).

In addition to basic NTFS permissions, there are additional permissions that allow you to manage access permissions on a file system objects more flexibly.
If special NTFS permissions are assigned to the selected SID, the option “Special permissions” will be marked in the list of permissions.

ntfs share permissions

To view and edit advanced permissions, click the Advanced button, select a user or group, and click the Edit button.

ntfs permissions explained

To display advanced permissions, click the Show advanced permissions link.

windows folder permissions

Full list of advanced NTFS permissions:

  • Traverse folder/execute file;
  • List folder/read data;
  • Read attributes;
  • Read extended attributes;
  • Create files/write data;
  • Create folders/append data;
  • Write attributes;
  • Write extended attributes;
  • Delete subfolders and files;
  • Delete;
  • Read permissions;
  • Change permissions;
  • Take ownership.

All permission files and folders permissions are divided into two types: explicit and inheritable (implicit). The mechanism of NTFS inheritance involves the automatic transfer of NTFS permission from the parent object to the child.

In the screenshot below, you can see that object permissions are inherited (Inhertited from: C:\). You can disable inheritance by clicking the Disable Inheritance button. In this case, you can change the object’s permissions to explicit.

ntfs folder permissions

In addition to attributes and permissions, every object in the NTFS file system has an owner attribute. This may be a local administrator, user, TrustedInstaller, SYSTEM, etc. The owner can change the access permissions on his files and folders, but the local administrator can reassign himself as the owner of any NTFS object and change the object permissions (you can use takeown command to change ownership).

You may also like:

Deploy LGPO with MDT 2013 Local Group Policy (LGPO) of computer is configured through gpedit.msc snap-in, which does not provide the possibility to export/import settings. That...
Using PsExec to Run Commands Remotely The PsExec is an easy Windows utility to replace the telnet tool. It allows you to run programs and processes on remote systems, using all the feature...
How to Migrate User Profiles with User State Migra... One of the most popular tools to migrate user profiles from one Windows computer to another is the set of CLI utilities – User State Migration Tool (U...
How to Mount Windows Folder into VMware ESXi In this article we will take a look on how to connect a network folder from Windows 2012 R2 Server as a datastore on the VMware ESXi host and use it t...
Store BitLocker Recovery Keys using Active Directo... In corporate segment one of the advantages of BitLocker Drive Encryption technology is the ability to store the Bitlocker recovery keys for encrypted ...

Add Your Comment