NTFS permissions in Windows are used to restrict access to folders and files on disk partitions formatted with the NTFS file system. NTFS permissions provide flexible protection for file system objects: they can be applied to folders or to individual files, and they apply both to local users and to remote users accessing the files over the network via the SMB protocol.
Each NTFS file or folder (object) has a separate record in a special table, the MFT (Master File Table). Each record contains a Security Descriptor that includes two ACLs:
- System Access Control List (SACL) — used to audit access to objects on the NTFS file system;
- Discretionary Access Control List (DACL) — the list of users and groups together with the permissions each of them has on the object.
When we talk about access permissions on NTFS objects, we usually mean DACLs (from here on we will use the term ACL for them).
Each entry (ACE) in an object’s NTFS ACL contains the following fields:
- The security identifier (SID) of the user or group to which this entry applies;
- The permissions on the object for that SID;
- Inheritance flags;
- The type of the entry (ACE): allow, deny or audit.
An access token is generated from the user account when the user logs on. The access token contains the user’s SID and the SIDs of all local and domain groups to which the user belongs. When the user accesses an NTFS object, Windows compares the data in the access token with the ACL of the file (folder) and grants or refuses access based on that comparison.
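The token-versus-ACL comparison described above can be observed directly. The following PowerShell script is an added example, not code from the original article: it reads the ACL of a file, collects the SIDs in the current user's access token, and marks which ACEs apply to that token. The default value of `$Path` is an assumption for the demo; any file or folder whose permissions you are allowed to read will do.

```powershell
# Added example (not from the original article): list the ACEs of an NTFS object
# and mark which of them apply to the current user's access token.
# $Path is an assumption for the demo; point it at any file or folder.
param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

# The token: the user's own SID plus every local and domain group SID
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

$acl = Get-Acl -LiteralPath $Path
"Owner: {0}" -f $acl.Owner

$allowMask = 0
$denyMask  = 0
$report = foreach ($ace in $acl.Access) {
    # Get-Acl shows resolvable SIDs as DOMAIN\Name; translate back to a SID for comparison
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $sid = $null }   # orphaned SID that cannot be resolved any more
    $inToken = ($null -ne $sid) -and ($tokenSids -contains $sid)
    if ($inToken) {
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allowMask = $allowMask -bor $bits }
        else                                    { $denyMask  = $denyMask  -bor $bits }
    }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        InToken   = $inToken
    }
}
$report | Format-Table -AutoSize

# Rough effective rights: everything allowed to the token minus anything denied to it.
# Windows evaluates ACEs in order (explicit deny, explicit allow, then inherited ones),
# so treat this as an approximation and use the Effective Access tab of the
# Advanced Security Settings dialog for the authoritative answer.
[System.Security.AccessControl.FileSystemRights]($allowMask -band (-bnot $denyMask))
```

The `InToken` column is the interesting one when troubleshooting access: an ACE that grants generous rights to a group the user is not a member of does nothing for that user, and a single matching Deny ACE removes rights regardless of how many Allow entries match. The same ACEs can be listed in compact form with `icacls <path>`.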
You can view and manage the current NTFS permissions on file system objects from File Explorer (or from the command line using the icacls utility).
Select any file or folder in File Explorer, open its properties and go to the Security tab.
In the upper part (the Groups or user names section) there is a list of SIDs (automatically converted to user or group names); in the Permissions section you can see the NTFS permissions for the selected SID and the assigned access type (ACE).
To add a new user/group SID to the file/folder ACL, click the Edit button (available if UAC is enabled) and use the Add/Remove buttons to add a user name to the ACL. After you add the SID of the user (group), you can select the access permissions on the object.
Let’s consider the list of basic NTFS file system permissions:
- List Folder Contents — view a list of files in a folder;
- Read — view (in read-only mode) the file or folder;
- Read and execute — read files and run executable files;
- Write — create files (folders) and edit them (without the ability to delete them);
- Modify — includes the Write permission and allows you to delete objects from the file system;
- Full Control — includes the Modify permission and additionally allows you to control access to the object (ACL modification).
You can see that all NTFS permissions are granted for the selected SYSTEM account (see the screenshot below).
In addition to the basic NTFS permissions, there are advanced permissions that allow you to manage access to file system objects more granularly.
If special NTFS permissions are assigned to the selected SID, the “Special permissions” option will be checked in the list of permissions.
To view and edit advanced permissions, click the Advanced button, select a user or group, and click the Edit button.
To display advanced permissions, click the Show advanced permissions link.
Full list of advanced NTFS permissions:
- Traverse folder/execute file;
- List folder/read data;
- Read attributes;
- Read extended attributes;
- Create files/write data;
- Create folders/append data;
- Write attributes;
- Write extended attributes;
- Delete subfolders and files;
- Read permissions;
- Change permissions;
- Take ownership.
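The basic permissions from the earlier list are just fixed combinations of these advanced rights, and the relationship can be checked from the flag values of the .NET `FileSystemRights` enumeration that `Get-Acl` and `Set-Acl` work with. The script below is an added example, not part of the original article; it decomposes each basic permission into the advanced rights it contains. It also lists the `Delete` and `Synchronize` bits, which the Advanced Security Settings dialog shows but the list above does not mention.

```powershell
# Added example (not from the original article): decompose the basic NTFS
# permissions into the advanced rights they are made of, using the flag values
# of the .NET FileSystemRights enumeration.
$Rights = [System.Security.AccessControl.FileSystemRights]

# Atomic rights, labelled as the Advanced Security Settings dialog shows them.
# ReadData/ListDirectory, WriteData/CreateFiles, AppendData/CreateDirectories and
# ExecuteFile/Traverse are one bit each; the displayed name depends on file vs. folder.
$atomic = [ordered]@{
    'Traverse folder / execute file' = $Rights::ExecuteFile
    'List folder / read data'        = $Rights::ReadData
    'Read attributes'                = $Rights::ReadAttributes
    'Read extended attributes'       = $Rights::ReadExtendedAttributes
    'Create files / write data'      = $Rights::WriteData
    'Create folders / append data'   = $Rights::AppendData
    'Write attributes'               = $Rights::WriteAttributes
    'Write extended attributes'      = $Rights::WriteExtendedAttributes
    'Delete subfolders and files'    = $Rights::DeleteSubdirectoriesAndFiles
    'Delete'                         = $Rights::Delete
    'Read permissions'               = $Rights::ReadPermissions
    'Change permissions'             = $Rights::ChangePermissions
    'Take ownership'                 = $Rights::TakeOwnership
    'Synchronize'                    = $Rights::Synchronize
}

function Expand-FileSystemRights {
    # Return the names of every atomic right whose bit is set in $Value
    param([System.Security.AccessControl.FileSystemRights]$Value)
    $mask = [int]$Value
    foreach ($entry in $atomic.GetEnumerator()) {
        $bit = [int]$entry.Value
        if (($mask -band $bit) -eq $bit) { $entry.Key }
    }
}

foreach ($name in 'Read', 'ReadAndExecute', 'Write', 'Modify', 'FullControl') {
    $value = [Enum]::Parse($Rights, $name)
    '{0,-15} mask 0x{1:X6}' -f $name, [int]$value
    Expand-FileSystemRights $value | ForEach-Object { "    $_" }
}
```

Running it shows why the basic permissions nest the way the article describes: `Modify` is `ReadAndExecute` plus `Write` plus `Delete`, and `FullControl` adds `Delete subfolders and files`, `Change permissions` and `Take ownership` on top of that. The basic `List folder contents` permission has the same mask as `Read and execute`; it differs only in being applied to folders (inheritance flags for subfolders only), which is why it has no separate value in the enumeration.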
All file and folder permissions are divided into two types: explicit and inherited (implicit). NTFS inheritance automatically transfers permissions from a parent object to its child objects.
In the screenshot below, you can see that the object’s permissions are inherited (Inherited from: C:). You can disable inheritance by clicking the Disable inheritance button. In this case you can convert the object’s permissions to explicit ones.
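The same inheritance behaviour, and the conversion from inherited to explicit permissions, can be reproduced from PowerShell. The script below is an added example and not code from the original article: it builds a throwaway folder tree under `%TEMP%` (the folder name is constructed), adds an explicit ACE on the root, shows it arriving on the child as an inherited entry, then disables inheritance on the child with the inherited entries preserved as explicit copies.

```powershell
# Added example (not from the original article): watch NTFS inheritance work on a
# throwaway folder tree under %TEMP%, then disable it and see the ACEs become explicit.
$root  = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())   # constructed demo path
$child = Join-Path $root 'child'
New-Item -ItemType Directory -Path $child -Force | Out-Null

function Show-Aces([string]$Path) {
    "--- $Path"
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}

# 1. Add an explicit Allow ACE on the root for BUILTIN\Users (well-known SID S-1-5-32-545),
#    flagged to propagate to subfolders (ContainerInherit) and files (ObjectInherit).
#    Using the SID rather than the name keeps the script independent of the UI language.
$users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$rule  = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $acl

Show-Aces $root    # the Users ACE is explicit here: IsInherited = False
Show-Aces $child   # the same ACE shows up on the child with IsInherited = True

# 2. Disable inheritance on the child. The second argument (preserveInheritance = $true)
#    keeps copies of the inherited ACEs as explicit entries, which is what
#    "Convert inherited permissions into explicit permissions" does in the dialog;
#    $false would remove them instead.
$childAcl = Get-Acl -LiteralPath $child
$childAcl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $child -AclObject $childAcl

Show-Aces $child   # same ACEs, now IsInherited = False

Remove-Item -LiteralPath $root -Recurse -Force
```

Once inheritance is disabled, later changes to the parent no longer reach the child, so a folder that was deliberately protected this way needs to be reviewed on its own; the `IsInherited = False` entries on an object deep inside a tree are the ones to look at when checking whether a share's permissions really are what the parent suggests.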
In addition to attributes and permissions, every object in the NTFS file system has an owner. This may be a local administrator, a user, TrustedInstaller, SYSTEM, etc. The owner can change the access permissions on their own files and folders, and a local administrator can make themselves the owner of any NTFS object and then change its permissions (you can use the takeown command to change ownership).
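Because ownership can be reassigned, it is worth checking periodically. The following script is an added example, not part of the original article: it walks a path, reads the owner of every object, and compares owners by SID (so the check does not depend on localised display names) against a set of owners you consider normal for that location. The default `$Path` and the expected-owner set are assumptions for the demo; the SIDs listed are the well-known SIDs of SYSTEM, Administrators and the TrustedInstaller service.

```powershell
# Added example (not from the original article): report who owns the objects under
# a path and flag owners outside an expected set, comparing by SID.
# $Path and $expected are assumptions for the demo; adjust them to the tree you audit.
param([string]$Path = "$env:SystemRoot\System32\drivers")

$expected = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' = 'NT SERVICE\TrustedInstaller'
}

$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$rows = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        # GetOwner() returns the raw SID; $acl.Owner is the resolved DOMAIN\Name string
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            Path     = $item.FullName
            Owner    = $acl.Owner
            OwnerSid = $sid
            Expected = $expected.ContainsKey($sid)
        }
    } catch {
        # Reading the owner needs the "Read permissions" right; report the gap instead of hiding it
        [pscustomobject]@{ Path = $item.FullName; Owner = '<access denied>'; OwnerSid = $null; Expected = $false }
    }
}

"Objects per owner under $Path"
$rows | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Objects with an unexpected owner:"
$rows | Where-Object { -not $_.Expected } | Select-Object Owner, Path | Format-Table -AutoSize
```

A user account appearing as the owner of objects inside a system or application directory is exactly the trace that a manual `takeown` or a Take ownership action from the Advanced Security Settings dialog leaves behind, which makes the second table a cheap baseline to compare between runs.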