What are NTFS permissions?

NTFS permissions govern access to files and directories on Windows drives. These permissions apply regardless of whether the files are accessed locally from a computer or using a share via the network.
NTFS permissions can be set by right-clicking on a folder and selecting “Properties“ from the menu. Navigate to the “Security” tab to set the permissions. There are a number of permission levels to choose from:

  • List Folder Contents: The user is allowed to see which directories and files are contained in the folder.
  • Read & Execute: The user may view the file contents in the folder and run programs.
  • Modify: The user is additionally allowed to change the content of files and directories.
  • Full Control: The user is allowed to change system settings, such as permissions or ownership of the folder.

There are several more settings and options that can be set.

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up now

How do share permissions work?

Share permissions are used to control access to folders (and their subfolders and files) when accessed over a network. Share permissions therefore have no influence if files are accessed locally using a computer.
When combined with NTFS permissions, share permissions always have priority. This means that share permissions can restrict NTFS permissions, but not extend them. Share permissions are limited to the levels “Read & Execute”, ” Modify” and “Full Control”. It is not possible to make advanced settings.

To illustrate: Let’s assume folder “\\srv\Department\Sales“ is accessed using the network share (as mentioned earlier, for local access to the file server itself, only NTFS permissions apply – share permissions have no effect).

Example #1:
• NTFS permission: “Full Control“
• Share permission: “Read & Execute“
• Effective user permissions: “Read & Execute“

The share permission does not allow “full control” when access is attempted over a network.

Example #2:
• NTFS permission: “Read & Execute“
• Share permission: “Full Control“
• Effective user permission: “Read & Execute“

Although the share permission would enable “full control” over the network, NTFS limits access to “Read & Execute”.

What settings are recommended?

We recommend setting the share permission to “Everyone“ and the permission level to “Full control“. No further share permissions should be set. This ensures that access on a network level is not restricted and that only the NTFS permissions apply.

Using NTFS only to control file server permissions has significant advantages:

• Combining NTFS permissions and share permissions is too confusing and complex
• NTFS permissions allow a granular assignment of permissions
• NTFS permissions apply even if the server is accessed locally