If several people in a company need to use the same local resources, there must be a simple and efficient way of controlling access to these resources. Commonly, this is done using share permissions and/or NTFS permissions. Both serve the purpose of protecting data and preventing unauthorized access. While they can coexist, they work in different ways.
Today, we are going to take a closer look at the difference between share permissions and NTFS permissions and illustrate some best practice examples for using both methods in Microsoft Windows environments.
What Are NTFS Permissions?
NTFS (New Technology File System) is the standardized file system for Microsoft Windows NT and newer versions of Microsoft’s operating system. NTFS permissions govern access to folders and files on Windows drives. What’s special about NTFS permissions is that they apply both when a resource is accessed locally on the computer and when it is accessed over the network. That is the key difference between NTFS permissions and share permissions: share permissions apply only when access is made over the network. They do not apply to local access on the computer itself.
Setting NTFS Permissions
Setting NTFS permissions is not overly complicated, though there are a couple of things you should be aware of. Our article Setting NTFS Permissions covers the 4 most common mistakes and outlines the best practices for dealing with NTFS permissions.
To set an NTFS permission, right-click on a folder or file and select “Properties”, then navigate to the “Security” tab to set your permissions.
While share permissions allow only three options (Full access, Modify and Read), NTFS permissions allow you to set access at a more granular level, both for individuals and groups.
The level of access you set can be passed on to subordinate files or folders through NTFS permission inheritance. The following NTFS permission levels are the most important ones:
How Do Share Permissions Work?
Share permissions are used to control access to shared folders (and their subfolders and files) when accessed over a network. This means that if a folder is accessed locally on the PC, the share permission has no influence. To set share permissions, right-click on the folder, go to “Properties”, click on the “Sharing” tab, then “Advanced Sharing” and, finally, click on “Permissions”.
Unlike NTFS permissions, share permission levels are limited to “Read”, “Modify” and “Full access”.
The Issue With Share Permissions
The last thing you need in your company is a complicated, messy and convoluted access structure. But if you decide to use share permissions only, that’s probably what you’re going to be dealing with. One reason is that share permissions allow you to have different levels of permission within the same folder hierarchy, and that can be very confusing and misleading. Users might unintentionally end up receiving more rights to a folder than intended because the share permission on a lower-level folder allows more access than the share permission on a folder higher up in the hierarchy.
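The nested-share problem described above can be checked for with a short script. This is an added example, not part of the original article: the function name Find-NestedShareEscalation and the sample shares and accounts are constructed, and it assumes input shaped like the output of Get-SmbShare and Get-SmbShareAccess. Accounts are compared by name only, so group membership is not resolved.

```powershell
# Added example: flag shares located below another share's folder whose
# share-level ACL gives an account more than the parent share does.
function Find-NestedShareEscalation {
    param([object[]]$Shares, [object[]]$Access)
    # Share-level rights as Get-SmbShareAccess reports them; 'Custom' ranks as 0.
    $rank  = @{ Read = 1; Change = 2; Full = 3 }
    $allow = $Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    foreach ($child in $Shares) {
        foreach ($parent in $Shares) {
            # A share is nested when its path lies below another share's path.
            $root = $parent.Path.TrimEnd('\') + '\'
            if (-not $child.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { continue }
            foreach ($ace in $allow | Where-Object { $_.Name -eq $child.Name }) {
                # Highest right the same account name holds on the parent share.
                $best = 0; $bestName = 'none'
                foreach ($p in $allow | Where-Object { $_.Name -eq $parent.Name -and $_.AccountName -eq $ace.AccountName }) {
                    $r = [int]$rank["$($p.AccessRight)"]
                    if ($r -gt $best) { $best = $r; $bestName = "$($p.AccessRight)" }
                }
                if ([int]$rank["$($ace.AccessRight)"] -gt $best) {
                    [pscustomobject]@{
                        Account     = $ace.AccountName
                        ParentShare = $parent.Name
                        ParentRight = $bestName
                        NestedShare = $child.Name
                        NestedRight = "$($ace.AccessRight)"
                    }
                }
            }
        }
    }
}

# Constructed sample data. On a file server, collect the real values with:
#   $shares = Get-SmbShare -Special $false | Where-Object Path
#   $access = $shares | Get-SmbShareAccess
$shares = @(
    [pscustomobject]@{ Name = 'Dept';    Path = 'D:\Data\Dept' }
    [pscustomobject]@{ Name = 'Payroll'; Path = 'D:\Data\Dept\Payroll' }
)
$access = @(
    [pscustomobject]@{ Name = 'Dept';    AccountName = 'CORP\Staff'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Payroll'; AccountName = 'CORP\Staff'; AccessControlType = 'Allow'; AccessRight = 'Full' }
)
Find-NestedShareEscalation -Shares $shares -Access $access | Format-Table -AutoSize
```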