NTFS Permissions and Share Permissions – What’s the difference?

What are NTFS permissions?

NTFS permissions govern access to files and directories on Windows drives. These permissions apply regardless of whether the files are accessed locally from a computer or using a share via the network.
NTFS permissions can be set by right-clicking on a folder and selecting “Properties“ from the menu. Navigate to the “Security” tab to set the permissions. There are a number of permission levels to choose from:

  • List Folder Contents: The user is allowed to see which directories and files are contained in the folder.
  • Read & Execute: The user may view the file contents in the folder and run programs.
  • Modify: The user is additionally allowed to change the content of files and directories.
  • Full Control: The user is allowed to change system settings, such as permissions or ownership of the folder.

There are several more settings and options that can be set.

[FREE WHITEPAPER] Best Practices for Access Rights Management in Microsoft® environments.

Read our whitepaper to find out how best to handle NTFS permissions.


How do share permissions work?

Share permissions are used to control access to folders (and their subfolders and files) when accessed over a network. Share permissions therefore have no influence if files are accessed locally using a computer.
When combined with NTFS permissions, share permissions always have priority. This means that share permissions can restrict NTFS permissions, but not extend them. Share permissions are limited to the levels “Read & Execute”, ” Modify” and “Full Control”. It is not possible to make advanced settings.

To illustrate: Let’s assume folder “\\srv\Department\Sales“ is accessed using the network share (as mentioned earlier, for local access to the file server itself, only NTFS permissions apply – share permissions have no effect).

Example #1:
• NTFS permission: “Full Control“
• Share permission: “Read & Execute“
• Effective user permissions: “Read & Execute“

The share permission does not allow “full control” when access is attempted over a network.

Example #2:
• NTFS permission: “Read & Execute“
• Share permission: “Full Control“
• Effective user permission: “Read & Execute“

Although the share permission would enable “full control” over the network, NTFS limits access to “Read & Execute”.

What settings are recommended?

We recommend setting the share permission to “Everyone“ and the permission level to “Full control“. No further share permissions should be set. This ensures that access on a network level is not restricted and that only the NTFS permissions apply.

Using NTFS only to control file server permissions has significant advantages:

• Combining NTFS permissions and share permissions is too confusing and complex
• NTFS permissions allow a granular assignment of permissions
• NTFS permissions apply even if the server is accessed locally

Witness LIVE how access rights management works using tenfold!

Join our webinar to find out how tenfold can help you manage your access rights correctly.

Sign up
By |2019-05-21T08:50:44+00:0018 / 04 / 2019|BLOG|

About the Author:

Helmut Semmelmayer
Helmut Semmelmayer has been Senior Manager Channel Sales at the software company tenfold since 2012. He is in charge of partner sales and product marketing and regularly blogs about issues and topics related to identity and access management.