Home tenfold Blog Active Directory

Modify Plus: Secure NTFS Permission Endpoints

Nele Nikolaisen · 22.01.2021

To grant users access to files and folders on Windows drives, admins can use either share permissions or NTFS permissions. NTFS (New Technology File System) is the more common method, though, as it allows a more granular approach to granting permissions. Read on to learn how to use the “Modify Plus“ option to further optimize your NTFS settings and close a security hole in your access structure at the same time.

What Is “Modify Plus”?

In the NT File System, there are six permission sets to choose from: Full Control, Modify, Read & Execute, List Folder Contents, Read and Write. Each of these permission sets contains additional special permissions.

Read our post to learn how to set NTFS permissions correctly and how to avoid the five most common mistakes when doing so.

While these varying levels of access allow admins to adjust permissions for users individually, they do also come with a problem: The permission “Modify” contains the special permission “Delete”.

Frustrated user who accidentally deleted the project folder.
“Where did the project folder go?!” Use Modify Plus for NTFS and you’ll never have to ask that question again. (c) Anatoliy Karlyuk

NTFS Permission “Modify“ Gives Users Power to “Delete“

This means users who have the permission “Modify“ for a folder can also move or delete this folder.

This is a big issue, especially with regard to resources that are shared by several users. Common scenarios include:

  • Someone intentionally moves Folder A (e.g. a project folder) into Folder B, but not everyone has access to Folder B. Now users who would normally have access to Folder A but not Folder B can no longer access Folder A.

  • Someone accidentally moves the folder and now no one can find it.

  • Someone deletes the folder (intentionally or by mistake) and now no one can access it anymore.

Modify Plus: The Alternative

With tenfold, you can replace the permission “Modify“ with the permission “Modify Plus“. Unlike “Modify“, “Modify Plus“ does NOT include the special permission “Delete“. Instead, it contains the special permission “Delete Subfolders and Files“.

This means users who have the permission “Modify Plus” can still modify (and delete) all files and folders contained inside the project folder, but the main folder itself can no longer be deleted or moved.

Video Overview

Watch Our Demo Video to See tenfold in Action!

About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.