NTFS permissions are used to control access to files and folders in Windows environments and are particularly relevant for directories that are shared over a network. While any administrator knows how to set or change NTFS permission levels, the tricky part is how to manage them consistently and efficiently for hundreds or thousands of different users.
Today, we are going to take a look at five common mistakes made when setting NTFS permissions. To help you avoid errors like these, we will also walk you through the best practices for NTFS permission management.
How to Set NTFS Permissions Correctly
NTFS permissions allow you to grant directory access to individual users and groups. In contrast to share permissions, where the choice of permission levels is limited to Read, Change or Full Control, NTFS permissions offer much more granular control. To set NTFS permissions, right-click on a folder or file and select “Properties”, then go to the “Security” tab to select permissions or click on “Advanced” for further settings and special permissions.
Available permission levels include:
You can read our guide to learn more about the difference between Share and NTFS permissions, but here is the short version: You can use both simultaneously to manage file shares, but the more restrictive permission type takes priority.
Setting NTFS Permissions: The 5 Most Common Mistakes
1. Direct User Access
The number 1 mistake admins make when setting NTFS permissions is giving users direct access instead of assigning permissions through groups (where the user is a member of Group X and Group X is given access to the folder). This might save time in the moment, but ends up creating a lot more work in the long run.
Yes, it takes effort to create, name and manage hundreds of different groups. But it’s still a lot easier than trying to balance of thousands of individual permissions. When file access needs to be adjusted later on, would you rather make one change to the relevant permission group or change the settings for dozens of individual users? Exactly.
There’s also the problem of transparency: While you can easily check which groups a user is part of by examining their account, direct access they have been granted will not show up in this list. You would have to check the properties of the directory in question to see the permission entry. If the user is deleted later on, their entries in the Access Control List will stay behind and turn into so-called orphaned SIDs, which add to the clutter on your Active Directory.
2. Using Organizational Units as Permission Groups
One common but detrimental practice is using organizational groups as permission groups (especially on department drives), i.e. giving them direct NTFS permissions to certain folders. However, it is better not to assign rights to organizational groups directly, but instead to use them solely to group together users belonging to the same organizational unit.
Finally, in order to then grant all users of an organizational unit certain permissions, the organizational group must be added to the appropriate read or write group for the directory.
3. Reusing Permission Groups
Even admins who follow these recommendations and set NTFS permissions via group membership tend to fall for another common mistake: reusing groups to assign permissions without knowing what the permission group was originally intended for. By using the same group to assign new access rights, group members will end up with more permissions than the group name indicates.
These structures become especially confusing when permission groups are nested within themselves or within other permission groups by mistake. To learn more about why users who have more permissions than absolutely necessary are a threat to the safety of your data, read our article Reference Users – An Underestimated Risk.
4. Ignoring Conventions
You may have noticed a common theme in these mistakes: When you deviate from the intended approach, whether it’s group usage or naming conventions, things quickly get chaotic. To prevent confusion, mix-ups and other structural issues, all admins must follow the same standards at all times. That’s part of the reason why manually implementing NTFS best practices requires a great deal of effort and discipline across your entire organization.
5. Broken Folder Navigation
The use of NTFS permissions does not automatically guarantee that users who have permissions for a specific folder can actually navigate to that folder, e.g. via the Explorer. This requires special list permissions (“Show folder contents”). The best way to set them is via special permission groups called “list groups“, which are nested with the actual permission groups.
By being a member of a read or write group, the user automatically receives all required list rights. It is, however, very important to ensure that ability to view folder contents only applies to the folder in question, and not to all of its subfolders as well. Otherwise, users might be able to browse all directories on the file server.
To avoid these kinds of mistakes in the future, read our free white paper and learn about best practices for managing permissions in Microsoft environments.