
NTFS permissions are used to control access to files and folders in Windows environments and are particularly relevant for directories that are shared over a network. While any administrator knows how to set or change NTFS permission levels, the tricky part is how to manage them consistently and efficiently for hundreds or thousands of different users.

Today, we are going to take a look at five common mistakes made when setting NTFS permissions. To help you avoid errors like these, we will also walk you through the best practices for NTFS permission management.


How to Set NTFS Permissions Correctly

NTFS permissions allow you to grant directory access to individual users and groups. In contrast to share permissions, where the choice of permission levels is limited to Read, Change or Full Control, NTFS permissions offer much more granular control. To set NTFS permissions, right-click on a folder or file and select “Properties”, then go to the “Security” tab to select permissions or click on “Advanced” for further settings and special permissions.

Available permission levels include:

  • Full Control: Grants complete access, including the ability to see, read, write, execute and delete files or folders, as well as change permission settings for all subdirectories.

  • Modify: The user can see, read, execute, write and delete files. Also allows for the deletion of the folder itself.

  • Read & Execute: Can view folder contents and run programs or scripts.

  • List folder contents: Allows the user to see files and directories contained within a folder, an important setting for navigating to deeper levels in the folder structure.

  • Read: Can see folder contents and also view the files and folders in question.

  • Write: Users can add new files and folders and write to existing files.

  • Special permissions: Additional permissions available through the Advanced Security Settings in the Windows file system. Includes options such as Read Attributes, Create Files or Traverse Folder.

You can read our guide to learn more about the difference between Share and NTFS permissions, but here is the short version: You can use both simultaneously to manage file shares, but the more restrictive permission type takes priority.

Since NTFS permissions offer more fine-grained access control, many admins choose to set share permissions to a high level (Full Control for admins and Change for users) and define the actual permission level using the NTFS system.

Setting NTFS Permissions: The 5 Most Common Mistakes

1. Direct User Access

The number 1 mistake admins make when setting NTFS permissions is giving users direct access instead of assigning permissions through groups (where the user is a member of Group X and Group X is given access to the folder). This might save time in the moment, but ends up creating a lot more work in the long run.

Yes, it takes effort to create, name and manage hundreds of different groups. But it’s still a lot easier than trying to balance thousands of individual permissions. When file access needs to be adjusted later on, would you rather make one change to the relevant permission group or change the settings for dozens of individual users? Exactly.

There’s also the problem of transparency: While you can easily check which groups a user is part of by examining their account, direct access they have been granted will not show up in this list. You would have to check the properties of the directory in question to see the permission entry. If the user is deleted later on, their entries in the Access Control List will stay behind and turn into so-called orphaned SIDs, which add to the clutter on your Active Directory.
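The two problems just described, direct user entries and orphaned SIDs, can be found with a script rather than by opening every folder’s properties. The following is an added example, not code from the original article; it audits the explicit (non-inherited) entries under a share root and also flags folders whose ACL no longer inherits, a point the best-practices section below returns to. The path, depth and principal-resolution helper are constructed assumptions; adjust them to your environment.

```powershell
# Added example (not from the article): audit explicit ACEs under a share root
# for direct user entries and orphaned SIDs, and flag folders whose ACL no
# longer inherits. $Root and $Depth are constructed values; adjust to your share.
param([string]$Root = 'D:\Shares', [int]$Depth = 3)

function Get-PrincipalClass {
    param([System.Security.Principal.NTAccount]$Account)
    # The WinNT provider resolves local and domain principals alike and reports
    # 'User' or 'Group'; well-known identities such as NT AUTHORITY\SYSTEM are
    # not resolvable this way and come back as 'Unknown'.
    $domain, $name = $Account.Value -split '\\', 2
    try { return ([ADSI]"WinNT://$domain/$name").SchemaClassName }
    catch { return 'Unknown' }
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $dir.FullName; Identity = '-';
                           Issue = 'Inheritance broken'; Rights = '-' }
    }
    # Request SIDs explicitly: an orphaned entry has no account name to show
    $rules = $acl.GetAccessRules($true, $false,
                                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # SID of a deleted account left behind in the ACL
            [pscustomobject]@{ Path = $dir.FullName; Identity = $sid.Value;
                               Issue = 'Orphaned SID'; Rights = $rule.FileSystemRights }
            continue
        }
        if ((Get-PrincipalClass $account) -eq 'User') {
            [pscustomobject]@{ Path = $dir.FullName; Identity = $account.Value;
                               Issue = 'Direct user ACE'; Rights = $rule.FileSystemRights }
        }
    }
}

$findings | Sort-Object Path, Issue | Format-Table -AutoSize
```

Run it with an account that can read the ACLs of the whole tree; inherited entries are skipped on purpose, since they are reported once at the folder where they are set.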

2. Using Organizational Units as Permission Groups

One common but detrimental practice is using organizational groups as permission groups (especially on department drives), i.e. giving them direct NTFS permissions to certain folders. However, it is better not to assign rights to organizational groups directly, but instead to use them solely to group together users belonging to the same organizational unit.

To grant all users of an organizational unit certain permissions, the organizational group is instead added to the appropriate read or write group for the directory.

Otherwise, the same risks arise here as from user accounts with direct permissions: A loss of transparency and an increased risk of being left with orphaned SIDs if someone alters the structure or if a user is deleted.

3. Reusing Permission Groups

Even admins who follow these recommendations and set NTFS permissions via group membership tend to fall for another common mistake: reusing groups to assign permissions without knowing what the permission group was originally intended for. By using the same group to assign new access rights, group members will end up with more permissions than the group name indicates.

These structures become especially confusing when permission groups are nested within themselves or within other permission groups by mistake. To learn more about why users who have more permissions than absolutely necessary are a threat to the safety of your data, read our article Reference Users – An Underestimated Risk.

4. Ignoring Conventions

You may have noticed a common theme in these mistakes: When you deviate from the intended approach, whether it’s group usage or naming conventions, things quickly get chaotic. To prevent confusion, mix-ups and other structural issues, all admins must follow the same standards at all times. That’s part of the reason why manually implementing NTFS best practices requires a great deal of effort and discipline across your entire organization.

5. Broken Folder Navigation

The use of NTFS permissions does not automatically guarantee that users who have permissions for a specific folder can actually navigate to that folder, e.g. via the Explorer. This requires special list permissions (“List folder contents”). The best way to set them is via special permission groups called “list groups”, which are nested with the actual permission groups.

By being a member of a read or write group, the user automatically receives all required list rights. It is, however, very important to ensure that the ability to view folder contents only applies to the folder in question, and not to all of its subfolders as well. Otherwise, users might be able to browse all directories on the file server.

To avoid these kinds of mistakes in the future, read our free white paper and learn about best practices for managing permissions in Microsoft environments.

[FREE WHITE PAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how to best handle access rights in Microsoft® environments.

Go to download

NTFS Permissions Best Practices

So we’ve established what not to do when it comes to NTFS permissions, but how do you actually manage NTFS permissions correctly? There are various aspects to consider, but to help you get started, we’ve compiled the most important recommendations for managing NTFS permissions safely and efficiently.

Create a Clear Policy

To establish a standardized process for granting access, naming groups, adding new directories etc., it helps to put everything in writing. Clear documentation ensures that you always have a reference point when you are unsure of the proper way to handle an edge case, and is especially helpful for getting larger teams of administrators on the same page.

Always Use Groups

Always use permission groups to set NTFS permissions. Do not give user objects direct NTFS permissions: They are impossible to keep track of and when the user in question is removed from the Active Directory, they will leave behind orphaned entries in the access control list.

Keep Root Clear

If you let users, even executives or managers, create new folders in the root directory, your tidy folder structure will soon become cluttered with random items. Instead, keep the root-level hierarchy locked down and only allow IT to add new directories.

Avoid Hidden Permissions

Do not set NTFS permissions on deep levels in the directory. Limit the number of levels to 2-3 in order to keep things clear and simple and prevent so-called “hidden permissions” from occurring.


Remember Folder Navigation

Users who have Read and Execute access to a specific folder must also have the List Folder Contents permission for any higher-up folders in order to navigate to their target. The List Folder Contents permission should be assigned via group membership. By using nested groups, you can ensure that each user automatically receives the NTFS permissions for browsing when they are given the relevant permissions to the subordinate folder.
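The list-group construction from mistake 5 and the paragraph above, as an added example that is not part of the original article: the permission group of the target folder is nested in a list group, and the list group receives Read & Execute on every folder between the share root and the target, applied to “This folder only” so that the list right does not spill into sibling subfolders. Group names, paths and the use of the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example (not from the article). Assumes the AD groups below already
# exist (constructed names) and the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Grant-ListOnlyAccess {
    param([string]$Folder, [string]$Group)
    $acl = Get-Acl -LiteralPath $Folder
    # ReadAndExecute with InheritanceFlags None equals "This folder only":
    # the entry is not passed down to subfolders or files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# Constructed example: share root, department folder, project subfolder
$ShareRoot = 'D:\Shares'
$Target    = 'D:\Shares\Finance\Budget'
$ReadGroup = 'FS_Finance_Budget_R'   # permission group for the target folder
$ListGroup = 'FS_Finance_L'          # list group for the path above it

# 1) Nest the permission group in the list group: whoever is given read
#    access to the target thereby receives the list rights automatically.
Add-ADGroupMember -Identity $ListGroup -Members $ReadGroup

# 2) Walk from the target's parent up to the share root and grant the list
#    group Read & Execute on each folder, this folder only.
$dir = Split-Path -Path $Target -Parent
while ($dir -and $dir.TrimEnd('\') -ne $ShareRoot.TrimEnd('\')) {
    Grant-ListOnlyAccess -Folder $dir -Group "$env:USERDOMAIN\$ListGroup"
    $dir = Split-Path -Path $dir -Parent
}
Grant-ListOnlyAccess -Folder $ShareRoot -Group "$env:USERDOMAIN\$ListGroup"

# 3) Verify: an explicit entry for the list group that carries inheritance
#    flags would let members browse every subfolder, the mistake to avoid.
foreach ($p in $ShareRoot, (Split-Path -Path $Target -Parent)) {
    (Get-Acl -LiteralPath $p).Access | Where-Object {
        $_.IdentityReference -like "*\$ListGroup" -and -not $_.IsInherited -and
        $_.InheritanceFlags -ne 'None'
    } | Select-Object @{n='Path';e={$p}}, IdentityReference, InheritanceFlags
}
```

Step 3 prints nothing when the structure is correct; any row it returns is a list entry that propagates further than the folder it was set on.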

Avoid Breaking Inheritance

In Windows, it is possible to “break” inheritance for permissions on each folder level. This means that the usual mechanism (i.e. superordinate NTFS permissions are inherited by subordinate folders) can be bypassed, making it possible to set entirely new NTFS permissions. This process should be avoided because it makes it more difficult to read NTFS permissions and, as a result, permission structures become confusing and chaotic.

Use Access Based Enumeration

Windows 2003 R2 introduced Access Based Enumeration (ABE), which allows folders to be made invisible to users who do not have access to them. Activating this setting will massively improve clarity for users, as they no longer have to comb through hundreds of directories just to find the specific folder they actually need and have access to.
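ABE is set per share. The following added example (not from the original article) lists the shares on a file server that still enumerate every folder for every user and then switches them to access-based enumeration; it uses the SmbShare module and skips the administrative shares whose names end in $.

```powershell
# Added example (not from the article): report shares without ABE and enable it.
function Get-ShareWithoutAbe {
    Get-SmbShare | Where-Object {
        $_.Name -notlike '*$' -and $_.FolderEnumerationMode -ne 'AccessBased'
    }
}

$missing = Get-ShareWithoutAbe
$missing | Select-Object Name, Path, FolderEnumerationMode | Format-Table -AutoSize

# Turn ABE on for each of them; -Force suppresses the confirmation prompt,
# and the same line with -WhatIf instead of -Force only previews the change
$missing | Set-SmbShare -FolderEnumerationMode AccessBased -Force
```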

Implement Least Privilege Access

In accordance with the Principle of Least Privilege, each user should only be given the minimum level of access required to do their job. Eliminating unnecessary permissions prevents them from being exploited in the case of a cyberattack or insider threat, thus making your Active Directory and file server more secure.

While you’re here – why not sign up for our free webinar?

“The Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up now