NTFS permissions are used to control access to directories in Microsoft environments and are particularly relevant for directories that are shared over a network. Setting NTFS permissions is not overly complicated, but users still often make mistakes.
Today, we are going to take a look at the five most common mistakes made when setting NTFS permissions. We will also outline some best practice examples of how to share folders and files using NTFS permissions.
How to Set NTFS Permissions Correctly
NTFS permissions allow you to grant directory access to individual users and groups. In contrast to share permissions, where the choice of permission levels is limited to “Read”, “Modify” or “Full Control” only, NTFS permissions allow you to set permissions more granularly.
To learn more about the difference between share permissions and NTFS permissions, click here. To set NTFS permissions, right-click on a folder or file and select “Properties”, then go to the “Security” tab to select permissions.
The 5 Most Common Mistakes When Setting NTFS Permissions
1. Direct User Access
The number 1 mistake made when setting NTFS permissions is giving user objects direct access to folders instead of access via groups (the user is a member of Group X, and Group X is given access to the folder). If the user is given access directly, the permission entry will not appear anywhere on that person’s user account, which has a very negative impact on transparency. If the user is deleted at some point later on, what we are left with is a so-called “orphaned SID”, recognizable by its infamous “unknown account” entries (S-123-12345-12345).
This is because removing a user from AD deletes the user account itself (including all of its group memberships), but not its ACEs, or Access Control Entries. An ACE is written into the directory’s ACL whenever a user is given access rights directly, and it stays there after the account is gone.
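The two symptoms described above can be found with a scan of the explicit ACEs on a share. The following PowerShell is an added example, not the article’s own tooling; it assumes a domain-joined host, an assumed share root of D:\Shares\Projects, and that accounts resolve through System.DirectoryServices.AccountManagement (well-known local principals such as BUILTIN are skipped).

```powershell
# Added example (not from the article): report orphaned SIDs and direct user ACEs
# on every subfolder of a share. Root path is an assumption; adjust as needed.
param(
    [string]$Root = 'D:\Shares\Projects'   # assumed share root
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain)

function Test-IsUserAccount {
    # Returns $true when 'DOMAIN\name' resolves to a user object (not a group).
    param([string]$Account)
    $domain = ($Account -split '\\', 2)[0]
    # Local and well-known principals are not the subject of mistake 1; skip them.
    if ($domain -in 'BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER', $env:COMPUTERNAME) { return $false }
    try {
        $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ctx, $Account)
        return ($p -is [System.DirectoryServices.AccountManagement.UserPrincipal])
    } catch {
        return $false
    }
}

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }          # only explicit entries are of interest
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-') {
            # Get-Acl could not translate the SID: the account was deleted, the ACE remains
            [pscustomobject]@{ Path = $dir.FullName; Identity = $id; Issue = 'Orphaned SID' }
        } elseif (Test-IsUserAccount $id) {
            # A user object is granted access directly instead of through a group
            [pscustomobject]@{ Path = $dir.FullName; Identity = $id; Issue = 'Direct user ACE' }
        }
    }
}

$findings | Sort-Object Issue, Path | Format-Table -AutoSize
```

Orphaned-SID entries can be removed with RemoveAccessRule on the same ACL object; direct user ACEs should be replaced by membership in the folder’s permission group rather than deleted outright.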
2. Using Organizational Units as Permission Groups
One common but detrimental practice is using organizational groups as permission groups (especially on department drives), i.e. giving them direct NTFS permissions to certain folders. However, it is better not to assign rights to organizational groups directly, but instead to use them solely to group together users belonging to the same organizational unit.
To grant all users of an organizational unit certain permissions, the organizational group is instead made a member of the appropriate read or write group for the directory.
3. Multiple Use of Permission Groups
Even if this recommendation is followed and NTFS permissions are set via group membership, there is another common mistake: admins re-use existing groups to assign permissions without being aware of what the permission group was originally intended for. They do this because they don’t know any better, but the results are just as damaging. Why? Because members of the re-used group suddenly have more permissions than the group name would indicate.
These structures become especially confusing when permission groups are nested within themselves or within other permission groups by mistake. To learn more about why users who have more rights than necessary may pose a threat to the security of your data, read our article Reference Users – An Underestimated Risk.
4. Ignoring Conventions
Managing the groups needed to comply with NTFS best practices manually requires a great deal of effort as well as organization-wide discipline. To prevent confusion, mix-ups and other structural issues, all admins must follow the same standards and naming conventions without fail.
5. List Rights Are Either Set Incorrectly or Not Set at All
The use of NTFS permissions does not automatically guarantee that users who have permissions for a specific folder can actually navigate to that folder, e.g. via Explorer. To do this requires special list permissions (“Show folder contents”) to be set. The best way to set these permissions is via special permission groups called “list groups”, which are nested with the actual permission groups.
By being a member of a read or write group, the user automatically receives all required list rights. It is, however, very important to ensure that these list rights only apply to the respective folder and not to all of its subfolders as well.
Otherwise, users might be able to browse all directories on the file server. To avoid these kinds of mistakes in the future, read our free white paper and learn about best practices for managing permissions in Microsoft environments.
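The distinction in this section, list rights on “this folder only” next to write rights that do inherit, comes down to the inheritance flags on the ACE. The PowerShell below is an added example, not code from the article; the folder path and the group names FS-Projects-Alpha-L and FS-Projects-Alpha-W are assumptions, and the nesting of the write group into the list group is done separately in AD.

```powershell
# Added example (not from the article): list group gets ReadAndExecute on the folder
# itself only; write group gets Modify that inherits to subfolders and files.
$Folder     = 'D:\Shares\Projects\Alpha'          # assumed folder
$ListGroup  = 'CONTOSO\FS-Projects-Alpha-L'       # assumed list group
$WriteGroup = 'CONTOSO\FS-Projects-Alpha-W'       # assumed write group (member of the list group)

$acl = Get-Acl -LiteralPath $Folder

# InheritanceFlags None + PropagationFlags None = "This folder only". Members can open
# and see this folder, but the ACE is not copied to anything beneath it, so the list
# group cannot be used to browse the whole tree.
$listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ListGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ContainerInherit + ObjectInherit = "This folder, subfolders and files".
$writeRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $WriteGroup,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($listRule)
$acl.AddAccessRule($writeRule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Check: the list group's explicit ACE must show InheritanceFlags "None", while a
# child folder must carry no ACE for the list group at all.
(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags

Get-ChildItem -LiteralPath $Folder -Directory | ForEach-Object {
    (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $ListGroup } |
        ForEach-Object { Write-Warning "List ACE leaked into $($_.Path): $($_.FileSystemRights)" }
}
```

The same “this folder only” list ACE is applied on each parent folder up to the share root so that members can traverse the path without being able to browse sibling directories.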
White Paper: Access Management in Microsoft Environments:
- What are NTFS permissions exactly and how do they work?
- What are common mistakes when setting NTFS permissions?
- What are the best practices for handling NTFS permissions?
- How are NTFS permissions read?
- What is the best way to document NTFS permissions?