NTFS permissions control access to files and folders in Microsoft environments and matter most for folders that are shared over the network. Setting NTFS permissions is not complicated in itself, but administrators still make the same mistakes over and over.

Today, we are going to take a look at the four most common mistakes made when setting NTFS permissions. We will also outline some best practice examples of how to share folders and files using NTFS permissions.

How to Set NTFS Permissions Correctly

NTFS permissions let you grant access to individual users and groups. In contrast to share permissions, which only offer the three levels "Read", "Change" and "Full Control", NTFS permissions can be set much more granularly (Read, Write, Modify, List Folder Contents, Read & Execute and Full Control, plus the individual advanced rights these are composed of).

To learn more about the difference between share permissions and NTFS permissions, see our separate article on that topic. To set NTFS permissions, right-click a folder or file, select "Properties" and switch to the "Security" tab; "Edit" changes the basic permissions, while "Advanced" exposes inheritance and the individual rights.

The 4 Most Common Mistakes When Setting NTFS Permissions

1. Direct User Access

The number one mistake when setting NTFS permissions is giving user objects direct access to folders instead of going through groups (the user is a member of group X, and group X is granted access to the folder). An access control entry lives on the folder, not on the user object, so a directly granted permission is invisible when you look at the user account, which is terrible for transparency. If the user is later deleted, the entry stays behind on the folder as an "orphaned SID": Windows can no longer resolve the identifier to a name and shows it as the infamous "Account Unknown (S-1-5-21-…)".

2. Using Organizational Units as Permission Groups

Organizational groups such as department or team groups that mirror the org chart (often loosely called "organizational units"; actual Active Directory OUs are containers rather than security principals and cannot be placed in an ACL at all) are frequently used as permission groups, especially on department drives: they are given direct NTFS access to specific folders. The result is the same loss of transparency as with user accounts that have direct access, and the group now serves two purposes at once: organizational changes silently change access rights (when an employee moves to another department, their folder access follows the department membership instead of a deliberate decision), and restructuring or deleting such groups leaves orphaned SIDs behind on the folders.

3. Multi-Use of Permission Groups

Sometimes, even when the recommendation is followed and NTFS permissions are assigned via group membership, another common mistake creeps in: without being clear about what a permission group is intended for, admins reuse the group to assign further permissions on other folders. This is just as detrimental to transparency, because members of the reused group suddenly receive more permissions than the group name indicates, and nobody who later adds a member to the group can tell what they are actually granting.

4. Ignoring Conventions

Manually managing the groups needed to comply with NTFS best practices requires considerable effort and organization-wide discipline. To prevent confusion, mix-ups and structural drift, all admins must follow the same standards and naming conventions, for example one group per folder and access level, with a name that encodes the share, the folder and the level.
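The four mistakes above can all be found by reading the explicit ACEs of a share tree. The following PowerShell audit is an added example, not code from the original article or from tenfold; it assumes PowerShell 5.1 or later on a domain-joined host with the ActiveDirectory module, an account that can read the ACLs below the given path, and the illustrative naming convention FS-<Share>-<Folder>-<R|RW|L> for permission groups. It reports direct user ACEs and orphaned SIDs (mistake 1), groups that do not follow the convention, which is how department groups used as permission groups show up (mistakes 2 and 4), and groups reused on more than one folder (mistake 3).

```powershell
# Added audit example (not code from the original article or from tenfold).
# Assumptions: PowerShell 5.1+ on a domain-joined host with the ActiveDirectory
# module; the scanning account can read ACLs below $Path; permission groups are
# expected to follow the illustrative convention FS-<Share>-<Folder>-<R|RW|L>.
Import-Module ActiveDirectory

function Test-NtfsAclHygiene {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Depth = 3,                                                        # explicit permissions belong on the top 2-3 levels
        [string] $GroupNamePattern = '^FS-[A-Za-z0-9]+-[A-Za-z0-9_]+-(R|RW|L)$'  # assumed naming convention
    )

    # Built-in principals that legitimately appear on every folder and are not part of the review
    $ignore = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $groupUsage = @{}    # permission group name -> folders on which it carries an explicit ACE

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }             # only explicit ACEs are interesting
            $id = $ace.IdentityReference.Value
            if ($ignore -contains $id) { continue }

            # Mistake 1 aftermath: the principal no longer exists, Get-Acl can only show the raw domain SID
            if ($id -match '^S-1-5-21-') {
                [pscustomobject]@{ Folder = $folder.FullName; Identity = $id; Issue = 'Orphaned SID' }
                continue
            }

            # Resolve the account to its SID and look it up in AD to learn whether it is a user or a group
            try {
                $sid = ([System.Security.Principal.NTAccount] $id).Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }                            # unresolvable non-domain identity, out of scope
            $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties objectClass
            if (-not $obj) { continue }                     # local or built-in account, out of scope

            if ($obj.objectClass -eq 'user') {
                # Mistake 1: ACE granted to a user object instead of a permission group
                [pscustomobject]@{ Folder = $folder.FullName; Identity = $id; Issue = 'Direct user access' }
                continue
            }

            $name = $id.Split('\')[-1]
            if ($name -notmatch $GroupNamePattern) {
                # Mistakes 2 and 4: a department/organizational group or an unconventionally named
                # group is carrying NTFS permissions
                [pscustomobject]@{ Folder = $folder.FullName; Identity = $id; Issue = 'Group outside naming convention' }
            }
            if (-not $groupUsage.ContainsKey($name)) { $groupUsage[$name] = @() }
            $groupUsage[$name] += $folder.FullName
        }
    }

    # Mistake 3: the same permission group carries explicit ACEs on more than one folder
    foreach ($name in $groupUsage.Keys) {
        if ($groupUsage[$name].Count -gt 1) {
            [pscustomobject]@{ Folder = ($groupUsage[$name] -join '; '); Identity = $name; Issue = 'Group reused on multiple folders' }
        }
    }
}

# Usage (the share path is an assumption):
Test-NtfsAclHygiene -Path 'D:\Shares\Projects' | Format-Table -AutoSize
```

The scan deliberately skips inherited ACEs: an inherited entry is only a copy of a decision made higher up, and reporting it on every subfolder would bury the explicit entries that actually need review. Local accounts and groups are skipped as well, since the AD lookup is what decides between "user" and "group"; extend the function with a local SAM lookup if the file server uses local groups.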

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free


What Are the Best Practices for Setting NTFS Permissions?

There are a couple of aspects to consider when setting NTFS permissions:

  • Always assign NTFS permissions through permission groups. Never give user objects direct NTFS permissions; otherwise, when the user is deleted from Active Directory, an orphaned SID remains in the folder's ACL.
  • Do not set NTFS permissions deep in the directory tree. Limit explicit permissions to the top 2-3 levels so that the structure stays readable and no so-called "hidden permissions" appear that nobody reviewing the upper levels will notice.
  • Users who have "Read & Execute" (or "Modify") on a specific folder also need the "List Folder Contents" permission on every superordinate folder in order to navigate down to it. Assign that browse permission via a group of its own, scoped to "This folder only" so that it grants nothing inside the subfolders, and nest the groups: make each folder's permission groups members of the parent's list group, so that every user automatically receives the browse permissions when they are granted access to the subordinate folder.
  • Windows allows you to disable inheritance on any folder, which stops the usual mechanism (NTFS permissions on a superordinate folder are inherited by subordinate folders) and lets you start over with an entirely new set of permissions. Avoid this: every break in inheritance is one more place that has to be read separately, and permission structures quickly become confusing and chaotic.
  • Access-Based Enumeration (ABE), available since Windows Server 2003 SP1 and configured on the SMB share, hides files and folders from users who have no Read permission on them. Activating it massively improves clarity for users, who no longer have to comb through hundreds of directories just to find the folder they actually need and have access to.
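The following PowerShell script puts these best practices together for one share: one permission group per folder and access level, a nested list group on the parent scoped to "This folder only", explicit ACEs on two levels only, inheritance left intact, users added to groups rather than to ACLs, and ABE enabled on the share. It is an added example, not code from the original article or from tenfold, and assumes the ActiveDirectory and SmbShare modules, a domain named CONTOSO, the OU and paths shown in the header comment, the naming convention FS-<Share>-<Folder>-<R|RW|L> and a user account "jdoe"; all of these are placeholders.

```powershell
# Added setup example (not code from the original article or from tenfold).
# Assumptions: ActiveDirectory and SmbShare modules, domain CONTOSO, the script
# runs on the file server, permission groups live in $GroupOU, and the naming
# convention is FS-<Share>-<Folder>-<R|RW|L>. Layout used:
#   D:\Shares\Projects        level 1: browse only            (FS-Projects-L)
#   D:\Shares\Projects\Alpha  level 2: data folder            (FS-Projects-Alpha-RW / -R)
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'
$GroupOU = 'OU=Permission Groups,DC=contoso,DC=com'
$Root    = 'D:\Shares\Projects'
$Alpha   = Join-Path $Root 'Alpha'

function New-PermissionGroup {
    param([string] $Name, [string] $Description)
    # Domain local security groups are the usual choice for resource permissions (AGDLP);
    # the description documents what the group is for, so nobody reuses it for something else
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description $Description
    }
}

function Add-NtfsAce {
    param(
        [string] $Path, [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inheritance,
        [System.Security.AccessControl.PropagationFlags] $Propagation = 'None'
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights, $Inheritance, $Propagation, 'Allow')
    $acl.AddAccessRule($rule)      # adds to the existing ACL; inheritance from above stays intact
    Set-Acl -LiteralPath $Path -AclObject $acl
}

New-Item -ItemType Directory -Force -Path $Alpha | Out-Null

# One permission group per folder and access level
New-PermissionGroup 'FS-Projects-Alpha-RW' "Modify on $Alpha"
New-PermissionGroup 'FS-Projects-Alpha-R'  "Read on $Alpha"
New-PermissionGroup 'FS-Projects-L'        "List folder contents on $Root (this folder only)"

# Nesting: whoever gets Alpha-RW or Alpha-R automatically receives the browse right on the parent
Add-ADGroupMember -Identity 'FS-Projects-L' -Members 'FS-Projects-Alpha-RW', 'FS-Projects-Alpha-R'

# Level 1: "List folder contents" limited to this folder only (InheritanceFlags None),
# so the browse group never grants anything inside Alpha
Add-NtfsAce -Path $Root  -Identity "$Domain\FS-Projects-L"        -Rights ReadAndExecute -Inheritance None

# Level 2: data permissions apply to this folder, subfolders and files
Add-NtfsAce -Path $Alpha -Identity "$Domain\FS-Projects-Alpha-RW" -Rights Modify         -Inheritance 'ContainerInherit, ObjectInherit'
Add-NtfsAce -Path $Alpha -Identity "$Domain\FS-Projects-Alpha-R"  -Rights ReadAndExecute -Inheritance 'ContainerInherit, ObjectInherit'

# Users are only ever added to the permission groups, never to the ACL itself (account name is an assumption)
Add-ADGroupMember -Identity 'FS-Projects-Alpha-RW' -Members 'jdoe'

# Share with Access-Based Enumeration: users only see what they can read; the share permission
# stays broad and the effective access is governed by NTFS
New-SmbShare -Name 'Projects' -Path $Root -ChangeAccess 'Authenticated Users' -FolderEnumerationMode AccessBased

# Verify: only the intended explicit ACEs exist on each level
foreach ($p in $Root, $Alpha) {
    (Get-Acl -LiteralPath $p).Access | Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Folder'; e = { $p } }, IdentityReference, FileSystemRights, InheritanceFlags
}
```

Newly created groups may not resolve on the file server until AD replication has caught up, so run the ACL steps against the same domain controller that created the groups or wait for replication before applying the ACEs. The final loop is the check a reviewer would repeat later: on a correctly built tree it lists exactly one explicit ACE on the root and two on the data folder, and any further entries are the hidden permissions the best practices warn about.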

Whitepaper “Best Practices for Access Management in Microsoft Environments”

To get a more detailed overview of all technical and organizational aspects, download our whitepaper “Best Practices for Access Management in Microsoft Environments“, which covers the following questions:

  • What are NTFS permissions exactly and how do they work?
  • What are common mistakes when setting NTFS permissions?
  • What are the best practices for handling NTFS permissions?
  • How are NTFS permissions read?
  • What is the best way to document NTFS permission assignments?