NTFS Permissions Best Practices: How to Set Permissions Correctly!
NTFS permissions are used to control access to files and folders in Windows environments and are particularly relevant for directories that are shared over a network. While any administrator knows how to set or change NTFS permission levels, the tricky part is how to manage them consistently and efficiently for hundreds or thousands of different users.
Today, we are going to take a look at five common mistakes made when setting NTFS permissions. To help you avoid errors like these, we will also walk you through the best practices for NTFS permission management.
How to Set NTFS Permissions Correctly
NTFS permissions allow you to grant directory access to individual users and groups. In contrast to share permissions, where the choice of permission levels is limited to Read, Change or Full Control, NTFS permissions offer much more granular control. To set NTFS permissions, right-click on a folder or file and select “Properties”, then go to the “Security” tab to select permissions or click on “Advanced” for further settings and special permissions.
Available permission levels include:
Full Control: Grants complete access, including the ability to see, read, write, execute and delete files or folders, as well as change permission settings for all subdirectories.
Modify: The user can see, read, execute, write and delete files. Also allows for the deletion of the folder itself.
Read & Execute: Can view folder contents and run programs or scripts.
List folder contents: Allows the user to see files and directories contained within a folder, an important setting for navigating to deeper levels in the folder structure.
Read: Can see folder contents and also view the files and folders in question.
Write: Users can add new files and folders and write to existing files.
Special permissions: Additional permissions available through the Advanced Security Settings in the Windows file system. Includes options such as Read Attributes, Create Files or Traverse Folder.
You can read our guide to learn more about the difference between Share and NTFS permissions, but here is the short version: You can use both simultaneously to manage file shares, but the more restrictive permission type takes priority. Of course, share permissions only apply when access is made over the network.
Since NTFS permissions offer more fine-grained access control, many admins choose to set share permissions to a high level (Full Control for admins and Change for users) and define the actual permission level using the NTFS system.
Setting NTFS Permissions: The 5 Most Common Mistakes
Direct User Access
The number 1 mistake admins make when setting NTFS permissions is giving users direct access instead of assigning permissions through groups (where the user is a member of Group X and Group X is given access to the folder). This might save time in the moment, but ends up creating a lot more work in the long run.
Yes, it takes time and effort to create, name and manage hundreds of different groups. But it’s still a lot easier than trying to balance thousands of individual permissions. When file access needs to be adjusted later on, would you rather make one change to the relevant permission group or change the settings for dozens of individual users? Exactly.
There’s also the problem of transparency: While you can easily check which groups a user is part of by examining their account, direct access they have been granted will not show up in this list. You would have to check the properties of the directory in question to see the permission entry. If the user is deleted later on, their entries in the Access Control List will stay behind and turn into so-called orphaned SIDs, which add clutter to your Active Directory.
Assigning Permissions to User Groups
A similar mistake is the common practice of assigning permissions directly to user groups instead of adding these groups to dedicated permission groups that govern access to different resources. User groups should only be used to group together staff members that are part of the same organizational unit (OU).
Otherwise, you are left with the same problem created by users with direct permissions: A loss of transparency and an increased risk of being left with orphaned SIDs if someone alters the structure or if a user is deleted.
Reusing Permission Groups
Even admins who follow these recommendations and set NTFS permissions via dedicated permission groups tend to fall for another common mistake: reusing groups to assign additional permissions that go beyond the intended use of the group. It may be tempting to alter an existing group to add or change permission levels for the sake of convenience. However, by using the same AD group to assign new access rights, group members will end up with more permissions than the group name indicates.
These structures become especially confusing when permission groups are nested within themselves or within other permission groups by mistake. To learn more about why users who have more permissions than absolutely necessary are a threat to the safety of your data, read our article Reference Users – An Underestimated Risk.
You may have noticed a common theme in these mistakes: When you deviate from the intended approach, whether it’s group usage or naming conventions, things quickly get chaotic. To prevent confusion, mix-ups and other structural issues, all admins must follow the same standards at all times. That’s part of the reason why manually implementing NTFS best practices requires a great deal of effort and discipline across your entire organization.
Broken Folder Navigation
Having NTFS permissions on a specific folder does not automatically mean that a user can navigate to that folder in Windows Explorer. This requires list permissions (“List folder contents”) on the superordinate directories. The best way to set list rights is via dedicated list groups.
By making permission groups members of the list groups for directories above their folder, users automatically receive the necessary permissions when they are given access to a resource. It is, however, very important to restrict inheritance to ensure the ability to view folder contents only applies to the folder in question, not other folders within the same directory.
Otherwise, users end up being able to browse all directories on the file server. To avoid these kinds of mistakes in the future, read our free white paper and learn about best practices for managing permissions in Microsoft environments.
You can learn more about how to securely manage Windows environments in our guide to Active Directory security.
NTFS Permissions Best Practices
So we’ve established what not to do when it comes to NTFS permissions, but how do you actually manage NTFS permissions correctly? There are various aspects to consider, but to help you get started, we’ve compiled the most important recommendations for managing NTFS permissions safely and efficiently.
Create a Clear Policy
To establish a standardized process for granting access, naming groups, adding new directories etc., it helps to put everything in writing. Clear documentation ensures that you always have a reference point when you are unsure of the proper way to handle an edge case, and is especially helpful for getting larger teams of administrators on the same page.
Always Use Groups
Always use permission groups to set NTFS permissions. Do not give user objects direct NTFS permissions: They are impossible to keep track of and when the user in question is removed from the Active Directory, they will leave behind orphaned entries in the access control list.
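To find where this rule (and the "Direct User Access" mistake described earlier) is already violated, the following added example, which is not part of the original article, reports explicit ACEs that name a user object or an orphaned SID. The function name Get-DirectAce and the path D:\Shares are hypothetical; it assumes the ActiveDirectory PowerShell module (RSAT) and a single-domain environment.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); assumes a single domain.
Import-Module ActiveDirectory

function Get-DirectAce {
    param(
        [Parameter(Mandatory)] [string] $Root,  # share root to audit (hypothetical path)
        [int] $Depth = 2                        # 0 = only the folders directly below $Root
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        if (-not $acl) { continue }             # ACL could not be read (access denied)
        # ($true, $false) = explicit ACEs only; inherited ones are reported where they are set.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference
            # Look at domain principals only; skip SYSTEM, BUILTIN\Administrators and the like.
            if ($sid.Value -notlike 'S-1-5-21-*') { continue }

            $finding = $null
            try {
                $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $adObject = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
                if ($adObject -and $adObject.ObjectClass -eq 'user') { $finding = 'DirectUser' }
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # The SID no longer resolves, typically because the account was deleted.
                $name    = $sid.Value
                $finding = 'OrphanedSid'
            }

            if ($finding) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Finding  = $finding
                    Identity = $name
                    Rights   = $ace.FileSystemRights
                    Access   = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (path is a placeholder):
# Get-DirectAce -Root 'D:\Shares' | Sort-Object Finding, Path | Format-Table -AutoSize
```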
Keep Root Clear
If you let users, even executives or managers, create new folders in the root directory, your tidy folder structure will soon become cluttered with random items. Instead, keep the root-level hierarchy locked down and only allow IT to add new directories.
Remember Folder Navigation
Users who have Read and Execute access to a specific folder must also have the List Folder Contents permission for any higher-up folders in order to navigate to their target. The List Folder Contents permission should be assigned via group membership. By using nested groups, you can ensure that each user automatically receives the NTFS permissions for browsing when they are given the relevant permissions to the subordinate folder.
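The list-group setup described here and under "Broken Folder Navigation" can be scripted as follows. This is an added example, not part of the original article; the paths, the domain name CONTOSO, the group names and the helper Add-FolderAce are all hypothetical, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example; every path and group name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$parent    = 'D:\Shares\Departments'          # folder users must be able to browse
$target    = 'D:\Shares\Departments\Finance'  # folder the permission group governs
$domain    = 'CONTOSO'
$listGroup = 'fs_Departments_L'               # list group for $parent
$permGroup = 'fs_Departments_Finance_RW'      # permission group for $target

function Add-FolderAce {
    param(
        [string] $Path,
        [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inherit
    )
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. List group: may open and list $parent itself. InheritanceFlags 'None' means
#    "This folder only", so the right does not flow down into sibling folders.
Add-FolderAce -Path $parent -Identity "$domain\$listGroup" -Rights 'ReadAndExecute' -Inherit 'None'

# 2. Permission group: Modify on $target, inherited by its subfolders and files.
Add-FolderAce -Path $target -Identity "$domain\$permGroup" -Rights 'Modify' `
              -Inherit 'ContainerInherit, ObjectInherit'

# 3. Nest the permission group in the list group: anyone added to the permission
#    group can now navigate to the folder without a separate grant.
Add-ADGroupMember -Identity $listGroup -Members $permGroup

# Check: the list group's ACE on $parent should show InheritanceFlags = None.
(Get-Acl -LiteralPath $parent).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```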
Do Not Go Too Deep
Do not set explicit NTFS permissions on deep levels in the directory. Limit the number of levels to 2-3 in order to keep things clear and simple. The number of permission groups and list groups needed to manage explicit permissions on deeper levels quickly grows out of control. Since Windows actually puts a hard limit on the number of groups a user can be part of, having too many nested groups can lead to not all permissions being read correctly.
Avoid Breaking Inheritance
In Windows, it is possible to “break up” permission inheritance on each folder level. This means that the usual mechanism (i.e. superordinate NTFS permissions are inherited by subordinate folders) can be bypassed, making it possible to set entirely new NTFS permissions. This should be avoided because it makes NTFS permissions more difficult to read and, as a result, permission structures become confusing and chaotic.
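To see where an existing share already deviates from this rule and from "Do Not Go Too Deep", the following added example (not part of the original article) lists folders with inheritance disabled and folders that carry explicit ACEs below a chosen level. The function name Get-AclStructureFinding and the path are hypothetical; the default of 3 levels follows the 2-3 level recommendation above.

```powershell
# Added example: structural audit of a share's ACLs (no AD module required).
function Get-AclStructureFinding {
    param(
        [Parameter(Mandatory)] [string] $Root,  # share root to audit (hypothetical path)
        [int] $MaxLevel = 3                     # deepest level below $Root that may hold explicit ACEs
    )
    $rootParts = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\').Split('\').Count

    Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
        $level = $_.FullName.Split('\').Count - $rootParts   # 1 = directly below $Root
        $acl   = Get-Acl -LiteralPath $_.FullName
        if (-not $acl) { return }                            # ACL could not be read

        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $finding  = $null
        if ($acl.AreAccessRulesProtected) {
            # "Disable inheritance" was used on this folder.
            $finding = 'InheritanceDisabled'
        }
        elseif ($explicit.Count -gt 0 -and $level -gt $MaxLevel) {
            # Inheritance is intact, but extra ACEs were set deeper than the policy allows.
            $finding = 'ExplicitAceTooDeep'
        }

        if ($finding) {
            [pscustomobject]@{
                Path       = $_.FullName
                Level      = $level
                Finding    = $finding
                Identities = ($explicit.IdentityReference.Value | Sort-Object -Unique) -join '; '
            }
        }
    }
}

# Usage (path is a placeholder):
# Get-AclStructureFinding -Root 'D:\Shares' -MaxLevel 3 | Sort-Object Level, Path | Format-Table -AutoSize
```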
Use Access Based Enumeration
Windows 2003 R2 introduced Access Based Enumeration (ABE), which allows folders to be made invisible to users who do not have access to them. Activating this setting will massively improve clarity for users, as they no longer have to comb through hundreds of directories just to find the specific folder they actually need and have access to.
Implement Least Privilege Access
In accordance with the Principle of Least Privilege, each user should only be given the minimum level of access required to do their job. Eliminating unnecessary permissions prevents them from being exploited in the case of a cyberattack or insider threat, thus making your Active Directory and file server more secure.