Setting NTFS permissions

NTFS permissions are used to control access to directories in Microsoft environments and are particularly relevant for directories that are shared over a network. Setting NTFS permissions is not overly complicated, but users still often make mistakes.

Today, we are going to take a look at the five most common mistakes made when setting NTFS permissions. We will also outline some best practice examples of how to share folders and files using NTFS permissions.


How to Set NTFS Permissions Correctly

NTFS permissions allow you to grant directory access to individual users and groups. In contrast to share permissions, where the choice of permission levels is limited to “Read”, “Modify” or “Full Control” only, NTFS permissions allow you to set permissions more granularly.

To learn more about the difference between share permissions and NTFS permissions, click here. To set NTFS permissions, right-click on a folder or file and select “Properties”, then go to the “Security” tab to select permissions.

The 5 Most Common Mistakes When Setting NTFS Permissions

1. Direct User Access

The number 1 mistake made when setting NTFS permissions is giving user objects direct access to folders instead of via groups (where the user is a member of Group X and Group X is given access to the folder). If the user is given access directly, the permission entry will not appear in that person’s user account, which in turn has a very negative impact on transparency. If the user is deleted at some point later on, what we are left with is a so-called “orphaned SID”, recognizable by its infamous “unknown account” entries (S-123-12345-12345).

This is because removing a user from AD will delete the user account itself (including all group memberships), but not its ACEs, or Access Control Entries. The ACE remains on the directory if users were given access rights directly.
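An added audit script (not part of the original article) that walks a share root and reports the two symptoms described above: explicit ACEs that belong to a user object rather than a group, and ACEs whose SID no longer resolves. It assumes a domain-joined file server with the ActiveDirectory module installed; the share path is a placeholder.

```powershell
# Constructed example: find direct user ACEs and orphaned SIDs under a share root.
# Assumes the ActiveDirectory module is available; $Root is a placeholder path.
param(
    [string]$Root = 'D:\Shares\Departments'
)
Import-Module ActiveDirectory

$findings = foreach ($dir in Get-ChildItem -Path $Root -Directory -Recurse) {
    $acl = Get-Acl -Path $dir.FullName
    # Only explicit entries matter here; inherited ones are reported where they were set.
    foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
        $id = $ace.IdentityReference.Value
        # Get-Acl shows a SID it cannot resolve as the raw 'S-1-5-21-...' string,
        # which is what the GUI displays as an "unknown account".
        if ($id -match '^S-1-5-21-') {
            [pscustomobject]@{ Path = $dir.FullName; Identity = $id
                               Rights = $ace.FileSystemRights; Issue = 'Orphaned SID' }
            continue
        }
        # Skip well-known principals without a domain prefix, then ask AD whether
        # the DOMAIN\name in the ACE is a user object (groups are fine).
        if ($id -notmatch '\\') { continue }
        $sam = $id.Split('\')[1]
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Path = $dir.FullName; Identity = $id
                               Rights = $ace.FileSystemRights; Issue = 'Direct user ACE' }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it periodically against each share root; an empty result means every explicit entry on the tree points at a group that still exists.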

2. Using Organizational Units as Permission Groups

One common but detrimental practice is using organizational groups as permission groups (especially on department drives), i.e. giving them direct NTFS permissions to certain folders. However, it is better not to assign rights to organizational groups directly, but instead to use them solely to group together users belonging to the same organizational unit.

Finally, in order to then grant all users of an organizational unit certain permissions, the organizational group must become a member of the appropriate read or write group for the directory.

Otherwise, the same risks arise here as from user accounts with direct permissions: A loss of transparency and an increased risk of being left with orphaned SIDs if someone alters the structure or if a user is deleted.

3. Multiple Use of Permission Groups

Even if recommendations are followed and NTFS permissions are set via group membership, there is another common mistake that is often made: admins re-use groups to assign permissions, without being aware of what the permission group was intended for. They do this because they don’t know any better, but the results are just as fatal. Why? Because members who are part of the group that is being re-used will suddenly have more permissions than the group name would indicate.

These structures become especially confusing when permission groups are nested within themselves or with other permission groups by mistake. To learn more about why users who have more rights than necessary may pose a threat to the security of your data, read our article Reference Users – An Underestimated Risk.

4. Ignoring Conventions

Managing the groups needed to comply with NTFS best practices manually requires a great deal of effort as well as organization-wide discipline. To prevent confusion, mix-ups and other structural issues, all admins must follow the same standards and naming conventions without fail.

5. List Rights Are Either Set Incorrectly or Not Set at all

The use of NTFS permissions does not automatically guarantee that users who have permissions for a specific folder can actually navigate to that folder, e.g. via the Explorer. To do this requires special list permissions (“Show folder contents”) to be set. The best way to set these permissions is via special permission groups called “list groups”, which are nested with the actual permission groups.

By being a member of a read or write group, the user automatically receives all required list rights. It is, however, very important to ensure that these list rights only apply to the respective folder and not to all of its subfolders as well.

Otherwise, users might be able to browse all directories on the file server. To avoid these kinds of mistakes in the future, read our free white paper and learn about best practices for managing permissions in Microsoft environments.

White Paper: Access Management in Microsoft Environments:

  • What are NTFS permissions exactly and how do they work?
  • What are common mistakes when setting NTFS permissions?
  • What are the best practices for handling NTFS permissions?
  • How are NTFS permissions read?
  • What is the best way to document NTFS permissions?

[FREE WHITE PAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how best to treat access rights in Microsoft® environments.

Go to download

What Are the Best Practices for Setting NTFS Permissions?

There are a couple of aspects to consider when setting NTFS permissions:

  • Always use permission groups to set NTFS permissions correctly. Do not give user objects direct NTFS permissions – otherwise, when the user is deleted from the Active Directory, they will leave behind an orphaned entry in the directory.
  • Do not set NTFS permissions on deep levels in the directory. Limit the number of levels to 2-3 in order to keep things clear and simple and prevent so-called “hidden permissions” from occurring.
  • Users who have a “Read and Execute” permission for a specific folder must also have the “List Folder Contents“ permission for any superordinate folders in order to be able to navigate to the actual desired folder. The “List Folder Contents“ permission should be assigned via group membership. Ideally, these groups are nested, so that each user automatically receives the NTFS permissions for browsing when they are given the relevant permissions to the subordinate folder.
  • In Windows, it is possible to “break up” inheritance structures for permissions on each folder level. This means that the usual mechanisms (i.e. superordinate NTFS permissions are inherited by subordinate folders) can be bypassed, making it possible to set entirely new NTFS permissions. This process should be avoided because it makes it more difficult to read NTFS permissions and, as a result, permission structures become confusing and chaotic.
  • Windows 2003 R2 introduced “Access Based Enumeration“ (ABE), which allows folders to be made invisible to users who do not have access to them. Activating this setting will massively improve clarity for users, as they no longer have to comb through hundreds of directories just to find the specific folder they actually need and have access to.
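An added example (not the article's own code) that builds the structure described in the list above for one department folder: a read group, a write group and a list group per folder, the list group nested over the other two, list rights on the parent restricted to “this folder only”, and ABE switched on for the share. It assumes the ActiveDirectory and SmbShare modules; the OU, share name and paths are placeholders.

```powershell
# Constructed example: recommended group and ACL layout for one folder.
# Assumes the ActiveDirectory and SmbShare modules; OU and paths are placeholders.
Import-Module ActiveDirectory

$Share  = 'D:\Shares\Departments'                    # share root (placeholder)
$Folder = Join-Path $Share 'Finance'                 # folder receiving the permissions
$Ou     = 'OU=PermissionGroups,DC=example,DC=com'    # placeholder OU for permission groups
$Domain = (Get-ADDomain).NetBIOSName

# One read, one write and one list group per folder, named by a fixed convention.
$read  = New-ADGroup -Name 'FS_Finance_R'  -GroupScope DomainLocal -Path $Ou -PassThru
$write = New-ADGroup -Name 'FS_Finance_RW' -GroupScope DomainLocal -Path $Ou -PassThru
$list  = New-ADGroup -Name 'FS_Finance_L'  -GroupScope DomainLocal -Path $Ou -PassThru

# Nesting: anyone placed in the read or write group automatically gets the list
# rights. Organizational groups and users are added to $read/$write, never to the ACL.
Add-ADGroupMember -Identity $list -Members $read, $write

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly   = [System.Security.AccessControl.InheritanceFlags]::None   # "This folder only"
$prop       = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace($Group, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$($Group.SamAccountName)", $Rights, $Inherit, $prop, $allow)
}

# The folder itself: read group gets ReadAndExecute, write group gets Modify,
# both inherited by everything below it.
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule((New-Ace $read  'ReadAndExecute' $inheritAll))
$acl.AddAccessRule((New-Ace $write 'Modify'         $inheritAll))
Set-Acl -Path $Folder -AclObject $acl

# The parent: the list group may browse this one level only. With inheritance
# enabled here, its members could browse every directory under the share root.
$parentAcl = Get-Acl -Path $Share
$parentAcl.AddAccessRule((New-Ace $list 'ReadAndExecute' $thisOnly))
Set-Acl -Path $Share -AclObject $parentAcl

# Access Based Enumeration hides folders the user has no access to.
Set-SmbShare -Name 'Departments' -FolderEnumerationMode AccessBased -Force
```

Repeat the block per top-level folder; with two to three levels at most, the list groups stay small and each folder's effective access can be read straight from its three groups.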

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free