What Are the Best Practices for Setting NTFS Permissions?
There are a couple of aspects to consider when setting NTFS permissions:
- Always use permission groups to set NTFS permissions. Do not grant user objects NTFS permissions directly – otherwise, when the user is deleted from Active Directory, they leave behind an orphaned entry (an unresolvable SID) in the folder's access control list.
- Do not set NTFS permissions at deep levels of the folder tree. Limit explicit permissions to 2-3 levels in order to keep things clear and simple and to prevent so-called “hidden permissions” from occurring.
- Users who have a “Read and Execute” permission for a specific folder must also have the “List Folder Contents” permission for every parent folder in order to be able to navigate to the folder they actually want. The “List Folder Contents” permission should be assigned via group membership. Ideally, these groups are nested, so that each user automatically receives the NTFS permissions needed for browsing when they are given the relevant permissions on the subordinate folder.
- In Windows, it is possible to “break” permission inheritance at any folder level. This means that the usual mechanism (superordinate NTFS permissions are inherited by subordinate folders) can be bypassed, making it possible to set entirely new NTFS permissions on that folder. This should be avoided, because it makes NTFS permissions harder to read and, as a result, permission structures become confusing and chaotic.
- Windows Server 2003 R2 introduced “Access Based Enumeration” (ABE), which hides folders from users who do not have access to them. Activating this setting massively improves clarity for users, as they no longer have to comb through hundreds of directories just to find the specific folder they actually need and have access to.
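As an added example (not code from the original article), the following PowerShell script audits a folder tree for the first four points above: explicit ACEs granted to user objects instead of groups, orphaned SIDs left behind by deleted accounts, explicit permissions set deeper than a chosen level, and folders where inheritance has been disabled. The $Root and $MaxDepth parameters and the Get-PrincipalClass helper are assumptions of this example; it relies only on Get-Acl and the WinNT ADSI provider, so it needs no Active Directory module.

```powershell
param(
    [Parameter(Mandatory)][string]$Root,   # local or UNC path of the share root (assumed parameter)
    [int]$MaxDepth = 3                      # deepest level at which explicit ACEs are still acceptable
)

function Get-PrincipalClass {
    # Classifies an ACE identity as User, Group, BuiltIn, Orphaned or Unresolved (helper of this example).
    param([string]$Name)
    if ($Name -match '^S-1-\d+(-\d+)+$') { return 'Orphaned' }     # bare SID = object no longer exists
    if ($Name -notmatch '\\' -or $Name -match '^(NT AUTHORITY|BUILTIN)\\') { return 'BuiltIn' }
    $domain, $account = $Name -split '\\', 2
    try {
        # The WinNT provider resolves both local and domain principals and reports 'User' or 'Group'
        return ([ADSI]"WinNT://$domain/$account").SchemaClassName
    } catch { return 'Unresolved' }
}

$rootPath = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
$folders  = @(Get-Item -LiteralPath $rootPath) +
            @(Get-ChildItem -LiteralPath $rootPath -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $rel      = $dir.FullName.Substring($rootPath.Length).TrimStart('\')
    $depth    = if ($rel) { ($rel -split '\\').Count } else { 0 }   # 0 = share root
    $acl      = Get-Acl -LiteralPath $dir.FullName
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    # The share root itself usually has inheritance disabled by design, so only flag subfolders.
    if ($depth -gt 0 -and $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Folder = $dir.FullName; Issue = 'Inheritance broken'; Principal = '' }
    }
    if ($depth -gt $MaxDepth -and $explicit.Count -gt 0) {
        [pscustomobject]@{ Folder = $dir.FullName; Issue = "Explicit ACEs below level $MaxDepth"; Principal = '' }
    }
    foreach ($ace in $explicit) {
        $who = $ace.IdentityReference.Value
        switch (Get-PrincipalClass $who) {
            'User'     { [pscustomobject]@{ Folder = $dir.FullName; Issue = 'Direct user ACE'; Principal = $who } }
            'Orphaned' { [pscustomobject]@{ Folder = $dir.FullName; Issue = 'Orphaned SID';    Principal = $who } }
        }
    }
}

$findings | Sort-Object Folder | Format-Table -AutoSize
```

ABE is a property of the share rather than of the NTFS ACL, so this script cannot see it; on Windows Server it is enabled per share with Set-SmbShare -FolderEnumerationMode AccessBased.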
Whitepaper “Best Practices for Access Management in Microsoft Environments”
To get a more detailed overview of all technical and organizational aspects, download our whitepaper “Best Practices for Access Management in Microsoft Environments”, which covers the following questions:
- What are NTFS permissions exactly and how do they work?
- What are common mistakes when setting NTFS permissions?
- What are the best practices for handling NTFS permissions?
- How are NTFS permissions read?
- What is the best way to document NTFS permission assignments?