Simplifying NTFS File Permissions

I’ve avoided NTFS file permissions for the better part of two decades. First off, I’m not an enterprise admin, and secondly, it seemed like every network I came across had virtually no permissions. Unix, which has a primitive permission system, was usually more “locked down” in most cases.

Lately, though, there have been some mean malware in the wild, including one that encrypts your data, and then charges a ransom to decrypt it. Imagine that getting into your file servers. Yikes.

One corrective is to use those file permissions to protect your files from changes.

References are here.….………


If you change permissions on a share, you have to log out and log back in to see the effect, because the various security principles are cached when you log in.

Changes on large folders and shares take a long time, because the system has to traverse the tree to set permissions.

On network shares, there are two major layers of security – the security on the share, and the security on the files. If the share’s permissions are less permissive, you’ll find yourself seeing an “access denied” message when you have the “change permissions” or “take ownership” or “write” permissions on a file or folder.

Why NTFS seems complex.

The main reason why NTFS file security seems so complex is because Windows is set up to put some complex permissions on newly formatted disks. Why do they do that? User expectation.

The design of the underlying NTFS file system is to deny access to a folder (or file), unless and ACE in the ACL allows it. Think of it as “deny all except who are permitted”. But there’s also a setting that explicitly denies access, too, so it’s more like “deny this list of users, then allow this other list of users, and deny everyone else.”

The expectations of the Windows users, however, is that you have access to everything, except where you are denied access, or someone has taken away your access. So Windows makes new disks with permissions that make that work.

If you take the default “wide open” file system, and then try to impose limitations on it, things can get complex.

Forcing simplicity on the file system.

The easy solution is to revoke all the permissions, and then add a simpler set of permissions that make the disk “wide open” to all the authenticated users. Then, at shared folders, you break the inheritance of permissions, and create new permissions that make the folder available only to selected users and groups.

Then, use groups to make groups of people, and use these groups to grant permissions to specific folders.

If you have many folders, use groups to make another tier of organization. See the third link above.

This seems complex, but it really simplifies security.