NTFS and share permissions are both often used in Microsoft Windows environments. While share and NTFS permissions both serve the same purpose — preventing unauthorized access — there are important differences to understand before you determine how to best perform a task like sharing a folder. Here are the key differences between share and NTFS permissions, along with some recommendations for when and how to use each of them.
What Are NTFS Permissions?
NTFS (New Technology File System) is the standard file system for Microsoft Windows NT and later operating systems; NTFS permissions are used to manage access to data stored in NTFS file systems. The main advantages of NTFS share permissions are that they affect both local users and network users and that they are based on the permissions granted to an individual user at the Windows logon, regardless of where the user is connecting from.
There are both basic and advanced NTFS permissions. You can set each of the permissions to “Allow” or “Deny” to control access to NTFS objects. Here are the basic types of access permissions:
- Full Control — Users can add, modify, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
- Modify — Users can view and modify files and file properties, including adding files to or deleting files from a directory, or file properties to or from a file.
- Read & Execute — Users can run executable files, including scripts.
- Read — Users can view files, file properties and directories.
- Write — Users can write to a file and add files to directories.
Share permissions manage access to folders shared over a network; they don’t apply to users who log on locally. Share permissions apply to all files and folders in the share; you cannot granularly control access to subfolders or objects on a share. You can specify the number of users who are allowed to access the shared folder. Share permissions can be used with NTFS, FAT and FAT32 file systems.
There are three types of share permissions: Full Control, Change and Read. You can set each of them to “Deny” or “Allow” to control access to shared folders or drives:
- Read — Users can view file and subfolder names, read data in files, and run programs. By default, the “Everyone” group is assigned “Read” permissions.
- Change — Users can do everything allowed by the “Read” permission, as well as add files and subfolders, change data in files, and delete subfolders and files. This permission is not assigned by default.
- Full Control — Users can do everything allowed by the “Read” and “Change” permissions, and they can also change permissions for NTFS files and folders only. By default, the “Administrators” group is granted “Full Control” permissions.
Here are the key differences between NTFS and share permissions that you need to know:
- Share permissions are easy to apply and manage, but NTFS permissions enable more granular control of a shared folder and its contents.
- When share and NTFS permissions are used simultaneously, the most restrictive permission always wins. For example, when the shared folder permission is set to “Everyone Read Allow” and the NTFS permission is set to “Everyone Modify Allow”, the share permission applies because it is most restrictive; the user is not allowed to change the files on the shared drive.
- Share permissions can be used when sharing folders in FAT and FAT32 file systems; NTFS permissions can’t.
- NTFS permissions apply to users who are logged on to the server locally; share permissions don’t.
- Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder.
- Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings. NTFS permissions are configured on the Security tab in the file or folder properties.
How to Change NTFS Permissions
To change NTFS permissions:
- Open the “Security” tab.
- In the folder’s “Properties” dialog box, click “Edit”.
- Click on the name of the object you want to change permissions for.
- Select either “Allow” or “Deny” for each of the settings.
- Click “Apply” to apply the permissions.
Alternatively, you can change NTFS permissions using PowerShell.
To change share permissions:
- Right-click the shared folder.
- Click “Properties”.
- Open the “Sharing” tab.
- Click “Advanced Sharing”.
- Click “Permissions”.
- Select a user or group from the list.
- Select either “Allow” or “Deny” for each of the settings.
Permissions Best Practices
- Assign permissions to groups, not user accounts — Assigning permissions to groups simplifies management of shared resources. If a user’s role changes, you simply add them to the appropriate new groups and remove them from any groups that are no longer relevant.
- Enforce the principle of least privilege — Grant users the permissions they need and nothing more. For example, if a user needs to read the information in a folder but never has a legitimate reason to delete, create, or change files, make sure they have only the “Read” permission.
- Use only NTFS permissions for local users — Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally.
- Put objects with the same security requirements in the same folder — For example, if users require the “Read” permission for several folders that are used by one department, store those folders in the same parent folder and share that parent folder, rather than sharing each folder individually.
- Do not set the permissions for the “Everyone” group to “Deny” — The “Everyone” group includes anyone who has access to shared folders, including the “Guest” account, with the exception of the “Anonymous Logon” group.
- Avoid explicitly denying permissions to a shared resource — Normally, you should explicitly deny permissions only when you want to override specific permissions that are already assigned.
- Grant the “Administrators” group the “Full Control” permission to the parent shared folder — This strategy enables administrators to manage permissions, export access lists, and track changes to all permissions, files and folders.
- Keep a close eye on the membership of the “Administrators” group — Users in this group have “Full Access” permissions to all of your shared files and folders. Therefore, you should carefully audit changes to its membership, using either audit policy and the security event log, or third-party software solutions that can notify you about any changes to this powerful group in real time, as well as facilitate regular attestation for all user permissions.
For more information, read about NTFS permissions management best practices.
Using Just One Set of Permissions
If you feel that working with two separate sets of permissions is too complicated, you can use just NTFS share permissions. Simply change the share permissions for the folder to “Full Control,” and then you can make whatever changes you want to the NTFS permissions without having to worry about the file share permissions interfering with them.
Understanding the differences between Share and NTFS permissions enables you to use them together to secure access to local and shared resources. Following the guidelines and best practices detailed here will further strengthen the security of your IT environment.