
Dissecting default NTFS permissions: Looking under the hood

Consultant Brad Bird takes a look at NTFS file permissions and their default application. Make sure you understand what each of them includes and how they are inherited through the hierarchy to close up security gaps.

In this post I am referring to the permissions on Windows Vista Business Edition. The other versions of Windows (NT, 2000, XP, Server 2003 and Server 2008) differ only slightly in what each permission is made up of; how those permissions are applied by default is another story. In Windows 2000, for instance, the Everyone group had Full Control at the root of C:\, and that entry was inherited all the way down the hierarchy, which is poor security practice. Later versions have tightened the default application of these permissions.

For most applications, the default NTFS permissions are sufficient. So what are these default permissions?

1. Full Control
2. Modify
3. Read and Execute
4. List Folder Contents
5. Read
6. Write

Generally speaking, these permissions nest: Modify includes Read and Execute, List Folder Contents, Read and Write, and Read and Execute in turn includes Read and List Folder Contents, and so on. Write is the exception and stands apart, because there are circumstances in which you want someone to be able to write to a file or folder (a drop box, for example) without being able to read it. The other permission, the one that is "key to the kingdom", is Full Control. It gives you everything needed to edit files and folders and, on top of that, the ability to change who has access to them (Change Permissions and Take Ownership) and to delete anything beneath a folder even when the items themselves do not grant Delete (Delete Subfolders and Files).

These default permissions are actually made up of individual permissions, which I will show in Table A.

Table A. The individual permissions that make up each default permission. P marks an included permission. FC = Full Control, M = Modify, R&E = Read and Execute, LFC = List Folder Contents (folders only), R = Read, W = Write.

Individual permission           FC   M    R&E  LFC  R    W
Full Control                    P
Traverse Folder/Execute File    P    P    P    P
List Folder/Read Data           P    P    P    P    P
Read Attributes                 P    P    P    P    P
Read Extended Attributes        P    P    P    P    P
Create Files/Write Data         P    P                   P
Create Folders/Append Data      P    P                   P
Write Attributes                P    P                   P
Write Extended Attributes       P    P                   P
Delete Subfolders and Files     P
Delete                          P    P
Read Permissions                P    P    P    P    P    P
Change Permissions              P
Take Ownership                  P

Notice how the individual permissions for Read and Execute, List Folder Contents and Read are very similar yet their applications are quite different. Read and Execute and List Folder Contents are made up of exactly the same individual permissions; what differs is scope. List Folder Contents applies to folders only and is inherited by subfolders but not by files, while Read and Execute is inherited by both. Read differs from them only in lacking Traverse Folder/Execute File, so a user with Read alone cannot run a program from the folder. One individual permission the table leaves out is Synchronize, which Windows includes in every one of the basic permissions.
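The script below is an added example, not code from the original post. It rebuilds Table A from the .NET FileSystemRights enumeration that Get-Acl and Set-Acl work with, then uses the same bit test to audit a path for the Windows 2000-style problem described earlier: broad groups holding write rights at the root of a drive. The function names Get-PermissionMatrix and Test-BroadWriteAccess are mine. Two rows come out differently from the Windows security dialog, and the comments say where: .NET's Write composite omits Read Permissions, and only FullControl carries Synchronize, whereas the dialog includes both in every basic permission.

```powershell
# Added example, not code from the original post. Rebuilds Table A from the
# .NET FileSystemRights enum and audits a path for broad write access.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Individual permissions in the order Table A lists them, plus Synchronize.
# Each name below is the .NET member for the dialog's wording.
$Individual = [ordered]@{
    'Traverse Folder/Execute File' = $FSR::ExecuteFile
    'List Folder/Read Data'        = $FSR::ReadData
    'Read Attributes'              = $FSR::ReadAttributes
    'Read Extended Attributes'     = $FSR::ReadExtendedAttributes
    'Create Files/Write Data'      = $FSR::WriteData
    'Create Folders/Append Data'   = $FSR::AppendData
    'Write Attributes'             = $FSR::WriteAttributes
    'Write Extended Attributes'    = $FSR::WriteExtendedAttributes
    'Delete Subfolders and Files'  = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                       = $FSR::Delete
    'Read Permissions'             = $FSR::ReadPermissions
    'Change Permissions'           = $FSR::ChangePermissions
    'Take Ownership'               = $FSR::TakeOwnership
    'Synchronize'                  = $FSR::Synchronize
}

# The basic permissions are composite values of the same enum. List Folder
# Contents has no .NET composite: it is ReadAndExecute applied to folders only.
$Basic = [ordered]@{
    'FC'  = $FSR::FullControl
    'M'   = $FSR::Modify
    'R&E' = $FSR::ReadAndExecute
    'LFC' = $FSR::ReadAndExecute
    'R'   = $FSR::Read
    'W'   = $FSR::Write
}

function Get-PermissionMatrix {
    # One row per individual permission; 'P' where the composite's bits
    # contain that permission's bit. .NET's Write lacks ReadPermissions and
    # only FullControl includes Synchronize, unlike the security dialog.
    foreach ($name in $Individual.Keys) {
        $bit = [int]$Individual[$name]
        $row = [ordered]@{ 'Individual permission' = $name }
        foreach ($col in $Basic.Keys) {
            $composite = [int]$Basic[$col]
            $row[$col] = if (($composite -band $bit) -eq $bit) { 'P' } else { '' }
        }
        [pscustomobject]$row
    }
}

function Test-BroadWriteAccess {
    # Return Allow entries on $Path that give Everyone, Authenticated Users or
    # BUILTIN\Users any write-class bit. Generic-rights ACEs are not expanded.
    param([Parameter(Mandatory)][string]$Path)
    $writeBits = 0
    foreach ($r in 'Write', 'Delete', 'DeleteSubdirectoriesAndFiles',
                   'ChangePermissions', 'TakeOwnership') {
        $writeBits = $writeBits -bor [int][System.Security.AccessControl.FileSystemRights]$r
    }
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # well-known SIDs, locale independent
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $sid = $null
            try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            ($broad -contains $sid) -and (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

Get-PermissionMatrix | Format-Table -AutoSize
Test-BroadWriteAccess -Path 'C:\' | Format-Table -AutoSize
```

Run against C:\, the second call lists whatever the current Windows default grants to those groups at the root, which is the check to compare with the Windows 2000 situation the post describes; run it against a share root or an application folder to find entries that give ordinary users more than Read.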

The other thing to keep in mind is where the permissions are being applied. By default, an entry set on a folder is inherited by every subfolder and file beneath it, all the way down the tree, unless inheritance is blocked further down.

The "Apply to" choices offered for an entry in the Advanced Security Settings dialog are:

  • this folder only
  • this folder, subfolders, and files
  • this folder and subfolders
  • this folder and files
  • subfolders and files only
  • subfolders only
  • files only

The default is this folder, subfolders, and files, which is why permissions flow down the tree unless you say otherwise.

Depending on circumstance you may want to narrow where an entry applies, so that it reaches only the folder itself or only its files rather than everything beneath it; controlling access within C:\Windows is one example.
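As an added example (again not the post's own code), the script below maps each of the seven "Apply to" choices to the InheritanceFlags and PropagationFlags pair it corresponds to, sets two entries with different scopes on a scratch folder under %TEMP%, and reads back which entries reach a subfolder and a file created beneath it. The helper names New-Ace and Get-DemoAces are mine, and the groups are addressed by well-known SID so the script does not depend on display-language names.

```powershell
# Added example, not code from the original post. Maps the "Apply to"
# choices to .NET inheritance flags and shows what a subfolder and a file
# actually inherit. Assumes Windows PowerShell 5.1 or PowerShell 7 on
# Windows, run as the user who owns %TEMP%.

$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]

# Dialog wording on the left, (InheritanceFlags, PropagationFlags) on the right.
# The dialog's "Apply these permissions to objects and/or containers within
# this container only" box adds NoPropagateInherit to whichever row is chosen.
$ApplyTo = [ordered]@{
    'This folder only'                  = @($IF::None, $PF::None)
    'This folder, subfolders and files' = @(($IF::ContainerInherit -bor $IF::ObjectInherit), $PF::None)
    'This folder and subfolders'        = @($IF::ContainerInherit, $PF::None)
    'This folder and files'             = @($IF::ObjectInherit, $PF::None)
    'Subfolders and files only'         = @(($IF::ContainerInherit -bor $IF::ObjectInherit), $PF::InheritOnly)
    'Subfolders only'                   = @($IF::ContainerInherit, $PF::InheritOnly)
    'Files only'                        = @($IF::ObjectInherit, $PF::InheritOnly)
}

function New-Ace {
    # Build an Allow entry for a SID with the flags behind an "Apply to" choice.
    param([string]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [string]$Scope)
    $flags = $ApplyTo[$Scope]
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($Sid),
        $Rights, $flags[0], $flags[1],
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Get-DemoAces {
    # Return the entries on $Path that name one of $Sids, with their scope flags.
    param([string]$Path, [string[]]$Sids)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        $sid = $null
        try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        if ($Sids -contains $sid) {
            [pscustomobject]@{
                Item        = Split-Path -Path $Path -Leaf
                Identity    = $_.IdentityReference.Value
                Rights      = $_.FileSystemRights
                Inherited   = $_.IsInherited
                Inheritance = $_.InheritanceFlags
                Propagation = $_.PropagationFlags
            }
        }
    }
}

$users     = 'S-1-5-32-545'   # BUILTIN\Users
$authUsers = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users

$root = Join-Path $env:TEMP ('ntfs-demo-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $root
try {
    $acl = Get-Acl -Path $root
    # Users may change whatever lives under the folder, but not the folder itself.
    $acl.AddAccessRule((New-Ace -Sid $users -Rights Modify -Scope 'Subfolders and files only'))
    # Drop-box style entry: write into this folder, nothing below it, no read.
    $acl.AddAccessRule((New-Ace -Sid $authUsers -Rights Write -Scope 'This folder only'))
    Set-Acl -Path $root -AclObject $acl

    # Children created after Set-Acl pick up the inheritable entries.
    $sub  = New-Item -ItemType Directory -Path (Join-Path $root 'sub')
    $file = New-Item -ItemType File -Path (Join-Path $root 'note.txt')

    $root, $sub.FullName, $file.FullName |
        ForEach-Object { Get-DemoAces -Path $_ -Sids $users, $authUsers } |
        Format-Table -AutoSize
}
finally {
    Remove-Item -Path $root -Recurse -Force
}
```

On the scratch folder itself both entries show Inherited False: the Users entry carries ContainerInherit, ObjectInherit with InheritOnly, so it does not apply to the folder, and the Authenticated Users entry carries no flags at all. On sub and note.txt only the Users entry appears, Inherited True; the file's copy has no inheritance flags because a file has nothing beneath it to pass them to. Rights reads back as "Modify, Synchronize" because .NET adds Synchronize to every Allow entry, just as the security dialog does.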

The purpose of this dissection was to look under the covers of NTFS file permissions and consider what the defaults are. What is your experience? Do you have a foolproof formula for applying permissions?


About

Brad Bird is a lead technical consultant and MCT certified trainer based in Ottawa, ON. He works with large organizations, helping them architect, implement, configure, and customize System Center technologies, integrating them into their business pr...

3 comments
LeonBA

One nitpick, though: if someone has Modify permission to a resource, they generally have the other permissions, as you say, except: they won't have Full Control. There's one note I would add, which might seem self-explanatory or not. When someone in an enterprise asks for access to a resource, they're generally asking for (or at least are generally given) Modify permission, unless there's a reason for them to have some other kind of permission--for instance, Read-only.

ktunison

This is also information you will come across if you go to take the workstation certification exams for XP/Vista. It would be nice if you also described the other aspects of NTFS, for example what happens when you remove a folder from inheriting parent permissions, and the effective permissions tab. Another nice follow-on to this could be the attrib command.
