Many users who migrate from Windows 9x to Windows 2000 may not be familiar with NTFS permissions and, specifically, how they differ from share permissions. Understanding NTFS permissions and share permissions is critical to securely sharing local resources with others on the network. Here’s a quick look at the basic differences between share and NTFS permissions, along with some recommendations about using each.

Share vs. NTFS
Share permissions are the permissions you set for a folder when you share that folder. The share permissions determine the type of access others have to the shared folder across the network. There are three types of share permissions: Full Control, Change, and Read.

NTFS permissions determine the action users can take for a folder or file both across the network and locally. Unlike share permissions, NTFS permissions offer several other permissions besides Full Control, Change, and Read that can be set for groups or individually. The most restrictive permission applies when share and NTFS permissions conflict.

Pay close attention to FAT drives
The default behavior in Windows 2000 is to grant Full Control to the built-in Everyone group when you share a folder. If you’re sharing an NTFS folder, Full Control at the share level is fine because you can allow or deny access (or varying levels of access) through NTFS permissions for specific users or groups. When sharing a folder on a FAT volume, however, pay closer attention to permissions.

For example, you probably don’t want Everyone to have Full Control; instead, you can limit access based on group membership. If that’s the case, open the Sharing property page for the folder and click Permissions to open the Permissions dialog box. Adjust share permissions as necessary, adding and removing groups, to achieve the required level of security.

To configure NTFS permissions, click the Security tab in the folder’s property sheet, and then adjust permissions as needed, adding and removing groups and specifying the required permissions.