Windows 101: Know the basics about NTFS permissions

Most seasoned administrators are familiar with the fact that
New Technology File System (NTFS) permissions are available on every file,
folder, registry key, printer, and Active Directory object. First introduced
with Windows NT to replace the File Allocation Table (FAT) file system, NTFS has gone through several changes over the
years. Windows 2000, Windows Server 2003, and Windows XP use the current
incarnation, NTFS v5.

When it comes to the old NTFS (from Windows NT) and the
current NTFS, there are a lot of similarities and a few differences. Let’s take
a closer look.

Standard vs. advanced permissions

You can set NTFS permission to Allow or Deny. Here’s a look
at the standard permissions in the old NTFS:

• Full Control: Users can modify,
  add, move, and delete files, as well as their associated properties and
  directories. In addition, users can change permissions settings for all
  files and subdirectories.
• Modify: Users can view and modify
  files and file properties, including deleting and adding files to a
  directory or file properties to a file.
• Read & Execute: Users can run
  executable files, including scripts.
• Read: Users can view files and
  file properties.
• Write: Users can write to a file.

Microsoft later advanced these permissions to include the
following:

• Traverse Folder/Execute File: Users
  can navigate through folders to reach other files or folders, even if they
  have no permissions for the traversed files or folders. The Traverse Folder
  permission takes effect only when the group or user doesn’t have the
  Bypass Traverse Checking user right in the Group Policy snap-in. (By
  default, the Everyone group has the Bypass Traverse Checking user right.)
• List Folder/Read Data: Users can
  view a list of a folder’s contents and data files.
• Read Attributes: Users can view
  the attributes of a file or folder, such as read-only and hidden. (NTFS
  defines these attributes.)
• Read Extended Attributes: Users
  can view the extended attributes of a file or folder. (Defined by programs,
  extended attributes may vary.)
• Create Files/Write Data: The
  Create Files permission allows users to create files within the folder. (This
  permission applies to folders only.) The Write Data permission allows users
  to make changes to the file and overwrite existing content. (This
  permission applies to files only.)
• Create Folders/Append Data: This
  Create Folders permission allows users to create folders within a folder.
  (This applies to folders only.) The Append Data permission allows users to
  make changes to the end of the file, but they can’t change, delete, or
  overwrite existing data. (This applies to files only.)
• Write Attributes: Users can change
  the attributes of a file or folder, such as read-only or hidden. (NTFS
  defines these attributes.)
• Write Extended Attributes: Users
  can change the extended attributes of a file or folder.
• Delete: Users can delete the file
  or folder. (If users don’t have the Delete permission on a file or folder,
  they can still delete it if they have the Delete Subfolders And Files permission
  on the parent folder.)
• Read Permissions: Users have reading
  permissions of the file or folder, such as Full Control, Read, and Write.
• Change Permissions: Users have
  changing permissions of the file or folder, such as Full Control, Read, and
  Write.
• Take Ownership: Users can take
  ownership of the file or folder. The owner of a file or folder can always
  change permissions on it, regardless of any existing permissions that
  protect the file or folder.

What’s the big difference?

The big difference between the old NTFS and the new NTFS is
the establishment of Inherited and Explicit permission precedence. While you
might assume that the Deny permission takes precedence over any other
permission, that isn’t always the case.

Here’s the hierarchy for permissions:

• Explicit
  Deny
• Explicit
  Allow
• Inherited
  Deny
• Inherited
  Allow

As a user accesses each
file, folder, registry key, printer, and Active Directory object, the
system checks the permissions from top to bottom. When it meets one of these four
conditions, it either grants or denies access. This allows you to set
permission inheritance for an object and maintain fine control for exceptions
to your general permissions policy.

Final thoughts

NTFS permissions offer a great deal of control when it comes
to resources on your systems. If you’re having trouble with users not being
able to access required data or objects in your Active Directory structure,
look at the hierarchy for those permissions, and you’ll find the problem.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.