NTFS permissions to lock down a text file?

By Tech_Lady ·
Here's the situation: A user (accounting clerk) on our network using accounting software creates a payroll ACH report that writes as a .txt file to a folder on our network. This file is then copied/drug to an online secure banking repository for processing by another user (the clerk's supervisor). Currently an "Accounting" group in AD, Administrators, and System have FC permissions on the folder and inheritance is enabled.

The problem is that auditors have an issue with the created files being editable by users (even the user who created it)and want it locked down after creation. We need to apply permissions that will allow the user (via an action in the software) to create and write the file to the folder, but then NOT be able to edit it once it is created. The file will need to be able to be read by the bank after dropping it at their repository. Currently, the creating user shows as the owner of the files.

If you need to know... We are running Windows Server 2003 and all workstations are Windows XP Professional.

Can anyone help me with this permissions issue?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Interesting issue

by markp24 In reply to NTFS permissions to lock ...


would it be possible to create a vbs script or batch file to run XCACLS and change the file to Read only for all when the application that creates it exits?
or change the folder permissions to special permissions and allow Create and read, but deny change and delete.
ill post more once i think this out a bit more

Collapse -

Interesting things....

by cmiller5400 In reply to NTFS permissions to lock ...

Those auditors know how to make us go bald.

I'm sure that it can be accomplished somehow using the NTFS permissions, but be warned, deny permissions take precedence, even for Administrators.

I'd start by looking closely at the advanced permissions set. I'd bet there is a combination that will accomplish what you need. Below is a link to a good article explaining permissions.

Collapse -

Another angle

by mafergus In reply to NTFS permissions to lock ...

If it's only one user, set the application to run as a unique user so it is able to access the file and the user wouldn't need rights to location at all.

Collapse -

Share Folder Permissions

by Master_Key In reply to NTFS permissions to lock ...

I think the shared folder permission need to be checked, becuase you can allow the creator only to have full access, or r/w/change, thus other users will face that.

If you have active directory on the server, right click on that folder or this specific file and grant permissions to other users. hope it could help :)

Collapse -

More input

by Tech_Lady In reply to NTFS permissions to lock ...

Thanks for the ideas. We only run payroll every 2 weeks, so I created a folder (as a test) with the user running the file-creating software having only the following NTFS permissions which I thought would work: (Allowed these; denied none)
Traverse folder/Execute File
List Folder/Read data
Read Attributes
Read Extended Attributes
Create files/Write data
Read permissions

So, I had the user try to process the payroll and let the software write the file to this test folder, but she gets a pop-up error that says "File not created" or something to that effect. When you navigate to the folder the file is actually there, but contains 0 kb.

I like the idea of running the software as another user, but the software interacts with a network database and numerous data files, so I'm not sure how well that would work.

I need this figured out. It seems like it should be simple, but it is definitely not. Is there some way I can let the software write the files to a folder with Full Control, then trigger a script or something that will copy the file to a different folder with locked-down permissions and then delete the original?

I guess I'm grasping at straws... Thanks for help.

Collapse -

What about the folder the file is moved to?

by seanferd In reply to More input

Can't you set permissions on that folder so that this user can move the file to the folder, but no other access rights are granted to the folder?

If users need access to that folder otherwise, I'd consider a new, locked-down folder to which to move only these text files. Deny everything, allow Create Folders/Write Data. This should allow the user to dump the file in, but not access the folder to access a file to edit it.

Collapse -

This is a tough one

by markp24 In reply to More input


I would like to try the "run as" option, Is there a staging/ test setup your can try this on to ensure it doesn't cause unforeseen issues?

I also like the last post for tamper proofing the file.

Collapse -

Typical way to create a report is successive appending

by TobiF In reply to More input

Typically any program, which collects data for a report will create the file (when it is opened in the program), and then, row by row, it will append rows to the file, but since it's not allowed to make changes to the file, we're stuck.

Collapse -

What about a different approach?

by TobiF In reply to NTFS permissions to lock ...

Instead of fiddling with file system, permissions and so on, I have another idea to deal with the same problem:

Let a script in the system use PGP or GNUPG to sign the file! The digital signature can be put in a separate file or the signed text can be embedded within text delimiters, depending on what you need.

Now, anybody can verify the file hasn't been tampered with.

Collapse -


by Tech_Lady In reply to What about a different ap ...

I love the idea, but I don't know how to do it. If you can provide steps so I can intelligently sell this to the accounting department and the auditors, I'm game!

Related Discussions

Related Forums