Permissions management is one of the most critical concepts in security, and it involves ensuring that proper permissions are set for users. One important aspect of permissions management is understanding the difference between share and NTFS permissions, which serve the same purpose of preventing unauthorized access but function independently of each other.
However, conflicts may arise when NTFS and share permissions interact or when a shared folder is nested within another shared folder with different permissions. Such conflicts can lead to users being unable to access their data or being granted higher levels of access than intended by security administrators.
I will be discussing the key differences between share and NTFS permissions, so you’ll know what to do.
What is NTFS?
A file system is a method of organizing data on a drive that specifies how data is stored and what types of information, such as file names and permissions, can be attached to files.
NTFS, which stands for New Technology File System, is the latest file system used by the Windows NT operating system for storing and retrieving files. Before NTFS, Microsoft’s older operating systems primarily used the file allocation table (FAT) file system, which was designed for small disks and simple folder structures.
Compared to FAT, NTFS offers support for larger file sizes and hard drives, as well as enhanced security features. Microsoft introduced NTFS in 1993 with the release of Windows NT 3.1, and it has been the file system used in all of Microsoft’s subsequent operating systems, including Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows NT.
NTFS Permissions
NTFS permissions are used to manage access to the files and folders that are stored in NTFS file systems.
To see what kind of permissions you will be extending when you share a file or folder:
- Right-click on the file/folder
- Go to “Properties”
- Click on the “Security” tab
You’ll then see this window:
Besides Full Control, Change, and Read, which can be set for groups or for individual users, NTFS offers a few more permission options:
- Full control: Allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories.
- Modify: Allows users to read and write files and subfolders; also allows deletion of the folder.
- Read & execute: Allows users to view and run executable files, including scripts.
- List folder contents: Permits viewing and listing files and subfolders as well as executing files; inherited by folders only.
- Read: Allows users to view the folder and subfolder contents.
- Write: Allows users to add files and subfolders and to write to a file.
Share Permissions
When we share a specific folder and want to set the permissions for that folder, that’s a share. The share permissions determine the type of access others have to the shared folder across the network.
To check what kind of permissions you will be extending when you share a folder:
- Right click on the folder
- Go to “Properties”
- Click on the “Sharing” tab
- Click on “Advanced Sharing…”
- Click on “Permissions”
You’ll then see this window:
There are three types of share permissions: Full Control, Change, and Read.
- Full Control: Enables users to “read” and “change,” as well as edit permissions and take ownership of files.
- Change: Allows users to read, execute, write, and delete folders and files within the share.
- Read: Read allows users to view the folder’s contents.
How to Use Share and NTFS Permissions
One of the common questions that comes up when you’re configuring security is “what happens when share and NTFS permissions interact with each other?”
When share and NTFS permissions are both set on a folder, the most restrictive permission wins.
Example 1: If the share permissions are “Read”, and NTFS permissions are “Full control”, when a user accesses the file on the share, they will be given “Read” permission.
Example 2: If the share permissions are “Full Control”, and NTFS permissions are “Read”, when a user accesses the file on the share, they will still be given “Read” permission.
Managing NTFS Permissions and Share Permissions
As a system administrator, having both NTFS permissions and share permissions can sometimes be complicated and time-consuming. However, there is a solution to simplify this process. By using only NTFS permissions, you can gain greater flexibility and control over access to shared folders.
Shared folder permissions may provide limited security with just three types of permission settings, which is why using NTFS permissions is recommended. NTFS permissions are applied whether the resource is accessed locally or over the network, making them more versatile.
To switch to using only NTFS permissions, change the share permissions for the folder to “Full Control.” Once this is done, you can easily manage and modify the NTFS permissions without worrying about any interference from the share permissions.
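The "most restrictive wins" rule and the NTFS-only setup described above can be checked on a file server with the audit below, an added example that is not part of the original article. The function names, the level ranking, and the mapping of NTFS Modify to share Change are assumptions made for comparison. Deny entries and group membership are not evaluated, so NetworkMax is an upper bound for each NTFS entry.

```powershell
# Added example: compare share permissions with the NTFS ACL on each shared folder.
# Run elevated on Windows 8 / Server 2012 or later (uses the SmbShare module).
$rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }
$fsr  = [System.Security.AccessControl.FileSystemRights]

function Get-NtfsLevel($Rights) {
    # Assumption: collapse the NTFS mask to a share-style level (Modify ~ Change).
    if ($Rights.HasFlag($fsr::FullControl)) { return 'Full' }
    if ($Rights.HasFlag($fsr::Modify))      { return 'Change' }
    if ($Rights.HasFlag($fsr::Read))        { return 'Read' }
    return 'None'   # write-only and generic-rights ACEs are not classified here
}

function Get-ShareNtfsReport {
    foreach ($share in Get-SmbShare -Special $false) {
        if (-not $share.Path) { continue }          # skip shares with no folder path
        $allow = Get-SmbShareAccess -Name $share.Name |
                 Where-Object { "$($_.AccessControlType)" -eq 'Allow' }
        # Highest right any share ACE grants; nobody gets more than this over the network.
        $ceiling = 'None'
        foreach ($ace in $allow) {
            $right = "$($ace.AccessRight)"
            if ($rank.ContainsKey($right) -and $rank[$right] -gt $rank[$ceiling]) {
                $ceiling = $right
            }
        }
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $ntfs = Get-NtfsLevel $ace.FileSystemRights
            # Most restrictive wins: network access is the lower of the two levels.
            $net = if ($rank[$ntfs] -le $rank[$ceiling]) { $ntfs } else { $ceiling }
            [pscustomobject]@{
                Share         = $share.Name
                Identity      = $ace.IdentityReference
                NtfsLevel     = $ntfs
                ShareCeiling  = $ceiling
                NetworkMax    = $net
                CappedByShare = ($rank[$ntfs] -gt $rank[$ceiling])
            }
        }
    }
}

Get-ShareNtfsReport | Format-Table -AutoSize
```

A share whose rows show ShareCeiling = Full and CappedByShare = False is one where NTFS alone decides access; rows with CappedByShare = True are NTFS grants that the share permissions reduce for network users.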