What are the minimum permissions needed to change the attributes of a file?

Summary: Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.


Article Content

Symptoms

Article Summary: This article discusses NTFS permissions and share permissions in Windows and how they work together to regulate access to files and folders.

 

Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.

  • NTFS permissions are applied to every file and folder stored on a volume formatted with the NTFS file system. By default, permissions are inherited from a root folder to the files and subfolders beneath it, though this inheritance can be disabled. NTFS permissions take effect regardless of whether a file or folder is accessed locally or remotely. NTFS permissions, at the basic level, offer access levels of Read, Read and Execute, Write, Modify, List Folder Contents, and Full Control, as shown below:

    There is also an advanced set of NTFS permissions, which divides the basic access levels into more granular settings. These advanced permissions vary depending on the type of object to which they are applied. The advanced permissions on a folder are shown below:

  • Share permissions are only applied to shared folders. They take effect when a shared folder is accessed across a network from a remote machine. The share permissions on a particular shared folder apply to that folder and its contents. Share permissions are less granular than NTFS permissions, offering access levels of Read, Change, and Full Control:

The most important thing to remember about NTFS permissions and share permissions is the manner in which they combine to regulate access.
The rules for determining a user's level of access to a particular file are as follows:

  • If the file is accessed locally, only the NTFS permissions are used to determine the user's level of access.
  • If the file is accessed through a share, NTFS and share permissions are both used, and the most restrictive permission applies. For example, if the share permissions on the shared folder grant the user Read access and the NTFS permissions grant the user Modify access, the user's effective permission level is Read when accessing the share remotely and Modify when accessing the folder locally.
  • A user's individual permissions combine additively with the permissions of the groups that the user is a member of. If a user has Read access to a file, but the user is a member of a group that has Modify access to the same file, the user's effective permission level is Modify.
  • Permissions assigned directly to a particular file or folder [explicit permissions] take precedence over permissions inherited from a parent folder [inherited permissions].
  • Explicit Deny permissions take precedence over explicit Allow permissions, but because of the previous rule, explicit Allow permissions take precedence over inherited Deny permissions.
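
The rules above can be expressed as a small evaluator. This is an added example, not part of the original article: the access-mask numbers are the .NET FileSystemRights values, while the `Ace` class, the function names, the sample user and group, and the choice to model the share-level Read with the Read & Execute mask are assumptions made for illustration.

```python
from dataclasses import dataclass

# Access masks, using the .NET FileSystemRights values.
READ, READ_AND_EXECUTE, MODIFY = 0x20089, 0x200A9, 0x301BF
WRITE_ATTRIBUTES = 0x100
SHARE_READ = READ_AND_EXECUTE  # assumption: share-level Read modelled with this mask

@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group name (constructed)
    allow: bool             # True = Allow entry, False = Deny entry
    mask: int
    inherited: bool = False

def ntfs_access(acl, token):
    """Rights the ACL grants to a token (the user plus the user's groups)."""
    # Precedence from the rules above: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow. The first entry to mention a right wins.
    granted = denied = 0
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def effective_access(acl, token, share_mask=None):
    """Local access: NTFS only. Through a share: a right must be in both."""
    ntfs = ntfs_access(acl, token)
    return ntfs if share_mask is None else ntfs & share_mask

# Constructed sample: alice has Read, her group Staff has Modify (both inherited).
TOKEN = {"alice", "Staff"}
ACL = [Ace("alice", True, READ, inherited=True),
       Ace("Staff", True, MODIFY, inherited=True)]
# Same folder with an inherited Deny and an explicit Allow of Write Attributes.
ACL_MIXED = ACL + [Ace("Staff", False, WRITE_ATTRIBUTES, inherited=True),
                   Ace("alice", True, WRITE_ATTRIBUTES)]

if __name__ == "__main__":
    print(hex(effective_access(ACL, TOKEN)))              # local access
    print(hex(effective_access(ACL, TOKEN, SHARE_READ)))  # through the share
    print(bool(effective_access(ACL_MIXED, TOKEN) & WRITE_ATTRIBUTES))
```
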
 

Both sets of permissions can be assigned in the properties window of a file or folder. NTFS permissions are assigned in the Security tab of the properties window, while share permissions are assigned in the Sharing tab by clicking Advanced Sharing, then clicking Permissions.

NTFS is the default file system of the Windows operating system family, offering a wide range of advanced features such as journaling, compression, quotas, and much more. NTFS also offers a flexible security model, allowing administrators to control how users and groups can interact with folders and files. These interactions are controlled through the assignment of permissions.

Basic and Advanced Permissions

NTFS permissions are logically grouped into a series of six basic permissions, each of which is composed of a specific set of advanced [special] permissions. These groupings make it easier to apply complementary permissions to users and groups.

PERMISSION | Read | Write | List Folder Contents | Read & Execute | Modify | Full Control

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Delete
Read Permissions
Change Permissions
Take Ownership

Permissions can have different meanings depending on whether they're applied to folders or files. Let's start with the basic permissions.

Permission - Meaning for Folders / Meaning for Files

  • Read - For folders: permits viewing and listing of files and subfolders. For files: permits viewing or accessing of the file's contents.
  • Write - For folders: permits adding of files and subfolders. For files: permits writing to a file.
  • Read & Execute - For folders: permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders. For files: permits viewing and accessing of the file's contents as well as executing the file.
  • List Folder Contents - For folders: permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only. For files: N/A.
  • Modify - For folders: permits reading and writing of files and subfolders; allows deletion of the folder. For files: permits reading and writing of the file; allows deletion of the file.
  • Full Control - For folders: permits reading, writing, changing, and deleting of files and subfolders. For files: permits reading, writing, changing, and deleting of the file.

Now we'll further refine our understanding of the available advanced [also known as "special"] permissions.

  • Traverse Folder / Execute File - Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders [applies to folders only]. Execute File allows or denies running program files [applies to files only].
  • List Folder / Read Data - List Folder allows or denies viewing file names and subfolder names within the folder [applies to folders only]. Read Data allows or denies viewing data in files [applies to files only].
  • Read Attributes - Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by the NTFS file system.
  • Read Extended Attributes - Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
  • Create Files / Write Data - Create Files allows or denies creating files within the folder [applies to folders only]. Write Data allows or denies making changes to the file and overwriting existing content [applies to files only].
  • Create Folders / Append Data - Create Folders allows or denies creating folders within the folder [applies to folders only]. Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data [applies to files only].
  • Write Attributes - Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
  • Write Extended Attributes - Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
  • Delete Subfolders and Files - Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
  • Delete - Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
  • Read Permissions - Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
  • Change Permissions - Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
  • Take Ownership - Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
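
Which advanced permissions each basic permission carries can be read off the access masks. The following is an added example, not part of the original article: the numbers are the .NET FileSystemRights values, List Folder Contents is given the same mask as Read & Execute because the two differ only in inheritance, and the function names are illustrative.

```python
# Advanced (special) permission bits, using .NET FileSystemRights values.
ADVANCED = {
    "Traverse Folder / Execute File": 0x20,
    "List Folder / Read Data": 0x1,
    "Read Attributes": 0x80,
    "Read Extended Attributes": 0x8,
    "Create Files / Write Data": 0x2,
    "Create Folders / Append Data": 0x4,
    "Write Attributes": 0x100,
    "Write Extended Attributes": 0x10,
    "Delete Subfolders and Files": 0x40,
    "Delete": 0x10000,
    "Read Permissions": 0x20000,
    "Change Permissions": 0x40000,
    "Take Ownership": 0x80000,
}
BASIC = {
    "Read": 0x20089,
    "Write": 0x116,
    "List Folder Contents": 0x200A9,  # same rights as Read & Execute
    "Read & Execute": 0x200A9,
    "Modify": 0x301BF,
    "Full Control": 0x1F01FF,
}

def expand(basic):
    """Advanced permissions contained in a basic permission."""
    mask = BASIC[basic]
    return [name for name, bit in ADVANCED.items() if mask & bit]

def basics_granting(advanced):
    """Basic permissions that include the advanced right, narrowest first."""
    bit = ADVANCED[advanced]
    hits = [b for b, m in BASIC.items() if m & bit]
    return sorted(hits, key=lambda b: bin(BASIC[b]).count("1"))

def over_grant(basic, needed):
    """Advanced rights a basic permission hands out beyond the needed ones."""
    return [r for r in expand(basic) if r not in needed]

if __name__ == "__main__":
    print(basics_granting("Write Attributes"))
    print(over_grant("Write", {"Write Attributes"}))
```

When only attribute changes are required, assigning the advanced Write Attributes permission on its own avoids the extra rights that `over_grant` reports for the basic Write permission.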

Permission Inheritance

By default, NTFS permissions for files and folders inherit the permissions of their parent folder. The primary purpose of file system permissions inheritance is to simplify administration. Without inheritance, administrators would need to specify permissions explicitly for each and every file and folder.

There are cases, however, when an administrator will need to assign explicit permissions to a file system branch. This can be accomplished by disabling permissions inheritance for a given set of child objects [files or folders] and then assigning the desired permissions.

Network Share Permissions

Windows shares can be used to provide access to one or more folders via the network. Share permissions are distinct from NTFS permissions and take effect when the associated folder is accessed from a remote machine. Share permissions are also less granular than NTFS permissions, offering Read, Change, and Full Control access levels.

What are the minimum permissions needed to take ownership of a file or folder?

You must have Full Control or the special permission "Take Ownership" to be able to take ownership of a file or folder. Users who have the "Restore files and directories" privilege can assign ownership to any user or group.

What permissions would they need to change a file?

To change file and directory permissions, use the command chmod [change mode]. The owner of a file can change the permissions for user [ u ], group [ g ], or others [ o ] by adding [ + ] or subtracting [ - ] the read, write, and execute permissions.

Which NTFS permission is needed to change attributes and permissions?

Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder.

What are the minimum NTFS permissions required to allow users to change the document content stored in a shared folder?

Answer - C - The minimum NTFS permissions required to allow users to open documents and run programs stored in a shared folder is Read & Execute. Key Takeaway: The Read & Execute permission displays the file's data, attributes, owner, and permissions and allows you to run the file.
