Windows 2003 NTFS and Share Permissions


The concept of permissions in a Microsoft environment is one of the more confusing subjects that certification candidates face, but it is a necessary topic to know, as many of Microsoft's certification exams test on it. This guide aims to help you understand the various types of permissions and how to use them in a Windows 2003 environment.

NTFS file permissions are used to control the access that a user, group, or application has to folders and files. They are referred to as NTFS permissions because a drive must be formatted with NTFS in order to utilize these permissions.

NTFS File Permissions:
NTFS file permissions are used to control the access that a user, group, or application has to files. This first table displays the available permissions for files.

| Permission | Description |
|---|---|
| Full Control | Read, write, modify, execute, change attributes, permissions, and take ownership of the file. |
| Modify | Read, write, modify, execute, and change the file's attributes. |
| Read & Execute | Display the file's data, attributes, owner, and permissions, and run the file (if it's a program or has a program associated with it for which you have the necessary permissions). |
| Read | Display the file's data, attributes, owner, and permissions. |
| Write | Write to the file, append to the file, and read or change its attributes. |

Windows 2000 & 2003 have the option of denying a user or users a particular permission. For example, if you wanted to make sure that Bob is unable to read any file, then simply deny him read permissions. Permissions are cumulative, except for Deny, which overrides everything. By cumulative, we mean that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups that the user is a member of. For example, if Bob is assigned Read access to a file, and the "sales" group that Bob is a member of has Write permissions assigned, Bob's effective permissions are Read and Write for that file.

NTFS Folder Permissions:
NTFS Folder permissions determine the access that is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. The following table displays the different permissions for folders.

| Permission | Description |
|---|---|
| Full Control | Read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within. |
| Modify | Read, write, modify, and execute files in the folder, and change attributes of the folder or files within. |
| Read & Execute | Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions). |
| List Folder Contents | Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions). |
| Read | Display the file's data, attributes, owner, and permissions. |
| Write | Write to the file, append to the file, and read or change its attributes. |

The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and are therefore different permissions. Files can inherit the Read & Execute permission but can't inherit the List Folder Contents permission. Folders can inherit both.

File permissions override folder permissions. For example, let's say that Bob has read access to a file called file.txt which is located in a folder that he has no access to. In this case, the file will be invisible to Bob, and since he cannot list the folder contents, he would have to access the file using the UNC path or the logical file path.

Copying, Moving, and Inheritance:
The next table shows what happens to files when they are copied or moved within or across NTFS partitions.

| Action | Result |
|---|---|
| Moving within a partition | Does not create a new file; simply updates the location in the directory. File keeps its original permissions. |
| Moving across a partition | Creates a new file and deletes the old one. Inherits the target folder's permissions. |
| Copying within a partition | Creates a new file which inherits the permissions of the target folder. |

Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but will retain their long filenames.

Special Access File Permissions:
Windows 2000 & 2003 also support special access permissions which are made by combining other permissions. The following tables will show special access permissions and the recipes to make them.

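| File Special Permissions | Full Control | Modify | Read & Execute | Read | Write |
|---|---|---|---|---|---|
| Traverse Folder/Execute File | X | X | X | | |
| List Folder/Read Data | X | X | X | X | |
| Read Attributes | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | |
| Create Files/Write Data | X | X | | | X |
| Create Folders/Append Data | X | X | | | X |
| Write Attributes | X | X | | | X |
| Write Extended Attributes | X | X | | | X |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |
| Synchronize | X | X | X | X | X |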

Special Access Folder Permissions:
Below are the special access permissions for folders.

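| Folder Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read |
|---|---|---|---|---|---|
| Traverse Folder/Execute File | X | X | X | X | |
| List Folder/Read Data | X | X | X | X | X |
| Read Attributes | X | X | X | X | X |
| Read Extended Attributes | X | X | X | X | X |
| Create Files/Write Data | X | X | | | |
| Create Folders/Append Data | X | X | | | |
| Write Attributes | X | X | | | |
| Write Extended Attributes | X | X | | | |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |
| Synchronize | X | X | X | X | X |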


Remember that a file's permissions override the permissions of its parent folder. Anytime a new file is created, the file will inherit permissions from the target folder.

Share Permissions:
Shares are administered through the MMC, My Computer or through Explorer and permissions can be set on a share in the "Share Permissions" tab. Share level permissions only apply when a file or folder is being accessed via the network and do not apply to a user logged into the machine locally. The following are the different share-level permissions:

| Permission | Description |
|---|---|
| Read | View files and subdirectories. Execute applications. No changes can be made. |
| Change | Includes read permissions and the ability to add, delete or change files or subdirectories. |
| Full Control | Can perform any and all functions on all files and folders within the share. |


The Deny permission can also be applied to shares. The Deny permission overrides all others. When folders on FAT and FAT32 volumes are shared, only the share level permissions apply as these systems do not support file and directory (NTFS) permissions. When folders on NTFS volumes are shared, the effective permission of the user will be the most restrictive of the NTFS and share permissions. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of read and file permissions of full control, his effective permissions would be read. Conversely, if his share permissions are full control and his file permissions are read, he will still only have read permissions to mystuff.
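
The rules described in this guide (Allow permissions accumulate across a user and their groups, Deny overrides, and network access gets the most restrictive of NTFS and share permissions) can be modeled in a few lines. The Python below is an added example, not part of the original guide: the ACL tuple format, the function names and the mapping of share levels onto NTFS special permissions are assumptions made for illustration. Real Windows access checks also depend on ACE ordering and inheritance, which this model leaves out.

```python
# Added example: simplified model of the permission rules in this guide.
# Standard file permissions as sets of special permissions, following the
# "File Special Permissions" table on this page.
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions", "Synchronize"})
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes",
                   "Read Permissions", "Synchronize"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions",
                         "Take Ownership"}
STANDARD = {"Full Control": FULL_CONTROL, "Modify": MODIFY,
            "Read & Execute": READ_EXECUTE, "Read": READ, "Write": WRITE}
# Assumption: share levels mapped onto the same rights so the two layers can
# be intersected (share Read allows viewing and executing; Change adds edits).
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


def effective(acl, user, groups):
    """acl is a list of (trustee, 'allow' or 'deny', rights) entries.
    Allows accumulate across the user and their groups; a matching Deny
    removes the right no matter who granted it."""
    who = {user, *groups}
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in who:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def effective_over_network(ntfs_acl, share_acl, user, groups):
    """Most restrictive of NTFS and share: only rights granted by both layers."""
    return effective(ntfs_acl, user, groups) & effective(share_acl, user, groups)


def standard_names(rights):
    """Standard permissions fully covered by a set of special permissions."""
    return [name for name, needed in STANDARD.items() if needed <= rights]


if __name__ == "__main__":
    # Constructed sample ACLs based on the guide's Bob / "sales" scenarios.
    ntfs = [("Bob", "allow", READ), ("sales", "allow", WRITE)]
    print(standard_names(effective(ntfs, "Bob", ["sales"])))
    full = [("sales", "allow", FULL_CONTROL), ("Bob", "deny", {"Take Ownership"})]
    share = [("Everyone", "allow", SHARE["Read"])]
    groups = ["sales", "Everyone"]
    print(standard_names(effective(full, "Bob", groups)))
    print(standard_names(effective_over_network(full, share, "Bob", groups)))
```

The last case shows why the Effective Permissions tab alone can mislead: the NTFS layer reports nearly Full Control, while access through the share is capped at the share's Read level.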

Effective Permissions Tool in Windows 2003:
Determining effective permissions can get confusing, especially on enterprise networks. In Windows 2003, Microsoft included a new feature that helps sort this mess out. If you go to the Advanced properties of the Security tab for NTFS resources, there is a tab titled "Effective Permissions" which allows you to calculate the permissions that apply to users or groups. This tool does not take share permissions into account.

Best Practices:
The way companies manage their permissions will vary based on their needs. In any event, a lot of planning should be done before implementing permissions systems in order to avoid a lot of headaches later. Below are some best practices for using permissions.

When setting permissions, you want to minimize the amount of administration required. Imagine if you had to manage the permissions on every file on your network for every user. It would be an administrative nightmare. For this reason, unless absolutely necessary, assign permissions to groups and place users in the relevant group. The same should be done for share permissions as well.

Avoid using Deny permissions except in the following types of cases:
  • Use Deny permissions to exclude a subset of a group which has Allowed permissions.
  • Use Deny to exclude one special permission when you have already granted full control to a user or group.
You definitely should not ever use Deny permissions for the Everyone group because that includes administrators.

When possible, use security templates.

Keep in mind that privileges (rights) can sometimes override permissions.

Note: While the permissions systems in Windows 2000 and 2003 are nearly identical, there are a few differences. One of the biggest permissions differences between Windows 2000 and 2003 was the default security settings. Windows 2000 shipped with full control for the Everyone group (NTFS and share permissions), guest account was enabled, etc. Windows 2003 was locked down better in its default state. For more information on this, read "Changes to Default Settings Make Windows Server 2003 More Secure (Part 1)".