
How do I... Secure Windows XP NTFS files and shares?

Tags: Microsoft Windows, Advertising & Promotion, Erik Eckel Network+, MCP+I, MCSE, permission, NTFS Permissions, NTFS, dialog box, Microsoft Windows XP, security


Takeaway: Windows XP's NTFS file system, and permissions assigned to folder shares, are designed to protect files and folders from being accessed by unauthorized parties, whether those parties are internal or external to an organization. Here’s how to ensure you’re administering NTFS permissions and file shares appropriately.

This article is also available as a TechRepublic download.

Security is all the rage. From white-hat hacker articles in Wired magazine to daily e-mail newsletter alerts, security concerns threaten to overwhelm most IT professionals.

Most of the talk targets protecting an organization's resources from external audiences. But often there's a very real need to partition data within an organization, too. Just imagine the trouble that would arise were employees able to access one another's HR records.

Windows XP's NTFS file system, and permissions assigned to folder shares, are designed to protect files and folders from being accessed by unauthorized parties, whether those parties are internal or external to an organization. Here's how to ensure you're administering NTFS permissions and file shares appropriately.

File Share Permissions

Most users begin sharing files with workgroups, or peer-to-peer networks, by following these steps:

  1. Right-clicking the folder containing the documents, spreadsheets and files they wish to share.
  2. Selecting Sharing And Security from the pop-up menu.
  3. Selecting the Share This Folder button from the Sharing tab of the folder's Properties dialog box. (Figure A)

Figure A: A folder's Properties dialog box is used to configure share-level permissions for users and groups.

  4. Entering a Share Name for the folder.
  5. Optionally supplying some wording describing the folder's contents within the Comment field.
  6. Clicking OK.

However, that method won't always work as you intend, especially on Windows XP systems formatted with NTFS (in which conflicting NTFS permissions can prevent an intended user from accessing those resources -- more on that in a moment). Worse, Windows XP's default share permissions behavior is set to provide Everyone with access to the share's contents.

It's also important to note that Windows XP's Simple File Sharing, enabled by default, must be turned off to specify different permissions for different users. To turn off Simple File Sharing:

  1. Open Windows Explorer.
  2. Click Tools.
  3. Select Folder Options.
  4. Click the View tab.
  5. Within the Advanced Settings window, scroll to the bottom and uncheck the box for the Use Simple File Sharing (Recommended) option.
  6. Click OK.

To remove the Everyone permissions, and specify varying access permissions different users should receive to a file share:

  1. Right-click the folder you wish to share.
  2. Select Sharing And Security from the pop-up menu.
  3. Click the Permissions button. The Permissions For FolderName dialog box will appear. (Figure B)

Figure B: Share permissions are configured using the Share Permissions tab (reached by clicking the Permissions button from a shared folder's Properties dialog box).

  4. Highlight Everyone from within the Group Or User Names window.
  5. Click the Remove button.
  6. Click the Add button. The Select Users Or Groups dialog box will appear. (Figure C)

Figure C: Specify users and groups by entering them in the Enter The Object Names To Select window and clicking OK.

  7. Within the Enter The Object Names To Select window, specify the users' names for whom you wish to provide access, then click OK.
  8. Highlight (within the Group Or User Names window) the names of the users and groups you selected and specify the appropriate permissions (Allow or Deny for Full Control, Change and Read are the options that appear) within the Permission For Username or Group dialog box.
  9. Click OK to apply the changes and close the dialog box; click OK to close the FolderName Properties dialog box.

The Full Control permission enables a user or group to read, write, delete and execute files within the folder. Users possessing Full Control permission can also create and delete new folders within the share.

The Change permission enables a user or group to read and change files within the folder and create new files and folders within the shared folder. Users with Change permission can also execute programs within the folder.

The Read permission, meanwhile, enables a user or group to read files within the share and execute programs located within the folder.

Windows XP systems formatted with the NTFS file system provide additional permission settings. The next section reviews configuring NTFS permissions.

NTFS Permissions

Windows NTFS permissions provide a host of additional permissions options. In addition, NTFS permissions can be applied to a single file or folder.

Before configuring NTFS permissions, first ensure the Windows XP system is configured to use the NTFS file system:

  1. Click Start.
  2. Click Run.
  3. Type compmgmt.msc and click OK. The Computer Management console will appear.
  4. Highlight Disk Management within the Storage section to learn the file system in use for each of the system's drives.

If a hard disk or partition isn't formatted using NTFS, you can upgrade the disk by typing convert X: /fs:ntfs where X denotes the drive requiring the upgrade. Using the convert command, you can upgrade a drive to NTFS without losing its data. However, it's always best to confirm you have a working backup on hand before executing the command.

To configure NTFS permissions:

  1. Right-click the file or folder you wish to share.
  2. Select Properties from the pop-up menu.
  3. Click the Security tab.
  4. Use the Add/Remove buttons to add and remove permissions for users and groups.
  5. Highlight the respective user or group within the Group Or User Names window and specify the appropriate permissions from within the Permissions For User/Group window using the provided Allow and Deny checkboxes. (Figure D)
  6. Click OK to apply the changes.

Figure D: NTFS permissions permit applying more granular rights, as compared to folder shares.

Note that, by default, subfolders will inherit permissions from parent folders. To customize permissions inheritance, click the Advanced button found on the share or filename's Properties dialog box.

Several NTFS permissions are available:

  • Full Control -- enables a user or group to perform essentially all actions, including view files and subfolders, execute application files, list folder contents, read and execute files, change file and folder attributes, create new files, append data to files, delete files and folders, change file and folder permissions and take ownership of files and folders.
  • Modify -- enables a user or group to view files and subfolders, execute application files, list folder contents, view file and folder attributes, change file and folder attributes, create new files and folders, append file data and delete files.
  • Read & Execute -- enables a user or group to view files and folders, execute application files, list folder contents, read file data and view file and folder attributes.
  • List Folder Contents -- enables a user or group to navigate folders, list folder contents and view file and folder attributes.
  • Read -- enables a user or group to view a folder's contents, read data and view file and folder attributes.
  • Write -- enables a user or group to change file and folder attributes, create new files, make changes to files and create new folders and append file data.

To determine a user's ultimate resulting permissions, add all the NTFS permissions granted to a user directly and as a result of group membership, then subtract those permissions denied directly and as a result of group membership.

For example, if a user is explicitly granted Full Control but is also a member of a Group in which Full Control is denied, the user will not receive Full Control rights. If a user received Read & Execute and List Folder Contents in one group but was also a member of a group that had List Folder Contents denied, the user's resultant NTFS permissions would be only Read & Execute. For this reason, administrators should carefully apply Deny permissions, as the Deny attribute overrules any equivalent instances of Allow when the two rights are applied to the same user or group.

Windows XP includes an effective permissions tool you can use to help verify the permissions a user or group receives. To access the tool:

  1. Open the folder or filename's Properties dialog box.
  2. Click the Security tab.
  3. Click the Advanced button. The Advanced Security Settings For File/Foldername will open.
  4. Click the Effective Permissions tab. (Figure E)
  5. Click the Select button.
  6. The Select User Or Group dialog box will appear.
  7. Type the group or username whose permissions you wish to confirm in the Enter The Object Name To Select window and click OK.
  8. The Advanced Security Settings For File/Foldername dialog box will display the resulting NTFS permissions for that user or group.

Figure E: The Effective Permissions tab helps simplify determining a user or group's actual permissions.

Combining Share and NTFS Permissions

It sounds straightforward. Configure the permissions you want and a user is good to go. But there's one additional catch to keep in mind. Folder share and NTFS permissions must combine to determine the actual rights a user or group receives. Unfortunately, they often conflict.

To determine the ultimate permissions a user receives, take the user or group's resulting share permissions and compare them with the user or group's resulting NTFS permissions. Note that the most restrictive of those rights will prevail.

For example, if a user's resulting NTFS rights are Read & Execute and the same user's resulting share permission is Full Control, the user will not receive Full Control. Instead, Windows calculates the most restrictive of the two resulting rights, which in this case is the NTFS permission of Read & Execute.

Remember that, to determine a user or group's ultimate resulting permissions, the most restrictive of the resulting NTFS and share rights applies. This is an important lesson that's easily forgotten but that quickly leads to frustration for users, so be sure to spend time up front properly calculating share and NTFS permissions.
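The two rules above (add every Allow and subtract every Deny within NTFS or within the share, then take the most restrictive of the two results) can be checked on paper before touching a dialog box. The following Python sketch is an added example, not code from the article or from Windows; the capability mapping, the ACLs, and the user and group names are constructed assumptions.

```python
# Simplified model of the article's rules, treating each named permission as a unit.
# Windows itself evaluates individual access-right bits per ACE; use this for planning only.

# Assumed coarse capabilities behind each named permission (not an official mapping).
FULL = {"list", "read", "execute", "write", "delete", "change_perms"}
NTFS_CAPS = {
    "Full Control": FULL,
    "Modify": FULL - {"change_perms"},
    "Read & Execute": {"list", "read", "execute"},
    "List Folder Contents": {"list"},
    "Read": {"list", "read"},
    "Write": {"write"},
}
SHARE_CAPS = {
    "Full Control": FULL,
    "Change": FULL - {"change_perms"},
    "Read": {"list", "read", "execute"},
}

# Constructed sample ACLs for a hypothetical HR folder: (principal, allow/deny, permission).
NTFS_ACL = [
    ("Staff", "allow", "Read & Execute"),
    ("Staff", "allow", "List Folder Contents"),
    ("Contractors", "deny", "List Folder Contents"),
    ("HR", "allow", "Modify"),
]
SHARE_ACL = [("Staff", "allow", "Full Control"), ("HR", "allow", "Read")]


def resulting(acl, user, groups):
    """Add every Allow held directly or via a group, then subtract every Deny."""
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).add(perm)
    return allowed - denied


def caps(perms, table):
    """Expand named permissions into the coarse capabilities they carry."""
    return set().union(*(table[p] for p in perms))


def effective(ntfs_acl, share_acl, user, groups):
    """Most restrictive of the resulting NTFS and share rights (set intersection)."""
    ntfs = caps(resulting(ntfs_acl, user, groups), NTFS_CAPS)
    share = caps(resulting(share_acl, user, groups), SHARE_CAPS)
    return ntfs & share
```

With these sample ACLs, a member of HR holds Modify on disk but ends up read-only over the network because the share grants only Read, which is the kind of conflict the article warns about.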
