In Microsoft Windows networks, permissions on the file server can be assigned either via share permissions or NTFS permissions. A combination of both types of permissions is also possible. However, NTFS permissions are predominantly used, since access can be controlled more granularly.
As a rule, users are assigned either the “Read & Execute” or the “Modify” permission level (the NTFS “Modify” level is what this article also calls “Change”). The first gives the user read-only access to the desired directory, the second read and write access.
However, the classic “Modify” permission brings a problem with it.
In this article, we address this problem and provide a solution to secure the permission endpoints in the future.
The Problem with the “Change” (Modify) Permission
As a rule, IT provides a certain basic structure on the file server. Take the common case of a department structure: there is a separate directory for each department, and the employees of that department are given the “Change” (Modify) permission on the department folder. In this case, the department directory is the permission endpoint, i.e. the directory on which the assigned permission finally takes effect.
If you look at the advanced permissions that make up the “Change” (Modify) level (Read & Execute, Write and Delete), the problem quickly becomes apparent.
The “Delete” right is granted on the department directory itself, and “delete” also covers moving and renaming the folder, since both require the delete right on the object being moved or renamed.
This means the user can “break” the permission endpoint set by IT: they can move, rename or delete the directory.
For administrators this is a recurring problem.
Folders disappear because users move or delete them, by mistake or deliberately, and then have to be laboriously searched for in deeper folder structures or restored from backup.
“Modify Plus” as an Alternative to the “Change” Permission
To protect the permission endpoints, you should not use the default “Change” (Modify) permission. Instead, work with a modified version of it, which we call “Modify Plus”.
If you look at the advanced permissions of a “Modify Plus” entry, the “Delete” flag is not set. Instead, the “Delete subfolders and files” flag is assigned. In other words, “Modify Plus” is the standard Modify level minus “Delete” plus “Delete subfolders and files”, applied to the endpoint folder with inheritance to subfolders and files so that the “Delete subfolders and files” right also reaches nested directories. Because the entry no longer matches a predefined level, the basic view of the Security tab shows it as “Special permissions”; the advanced view shows the individual flags.
In this way, the administrator ensures that the specified permission endpoint can no longer be damaged by the user. Within the department directory, the user can still create folders and files and modify, delete, rename and move them. The main folder itself (in our example the department directory) can no longer be deleted, moved or renamed. Two caveats apply: the group must not receive “Delete” on the endpoint through another access control entry (for example a leftover Modify entry or a second group membership), and administrators with Full Control are of course still able to delete the folder.
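The following PowerShell script is an added example, not code from the original article or from the permSUITE product, showing how to build a “Modify Plus” entry from the .NET FileSystemRights flags and apply it to a department folder. The folder path `D:\Shares\Departments\Sales` and the group `CONTOSO\Sales-Users` are placeholders. It removes any existing explicit entry for the group first (so that a leftover Modify entry does not still grant Delete), applies the new entry with inheritance to subfolders and files, and then checks that no Allow entry for the group on the endpoint still contains the Delete right.

```powershell
# Added example: assign "Modify Plus" (Modify without Delete on the folder itself,
# plus "Delete subfolders and files") to a department folder.
# $Folder and $Group are placeholders; adjust them to your environment.
param(
    [string]$Folder = 'D:\Shares\Departments\Sales',
    [string]$Group  = 'CONTOSO\Sales-Users'
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# The predefined "Modify" level is ReadAndExecute + Write + Delete.
# "Modify Plus" drops Delete (on the object the ACE sits on) and adds
# DeleteSubdirectoriesAndFiles, so everything *inside* the folder can still be
# deleted, renamed and moved, while the folder itself cannot.
$modify        = [int]$FSR::Modify
$delete        = [int]$FSR::Delete
$deleteChildren = [int]$FSR::DeleteSubdirectoriesAndFiles
$modifyPlus    = [System.Security.AccessControl.FileSystemRights](
                    ($modify -band (-bnot $delete)) -bor $deleteChildren)

# Apply to "This folder, subfolders and files" so nested directories inherit
# the DeleteSubdirectoriesAndFiles right and their contents stay deletable.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    $modifyPlus,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -Path $Folder

# Remove existing explicit (non-inherited) entries for the group, e.g. a classic
# Modify entry, so that Delete is not still granted by a leftover ACE.
$existing = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited })
foreach ($e in $existing) { [void]$acl.RemoveAccessRule($e) }

$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verification: list the group's entries on the endpoint and warn if any Allow
# entry still carries the Delete right.
$check = (Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group }
$check | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

$stillDelete = $check | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $delete) -eq $delete }
if ($stillDelete) {
    Write-Warning "$Group still holds Delete on $Folder via another entry."
} else {
    Write-Host "$Group has Modify Plus on $Folder; the endpoint cannot be deleted, moved or renamed by its members."
}

# Equivalent with icacls (same rights: RX = Read & Execute, W = Write,
# DC = Delete subfolders and files; OI/CI = inherit to files and subfolders):
#   icacls "D:\Shares\Departments\Sales" /grant "CONTOSO\Sales-Users:(OI)(CI)(RX,W,DC)"
```

Run the script in an elevated session as an account that holds Full Control (or ownership) on the folder. The check at the end only inspects the explicit entries on the endpoint; if the group could still inherit Delete from a parent directory, break inheritance on the endpoint or review the parent's entries as well.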
Conclusion and Recommendation
To secure the permission endpoints, we recommend replacing the “Change” (Modify) permissions assigned in the file system with the improved “Modify Plus” permission.
With our permSUITE and the permWRITER included in it, administrators can optimize the existing permissions accordingly: permWRITER can assign permissions at the “Modify Plus” level.
Afterwards we recommend keeping the optimized and cleaned-up permissions consistent and valid with a software solution in permanent use. Our Austrian partner tenfold, with its identity and access management solution of the same name, is also able to assign “Modify Plus” permissions and thus protect the permission endpoints.
A prior cleanup of the file shares with permSUITE followed by the connection to tenfold ensures a permanently secure folder structure.