If a company wants to share local resources such as files and folders, it must be possible to control access permissions efficiently and easily. To protect company data against unwanted access, there are two ways to manage permissions: share permissions and NTFS permissions. Both are intended for data protection and can be used separately, but they behave differently.
In the following article, we discuss the differences between share and NTFS permissions, explain how they work, and give an overview of current NTFS best practices on file servers.
What are NTFS Permissions?
NTFS stands for “New Technology File System” and is a proprietary file system from Microsoft, which was introduced with Windows NT and is also used on today’s Windows client and server versions.
NTFS permissions control local access to folder structures and their files. If a user accesses data directly on the file server (for example, while logged on locally), share permissions play no role: only the NTFS permissions apply, because the access is local and not via a network share.
The individual NTFS permissions for a folder or file are collected in its “access control list” (ACL); each individual permission in that list is an “access control entry” (ACE). Thus every folder and every file has its own access control list containing its permission entries.
What are the NTFS Permission Levels?
In the NTFS file system, there are six predefined basic permissions, each composed of several “extended permissions”. The following NTFS permission levels are the basic permissions and build on each other:
- List folder contents: The user is allowed to list the contents of the folder and thus see which folders and files are inside.
- Read: The user may additionally read the contents of folders and files.
- Read & Execute: The user may additionally execute files and run programs.
- Write: The user may additionally create files and subfolders and modify the contents of files.
- Change: The user may additionally delete files and folders.
- Full access: The user is additionally allowed to change system settings (e.g. adjust permissions, inheritance or owner …).
With NTFS permissions, access for users or groups can be assigned in a far more detailed and granular manner than is possible with share permissions; administrators can also enable individual special permissions where needed.
What are Share Permissions?
Share permissions control access to files and folders over a network. If users are to access a folder (and its contents) that has been shared on the network, a share permission must be assigned to these users. However, this permission ONLY applies to access via the network, NOT to local access to the folder.
What are the Permission Levels for Shares?
On shares, the permissions that can be assigned are kept to a minimum; it is also not possible to assign extended permissions or additional settings. The following permission levels exist for shares:
- Read: The user is allowed to list and display the folder contents and to read the contents of files.
- Modify: The user may additionally create and delete files and subfolders and modify the contents of files.
- Full access: The user is additionally allowed to change system settings (e.g. adjust permissions, adjust inheritance, adjust owner …).
The Disadvantage of Share Permissions
As a rule, using share permissions alone is not flexible enough and should be avoided. To control permissions within a hierarchy exclusively with share permissions, nested shares would have to be created, each with its own share permissions. This multiplies the complexity on the file server for users and administrators alike. A transparent evaluation of who is allowed to access which folder becomes almost impossible and can only be produced with considerable effort.
The Interaction of Share and NTFS Permissions
The share permission assigned to a user only controls access via the network share to the folder structure below it. Within that folder structure, the permissions should be supplemented with NTFS permissions, so that access over the network is always governed by the combination of share and NTFS permissions.
To avoid unintentionally granting users too few or too many permissions, it is important to be clear about which of the permissions takes priority.
NOTE: When using share and NTFS permissions at the same time, the most restrictive permission is always applied!
Example of how to use Share and NTFS Permissions together
For network access to a folder, the more restrictive permission always applies. The following examples illustrate the logic behind the combination of share and NTFS permissions.
Example A:
If “Modify” is assigned as the share permission and “Read & Execute” as the NTFS permission, the user can read and execute the data in the folder. Although “Modify” is granted when accessing via the network, the NTFS permission restricts the effective access to “Read & Execute”.
Example B:
If the share permission is set to “Read” and the NTFS permission to “Full access”, the user can only read the data in the folder. Since the more restrictive permission applies, “Full access” takes effect only for local access, not when accessing via the network.
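To make the rule from Examples A and B checkable on a real server, here is an added PowerShell example (not from the original article) that reads the share ACE and the NTFS ACE for one principal and reports the more restrictive of the two as the effective level over the network. The share name, the principal, and the simplification that the principal is listed directly in both ACLs (group membership is not expanded) are assumptions of this example.

```powershell
# Added example: effective network access = the more restrictive of share and NTFS level.
# Assumes the SmbShare module (Windows Server 2012 or later) and direct ACEs for the principal.

# Order the levels named in the article from least to most permissive.
$levels = @('Read', 'Read & Execute', 'Write', 'Modify', 'Full access')

function Get-ShareLevel {
    param([string]$ShareName, [string]$Principal)
    $ace = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Principal -and $_.AccessControlType -eq 'Allow' } |
        Select-Object -First 1
    if (-not $ace) { return $null }
    # Get-SmbShareAccess reports Read / Change / Full; Change corresponds to Modify.
    switch ("$($ace.AccessRight)") {
        'Full'   { 'Full access' }
        'Change' { 'Modify' }
        default  { 'Read' }
    }
}

function Get-NtfsLevel {
    param([string]$Path, [string]$Principal)
    $ace = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' } |
        Select-Object -First 1
    if (-not $ace) { return $null }
    $fsr    = [System.Security.AccessControl.FileSystemRights]
    $rights = [System.Security.AccessControl.FileSystemRights]$ace.FileSystemRights
    # Map the NTFS rights mask onto the basic levels, most permissive first.
    if ($rights.HasFlag($fsr::FullControl))    { return 'Full access' }
    if ($rights.HasFlag($fsr::Modify))         { return 'Modify' }
    if ($rights.HasFlag($fsr::Write))          { return 'Write' }
    if ($rights.HasFlag($fsr::ReadAndExecute)) { return 'Read & Execute' }
    return 'Read'
}

function Get-EffectiveLevel {
    param([string]$ShareName, [string]$Principal)
    $path  = (Get-SmbShare -Name $ShareName).Path
    $share = Get-ShareLevel -ShareName $ShareName -Principal $Principal
    $ntfs  = Get-NtfsLevel  -Path $path -Principal $Principal
    # Without an allow entry on both sides there is no access over the network at all.
    if (-not $share -or -not $ntfs) { return 'No access' }
    # The more restrictive level wins, exactly as in Examples A and B.
    $levels[[Math]::Min([array]::IndexOf($levels, $share), [array]::IndexOf($levels, $ntfs))]
}

# Assumed share and group names.
Get-EffectiveLevel -ShareName 'Projects' -Principal 'CONTOSO\Finance'
```

A Deny entry on either side would override these Allow levels; the example deliberately stops at the Allow comparison the article describes.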
Best Practice - Combination of Share and NTFS Permissions
Due to the limited possibilities of using only share permissions, it is recommended to supplement them with additional NTFS permissions. This increases the security on the file server and at the same time gives you much more flexibility in assigning permissions.
It is therefore advisable to make your folders available in the network with share permissions and to ensure further requirements and accesses within the folder hierarchy via NTFS permissions.
NOTE: Assign the permission level "Full Access" in the share permissions for Administrators and the permission level "Modify" for "Authenticated Users"!
This ensures that the necessary folders are reachable on the network, while the permissions within the hierarchy are controlled much more granularly through NTFS permissions.
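The recommended setup, as an added PowerShell example that is not part of the original article: the share acts only as a coarse gate (Full access for Administrators, Change/Modify for Authenticated Users), and the NTFS ACL on the share root decides who can actually read or write. The path, the share name, and the group names are assumptions of this example.

```powershell
# Added example: publish a folder with the article's recommended share permissions
# and control access within the hierarchy via NTFS. Path and group names are assumed.
$path  = 'D:\Shares\Projects'
$share = 'Projects'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# 1. Share permissions: broad on purpose, the NTFS ACL does the fine-grained work.
New-SmbShare -Name $share -Path $path `
    -FullAccess   'BUILTIN\Administrators' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# 2. NTFS permissions on the share root.
$acl = Get-Acl -Path $path
# Stop inheriting the volume's default ACEs so that only the entries set here count
# ($true = protect from inheritance, $false = do not keep copies of inherited entries).
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Assumed group names: one read/write group, one read-only group.
$rules = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'CONTOSO\Projects-RW';    Rights = 'Modify' },
    @{ Id = 'CONTOSO\Projects-RO';    Rights = 'ReadAndExecute' }
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Result: every authenticated user passes the share, but only Projects-RW can write
# and only Projects-RO can read; anyone without an NTFS entry is refused.
```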