What’s the Difference Between Share and NTFS Permissions?

By Danny Murphy | Published On - 04.29.2019 | Auditing

Both share and NTFS permissions serve the same purpose within Windows environments; namely, to help you prevent unauthorized access to your critical folders. However, there are some critical differences between the two that will determine which one you use.

In this blog we will learn about what share permissions and NTFS permissions are, what the differences between the two are and the best practices for using them.

What Are Share Permissions?

Simply put, share permissions allow you to control who accesses folders over the network (they will not apply to those users who are accessing locally). In share permissions, you cannot control access to individual subfolders or objects on a share. Instead, share permissions apply to all of the files and folders within the share. Share permissions can be used with NTFS, FAT and FAT32 file systems and allow you to determine the number of users who can access the shared folder.

Share permissions allow you to grant Full Control, Change or Read permissions to users. As the name suggests, Full Control grants users the right to read, change and control permissions for NTFS files and folders. This is the highest level of privilege granted by share permissions (administrators will likely hold Full Control). Change permissions allow users to make changes to files and subfolders (including deleting), and Read permissions allow users only to view the data.

What Are NTFS Permissions?

NTFS permissions are used to manage access to data stored on NTFS file systems. NTFS (New Technology File System) is the de facto file system for Windows NT and later operating systems. Unlike share permissions, NTFS permissions affect both network and local users. The types of NTFS permissions available are similar to share permissions but go into a bit more detail.

The basic types of access permissions are Full Control, Modify, Read & Execute, Read and Write. Most of these are self-explanatory, and similar to share permissions. Read & Execute rights allow users to run executables, including scripts.

Differences Between NTFS and Share Permissions

The type of permissions you choose to use will depend on what you’re looking to achieve and the resources you have available to you. NTFS permissions provide more granular access controls but are more difficult to apply and manage than share permissions. If you want to use both NTFS and share permissions together, the most restrictive permission will be the dominant one.

As previously mentioned, NTFS permissions give you the ability to control access for both network and local users, whereas share permissions will only apply to network users. Share permissions also allow you to limit the number of concurrent logons to a shared folder, which will help to eliminate data misuse.
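The following Python sketch is an added example, not part of the original post. It models the rule described above: over the network the share and NTFS layers are combined and the more restrictive one wins, while local access is governed by NTFS alone. The group names, the ACLs and the mapping of each permission level to individual rights are constructed for illustration, and the model covers Allow entries only.

```python
# Simplified model: Allow entries only; Deny entries and special permissions are left out.
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}

# Constructed ACLs for one shared folder: (group, level) pairs, assigned to groups only.
SHARE_ACL = [("Finance-Staff", "Change"), ("Auditors", "Read"), ("Helpdesk", "Full Control")]
NTFS_ACL = [("Finance-Staff", "Modify"), ("Auditors", "Full Control"), ("Helpdesk", "Read")]


def granted(acl, levels, groups):
    """Rights are cumulative across every group the user belongs to."""
    rights = set()
    for group, level in acl:
        if group in groups:
            rights |= levels[level]
    return rights


def effective_rights(groups, share_acl, ntfs_acl, over_network):
    """Return the rights a user with these group memberships ends up with."""
    ntfs = granted(ntfs_acl, NTFS_LEVELS, groups)
    if not over_network:
        return ntfs  # share permissions are not evaluated for local access
    # Over the network both layers must allow a right, so the stricter one wins.
    return ntfs & granted(share_acl, SHARE_LEVELS, groups)


if __name__ == "__main__":
    for name, groups in [("alice", {"Finance-Staff"}), ("bob", {"Auditors"}),
                         ("carol", {"Helpdesk"})]:
        for over_network in (True, False):
            path = "network" if over_network else "local"
            rights = effective_rights(groups, SHARE_ACL, NTFS_ACL, over_network)
            print(f"{name:6} {path:8} {sorted(rights)}")
```

In the constructed data, the Auditors group is limited to read and execute over the network but holds every right, including changing permissions, when logged on locally, so the NTFS ACL is the layer that has to carry least privilege.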

Best Practices for Using Permissions

Your entire objective when using permissions should be to operate on a policy of least privilege, where users only have access to the files and folders they need to do their job. To help achieve this, there are a number of things you can do:

  • Don’t assign permissions to user accounts: Permissions should be assigned only to groups in order to simplify the management of access to shared resources. If an employee in your organization changes roles and requires a new set of permissions, you can simply remove them and add them to the most appropriate groups.
  • Use the Administrators group wisely: Users in this group will be able to do anything with your files and folders, including changing permissions. There are very few users who warrant this kind of control, and those that do need to be audited and monitored closely. You should use a third-party File Server audit solution to audit, monitor and alert on changes administrators are making to your files and folders.
  • Group objects together depending on security requirements: If there are a load of folders that apply to one particular department in the organization, group them into a parent folder and share that parent folder. This will save you having to go through and share each folder individually.

If you want to better understand the permissions and privileges in your organization and ensure that you are operating on a principle of least privilege, start a free trial of LepideAuditor today to see how we can help.
